October 14, 2016

The Department of Energy’s Unclassified Cybersecurity Program – 2016

The Federal Information Security Modernization Act of 2014 requires Federal agencies to develop, implement, and manage agency-wide information security programs.  In addition, Federal agencies are required to provide acceptable levels of security for the information and systems that support their operations and assets.  As required by the Federal Information Security Modernization Act of 2014, the Office of Inspector General conducted an independent evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected its data and information systems.  This report documents the results of our evaluation of the Department for fiscal year 2016.

The Department, including the National Nuclear Security Administration, had taken a number of actions over the past year to address previously identified weaknesses related to its cybersecurity program.  In particular, the Department made progress remediating weaknesses identified in our fiscal year 2015 evaluation, which resulted in the closure of 10 of 12 prior year deficiencies.  The Department also improved the completeness of its reporting of contractor system security information to the Department of Homeland Security and the Office of Management and Budget, an issue we had reported on for several years.

While these actions were positive, our current evaluation found that the types of deficiencies identified in prior years, including issues related to vulnerability management, system integrity of Web applications, access controls and segregation of duties, and configuration management, continue to exist.  The weaknesses identified occurred, in part, because the Department had not fully developed and/or implemented policies and procedures related to the weaknesses identified in our report.  For instance, we found that the implementation of configuration and security patch management processes had not ensured that software remained secure.  In addition, Department officials had not always implemented an effective performance monitoring and risk management program, including the use of an effective cybersecurity continuous monitoring program.  We continued to identify concerns with the Department’s management of plans of action and milestones to track corrective actions for its cybersecurity program.

Topic: Management & Administration