EPA says it’s ‘on target’ to complete process for cybersecurity risk assessment

Five years after a GAO recommendation, the agency commits to finishing its work by Nov. 22.
The Environmental Protection Agency's logo is displayed on a door at its headquarters on March 16, 2017, in Washington, D.C. (Photo by Justin Sullivan/Getty Images)

The Environmental Protection Agency said it is “on target” to establish a process to conduct organization-wide cybersecurity risk assessments within the next six months, putting a hard timeline on its long-awaited response to a watchdog report critical of the agency’s cyber posture.

An agency spokesperson said in an email to FedScoop that the cyber risk assessment process — recommended to the EPA in a July 2019 Government Accountability Office report — is on track to be finished “by November 22.” The EPA had previously told the GAO that it was committed to a “late summer to early fall” timeline.

In its original recommendation, the GAO made the case for the administrator of the EPA to establish a process to conduct an agency-wide cybersecurity risk assessment as a means to protect against “a growing number of threats to their information technology systems and data” — a recommendation applicable to all federal agencies. Adopting a “risk-based approach to cybersecurity by effectively identifying, prioritizing, and managing cyber risks,” the GAO said at the time, would help the EPA “better manage” its cyber risks.

While the EPA has updated its cybersecurity risk management strategy, the agency told the GAO last month that it “was continuing to plan” for the assessment and was “in the process of updating an internal procedure to address ongoing risk assessment activities.” 


The EPA spokesperson told FedScoop that updates to the agency’s enterprise risk assessment procedure would include a variety of additional performance metrics, citing logging maturity, strong authentication, critical vulnerability remediation and priority security control specifically.

The agency’s updated procedure for assessing cyber risks will also feature a modified risk-scoring system, the spokesperson added. That portion of the assessment will now include “enterprise and component-level risk scores, which will be added to the senior executive dashboard.”

“The procedures also include activities to consolidate the various cybersecurity dashboards into one overall dashboard that provides an executive level view of EPA’s risk posture,” the spokesperson said. 

In the priority open recommendations document released by the GAO this week, the watchdog warned that absent an established process for overseeing a cyber risk assessment, the EPA “may be missing opportunities to identify trends in cybersecurity risks, target systemic risks to the agency and its systems, and prioritize investments in risk mitigation activities.”

The EPA has been active recently on the cybersecurity front, stepping up its warnings to the country’s water utilities of increasingly serious cyber threats. This month, the agency issued an alert about rising threats to the water sector and said it will boost its inspections and enforcement efforts. 


That alert came two months after an EPA and White House warning to U.S. governors about cyberattacks capable of “disabling” water facilities. The EPA said it would establish a task force focused specifically on defending the water sector from cyber threats.

Matt Bracken

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at

Latest Podcasts