EPA Doesn’t Know About Dozens Of Its Own IT Systems

(REUTERS/Gary Cameron)

Daily Caller News Foundation logo
Ethan Barton Editor in Chief
Font Size:

Environmental Protection Agency officials can’t keep track of its information technology systems, which increases the risk of data breaches that could cost taxpayers at least $12 million, a government watchdog reported Monday.

The EPA lacks a complete list of its IT systems that are managed by contractors, meaning officials can’t properly ensure the systems’ cyber-security, and could mean the agency is paying for multiple systems that perform duplicative functions, according to the EPA inspector general.

“The EPA risks being unable to effectively mitigate security vulnerabilities and unable to protect the organization’s resources and data from undue harm,” the inspector general said. “The EPA’s official IT systems inventory does not contain all contractor systems. Our analysis of this list showed that 22 contractor systems and an initiative were not reported.”

Having an incomplete IT systems database is a significant problem because “managerial oversight of contractor compliance with information security control is critical for maintaining the public’s confidence in the environmental impacts achieved through EPA programs, as well as for helping avoid costs associated with data breaches.”

“Without a complete inventory of contractor systems, the agency cannot ensure that all IT systems, services and models are receiving the appropriate level of IT governance. Furthermore, without a complete inventory, there is no way to determine if there are systems already developed or acquired that will meet current or future” needs.

Also, the EPA didn’t ensure “contractors conducted their annual security assessments,” the IG said. In fact, some officials weren’t even aware that they had oversight responsibilities. “We found that the EPA did not provide oversight of contractors implementing EPA information security procedures because responsible personnel were unaware of the requirements.”

In the past, “data maintained by a third party and residing at the vendor’s site were breached on multiple occasions,” the IG said.

A lack of security assessments could cause “a compromised system or the inability to subvert a data breach,” the report said. “As a result, the EPA could potential spend from $1.4 million to over $12 million to mitigate data breaches on the systems we reviewed.”

Follow Ethan on Twitter

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact

All content created by the Daily Caller News Foundation, an independent and nonpartisan newswire service, is available without charge to any legitimate news publisher that can provide a large audience. All republished articles must include our logo, our reporter’s byline and their DCNF affiliation. For any questions about our guidelines or partnering with us, please contact