November 4, 2015

The Department of Energy’s Cybersecurity Risk Management Framework

In fiscal year 2015, the Department of Energy (Department) planned to spend at least $300 million on cybersecurity activities designed to protect information technology resources supporting its national security, energy, science, and environmental missions.  Prior Office of Inspector General audits and evaluations have indicated the need for improvements to the Department’s cybersecurity program in the areas of patch management, configuration management, and control testing.  In light of the current transition to a continuous risk-based cybersecurity management process, we initiated this audit to determine whether the Department had effectively implemented its cybersecurity risk management framework. 

The Department had made progress toward implementing an unclassified cybersecurity risk management framework designed to reduce the likelihood of compromise to its information systems and data.  For instance, the Department implemented the use of a software application to better analyze system risks, and at least one site reviewed had developed a tracking system to enhance communication with its authorizing official, the Federal official responsible for accepting risks and approving an information system for operation.  However, we found that additional effort is needed to ensure that operating system risks are identified and systems and information are adequately secured.

The weaknesses identified existed, in part, because Federal requirements for securing information systems had not been fully implemented, and the Department had not established sufficient oversight and communication to support its cybersecurity risk management program.  Specifically, key aspects of a successful risk management program were not developed or maintained.

Topic: Management & Adminstration