In March, MeriTalk recognized the Environmental Protection Agency (EPA) at the annual FITARA Awards ceremony for winning in the “Most Improved” category.
EPA’s Chief Information Security Officer (CISO) Tonya Manning told MeriTalk in an exclusive interview that the agency is keeping up the momentum by moving forward on several innovative cyber and IT projects – including AI implementation and supply chain cybersecurity.
Manning highlighted that EPA is still on its cybersecurity journey.
“We’re not done yet. It’s not a sprint,” she said. “Technology, it changes, requirements change, tactics of bad actors become increasingly sophisticated, so we must stay on top of that. Just generally maintaining a secure program while we implement these new priorities that come into play – specifically, we’re talking about the Federal priorities that are measured on the FITARA scorecard.”
In the 17th edition of the FITARA Scorecard, EPA earned a “B” grade – it’s third “B” in a row, up from a “C” grade in the 14th iteration of the scorecard.
To earn the “Most Improved” award, Manning said her team at EPA implemented a multi-faceted approach to cybersecurity.
“I started with garnering senior executive IT staff and information security staff’s buy-in and their support, so without that, this program would not have been successful,” Manning said.
The CISO said her team then executed a “cyber sprint” which followed a schedule of weekly meetings to measure implementation progress across the EPA, as well as challenges and solutions.
“We created an enterprise dashboard to track our progress at each component level, and then we routinely held management briefings,” she said. “As a result of those efforts, we continue to make significant and quick progress. So, we were able to surpass the Federal targets for data encryption, and we’re very close to achieving the Federal targets for MFA – which we plan to achieve this fiscal year.”
Manning highlighted other projects her team is currently prioritizing for this year at EPA, including solutions for safe and secure AI. “AI can be our best friend, but AI can also – used irresponsibly – could be our worst enemy,” she said. “We want to make sure that we are approaching it from an enterprise perspective and thinking about the best way that AI could help our customers and help our employees.”
The CISO told MeriTalk that EPA is in the midst of piloting an internal large language model with one of its technology partners.
“The other project that I’ll highlight is cybersecurity supply chain risk management,” Manning said. “We’re standing up that program and looking for solutions that will enable us to manage all cybersecurity risk that’s associated with supply chain, but also prepare us to prevent compromise to our supply chain.”
She explained that “standing up that program” means pulling from existing resources across the agency to identify what requirements are needed to implement strong cybersecurity for supply chain, and partnering with vendors to make sure that they are meeting Federal requirements for the tools they provide the EPA.
“We are collaborating with our architecture team on zero trust architecture,” Manning added. “There are a lot of tenants underneath that in terms of securing each layer of our infrastructure and all of our systems.”
“We’re also going to be closing out the year working on streamlining some of our cyber processes. Specifically at the top of that list is transitioning from that very rigid three-year authorization to operate process – we’re trying to move into continuous authorization,” she said.
Manning has been an IT and cyber leader within the Federal government for nearly three decades, and said she is most proud of being a change agent in leading award-winning organizational programs.
“During my tenure, I instituted enterprise processes and technologies and solutions that led either the department I’ve been working for or the agency to receive Federal recognition for many of our initiatives,” Manning said.
Manning said she’s always had a natural interest in technology, majoring in computer science when she was in college. She started her 28-year stint in the Federal government as an IT system administrator but made the transition to cybersecurity based off a personal experience.
“I was a victim of identity theft very early on, and it had a profound effect on me because it took years working through getting my identity back,” Manning said. “I wanted to figure out okay, I’m in the government, I’m in IT, is there some way I could help?”
She continued, “My career path didn’t lead me to identity theft and credit protection specifically, but I did find my way to information and cybersecurity which involved making sure that we were protecting and safeguarding the personal identifiable information that our customers and our employees are entrusting us to manage.”
Outside of Federal IT, Manning said she loves to spend time with her family and travel.
“An interesting and fun fact is that on my maternal side, we have about 22 sets of twins. So, my family is huge, and my grandmother actually holds the record for multiple births in her city,” Manning said. “I also love to travel. One item on my bucket list is to travel to all 50 states, and believe it or not, I only have about six left.”