December 14, 2018

Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2018 

The Federal Energy Regulatory Commission (FERC) is an independent agency within the Department of Energy responsible for, among other things, regulating the interstate transmission of the Nation’s electricity, natural gas, and oil.  FERC’s mission is to assist consumers in obtaining reliable, efficient, and sustainable energy services at a reasonable cost through appropriate regulatory and market means.  To accomplish this, the information technology infrastructure that supports FERC must be reliable and protected against attacks from malicious sources.  

The Federal Information Security Modernization Act of 2014 established requirements for Federal agencies to develop, implement, and manage agency-wide information security programs, including periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems and data that support the operations and assets of the agency.  In addition, the Federal Information Security Modernization Act of 2014 mandated that an independent evaluation be performed annually by the Office of Inspector General to determine whether FERC’s unclassified cybersecurity program adequately protected data and information systems.  The Office of Inspector General contracted with KPMG LLP to perform an assessment of FERC’s unclassified cybersecurity program.  This report presents the results of that evaluation for fiscal year 2018.

Based on fiscal year 2018 test work performed by KPMG LLP, nothing came to our attention to indicate that attributes required by the Office of Management and Budget, Department of Homeland Security, and the National Institute of Standards and Technology were not incorporated into FERC’s unclassified cybersecurity program for each of the major topic areas tested.  In particular, FERC had implemented information technology security controls for various areas such as configuration management, risk management, and security training. 

During our fiscal year 2017 test work, we became aware of a security incident involving FERC’s unclassified cybersecurity program. Upon learning of the incident, FERC officials initiated action to identify the cause of the incident, determine its impact, and implement corrective actions, as necessary. While FERC’s corrective actions related to the implementation of preventative controls are noteworthy, we found that FERC was still in the process of reviewing the impact of the incident and completing its analysis. Consistent with the recommendation included in our prior year’s evaluation, until all corrective actions are completed, we continue to recommend that the Executive Director of the Federal Energy Regulatory Commission ensure that the analysis related to the cyber incident is completed in a timely manner.