
U.S. EPA Water Sector
Cybersecurity
Evaluation Program

How is the Cybersecurity Evaluation
Program helping water and wastewater
systems build cyber resilience?

The EPA will conduct a free cybersecurity assessment
for Water/Wastewater Systems (W/WSs) to identify
gaps or vulnerabilities in information technology
(IT) and operational technology (OT) using the EPA
Cybersecurity Checklist.

What is the EPA Cybersecurity Checklist?

The Cybersecurity Checklist is a list of questions EPA
derived from CISA's Cybersecurity Performance Goals to
help W/WSs assess their cyber risk. The Cybersecurity
Checklist is available in the EPA guidance document, EPA
Cybersecurity Risk Assessment Guidance for Drinking
Water and Wastewater Systems. W/WSs are encouraged
to use the resources and technical assistance offered in
EPA's guidance document to address identified gaps and
reduce the risk of cyberattacks.

How does the Cybersecurity Evaluation
program work?

A W/WS must register to receive a cybersecurity
assessment. Once registered, an EPA contractor
will contact the W/WS to gather basic information,
provide guidance on how to prepare and schedule
an assessment. During the assessment, the EPA
contractor will ask the W/WS each of the questions
in the Cybersecurity Checklist.

The contractor will generate a report that identifies
cybersecurity gaps and/or vulnerabilities in the W/WS's
IT/OT based on response to the Cybersecurity Checklist.
In addition, a template for a Risk Mitigation Plan will
be generated, which the W/WS can use to plan and
document actions to address cybersecurity gaps.

What does the W/WS need to prepare
before the assessment?

The assessment will require input from management,
operations, business, and IT and OT staff as appropriate.
The W/WS will also need to compile any existing
system documentation, diagrams, policies, and
procedures to help answer the Checklist questions.

How does EPA protect the results of the
W/WS Cybersecurity Assessment?

EPA does not share the results of the assessment with
any party beyond the W/WS. The file is delivered using a
secure file transfer. The contractor shares the anonymized,
aggregated results with EPA. EPA will protect information
submitted to the agency in accordance with applicable
authorities. The EPA contractor supporting this program
is the Horsley Witten Group, Inc.

To register your W/WS, please visit:
www.epa.gov/waterresilience/forms/
epas-water-sector-cybersecurity-
evaluation-program

For more information, contact:

Horsley Witten Group
508-833-6600x501

Office of Water (4608T)
EPA-810-F-24-001
February 2024
