October 22, 2014

The Department of Energy's Unclassified Cybersecurity Program – 2014

The use of information technology by Federal entities is evolving rapidly, leading to advancements in areas such as virtualization technologies, cloud computing, and mobile devices that offer opportunities to increase the value and accessibility of Government resources and information. However, this progression also exposes Federal information and systems to new and constantly changing threats. 

The Federal Information Security Management Act of 2002 (FISMA) established the requirement for Federal agencies to develop, implement, and manage agency-wide information security programs. FISMA mandated that agency Offices of Inspector General conduct annual independent evaluations to determine whether agencies' unclassified cybersecurity programs adequately protected unclassified data and information systems. This report documents the results of our evaluation for the Department for Fiscal Year (FY) 2014.

Although the Department, including the National Nuclear Security Administration, had taken positive actions to improve the security and awareness of the unclassified cybersecurity program in FY 2014, additional effort is needed to ensure that the risks of operating systems are identified and that systems and information are adequately secured. The issues identified occurred, at least in part, because the Department's programs and sites reviewed had not ensured that cybersecurity policies and procedures were developed and properly implemented. 

Management concurred with the report's recommendations and indicated that corrective actions had been initiated or were planned to address the issues identified in the report.

Topic: Management & Administration