June 17, 2016

Implementation of the Department of Energy’s CyberOne Initiative

In fiscal year (FY) 2013, the Department of Energy’s Deputy Secretary included CyberOne as a new Working Capital Fund (WCF) business line in the Department’s budget request.  The CyberOne business line is a financial management tool that funds the implementation of the Department’s Identity, Credential, and Access Management (ICAM) initiative and the Joint Cybersecurity Coordination Center (JC3).  The Office of the Chief Information Officer (OCIO) is responsible for the development and management of both ICAM and JC3.  According to a Department official, ICAM’s goal is to introduce a common, standardized, and trusted basis for digital identity, access management, and control services across the Department and Federal Government.  The OCIO developed JC3 with the goal of enhancing incident response and situational awareness across the Department.

CyberOne was budgeted to collect $40 million per year from the Department’s program offices to enable continued implementation of ICAM and JC3.  The Deputy Secretary directed that all items proposed for CyberOne funding be supported by a proposal detailing the services that would be offered and their associated costs.  Although not funded until FY 2014, the WCF provided approximately $60 million for CyberOne-related expenditures through FY 2015.  We initiated this audit to determine whether the CyberOne line of business was appropriately planned and managed.

Opportunities exist to improve the transparency of the CyberOne line of business to customers.  However, nothing came to our attention during our review that would indicate that the JC3 program was not being managed according to Department requirements.  Further, the Department is currently addressing issues pertaining to the ICAM initiative identified in our prior report on The Department of Energy’s Implementation of Homeland Security Presidential Directive-12 (DOE/IG-0860, February 2012).

Topic: Management & Administration