The Environmental Protection Agency awarded more than $540 million worth of often-sensitive information security contracts during the last two years of the Obama administration without learning whether the contractors now doing the jobs have gotten special “role-based” training required for their tasks, according to an internal audit report.
Indeed, the EPA, at the time the audit was conducted, “was unaware” of the number of contractors who actually had “significant information security responsibilities” and required such training, the audit says – and largely didn’t even track contractors to see if they met the training requirements.
Nor had the agency reported any of the training lapses to the White House Office of Management and Budget, as required, for either of the two fiscal years, 2015 and 2016, a period when the EPA was under the direction of Administrator Gina McCarthy.
The federal government’s fiscal year runs from October of the previous year through October of the designated year.
As a result, the audit declares in carefully oblique prose: “EPA management lacks the necessary data to make risk-based decisions about the capabilities of its contractor workforce charged with protecting the confidentiality, integrity and availability of the agency’s network and data.”
Translation: EPA officials had no way of knowing whether the contractors were always capable of keeping its cyber-networks and their data secure or not, because it neither evaluated them for “significant” information security responsibilities nor provided “role-based” training for them, as required both by law and by internal administrative guidelines.
Moreover, without “consistently developing” contractor employee skills to counter cyberattacks, “EPA [computer] applications are more likely to be compromised by a security breach where personally identifiable and other information could be lost or altered. This could lead to compromised identities, or the potential for environmental data used to protect and improve human health and the environment being altered or erased.”
The 11-page audit by EPA’s Office of Inspector General (OIG) concerning the glaring info-security lapses, and accompanying preliminary responses from EPA officials, was finished last July, but the agency told Fox News last week it is still working on its formal replies. Auditors worked on the project for more than a year, from March 2016 through April 2017.
Some of the work being carried out by those untracked contractors is far from trivial. Based on a sampling of five of 688 EPA contracts that nonetheless covered roughly 30 percent of the overall $546.5 million total, these areas included:
? Information technology hosting service at EPA’s National Computing Center, located in Research Triangle Park in North Carolina, and self-described as “one of the largest computer centers in the United States.” The NCC is EPA’s main nerve center. It provides “large scale computing services for EPA nationwide,” including “administrative activities” as well as telecommunications and e-mail, and “advanced supercomputing for scientific research in air quality protection and other environmental studies,” according to the NCC website, not to mention EPA’s information security.
? The “custom application management contract” at the same National Center, which focuses on ensuring that computer applications are fine-tuned appropriately in such areas as security, performance and disaster-proofing.
? Operation and maintenance support for EPA’s own procurement system, which currently lists about $4.4 billion in contracts as of May 2017;
? The general information technology contract for EPA’s desktop applications, “security partitioning,” and remote access, among other things.
The lapses in the EPA’s cybersecurity training cycles spanned a period that started three months after the Obama administration launched a much-publicized “30-Day Sprint” to patch cybersecurity vulnerabilities in 2015, after some of the biggest hacks of U.S. government data in history at the White House Office of Personnel Management.
The lapses in procedure, and failure to report the shortcomings, also came more than two years after the massive U.S. intelligence breaches carried out by notorious leaker Edward Snowden, many of them accomplished while he was an information security contractor with the ultra-sensitive National Security Agency.
The EPA, of course, is by no means as sensitive a government agency as the ultra-secret NSA.
Nonetheless, in the new atmosphere of concern for information security vulnerabilities of all kinds, the OIG watchdogs found that in three of the contacts they inspected, which included the NCC and procurement systems, there was no language at all demanding contractors complete the required training.
The auditors also discovered that EPA personnel overseeing the contractors were themselves not often aware of the demand for special contractor training and only one of them ensured that any contractors got the appropriate training.
Perhaps unsurprisingly, even before the auditors finished their investigation, things began to change. By the end of 2016, their report says, the EPA told them that the agency had developed standard contract clauses to require contractor compliance with federal information security requirements, including the specialized training.
New contracts for 2017, the audit report says, are being reviewed to make sure they contain the new language.
“However,” the report adds, “the official said no milestone dates have been established to review existing contracts for the inclusion of the clauses.”
The auditors offered a number of recommendations, including inclusion of its new information security clauses, in “all existing and future information technology contracts and task orders,” not to mention getting a list of all the contractors in sensitive positions that they are already supposed to be tracking, and recording whether they are getting the required specialized training or not.
The question is when? Under a timetable appended to the audit, the EPA was supposed to implement “a strategy” for updating all those past contracts by the end of June 2017. It also was supposed to report the number of contractors in special positions, as required by law, by the end of September.
It is additionally supposed to “implement a process” to have “appropriate” EPA officials maintain a listing of sensitive contractor personnel and make the EPA bureaucrats accountable to the agency’s Chief Information Security Officer for ensuring that the appropriate training takes place—by the end of 2018.
And EPA is supposed to the update its procurement policies to include cyber-security tasks—the training issue among them—only by the end of October 2019.
All of that, however, is apparently still preliminary. In response to a question from Fox News late last week, an EPA spokesperson declared that two internal EPA offices are still working “to develop our formal response [to the audit] and a timeline for delivering that response.”