CISA Needs to Improve Collaboration to Enhance Cyber Resiliency in the Water and Wastewater Sector

Date Issued

Wednesday, January 10, 2024

Submitting OIG

Department of Homeland Security OIG

Other Participating OIGs

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Report Number

OIG-24-09

Report Description

The Cybersecurity and Infrastructure Security Agency (CISA) had extensive products and services to manage risks and mitigate cybersecurity threats to critical water and wastewater infrastructure and increase its resiliency. However, CISA did not consistently collaborate with the Environmental Protection Agency and the Water and Wastewater Systems Sector to leverage and integrate its cybersecurity expertise with stakeholders’ water expertise.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
We recommend the CISA Director establish and implement a written Memorandum of Understanding with EPA to fully document each agency’s roles and responsibilities and mechanisms for collaboration.
2	No	$0	$0
We recommend the CISA Director develop and implement comprehensive policies and procedures regarding its collaboration with EPA and other Water and Wastewater Systems Sector stakeholders. These policies and procedures should address: • the Water Sector Liaison’s roles and responsibilities; • what information should be shared with stakeholders; • how often and when divisions should coordinate their communications; and • how best to facilitate information sharing about cyber threats, vulnerabilities, incidents, potential protective measures, and best practices, in both routine and urgent circumstances.
3	No	$0	$0
We recommend the CISA Director have an agency-wide requirement to develop and implement standard operating procedures to improve regular communication among CISA divisions relevant to the Water and Wastewater Sector or other critical infrastructure Sectors and share that information and updates on projects, decisions, and lead roles and responsibilities related to the Water and Wastewater Systems Sector and other sectors as appropriate.