IG: Security at risk in EPA contract management system
During a five-month review in mid-2005, IG investigators at the Environmental Protection Agency found the Integrated Contract Management System was operating without up-to-date certification, accreditation and contingency plans.
The Environmental Protection Agency should place greater emphasis on the security of its automated acquisition and contract management process, according to the agency's inspector general.
In a new report, IG investigators during a five-month review in mid-2005 found the Integrated Contract Management System was operating without up-to-date certification, accreditation and contingency plans.
"As a result, ICMS had security vulnerabilities which, if exploited, could have had a serious adverse effect on operations, assets and individuals," the report said.
Particularly, the IG found that EPA's Office of Administration and Resources Management, which manages ICMS, did not update and approve key C&A package documents in a timely fashion, develop or test a contingency plan if the system crashed, or monitor production servers for vulnerabilities.
"Exploiting one of these vulnerabilities could result in reduced integrity of the data used by all EPA contracting offices for contract processing and degrade ICMS' availability, thereby hindering the contracting officers' ability to use the application to manage contractor tasking, allocation of funds and contractor efforts," the report said.
OARM said it agreed with these conclusions, and has implemented a plan of actions and milestones to correct the flaws.
It also said many of the IG concerns will be resolved when it finalizes its server consolidation process.
Rob Thormeyer is a staff writer for Washington Technology's sister publication, Government Computer News.