Evaluation Report: DOE-OIG-18-01

The Department of Energy’s Unclassified Cybersecurity Program – 2017

Office of Inspector General

October 11, 2017

The Department of Energy operates nearly 100 entities across the Nation and depends on information technology (IT) systems and networks for essential operations required to accomplish its national security, research and development, and environmental management missions. The systems used to support the Department’s various missions face millions of cyber threats each year ranging from unsophisticated hackers to advanced persistent threats using state-of-the-art intrusion tools and techniques. For instance, the Department responded to more than 18,000 potential incidents in fiscal year (FY) 2017 related to areas such as malicious code, information and system compromise, and unauthorized use. Many of these malicious attacks were designed to steal information and disrupt, deny access, degrade, or destroy the Department’s information systems.

The Federal Information Security Modernization Act of 2014 requires Federal agencies to develop, implement, and manage agency-wide information security programs. In addition, Federal agencies are required to provide acceptable levels of security for the information and systems that support their operations and assets. As required by the Federal Information Security Modernization Act of 2014, the Office of Inspector General conducted an independent evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected its data and information systems. This report documents the results of our evaluation of the Department for FY 2017.

We found that opportunities existed for the Department to enhance its ability to adequately protect information systems and data. The Department, including the National Nuclear Security Administration, had taken a number of actions over the past year to address previously identified weaknesses related to its cybersecurity program. In particular, programs and sites made progress remediating weaknesses identified in our FY 2016 evaluation, which resulted in the closure of 13 of 16 prior year weaknesses. While these actions were positive, our current evaluation found that the types of weaknesses identified in prior years, including issues related to vulnerability management, system integrity of Web applications, and access controls, continue to exist. In particular, we found the following:

• Although improvements were made, weaknesses continue to exist related to the Department’s vulnerability management program.

• Vulnerabilities existed related to system integrity of Web applications.

• Access control weaknesses were identified at six locations.

The weaknesses identified occurred, in part, because Department officials had not fully developed and/or implemented policies and procedures related to the issues identified in our report. Without improvements to its cybersecurity program in areas such as enhanced controls over vulnerability management and access controls, the Department’s systems and information may be at a higher-than-necessary risk of compromise, loss, and/or modification. Furthermore, without improvements to ensure that the most current Federal security requirements are implemented, programs and sites may not keep pace with the challenges facing an ever-changing cybersecurity landscape.

The Office of Inspector General has continuously recognized cybersecurity as a management challenge area for the Department, emphasizing the critical need to enhance the Department’s overall security posture. Therefore, we made several recommendations that, if fully implemented, should help strengthen the Department’s cybersecurity program. Management concurred with the report’s recommendations and indicated that corrective actions had been initiated or were planned to address the issues identified in the report.

Topic: Management & Administration