December 11, 2012

Follow-up Audit of the Department's Cyber Security Incident Management Program

The Federal Information Security Management Act of 2002 requires each agency to implement procedures for detecting, reporting and responding to cyber security incidents, including notifying and consulting with the Federal information security incident center, law enforcement agencies and Inspectors General.  To meet this requirement and counter the threat posed by cyber attacks, the Department's Office of the Chief Information Officer, the National Nuclear Security Administration (NNSA) and a number of field sites established organizations to provide expertise in preventing, detecting, responding to and recovering from cyber security incidents.  In 2008, we reported in The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) that the Department and NNSA established and maintained a number of independent, at least partially duplicative, cyber security incident management capabilities.

Although certain actions had been taken in response to our prior report, we identified several issues that limited the efficiency and effectiveness of the Department's cyber security incident management program and adversely impacted the ability of law enforcement to investigate incidents.  For instance, we noted that the Department and NNSA continued to operate independent, partially duplicative cyber security incident management capabilities at an annual cost of more than $30 million.  The issues identified were due, in part, to the lack of a unified, Department-wide cyber security incident management strategy.  In response to our finding, management concurred with the recommendations and indicated that it had initiated actions to address the issues identified.

Topic: National Security & Safety