November 3, 2015

The Department of Energy's Unclassified Cybersecurity Program – 2015

The Federal Information Security Management Act of 2002 established the requirement for Federal agencies to develop, implement, and manage agency-wide information security programs.  Federal agencies are also required to provide acceptable levels of security for the information and systems that support their operations and assets.  Recently, the Federal Information Security Modernization Act of 2014, signed into law on December 18, 2014, modified the scope of agency reporting requirements to include specific information about security threats, incident reporting, and cyber breach notifications.  As mandated by each of these laws, the Office of Inspector General is responsible for conducting an annual independent evaluation to determine whether the Department of Energy’s (Department) unclassified cybersecurity program adequately protected its data and information systems.  This report documents the results of our evaluation for the Department for fiscal year (FY) 2015. 

The Department, including the National Nuclear Security Administration, had taken a number of positive steps over the past year to address previously identified cybersecurity weaknesses related to its unclassified cybersecurity program.  Specifically, we noted that the Department made significant progress in remediating weaknesses identified in our FY 2014 evaluation, which resulted in the closure of 22 of 26 reported deficiencies.  While these actions were positive, our current evaluation found that the types of deficiencies identified in prior years, such as issues related to security reporting, vulnerability management, system integrity of Web applications, and account management continued to persist.

The weaknesses identified occurred, in part, because the Department had not ensured that policies and procedures were fully developed and/or implemented to meet all necessary cybersecurity requirements.  In addition, the Department had not always implemented an effective performance monitoring and risk management program.  For instance, we continued to identify concerns with the Department’s implementation of plans of action and milestones to track corrective actions for its vulnerability management programs.  Furthermore, we noted that risk management processes at locations reviewed were not always effective to identify and remediate cybersecurity weaknesses.

Topic: Management & Administration