LOL EPA OIG NDA WTF: Eco-watchdog's auditors barred from seeing own agency's cloud security report by gagging order
Peak US govt bureaucracy locks investigators out of files covering '180' vulnerabilities
Lest you think working for Uncle Sam in Washington DC is glamorous or in any way enviable, behold this stunning achievement in bureaucratic cock-up, or perhaps conspiracy.
America's Environmental Protection Agency's internal auditors say they have been locked out of a critical security report on their own organization's IT systems. Specifically, Kevin Christensen, assistant inspector general for the US government's eco regulator, said he is being denied access to a security assessment of the cloud service the EPA uses for its budgeting software.
It is believed the security review found there were 180 individual vulnerabilities present in the cloud system, a matter that is understandably of interest to the Office of the Inspector General.
According to a memo, spotted by Nextgov, sent this month to the agency's financial chief Holly Greaves, the damning dossier is subject to a non-disclosure agreement (NDA) put in place by another facet of the US government.
That facet, we're told, is the Federal Risk and Authorization Management Program (FedRAMP), a government-wide computer security effort run by the General Services Administration. This program, it is claimed, banned the EPA's bean counters from revealing the security assessment of the cloud service used to host the budgeting apps. It appears FedRAMP organizes audits of external IT services, and seeks to keep any findings under wraps.
Not wanting to run afoul of that gagging agreement, the eco watchdog's financial staff not only withheld copies of the security audit, but even destroyed their notes on the report before they could make their way to the inspector general's office. When Christensen asked for their write-ups, he was told they no longer exist.
Understandably, Christensen is not happy he and his team are being frozen out of reports discussing potentially scores of information security risks and regulatory failures. In fact, he believes that documents may have been destroyed in violation of both EPA and federal government record-keeping rules, and is demanding further action by the bean counters to get to the bottom of this mess.
"We are concerned that the OCFO [office of the chief financial officer] acted incorrectly," Christensen said. "The OCFO potentially overlooked compliance with the Federal Records Act and the agency’s Interim Records Management Policy."
The OCFO employees, on the other hand, find themselves in the unenviable position of either being found in violation of EPA rules, or running afoul of an NDA they signed with FedRAMP. Not a particularly good spot to be in.
Meanwhile, the city of Flint, Michigan, still does not have clean drinking water. ®