A recent Government Accountability Office (GAO) report claims that potentially sensitive information and information systems could be vulnerable due to weaknesses in the U.S. Environmental Protection Agency’s (EPA’s) network security. According to the report, EPA has failed to adequately (i) enforce strict policies on password controls, (ii) limit user access to only those parts of the network necessary for official duties, (iii) ensure the encryption of sensitive information, (iv) keep logs of network activity, or (v) limit physical access to systems or information. The report claims that these failures give the agency “limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.” GAO also notes that “[w]ithout adequate safeguards, systems are vulnerable to individuals and groups with malicious intentions, who may obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.”

The report makes 12 recommendations for the agency to fully implement its comprehensive information security program. In comments on a draft report, EPA agreed with the GAO recommendations. In a separate report, with limited distribution, GAO made 94 recommendations to EPA to enhance access and other information security controls over its systems.