The Environmental Protection Agency (EPA) needs to address mounting cybersecurity and data management risks, including problems with a key online reporting portal and more than 41,500 terabytes of environmental data, the agency’s watchdog warned Wednesday.
In its fiscal year 2026 report on the EPA’s top management challenges, the Office of Inspector General (OIG) identified cybersecurity and data management as one of the agency’s six biggest risks. The OIG cited concerns about data reliability, network security, and artificial intelligence (AI) readiness.
Some of those concerns center on the EPA’s Central Data Exchange, which allows regulated entities to submit environmental data to agency programs. According to the OIG, the portal contains unverified users, inactive accounts, and questionable data.
“Without remediating such high-risk vulnerabilities, the EPA cannot provide assurance that its environmental data are accurate and reliable, plus it leaves the agency’s network open to threat actors,” the OIG said.
Among its recommendations, the watchdog urged the EPA to strengthen data governance and management practices while maintaining scientific and programmatic data integrity. Without those safeguards, the OIG warned, the agency could face barriers to effectively deploying AI, one of the EPA’s five priorities under the Trump administration.
The OIG said the EPA must also improve oversight of its environmental data.
Under reduction-in-force orders from the White House last year, the EPA lost nearly 23% of its staff. Scientific staff remaining in the Office of Research and Development – which oversaw the unhoused data – were moved “to program offices,” according to the OIG.
As the EPA shifts ownership of that data, the agency must determine where the information will be stored, how much storage will cost, and who will have access to it, the OIG said.
The watchdog also identified data management gaps in the EPA’s oversight of contracts and grants, saying program managers often lack the information needed to track grant progress and spending.
“The EPA relies on grantees to report information as prescribed in policy, regulation, and the award terms and conditions,” the OIG said. “However, while grantees typically provide sufficient information about their own activities, we have found that they do not always collect or provide the same level of information about their subrecipients. In other words, the agency may not have visibility into the actions of entities performing work for the grantees.”
The OIG also tied stronger data management practices to more effective AI governance.
“The EPA’s internal AI governance councils must also continue to oversee the risks of AI and work to improve how data assets are identified and inventoried across the agency,” the OIG said. “For example, the EPA needs to implement procedures to validate inventory data from the regional and program offices.”
According to the report, the EPA must also improve visibility into and documentation of its modernization efforts and AI deployments.
“[The EPA] … must continue to build its AI use case inventory, identify barriers and opportunities for automation or AI, and develop an implementation strategy,” the OIG said.
The watchdog said that strategy should include pre-deployment testing, impact assessments, continuous monitoring of AI systems, staff training, appeals processes for people affected by AI-enabled decisions, and feedback mechanisms for end users and the public.
In response, the EPA said it is actively investing in updating legacy systems and processes while improving its cybersecurity measures to secure its data. The agency said it is also establishing governance frameworks as it rolls out advanced technologies, including rigorous testing and engagement with stakeholders.
“EPA’s strategic modernization efforts will maintain the effectiveness and safety of our technological advancements and preserve the quality and security of our scientific and programmatic data, resulting in accurate and dependable data and systems that ensure secure and dependable mission delivery,” the EPA said in its response.