
The Government Accountability Office (GAO) has criticized the Environmental Protection Agency (EPA) for failing to implement a comprehensive cybersecurity risk assessment process. The GAO first recommended this in 2019, to help the EPA manage cybersecurity risks across its operations. The GAO’s annual report on open priority recommendations emphasized the need for the EPA to establish this process, highlighting it as one of 12 key areas needing improvement.
Despite updating its cybersecurity risk management strategy and engaging third-party assistance, the EPA has repeatedly delayed the release of an organization-wide cybersecurity risk assessment framework. The agency now plans to release the assessment between late summer and early fall of 2024. This delay comes amid increasing concerns about the cybersecurity standards of U.S. water systems: according to a recent survey, over 70% of community water systems fail to meet EPA security standards.
The GAO also urged the EPA to address other priority areas, including enhancing water and air quality, mitigating climate risks, and improving communication and data management for drinking water and wastewater infrastructure. The watchdog stressed that implementing a comprehensive cybersecurity risk assessment is crucial for the EPA to effectively manage and mitigate cyber threats, particularly given its role in overseeing critical infrastructure like water systems.