The Office of Environmental Management's Mission Information Protection Program
July 21, 2021
The Department of Energy’s Office of Environmental Management (Environmental Management) was created to prepare for and manage the cleanup efforts resulting from decades of the Department’s nuclear weapons development and nuclear energy research. Information technology systems have become vital to the successful execution of its cleanup mission and operations. To enhance Environmental Management’s information assurance and cybersecurity posture, the Mission Information Protection Program (MIPP) was formed to conduct a variety of activities including, but not limited to, independent cybersecurity assessments of Environmental Management field sites through testing and validation of security controls; procuring enterprise cybersecurity tools; providing mission support cybersecurity services; and providing Information System Security Officer support for Environmental Management Headquarters. MIPP’s cybersecurity professionals are divided into the Headquarters Security System (HQSS) and Information Security Continuous Monitoring (ISCM) teams. The HQSS team assists sites in sharing and mitigating vulnerabilities and detecting malicious activity through the Environmental Management Continuous Monitoring Center. The ISCM team serves as an independent evaluator conducting cybersecurity site assessments and assistance visits within Environmental Management. During our audit, we conducted a full review of the ISCM team and a limited review of the HQSS team. No immediate issues came to our attention related to the HQSS function; therefore, we focused our review on the ISCM team.
Environmental Management sites relied on the ISCM team to assist with their annual tests of security controls. From fiscal year (FY) 2017 through FY 2019, the ISCM team was tasked to conduct cybersecurity reviews at seven sites. The ISCM process was designed to ensure that all security controls are tested over a 3-year period and that Environmental Management Headquarters and its sites remained informed of potential cybersecurity issues at the locations reviewed by the ISCM team. During recent audit work performed at two Environmental Management field sites, the Office of Inspector General identified cybersecurity program weaknesses in numerous security control areas. Although the ISCM team previously assessed the two locations’ cybersecurity programs, we identified additional weaknesses and noted that the issues previously identified by the ISCM team continued to exist. The weaknesses identified at those sites indicated potentially systemic problems related to the adequacy of Environmental Management’s MIPP ISCM evaluations and the program’s response to the results of the evaluations.