
GAO-25-108095 1 (April 30, 2025)





GAO U.S. GOVERNMENT ACCOUNTABILITY OFFICE
441 G St. N.W.
Washington, DC 20548
Comptroller General of the United States



April 30, 2025


The Honorable Lee Zeldin
Administrator of the Environmental Protection Agency
U.S. Environmental Protection Agency
1200 Pennsylvania Ave, NW
Washington, D.C. 20460

Priority Open Recommendations: Environmental Protection Agency

Dear Administrator Zeldin:

Congratulations on your appointment. The purpose of this letter is to call your personal attention
to four areas based on GAO's past work and nine open priority recommendations, which are
enclosed.[1] Additionally, there are 73 other GAO open recommendations that we will continue to
work with your staff to address.

We are highlighting the following areas that warrant timely and focused action. Specifically:

Ensuring cybersecurity at EPA. Federal agencies face a growing number of threats to their
information technology systems and data. To protect against these threats, federal law and
policies establish that agencies should adopt a risk-based approach to cybersecurity by
effectively identifying, prioritizing, and managing cyber risks. The Environmental Protection
Agency (EPA) has updated its cybersecurity risk management strategy but has not yet
implemented GAO's recommendation that it establish a process for conducting an
organization-wide cybersecurity risk assessment. Without such a process, EPA risks not identifying emerging
trends that could impact its operations and hamper its ability to prioritize risk mitigation
investments, thus leaving the agency vulnerable to an increasing number of cyber threats.

In August 2024, EPA's Office of Inspector General found that the agency lacked fully
documented, implemented, and compliant IT procedures. Without such procedures, EPA cannot
ensure its information security program is protecting EPA systems or that its data adheres to
nationally recognized standards.

EPA is also responsible for leading, coordinating, and supporting activities to reduce
cybersecurity risk in the water sector, which includes approximately 170,000 drinking water and
wastewater systems. In August 2024, we made recommendations to EPA to help it target its
efforts and more effectively address cybersecurity risk.[2] For example, we recommended that
EPA evaluate its legal authorities and identify and request any new ones that would be needed

[1] GAO considers a recommendation to be a priority if when implemented, it may significantly improve government
operations, for example, by realizing large dollar savings; eliminating mismanagement, fraud, and abuse; or making
progress toward addressing a high-risk or duplication issue.
[2] GAO, Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and
Wastewater Systems, GAO-24-106744 (Washington, D.C.: Aug. 1, 2024).


GAO-25-108095 Open Priority Recommendations


