December 20, 2023

The Department of Energy’s Implementation of the Cybersecurity Information Sharing Act of 2015

We performed this evaluation to review the Department of Energy’s actions taken to implement the requirements of the Cybersecurity Information Sharing Act of 2015 related to policies and procedures, information sharing, and barriers.  We participated in the joint review led by the Office of the Inspector General of the Intelligence Community to assess implementation efforts by seven executive agencies during calendar years 2021 and 2022. 

Our evaluation determined that the Department had taken the actions necessary to implement the requirements of the Cybersecurity Information Sharing Act of 2015.  Specifically, we found that policies and procedures related to the sharing of cyber threat indicators were sufficient and included requirements for the removal of personally identifiable information. Officials also indicated that they were unaware of any violations by the Department regarding the failure to remove or classify information related to a cybersecurity threat.  In addition, we found that the Department had authorized security clearances for the purpose of sharing threat indicators and defensive measures with private sector representatives.

Based on the information provided by the Department, we found that almost 33,000 cyber threat indicators and defensive measures had been shared with the U.S. Department of Homeland Security during calendar years 2021 and 2022.  Similarly, we determined that the Department received over 475,000 cyber threat indicators and defensive measures from the U.S. Department of Homeland Security in calendar years 2021 and 2022. 

Considering the Department’s continued implementation of the Cybersecurity Information Sharing Act of 2015, we did not make formal recommendations for improvement.