Report File
Date Issued
Submitting OIG
Environmental Protection Agency OIG
Agencies Reviewed/Investigated
Environmental Protection Agency
Report Number
25-P-0023
Report Description

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to assess the EPA’s compliance with the fiscal year 2024 Inspector General Federal Information Security Modernization Act of 2014 reporting metrics. The reporting metrics outline five security function areas and nine corresponding domains to help federal agencies manage cybersecurity risks.

Summary of Findings

We assessed the EPA’s information security program effectiveness against the Office of Management and Budget’s FY 2023–2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics at the maturity level of Level 4 (Managed and Measurable). The Agency achieved Level 4 ratings for 30, or 81 percent, of the 37 fiscal year 2024 metrics. Overall, we concluded that the EPA achieved a maturity level of Level 4 for the five security functions and nine domains outlined in the IG FISMA Reporting Metrics. This means that the EPA collects quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies across the organization that are used to assess and make necessary changes. We identified that the EPA had deficiencies in the following areas:

  • Complete and accurate inventory of EPA information systems.
  • Software asset management data. We found that the Agency’s software management asset tool lacks complete and accurate data related to its software license inventory.
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
3
Questioned Costs
$0
Funds for Better Use
$5,885,000
Report updated under NDAA 5274
No
