October 29, 2013

The Department of Energy's Unclassified Cyber Security Program – 2013

Cyber security threats are a major concern for all Federal entities, including the Department of Energy. The Federal Information Security Management Act of 2002 (FISMA) established the requirement for Federal agencies to develop, implement and manage agency-wide information security programs, and provide acceptable levels of security for the information and systems that support the operations and assets of the agency. As part of our responsibilities under FISMA, the Office of Inspector General conducts an annual independent evaluation to determine whether the Department's unclassified cyber security program adequately protected its unclassified data and information systems.

The Department had taken a number of positive steps over the past year to correct cyber security weaknesses related to its unclassified information systems, including corrective actions to resolve 28 of the 38 conditions we identified during our FY 2012 evaluation. In spite of these efforts, we found that significant weaknesses and associated vulnerabilities continued to expose the Department's unclassified information systems to a higher than necessary risk of compromise. Our testing revealed various weaknesses related to security reporting, access controls, patch management, system integrity, configuration management, segregation of duties and security management. In total, we discovered 29 new weaknesses and confirmed that 10 weaknesses from the prior year's review had not been resolved. These problems were spread across 11 of the 26 Department locations where we performed testing.

The weaknesses identified occurred, in part, because Department elements had not ensured that cyber security requirements were fully developed and implemented. Management concurred with our findings and recommendations and has taken and/or initiated corrective actions.

Topic: National Security & Safety