Water Sector Cybersecurity Evaluation Program

How is the Cybersecurity Evaluation Program helping water and wastewater systems build cyber resilience?

The EPA will conduct a free cybersecurity assessment for Water/Wastewater Systems (W/WSs) to identify gaps or vulnerabilities in information technology (IT) and operational technology (OT) using the EPA Cybersecurity Checklist.

What is the EPA Cybersecurity Checklist?

The Cybersecurity Checklist is a list of questions EPA derived from CISA's Cybersecurity Performance Goals to help W/WSs assess their cyber risk. The Cybersecurity Checklist is available in the EPA guidance document, EPA Cybersecurity Risk Assessment Guidance for Drinking Water and Wastewater Systems. W/WSs are encouraged to use the resources and technical assistance offered in EPA's guidance document to address identified gaps and reduce the risk of cyberattacks.

How does the Cybersecurity Evaluation program work?

A W/WS must register to receive a cybersecurity assessment. Once registered, an EPA contractor will contact the W/WS to gather basic information, provide guidance on how to prepare and schedule an assessment. During the assessment, the EPA contractor will ask the W/WS each of the questions in the Cybersecurity Checklist. The contractor will generate a report that identifies cybersecurity gaps and/or vulnerabilities in the W/WS's IT/OT based on response to the Cybersecurity Checklist. In addition, a template for a Risk Mitigation Plan will be generated, which the W/WS can use to plan and document actions to address cybersecurity gaps.

What does the W/WS need to prepare before the assessment?

The assessment will require input from management, operations, business, and IT and OT staff as appropriate. The W/WS will also need to compile any existing system documentation, diagrams, policies, and procedures to help answer the Checklist questions.

How does EPA protect the results of the W/WS Cybersecurity Assessment?

EPA does not share the results of the assessment with any party beyond the W/WS. The file is delivered using a secure file transfer. The contractor shares the anonymized, aggregated results with EPA. EPA will protect information submitted to the agency in accordance with applicable authorities.

The EPA contractor supporting this program is the Horsley Witten Group, Inc.

To register your W/WS, please visit: www.epa.gov/waterresilience/forms/epas-water-sector-cybersecurity-evaluation-program

For more information, contact: Horsley Witten Group 508-833-6600x501

Office of Water (4608T) EPA-810-F-24-001 February 2024