November 15, 2011
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011
The Federal Information Security Management Act of 2002 (FISMA) established requirements for Federal agencies related to the management and oversight of information security risks and to ensure that information technology resources were adequately protected. As directed by FISMA, the Office of Inspector General conducted an independent evaluation of the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program to determine whether it adequately protected data and information systems.
The Commission had taken actions to improve its cyber security posture and mitigate risks associated with certain issues identified during our Fiscal Year 2010 evaluation. While these measures are noteworthy, our current evaluation disclosed that additional action is needed to further protect information systems and data. Specifically, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities.
The problems we identified were due, in part, to less than fully effective implementation of cyber security policies and procedures. In particular, Commission officials informed us that they did not follow their existing Vulnerability Management Program policies due to budget and resource constraints. Although the Commission continued to make progress in improving its cyber security posture, additional actions are needed to further reduce the risk to the agency's information systems and data.
Topic: National Security & Safety