Summary: DOE-OIG-25-08

The Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2024

Office of Inspector General

December 13, 2024

December 10, 2024


The Federal Energy Regulatory Commission (FERC) is an independent agency within the Department of Energy that assists consumers in obtaining economically efficient, safe, reliable, and secure energy services at a reasonable cost through appropriate regulatory and market means and collaborative efforts. FERC’s major responsibilities center on regulating the Nation’s interstate transmission and wholesale sale of electricity, the transmission and sale of natural gas, and the transportation of oil by pipeline. FERC also reviews proposals to build liquefied natural gas terminals and interstate natural gas pipelines, and licenses hydropower projects.

The Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to ensure that information technology resources are adequately protected. FISMA also mandates that each agency annually perform an independent evaluation of its information security program, conducted by its Inspector General or by an independent external auditor selected by the Inspector General. Our evaluation assessed FERC’s unclassified cybersecurity program against the FISMA security metrics developed by the Office of Management and Budget and the Council of the Inspectors General on Integrity and Efficiency. The metrics are organized around five cybersecurity functions and nine security domains that align with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.

Based on fiscal year 2024 test work performed by KPMG LLP, nothing came to our attention to indicate that attributes required by the Office of Management and Budget, the National Institute of Standards and Technology, and the Department of Homeland Security were not incorporated into FERC’s unclassified cybersecurity program. We found no indication that the reviewed general information technology controls and business process application controls implemented within FERC’s information technology environment were ineffective. Notably, our test work was limited to a review of the required FISMA metrics and select controls over financial processes; it did not include technical vulnerability testing.

Because nothing came to our attention that would indicate significant control weaknesses in the areas tested, we are not making any recommendations related to this evaluation.