The CSB Has Improved Its Information Security Program but Needs to Document Recovery Testing Results, Consistent with National Institute of Standards and Technology Guidelines

Why We Did This ReportThe U.S. Environmental Protection Agency Office of Inspector General conducted this audit to assess the U.S. Chemical Safety and Hazard Investigation Board’s compliance with the FY 2023–2024 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics. We contracted with SB & Company LLC to perform this audit under our direction and oversight. Summary of FindingsSB & Company concluded that the CSB achieved an overall maturity of Level 2, Defined, in fiscal year 2023. This means that the CSB’s policies, procedures, and strategies are formalized and documented but not consistently implemented. While the CSB has improved its overall maturity from the Level 1, Ad Hoc, rating it achieved in fiscal year 2022, SB & Company identified that improvements are still needed in the Incident Response domain within the Respond Function Area. Specifically, SB & Company concluded that the CSB should formally document the results of and the lessons learned during its disaster recovery testing scenarios. Because the CSB only has an informal process for documenting testing results and lessons learned, it did not fully document the results of its disaster recovery testing in a manner that was consistent with the National Institute of Standards and Technology guidelines.