Resource constraints led to EPA’s failure to address critical vulnerabilities in air and radiation data

The Environmental Protection Agency is failing to track and remediate thousands of critical vulnerabilities to its environmental and radiation data, according to a new watchdog report that claims the security deficiencies could potentially pose a significant risk to public health. 

The inspector general report published on Wednesday said the EPA had not complied with federal mandates that require the agency to address identified vulnerabilities under specific timeframes for its Analytical Radiation Data System, otherwise known as ARaDS. 

The system is an information technology architecture that collects and analyzes radiation monitoring data for air, precipitation, drinking water and soil across the country, and can provide alerts about national radiological incidents.

A scan of the agency's network revealed more than 20,000 instances of critical vulnerabilities that could potentially impact remote computers through denial of service attacks, memory corruption and remote code execution. The EPA also failed to provide adequate tracking and remediation efforts for eight critical vulnerabilities the Office of the Inspector General selected as part of its review.

"Because of the significance of the data collected, analyzed and hosted within ARadDS, the impact of these data being compromised poses a significant risk to public health," the report said.

The National Institute of Standards and Technology gives federal entities two calendar days to remediate critical vulnerabilities, seven days for moderate vulnerabilities and 30 days for low vulnerabilities.

EPA officials cited “the significant number of vulnerabilities” associated with ARaDS “and the limited resources to address them” as part of the reason for the apparent backlog installing critical patches for the system. 

The report said that the EPA scored an overall level three out of five on its maturity model spectrum, meaning that the EPA has consistently implemented its information security policies and procedures in accordance with the Federal Information Security Modernization Act of 2014, but noted that "quantitative and qualitative effectiveness measures are lacking."

The IG report recommended that the EPA develop implementation plans to prioritize and schedule known patches to identified vulnerabilities within required timeframes, as well as update its monitoring guidance to include a more timely process for reviewing new information security procedures and assign responsibilities to track and measure progress.  

The EPA is currently following outdated IT evaluation procedures that give the agency three years to ensure its compliance with the federal mandates, while the Office of Management and Budget has tasked federal entities with following NIST standards within one year of their publication. 

The EPA agreed with the inspector general's three recommendations and provided corrective actions with timeframes to address the noted vulnerability tracking and remediation issues. 

Joseph Goffman, principal deputy assistant administrator for the Office of Air and Radiation, said in a response attached to the report that manufacturers do not regularly update nuclear counting instruments that measure radiation data, which, in part, led to the identified vulnerabilities going unaddressed. 

Goffman said the agency is adding two new cybersecurity positions to his office to support monitoring and mitigation efforts, as well as funding hardware solutions to replace outdated software. The agency has also sought a $2.5 million investment from the Technology Modernization Fund to assist with additional modernization efforts that impact the ARaDS network.