October 19, 2018

The Department of Energy’s Unclassified Cybersecurity Program – 2018 

The use of information technology by Federal agencies continues to evolve, resulting in greater opportunities for efficiencies and accessibility to Government information.  The Department of Energy operates many facilities, including National Laboratories and plants, across the Nation and depends on information technology systems and networks for essential operations required to accomplish its national security, research and development, and environmental management missions.  Advancements in technology, however, can result in increased cybersecurity threats.  For instance, the systems used to support the Department’s various missions face millions of cyber threats each year, ranging from unsophisticated hackers to advanced persistent threats using state-of-the-art intrusion tools and techniques.  Many of these malicious attacks are designed to steal information and disrupt, deny access, degrade, or destroy the Department’s information systems.

The Federal Information Security Modernization Act of 2014 requires Federal agencies to develop and implement agency-wide information security programs.  In addition, Federal agencies are required to provide acceptable levels of security for the information and systems that support their operations and assets.  As required by the Federal Information Security Modernization Act of 2014, the Office of Inspector General conducted an independent evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected its data and information systems.  This report documents the results of our evaluation of the Department for fiscal year 2018.

We identified weaknesses related to vulnerability and configuration management, system integrity of Web applications, access controls, cybersecurity and privacy awareness training, and security control testing.  Although the types of vulnerabilities identified were mostly consistent with our prior evaluations, our fiscal year 2018 review disclosed weaknesses at new locations.

To correct the weaknesses highlighted in this report, we made 25 recommendations to programs and sites during fiscal year 2018.  In addition to these program- and site-specific recommendations, we made one overall recommendation to ensure that appropriate emphasis is placed on correcting identified cybersecurity weaknesses, including addressing findings identified during our current unclassified cybersecurity evaluation; this process should include the effective use of plans of actions and milestones to improve performance monitoring by identifying, prioritizing, and tracking the progress of remediation actions for all identified cybersecurity weaknesses.

Topic: Management & Administration