August 4, 2016

Department of Energy’s Implementation of Selected Controls as Defined in the Cybersecurity Act of 2015

The mission of the Department of Energy is to help ensure the Nation’s security and prosperity by addressing energy, environmental, and national security challenges.  The Department, including its contractors, relies on a variety of information resources and technology systems.  The Cybersecurity Act of 2015 (Act) required the Office of Inspector General to report on various aspects of the Department’s national security systems and information systems containing personally identifiable information.  This report summarizes the results of our review.

We found that the Department had generally developed and implemented controls related to a number of the areas covered by the Act.  However, based on the information reported by the Department, we also noted areas highlighted by the Act where the Department had not fully implemented certain types of controls.

As noted in our report, the Department had generally developed policies and procedures related to logical access controls over its national security systems and systems containing personally identifiable information.  In addition, we determined that the Department operated a decentralized program for managing software licenses and had not established detailed policies and procedures to guide the program.  Rather, programs and sites maintained a range of independent capabilities related to software inventory management.  Furthermore, although we noted mixed forensic and data exfiltration capabilities across the Department, we found limited to no digital rights management capabilities.

Topic: Management & Administration