September 25, 2006

Management Controls over the Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2006

The Federal Energy Regulatory Commission (Commission) has developed and implemented a number of information systems to support its mission of regulating the natural gas industry, hydroelectric projects, oil pipelines, and wholesale rates for electricity. Because of the increasing frequency and sophistication of cyber attacks, the potential for malicious intrusion and damage to these information technology assets and the information they contain continues to grow. During 2006, the Commission estimated that it spent almost $1 million to protect its $27 million information technology investment from cyber related threats. The importance of maintaining a robust cyber security program is well demonstrated by the debilitating effects that recent attacks on Federal organizations have had on mission performance, agency reputation, and on constituents that have been subjected to compromise of personally identifiable or sensitive data. As required by the Federal Information Security Management Act (FISMA), and consistent with Congress's desire to develop a comprehensive framework to protect the government's information technology operations and assets, the Office of Inspector General is required to perform an annual independent evaluation of the Commission's cyber security program. This evaluation is designed to assess the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of the FISMA. This memorandum and the attached report present the results of our 2006 evaluation.