The Department of Energy’s Unclassified Cybersecurity Program – 2023
May 22, 2024
May 17, 2024
The Federal Information Security Modernization Act of 2014 requires Federal agencies to develop, implement, and manage agency-wide information security programs. Agencies are also required to provide acceptable levels of security for the information and systems that support their operations and assets.
The Federal Information Security Modernization Act of 2014 also mandates that the Office of Inspector General conduct an independent evaluation to determine whether the Department of Energy’s unclassified cybersecurity program adequately protected its data and information systems in accordance with Federal and Department requirements.
Our fiscal year 2023 Federal Information Security Modernization Act of 2014 evaluation determined that the Department, including the National Nuclear Security Administration, had taken actions to address some of the previously identified weaknesses related to its unclassified cybersecurity program. Actions were taken to close 45 of 73 (62 percent) recommendations from our prior year audits and evaluations. We also issued 39 new recommendations, many of which were similar in type to the deficiencies identified in our previous reports.
The weaknesses identified occurred for a variety of reasons. For instance, findings at some Department sites related to configuration and vulnerability management practices revealed vulnerabilities that could have allowed malicious attacks, which in turn could have disrupted normal business operations or negatively affected system and data reliability. Identity and access management weaknesses occurred because officials were unaware of, or had not implemented, current account management requirements.
Without improvements to address the weaknesses identified in our report, the Department may be unable to adequately protect its information systems and data from compromise, loss, or modification. Weaknesses will continue to exist in areas such as risk management, configuration management, identity and access controls, and security continuous monitoring.
When fully implemented, our recommendations should help to enhance the Department’s unclassified cybersecurity program. The Department should emphasize closing findings in a timely manner, especially those findings repeated from prior years. As cybersecurity remains an ongoing challenge, it is important that the Department identify the root causes of its ongoing cybersecurity issues and take corrective actions.