FISMA: Why it’s no longer just a checkbox for federal enterprise cybersecurity compliance

Water and wastewater facilities are easy targets for state-sponsored cyberattacks, presenting an unacceptable risk to the American public.

Water and wastewater facilities are easy targets for state-sponsored cyberattacks, presenting an unacceptable risk to the health and welfare of the American public. Securing the digital systems critical to safe drinking water and wastewater management requires a federal regulator and operational collaboration from local governments, service providers, and cybersecurity vendors. Market forces have failed to build cyber resilience across the “approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States,” according to the Cybersecurity and Infrastructure Security Agency.

To be an effective regulator, agencies must satisfy Federal Information Security Modernization Act (FISMA) reporting requirements, including traditional IT, IoT and OT endpoints on their networks.

“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the Office of Management and Budget memo reads. “This includes the interconnected devices that interact with the physical world — from building maintenance systems to environmental sensors to specialized equipment in hospitals and laboratories.”

“Drinking water and wastewater systems are a lifeline for communities, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks,” said Environmental Protection Agency Administrator Michael S. Regan. “EPA and [the National Security Council] take these threats very seriously and will continue to partner with state environmental, health and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems.”

Raising awareness, however, is only table stakes and needs to be increased. FISMA compliance and benchmarking maturity aside, the threat landscape for regulators and protectors, such as the EPA, is challenging. OMB is now flexing new oversight authority muscles on many agencies, including the Coast Guard, whose authorities were recently upgraded, and the EPA, which aspires to be a regulator.

What does FISMA have to do with it?

FISMA compliance and benchmarks have been graded on a curve, with the goalposts moving based on an agency or department’s determination of an incident. For example, an Atlantic Council report found, “The 2018 Annual FISMA Report to Congress indicated that seventeen of twenty-three primary federal civilian agencies had implemented such practices.” In the years following the SolarWinds breach, while the federal government has made progress in preventing intrusions and responding to breaches, holding them accountable for moderating, securing and controlling all endpoints on their network is no longer an objective but a requirement as a department or agency can’t be an effective regulator if it can’t secure its networks, systems and data.

To enhance its credibility in the water and wastewater sector, the EPA would benefit from having cybersecurity expertise in several key areas:

Understanding of the cyber threat landscape

EPA regulators must be well-versed in the evolving cybersecurity threats targeting critical infrastructure, including water and wastewater systems. This includes knowledge of common cyberattack vectors, such as ransomware, phishing and insider threats.

Risk assessment and management

Cybersecurity experts within the EPA should be capable of conducting comprehensive risk assessments specific to water and wastewater systems. This involves identifying vulnerabilities, assessing the potential impacts of cyberattacks, and prioritizing mitigation efforts based on risk levels.

Incident response planning

EPA regulators should be skilled in developing and reviewing incident response plans for water and wastewater utilities. This involves establishing protocols for detecting, responding to and recovering from cybersecurity incidents effectively to minimize disruption and damage.

Technology and systems understanding

A strong understanding of the technology and systems used in water and wastewater treatment facilities is essential for assessing cybersecurity risks accurately. This includes knowledge of Supervisory Control and Data Acquisition (SCADA) systems, Industrial Control Systems (ICS), Programmable Logic Controllers (PLCs), and other critical infrastructure components.

Continuous monitoring and compliance auditing

EPA cybersecurity experts should be capable of monitoring the cybersecurity posture of water and wastewater systems on an ongoing basis and performing compliance audits to ensure adherence to regulatory requirements and best practices.


“Water, water, everywhere, and not any drop to drink” – “The Rime of the Ancient Mariner,” Samuel Taylor Coleridge

In January, Easterly revealed in testimony to Congress that the U.S. had thwarted a major attack intended to embed malware within the nation’s critical infrastructure – including targeting water treatment facilities. Analysis revealed the discovery of a botnet of hundreds of small office and home routers controlled by Chinese hackers.

In November 2023, the Aliquippa Municipal Water Authority in Pittsburgh experienced a cyberattack after one of its booster stations was hacked by an Iranian-backed cyber group known as ‘Cyber Av3ngers.’ Attacks on critical infrastructure in Denmark in May 2023 also caught the attention of security experts worldwide because they affected 11 Danish companies within critical infrastructure, where Russian attackers targeted an unpatched firewall as an entry point.

Other major critical infrastructure breaches include the 2022 compromise of the Florida water treatment facility near Tampa days before the Super Bowl.

Critical infrastructure is proving to be an easy target with a high margin of success. While the EPA aspires to follow in the footsteps of the Transportation Security Administration and Food and Drug Administration to provide cybersecurity rules for their sectors, Congress will need to provide the EPA with these new authorities. In the interim, the EPA, along with all federal regulators that fall under FISMA, need to ensure they can do their work without being held hostage by malicious cyber actors by securing their networks and, by doing so, setting the best example for their sectors.

Alison King is vice president of government affairs at Forescout. Before joining Forescout, Alison spent over a decade in the federal civil service, working for the Department of the Navy and the Cybersecurity Infrastructure Security Agency (CISA).

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    (Getty Images/iStockphoto/monsitj)defocus dots and lines connection on abstract technology background.

    New FISMA guidance strikes familiar cyber tune, but can OMB change out the instruments?

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    FISMA reform bill moves forward in Senate, while CMMC goes to White House review

    Read more
    (Amelia Brust/Federal News Network)

    Federal CISO DeRusha: FISMA report details a key part of cyber roadmap

    Read more