EPA Aims to Complete GAO-Recommended Cyber Risk Audit by November

The Environmental Protection Agency will soon be able to comply with the Government Accountability Office’s recommendation to assess its cybersecurity risk. 

In a recent email to FedScoop, an EPA spokesperson said that the agency is expected to complete its risk assessment process by Nov. 22. The spokesperson also shared that the EPA updated its procedure for assessing cyber risks to include a modified risk-scoring system and the ability to consolidate various cybersecurity dashboards to offer an executive view of the agency’s risk posture. A GAO report recommended the audit to protect the agency against “a growing number of threats to their information technology systems and data,” FedScoop reported.

In 2019, GAO made 58 recommendations for federal agencies, including the EPA, to enhance their cybersecurity risk management efforts. The audit agency said improving an organization’s cyber posture could only be possible by integrating several key practices, including designating a cybersecurity risk executive, assessing cyber risks and coordinating between cybersecurity and enterprise-wide risk management functions.

In July 2023, the agency’s Office of Inspector General said that limited resources are to blame for the EPA’s weak cyber posture, exposing the agency to the possibility of denial-of-service attacks and other hacking activities.