Security gaps found in EPA contracting system

Inspector general locates 50 vulnerabilities on nine computer servers.

An audit of a major Environmental Protection Agency contract management system uncovered significant security lapses that, if exploited by hackers, could have serious consequences for the agency's operations, assets and personnel.

The 15-page report released earlier this week by the EPA inspector general found that the agency's current integrated contract management system lacks a security plan, adequate contingency plans and a process for monitoring known security weaknesses.

The integrated contract management system automates EPA's acquisition and contract management processes by generating solicitations, contract documents, purchase orders, contract modifications and other documents.

The IG found that of the nine servers it reviewed, five were left unmonitored. The inspectors discovered 50 vulnerabilities on the nine servers, with the unmonitored ones having, on average, 70 percent more vulnerabilities than those that were watched.

The audit, conducted from March to July 2005, concluded that agency officials could have discovered these security vulnerabilities had they followed federal and agency information security policies and guidelines.

Agency officials should develop a contingency plan for the contract management system and test it at least once a year, the report recommended. In addition, the system's production servers should be periodically monitored for known vulnerabilities, and oversight of the agency's systems and major applications should be reevaluated to ensure that changes are made.

EPA officials agreed with many of the audit's recommendations and noted plans to address them. But they maintained that they are periodically monitoring the application's servers under the direct supervision of the agency's Administration and Resources Management Office.

Many of the findings will be addressed once the EPA completes its server consolidation project, according to the agency.

The EPA IG annually selects one major application from each of five program offices for a cybersecurity review as part of its statutory requirements under the 2002 Federal Information Security Management Act, a computer security law governing federal agencies.

A report issued in October 2005 concluded that the agency as a whole needs to improve its security practices.