Watchdog calls out EPA for continued cybersecurity concerns

The EPA has still not implemented GAO’s 2019 recommendation to develop a process for conducting an organization-wide cybersecurity risk assessment. 

The Environmental Protection Agency has still not enacted a risk assessment process to help mitigate cyber threats to the agency, the Government Accountability Office warned on Tuesday.

In its annual report on open priority recommendations for the agency, the watchdog called out the EPA for failing to outline a procedure for assessing vulnerabilities across its operations. 

“Implementing our priority recommendation to establish a process for conducting an agency-wide cybersecurity risk assessment would help EPA better manage its cybersecurity risks,” GAO said.

The unaddressed cyber guidance was one of 12 priority recommendations GAO outlined in the report, which included proposals for the EPA to enhance the nation’s water quality and air quality, mitigate climate risks and address communication and data issues regarding drinking water and wastewater infrastructure. 

The watchdog said it first recommended in 2019 that the agency create a process for conducting cybersecurity risk assessments. GAO noted that EPA updated its cybersecurity risk management strategy since that initial report, including taking steps “to develop an organization-wide perspective on cybersecurity risks.” 

The agency told the watchdog that it is “in the process of updating an internal procedure to address ongoing risk assessment activities,” including planning to release an organization-wide cyber risk assessment in “late summer to early fall of 2024.”

EPA, however, has repeatedly slow-walked the release of the cyber risk assessment framework.

The agency told GAO in 2022 that it “had engaged with a third-party Federally Funded Research Development Corporation to help develop an organization-wide cybersecurity risk assessment” and that the process was expected to be “completed in the third quarter of fiscal year 2023, pending funding.”

Agency officials subsequently told GAO in 2023 that it “planned to leverage an independent security assessment from the Federal Aviation Administration to augment its current risk assessment process.”

EPA’s lack of an organization-wide cybersecurity risk assessment comes as the agency has increasingly pressed U.S. water systems, in particular, to enhance their cyber standards. 

The EPA warned earlier this month that more than 70% of community water systems surveyed since September 2023 failed to meet its security standards. The agency said it planned to increase inspections of water systems and “will take civil and criminal enforcement actions, including in response to a situation that may present an imminent and substantial endangerment.”

Nextgov/FCW Cybersecurity Reporter David DiMolfetta contributed to this report.