Audit of the EPA’s Compliance with the Federal Information Security Modernization Act for Fiscal Year 2025
July 14, 2026 | Report No. 26-P-0041
Why We Did This Report
We conducted this audit to assess the EPA’s compliance with the FY 2025 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics. The Federal Information Security Modernization Act requires the inspector general of each agency to conduct an independent evaluation each year to determine the effectiveness of the agency’s information security program and practices.
Summary of Findings
The Agency achieved Level 4 ratings for 19, or more than three-quarters, of the 25 fiscal year 2025 metrics, and we concluded that the EPA’s information security program achieved an overall maturity rating of Level 4. This maturity rating indicates that the program is “managed and measurable." However, we did identify program deficiencies in the areas of data loss prevention, supply chain risk management controls, and role-based training compliance.
Report Materials
OIG Independence of EPA
The EPA's Office of Inspector General is a part of the EPA, although Congress provides our funding separate from the agency, to ensure our independence. We were created pursuant to the Inspector General Act of 1978, as amended.
Environmental Protection Agency | Office of Inspector General
1200 Pennsylvania Avenue, N.W. (2410T) | Washington, DC 20460 | 202-566-2391
OIG Hotline: 1-888-546-8740.