The Federal Information Security Management Act of 2002 (FISMA) provides direction on the development, implementation and management of an agency-wide information security program to provide protection commensurate with risk for Federal information and systems, including those managed by another agency or contractors. In accordance with FISMA, the Office of Inspector General conducted its annual independent evaluation to determine whether the Department of Energy's (Department) unclassified cyber security program adequately protected its information and systems.
Our evaluation disclosed that the Department had taken steps to enhance its unclassified cyber security program, including resolving 11 of 35 cyber security weaknesses identified during our Fiscal Year 2010 evaluation. However, additional action is needed to further strengthen the Department's unclassified cyber security program and help address threats to its information and systems. We identified numerous weaknesses in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control management, and cyber security training.
The weaknesses identified occurred, in part, because Departmental elements had not ensured that cyber security requirements included all necessary elements and were properly implemented. Program elements also did not always utilize effective performance monitoring activities to ensure that appropriate security controls were in place.