A week after news that a massive federal data breach exposed the personal records of current and former federal workers, the chief information officer of the Environmental Protection Agency fielded questions about her agency’s security policies.
During a Senate Environment and Public Works Committee confirmation hearing Thursday, Ann Dunkin laid out some of the most important things her agency considers while protecting its systems:
1. Knowing what is important to secure. “If we don’t set priorities, nothing will be secure,” she said.
2. Instituting appropriate controls and hygiene activities. That can mean everything from ensuring that new systems have the Federal Risk and Authorization Management Program’s authority to operate to patching existing systems when threats come to light. She also said it’s important to educate users on what they can do (like use stronger passwords or not click on links in dubious emails) to limit the systems’ vulnerability.
3. Focus on monitoring the network. That way, the agency can respond if there’s a problem.
[Editor’s note: Various federal IT leaders brought up some of these ideas during a recent discussion hosted by FedScoop on how to strengthen cybersecurity.]
Last week, the EPA’s inspector general released a report highlighting five areas where the agency had security deficiencies and urging leadership to take action. Dunkin said cybersecurity has been a priority for her, and she said the Office of Personnel Management has provided her agency with some information about the recent hack.
“We could probably talk about security all day, ” she said. “We are working hard to ensure the security of the information assets at the EPA.”
The committee was considering Dunkin’s nomination to serve as assistant administrator for EPA’s Office of Environmental Information. Dunkin moved into the agency’s CIO spot earlier this year, as first reported by FedScoop, but she must still receive confirmation to hold the assistant administrator title associated with the CIO job. The Obama administration nominated her for the post in 2014 and again this year.
Dunkin promised in her opening statement to improve the quality of EPA’s information services delivery and offer better tools to allow staff to be more efficient. She also highlighted her efforts to bring digital services expertise into the agency.
During the hearing, committee Chairman Jim Inhofe, R-Okla., questioned Dunkin on her office’s efforts to make EPA’s grant recipient database more user friendly, an issue he’s been pushing for years. Dunkin agreed to submit a written response to his questions.
Dunkin shared the witness panel with Thomas Burke, nominated to serve as assistant administrator for EPA’s Office of Research and Development; and Jane Nishida, nominee for assistant administrator for the Office of International and Tribal Affairs.
At the end of the hearing, freshman Sen. Dan Sullivan, R-Alaska, asked the nominees whether it would be right for the committee to hold up their nominations in a bid to pressure the agency to justify recent regulations it has issued.
“Do you think it’s a legitimate exercise of our authority as the Congress, as the oversight committee, to put a hold on your nominations and confirmations until we actually get legitimate answers from the administrator?” he asked.
“Senator, I don’t feel qualified to speak to the procedural issues of this body,” Dunkin replied.
So far, the committee has not scheduled a vote on the nominees.