The Environmental Protection Agency has a detailed process for dealing with new cybersecurity weaknesses: develop a plan to remediate with clear goals and milestones, then attack the problem. The only issue: Those plans aren’t being logged, managed or tracked, according to the agency inspector general.
The agency created an automated tool for logging vulnerabilities that will take time to remediate and track progress through official plans of action and milestones. According to an inspector general report released Tuesday, many of those plans were never entered into the system, meaning they were never tracked and, in some cases, the vulnerabilities were never patched.
Auditors from the Office of the Inspector General found disparate levels of participation from EPA offices. The IG interviewed employees who said their office doesn’t have a formal process for using the system—despite it being an agencywide requirement—and others who developed independent methods of tracking patching progress.
“One information security person indicated that their office … [is] tracking and managing the reported weaknesses on a spreadsheet,” the report states. “The person indicated their office took this action to prevent external parties within the EPA from having oversight of their office’s remediation activities.”