December 14, 2020

Contingency Planning Efforts for Information Technology Mission Support Systems at Selected Department of Energy Locations

Information technology (IT) mission support systems and their related functions play a paramount role in the Department of Energy’s ability to accomplish its day-to-day missions.  However, information systems are vulnerable to a variety of disruptions ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire).  Ensuring that IT support systems are available at critical moments can impact the Department’s ability to withstand or recover from disruptions.  Contingency planning supports this requirement through the establishment of thorough plans, procedures, and technical measures that enable a system to be recovered as quickly and effectively as possible following a service disruption.

Because of the importance of the Department’s missions, it is imperative that the Department understand the impact of potential disruptions on its computing environment and be able to maintain or restore its information systems and maintain operations, as appropriate.  As such, we initiated this audit to determine whether the Department had adequately planned for the restoration of IT mission support systems and functions in accordance with established requirements to ensure functionality in the event of a disruption.

The Department had not always adequately planned for the restoration of information systems in accordance with established requirements to ensure availability and functionality in the event of a disruption.  Specifically, we found that three of the four sites reviewed had not fully implemented contingency planning requirements related to development of a Business Impact Analysis as identified in Federal requirements.  In addition, sites had not fully developed Information System Contingency Plans in accordance with Federal guidance for 10 of the 17 systems reviewed.

The weaknesses identified were due primarily to inappropriate interpretations of contingency planning requirements by Federal and contractor officials.  Management concurred with the recommendations and stated that corrective actions were planned to address the issues identified in the report.

Topic: Cybersecurity