November 10, 2021

Management of a Department Energy Site Cybersecurity Program

The Department of Energy operates many facilities across the Nation that depend on information technology systems and networks for essential operations required to accomplish its national security, research and development, and environmental management missions.  To support its mission, the site we reviewed uses various types of information systems, including several key systems and applications.  The Federal Information Security Modernization Act of 2014 requires each Federal agency to develop, document, and implement an enterprise-wide cybersecurity program to protect systems and data that support the operations and assets of an agency, including those provided or managed by contractors.  We initiated this audit to determine whether the site effectively managed its cybersecurity program in accordance with Federal and Department requirements.

The site had not implemented an effective cybersecurity program in accordance with Federal and Department requirements.  Our review identified control weaknesses in 15 of the 18 control families tested, as described in National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.  The issues we identified were primarily related to the ineffective implementation of controls within the National Institute of Standards and Technology’s program management family of controls.  In particular, we tested 10 program management controls and determined that 6 were not effectively implemented.  For instance, the site had not fully implemented a cybersecurity risk management strategy that required the Authorizing Official[1] to provide explicit approval for deviations from the control baseline, even though risk acceptance was required to be documented and formally accepted.  In addition, we determined that the Authorizing Official had inappropriately granted an authorization to operate the site’s enclaves at the cybersecurity program level rather than at the system, enclave, or authorization boundary level, as required.  We also noted that the authorization to operate was based on an inadequate assessment of the site’s security control environment.  Further, a lack of developed policies, procedures, and plans contributed to many of the weaknesses identified.

To their credit, site officials had created several plans of action and milestones to assist in managing, assessing, prioritizing, monitoring, and remediating known cybersecurity weaknesses.  In addition, officials made improvements to address weaknesses identified throughout our review.  However, without a fully designed and effectively implemented cybersecurity program, the site’s information and systems may be exposed to a higher than necessary level of risk of compromise, loss, modification, or non-availability.  In addition, if the Authorizing Official is not fully aware of all known risks and of the plans for addressing them, those risks may not be adequately prioritized and addressed in a timely manner.

To help improve the management of the site’s cybersecurity program, we issued a detailed report to Department management that included a total of 15 recommendations. 

Management concurred with the recommendations and indicated that corrective actions were planned or in process to address the issues identified in the report.

Due to the sensitive nature of the vulnerabilities identified during our audit, the report issued to the Department was for Official Use Only.  We provided site and program officials with detailed information regarding vulnerabilities that we identified.

[1] The Authorizing Official is a senior Federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations, assets, and individuals.