Security worries lead EPA to re-evaluate e-Manifest data submissions

Agency needs to further consider homeland security

Posted July 5, 2018

Just days before the June 30, 2018, launch of the new hazardous waste electronic manifest (e-Manifest) system, EPA’s Office of Inspector General (OIG) released a “Management Alert” calling for a reevaluation of the system’s security. The OIG warns that a breach of hazardous material information within e-Manifest could facilitate terrorist or other criminal activities.

The problem, according to the alert, is that EPA categorized the sensitivity of the information within the e-Manifest system at an insufficient level. The National Institute of Standards and Technology (NIST) provides guidelines federal agencies must use for categorizing systems based on risk to determine minimum information system security controls.

This means that for now, manifests that contain Department of Homeland Security (DHS) chemicals of interest (certain acute hazardous wastes with P or U codes) must be mailed to EPA and may not be submitted to the e-Manifest system. A list of the specific waste codes affected is located on EPA’s e-Manifest development website. Look for “COI P U waste codes” in CSV format or PDF format.

According to the OIG, the low-level categorization occurred for several reasons:

  1. Personnel responsible for categorizing the sensitivity of the e-Manifest system and information did not sufficiently consider the homeland security implications of chemicals of interest.
  2. EPA personnel considered the e-Manifest information to be in a low risk category that only requires minimal system security controls to be implemented to protect the information.
  3. EPA did not consider further uses of the e-Manifest system (e.g., the system could potentially be used by first responders in their efforts to remediate incidents involving the transportation of hazardous waste).

The OIG concluded that EPA would place sensitive hazardous waste information in its system unless it implemented stronger minimum information system security controls.

Recommendations

The OIG recommended EPA work with the DHS to get a better understanding of the risk of a data breach within e-Manifest and work with NIST to determine the proper data classification to reevaluate the categorization of the data within e-Manifest. The OIG also recommended that EPA regularly reevaluate the categorization.

EPA’s response

The OIG briefed EPA on the issue on April 10, 2018. EPA disagreed with the finding, but agreed to implement the recommendations. In a July 2 press release, EPA said it is reevaluating whether additional security measures are necessary for a “small subset of manifest data about certain acute hazardous wastes.”


J. J. Keller's Uniform Hazardous Waste ManifestsJ. J. Keller's uniform hazardous waste manifests are EPA approved and help you comply with hazwaste manifest requirements.

 

J. J. Keller's FREE Workplace SafetyClicks™ email newsletter brings quick-read workplace safety and compliance news right to your email box.

Sign up to receive Workplace SafetyClicks™.