To better manage and protect against cybersecurity risks, the Environmental Protection Agency (EPA) must establish an enterprise-wide cybersecurity risk assessment framework, the Government Accountability Office (GAO) said in its latest annual priority recommendations report to the agency.
GAO outlined 12 priority recommendations for EPA that fall into six focus areas – including ensuring cybersecurity at EPA.
Federal agencies continue to face a growing number of cyber threats to their systems and data. According to Federal guidelines, agencies need to effectively identify, prioritize, and manage their cyber risks to protect themselves against these threats.
“Implementing the priority recommendation to establish a process to conduct an organization-wide cybersecurity risk assessment would help EPA better manage its cybersecurity risks,” GAO wrote in the report.
The recommendation – first made to EPA in 2019 – instructs the EPA Administrator to establish a process for conducting an organization-wide cybersecurity risk assessment. According to GAO, EPA did not provide comments on the 2019 report at the time.
Since then, EPA has updated its cybersecurity risk management strategy, which calls for the agency to develop an organization-wide perspective on cybersecurity risks. As of March 2022, EPA informed GAO that it had engaged a Federally Funded Research and Development Center (FFRDC) to help develop an organization-wide cybersecurity risk assessment.
EPA also stated that it expects to begin this process in the third quarter of fiscal year (FY) 2022 and to complete it in the third quarter of FY 2023, pending funding.
“Until EPA develops an agency-wide cybersecurity risk management strategy, it will not have a consistent approach to protecting its systems and information against the increasing number and sophistication of cyber threats,” GAO noted.