October 30, 2015

Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2015 

The Federal Information Security Modernization Act of 2014 (FISMA) established requirements for Federal agencies to develop, implement, and manage agency-wide information security programs, including management and oversight of information security risks to ensure that information technology resources are adequately protected.  Further, FISMA mandated that agency Offices of Inspector General conduct annual independent evaluations to determine whether agencies’ unclassified cybersecurity programs adequately protected data and information systems.  This report presents the results of our evaluation for the Federal Energy Regulatory Commission (Commission) for fiscal year 2015.

Our fiscal year 2015 audit work found that the Commission had implemented the tested attributes of its cybersecurity program in a manner that was generally consistent with requirements established by the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security.  In particular, as a result of testing on a sample of targets within the Commission’s unclassified internal network, including servers and workstations, nothing came to our attention to indicate that management, operating, and technical controls implemented within that environment were not operating effectively. 

Topic: Management & Administration