The Environmental Protection Agency said it is “on target” to establish a process to conduct organization-wide cybersecurity risk assessments within the next six months, putting a hard timeline on its long-awaited response to a watchdog report critical of the agency’s cyber posture.
An agency spokesperson said in an email to FedScoop that the cyber risk assessment process — recommended to the EPA in a July 2019 Government Accountability Office report — is on track to be finished “by November 22.” The EPA had previously told the GAO that it was committed to a “late summer to early fall” timeline.
In its original recommendation, the GAO made the case for the administrator of the EPA to establish a process to conduct an agency-wide cybersecurity risk assessment as a means to protect against “a growing number of threats to their information technology systems and data” — a recommendation applicable to all federal agencies. Adopting a “risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing cyber risks,” the GAO said at the time, would help the EPA “better manage” its cyber risks.
While the EPA…
