Why We Did This Report
The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to assess the EPA’s compliance with the fiscal year 2024 Inspector General Federal Information Security Modernization Act of 2014 reporting metrics. The reporting metrics outline five security function areas and nine corresponding domains to help federal agencies manage cybersecurity risks.
Summary of Findings
We assessed the EPA’s information security program effectiveness against the Office of Management and Budget’s FY 2023–2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics at the maturity level of Level 4 (Managed and Measurable). The Agency achieved Level 4 ratings for 30, or 81 percent, of the 37 fiscal year 2024 metrics. Overall, we concluded that the EPA achieved a maturity level of Level 4 for the five security functions and nine domains outlined in the IG FISMA Reporting Metrics. This means that the EPA collects quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies across the organization that are used to assess and make necessary changes. We identified that the EPA had deficiencies in the following areas:
- Complete and accurate inventory of EPA information systems.
- Software asset management data. We found that the Agency’s software management asset tool lacks complete and accurate data related to its software license inventory.
