July 7, 2021

Allegations Related to the Office of Cybersecurity, Energy Security, and Emergency Response

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) was established in 2018 to protect the reliable flow of energy to Americans from emerging threats by improving energy infrastructure security and to support the Department’s national security mission.  In late 2019, the Office of Inspector General received multiple complaints related to CESER.  Specifically, it was alleged that CESER lacked internal control policies and procedures and a full-time staff to oversee its budget.  In addition, the Office of Inspector General received allegations that $7.5 million in CESER funds were allocated to Idaho National Laboratory to finance a startup company; software licenses purchased at a cost of up to $2.2 million were not used; and $2 million in CESER funds were inappropriately spent to update a General Services Administration web portal. 

We initiated this inspection to determine whether allegations received by the Office of Inspector General concerning CESER were substantiated.  The inspection was performed from March 2020 through February 2021 and reviewed the CESER program in Washington, DC.  We substantiated certain allegations related to CESER’s management.  In particular, we fully substantiated two of the allegations.  Specifically, we substantiated that there was a lack of internal controls established for CESER even though the office received more than $275 million since its inception.  In addition, we substantiated that CESER purchased $2.1 million in cybersecurity data analysis software licenses, but only used the software during a 1-month period.  Although we did not substantiate the remaining allegations, we did question the use of funds related to CESER’s procurement activities. 

The issues we identified occurred, in part, due to a lack of established internal controls.  The lack of program-level internal controls also contributed to identified weaknesses related to software acquisitions, the direction of program funds, and prematurely contracting for General Services Administration services.  Had adequate controls been implemented, the weaknesses could have been identified and actions taken to ensure activities were conducted in accordance with laws and regulations.  Overall, our review found that CESER spent approximately $2.2 million more than necessary related to the information technology acquisitions and services highlighted in the allegations. 

Management concurred with the recommendations and stated that corrective actions were planned or underway to address the issues identified in the report.  However, because timeframes for completing corrective actions were not provided, a Management Decision is required.