October 23, 2013

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2013

The Federal Energy Regulatory Commission (Commission) is an independent agency within the Department of Energy (Department) responsible for, among other things, regulating the interstate transmission of the Nation's electricity, natural gas and oil.  To help protect against continuing cyber security threats, the Commission estimated that it would spend approximately $5.8 million during Fiscal Year (FY) 2013 to secure its information technology assets, a 9 percent increase compared to FY 2012. 

The Federal Information Security Management Act of 2002 (FISMA) established requirements for Federal agencies for managing and overseeing information security risks and for ensuring that information technology resources were adequately protected.  As directed by FISMA, the Office of Inspector General conducted an independent evaluation of the Commission's unclassified cyber security program to determine whether it adequately protected data and information systems.  This report presents the results of our evaluation for FY 2013.

The Commission had taken action to improve its cyber security posture and mitigate risks associated with the weaknesses identified during our FY 2012 evaluation.  Our current evaluation, however, disclosed that additional opportunities existed to better protect information systems and data.  In particular, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities.  Due to security considerations, information on specific vulnerabilities has been omitted from this report; however, management was provided with detailed information regarding identified vulnerabilities.  The Commission concurred with the report's recommended action and stated that it had initiated corrective action to address weaknesses identified in the report. 
