November 8, 2012

The Department's Unclassified Cyber Security Program - 2012

As the use of information technology resources continues to expand, the number of cyber security threats against Federal agencies has also increased. To help mitigate the risks posed by such threats, the Department of Energy (Department) expended significant resources in Fiscal Year (FY) 2012 on cyber security measures designed to secure the information systems and data that support its various program operations. We noted that the Department and the National Nuclear Security Administration took corrective actions to address 40 of the 56 weaknesses identified during our prior year evaluation and initiated a transition to a more risk-based approach to securing their resources. While this is a positive trend, our current evaluation found that the types and severity of weaknesses persisted and remained consistent with prior years. In addition to the 16 previously identified weaknesses that remained uncorrected, including 4 from FY 2010, an additional 22 cyber security weaknesses were identified at various locations, including problems with access controls, vulnerability management, integrity of web applications, planning for continuity of operations, and change control management. The weaknesses identified occurred, in part, because Department elements had not ensured that cyber security requirements were fully developed and implemented. In addition, programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place. The Department concurred with the finding and recommendations, and agreed to take the necessary corrective actions.

Topic: National Security & Safety