The Environmental Protection Agency has still not enacted a risk assessment process to help mitigate cyber threats to the agency, the Government Accountability Office warned on Tuesday.
In its annual report on open priority recommendations for the agency, the watchdog called out the EPA for failing to outline a procedure for assessing vulnerabilities across its operations.
“Implementing our priority recommendation to establish a process for conducting an agency-wide cybersecurity risk assessment would help EPA better manage its cybersecurity risks,” GAO said.
The unaddressed cyber guidance was one of 12 priority recommendations GAO outlined in the report, which included proposals for the EPA to enhance the nation’s water quality and air quality, mitigate climate risks and address communication and data issues regarding drinking water and wastewater infrastructure.
The watchdog said it first recommended in 2019 that the agency create a process for conducting cybersecurity risk assessments. GAO noted that EPA updated its cybersecurity risk management strategy since that initial report, including taking steps “to develop an organization-wide perspective on cybersecurity…
