
The Environmental Protection Agency (EPA) as of late last year lacked the controls needed to comprehensively track its information systems and software assets, according to a watchdog report that uncovered nearly $6 million in potentially unaccounted-for software licenses.
In an audit published April 2 by EPA’s Office of Inspector General (OIG) related to the agency’s 2024 compliance with the Federal Information Security Modernization Act (FISMA), the OIG found that EPA lacks documented procedures to validate the completeness and accuracy of its information technology systems inventory data.
Each agency is required to maintain and update an inventory of its organizational systems, according to National Institute of Standards and Technology (NIST) requirements. The chief information officer (CIO) must also validate the CyberScope report information submitted to the Office of Management and Budget (OMB), which ensures compliance with Federal cybersecurity initiatives.
The OIG also found that EPA’s software asset management (SWAM) doesn’t have complete and accurate license data needed to comply with NIST requirements. According to the report, agency personnel said the EPA hadn’t designated a specific SWAM tool as a record keeper for data.
“As of August 22, 2024, we found that 128 purchased software license records were not matched to a software installation,” the OIG said. “As a result, the SWAM tool contained records for licenses that have either not been installed or have no matching installation record in the tool, relating to licenses worth about $5.9 million.”
“Additionally, 14 of the 128 purchases without matching installations did not have a license start or end date recorded to indicate the length of the license agreement,” it continued. “Furthermore, the SWAM tool contained 1,543 software installations without matching purchases recorded.”
The OIG recommended that the EPA establish procedures to reconcile its application registry and software purchase data and validate its systems inventory. It also advised designating an official system of record for software asset management and ensuring staff are informed of the designation.
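The reconciliation the OIG recommends is, at its core, a two-way match between a purchase ledger and an installation inventory. The following is an added example written for this article, not code from the OIG report or from any EPA tool. It uses constructed sample records with assumed field names (record_id, vendor, product, seats, cost_usd, start, end, host) and reproduces the three findings quoted above: purchases with no matching installation (and their total value), unmatched purchases with no license start or end date, and installations with no matching purchase. It goes one step beyond the report by also flagging products whose installation count exceeds the purchased seats, since the same join answers that question.

```python
"""Reconcile software purchase records against installation records.

Added example, not part of the OIG report or any agency tool. The purchase
and installation lists below are constructed; all field names are
assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Purchase:
    record_id: str
    vendor: str
    product: str
    seats: int
    cost_usd: float
    start: Optional[str]  # ISO date, or None when never recorded
    end: Optional[str]


@dataclass(frozen=True)
class Installation:
    host: str
    vendor: str
    product: str


def _key(vendor: str, product: str) -> tuple:
    # Normalise case and whitespace so the two data sources join reliably.
    return (vendor.strip().lower(), product.strip().lower())


def reconcile(purchases, installations):
    """Return the findings an auditor would ask for, keyed by name."""
    installed = defaultdict(list)
    for inst in installations:
        installed[_key(inst.vendor, inst.product)].append(inst)

    purchased = defaultdict(list)
    for p in purchases:
        purchased[_key(p.vendor, p.product)].append(p)

    # Finding 1: licenses bought but never installed, and what they cost.
    unmatched = [p for p in purchases if _key(p.vendor, p.product) not in installed]
    # Finding 2: of those, records with no start or end date (term unknown).
    missing_dates = [p for p in unmatched if p.start is None or p.end is None]
    # Finding 3: software on hosts with no purchase record behind it.
    orphans = [i for i in installations if _key(i.vendor, i.product) not in purchased]
    # Extra check: more installations than seats were purchased for.
    over_deployed = {
        k: (len(installed[k]), sum(p.seats for p in purchased[k]))
        for k in purchased
        if len(installed[k]) > sum(p.seats for p in purchased[k])
    }
    return {
        "unmatched_purchases": unmatched,
        "unmatched_value_usd": round(sum(p.cost_usd for p in unmatched), 2),
        "unmatched_missing_dates": missing_dates,
        "installs_without_purchase": orphans,
        "over_deployed": over_deployed,
    }


# Constructed sample data (not real vendors, records or prices).
PURCHASES = [
    Purchase("PO-1001", "Acme Corp", "Widget Pro", 1, 12500.00, "2024-01-01", "2024-12-31"),
    Purchase("PO-1002", "Acme Corp", "Widget Pro", 1, 6250.00, "2024-03-01", "2025-02-28"),
    Purchase("PO-1003", "Globex", "DataMover", 10, 4000.00, None, None),
    Purchase("PO-1004", "Initech", "ReportGen", 5, 1500.00, "2024-06-01", "2025-05-31"),
]
INSTALLATIONS = [
    Installation("ws-01", "acme corp", "widget pro"),
    Installation("ws-02", "Acme Corp", "Widget Pro"),
    Installation("ws-03", "Acme Corp", "Widget Pro "),
    Installation("srv-07", "Umbrella", "LogShip"),
]

if __name__ == "__main__":
    result = reconcile(PURCHASES, INSTALLATIONS)
    print(f"{len(result['unmatched_purchases'])} purchases without installation, "
          f"worth ${result['unmatched_value_usd']:,.2f}")
    print(f"{len(result['unmatched_missing_dates'])} of those lack a license term")
    print(f"{len(result['installs_without_purchase'])} installations without a purchase")
    print(f"over-deployed products: {result['over_deployed']}")
```

Pointing the two lists at exports from a designated system of record (the report's other recommendation) turns this into the recurring validation procedure the OIG found missing; the normalisation step matters because purchase and inventory tools rarely spell vendor and product names the same way.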
“Without a complete and accurate inventory of information technology systems, software purchases, and licensing data, the Agency lacks accountability for and visibility of those assets on the Agency’s network and limits opportunities to reduce duplicative license costs,” the IG report said.