The U.S. Government Accountability Office warned Tuesday that the Environmental Protection Agency has not yet instituted a risk assessment process to mitigate cyber threats against the agency.
In its annual report on outstanding priority recommendations to the EPA, the watchdog accused the agency of not having procedures in place to assess vulnerabilities across its operations.
“Implementing our priority recommendation to establish a process to conduct EPA-wide cybersecurity risk assessments will enable EPA to better manage cybersecurity risks,” GAO said.
The unaddressed cyber guidance was one of 12 priority recommendations GAO outlined in its report, which included suggestions for the EPA to improve the nation's water and air quality, mitigate climate risks, and address communications and data issues related to drinking water and wastewater infrastructure.
The watchdog said it first recommended that the EPA create a process for conducting cybersecurity risk assessments in 2019. GAO noted that since its initial report, the EPA has updated its cybersecurity risk management strategy and taken steps to “develop an organization-wide perspective on cybersecurity risks.”
The agency told the watchdog it is “updating its internal procedures to address ongoing risk assessment activities,” including plans to release an organization-wide cyber risk assessment “in late summer to early fall 2024.”
However, the EPA has repeatedly delayed the release of its cyber risk assessment framework.
The agency told GAO in 2022 that it had “partnered with a third-party, federally funded Research and Development Corporation to assist in the development of an organization-wide cybersecurity risk assessment,” and that the process was scheduled to be “completed in the third quarter of fiscal year 2023, subject to funding being secured.”
Agency officials then told GAO in 2023 that they “plan to leverage an independent security evaluation from the Federal Aviation Administration to enhance our current risk assessment process.”
The EPA's lack of an organization-wide cybersecurity risk assessment comes as the agency is increasingly pushing for stronger cyber standards, particularly for the nation's water systems.
The EPA warned earlier this month that more than 70% of community water systems inspected since September 2023 will not meet safety standards. The agency said it plans to increase inspections of water systems and will “take civil and criminal enforcement actions, including responding to conditions that may pose imminent and significant danger.”
Nextgov/FCW cybersecurity reporter David DiMolfetta contributed to this report.