You are here

Evaluation Report: OAS-L-13-01

November 7, 2012

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2012

To achieve its mission, the Federal Energy Regulatory Commission (Commission) relies on a wide range of information technology (IT) resources to help ensure that rates and terms and conditions for the wholesale of electric energy and natural gas are just and reasonable, and promote the development of a safe, reliable and efficient energy infrastructure.  To help protect against continuing cyber security threats, the Commission estimated that it would expend approximately $5.3 million during Fiscal Year (FY) 2012 to secure its IT assets, a 39 percent increase from FY 2011.  The Commission had taken action to further improve its cyber security posture and mitigate risks associated with the weaknesses identified during our FY 2011 evaluation.  While these actions are noteworthy, our current evaluation disclosed that additional opportunities existed to better protect its information systems and data.  Specifically, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities.  As in past years, the problems we identified with the Commission's vulnerability management process were due, in part, to less than fully effective implementation of policies and procedures.  In addition, Commission officials informed us that they did not follow their existing Vulnerability Management Program policies due to budget and resource constraints.  As corrective action was initiated by management in certain instances, we made a suggestion to the Executive Director to update existing vulnerability and patch management procedures as needed to ensure that security vulnerabilities are remediated and verified in a timely manner.

Topic: National Security & Safety