The Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) believes that the agency violated the Federal Records Act when it destroyed an employee’s notes that document a security report of EPA’s cloud service provider.
EPA Assistant Inspector General Kevin Christensen accused EPA of that violation in a March 8 memorandum to EPA Chief Financial Officer (CFO) Holly Greaves.
OIG requested a report that assessed the security of the agency’s cloud service provider environment, as well as an Office of the Chief Financial Officer (OCFO) report that audited EPA Budget Formulation System (BFS) information system security controls.
Due to a non-disclosure agreement (NDA) OFCO said it could not share documents related to its review with other offices, including OIG. Furthermore, OFCO personnel cited the NDA as its cause for destroying the notes assessing EPA’s cloud-hosting environment security.
OFCO acted incorrectly, OGI alleges, and it overlooked compliance with the Federal Records Act and the agency’s Interim Records Management Policy. OIG added that the employee’s notes reviewing the cloud security controls should be accessible to OIG’s audit.
“By subordinating the Inspector General Act to an NDA, the OCFO did not provide the OIG timely access to all documents relating to the subject audit,” OIG wrote. “Moreover, without the OIG’s ability to review the destroyed notes or spreadsheet, there is no documentary evidence that the EPA analyzed the impact of the 180 vulnerabilities identified in the [security assessment report].”
EPA has until tomorrow to respond to OIG concerning its findings. EPA OFCO did not respond for comment on how it plans to proceed.