The Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program for Fiscal Year 2025 Was Effective
February 11, 2026
February 6, 2026
The Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to ensure that information technology resources are adequately protected. FISMA mandates that each agency Office of Inspector General, or external auditor, as determined by the Inspector General, perform an annual independent evaluation of the agency’s information security program and practices to determine its effectiveness.
As an independent agency within the Department of Energy, the Federal Energy Regulatory Commission (FERC) is mandated to comply with FISMA. Therefore, we initiated this evaluation to determine whether FERC’s unclassified cybersecurity program adequately protected data and information systems in accordance with FISMA. The Office of Inspector General contracted with KPMG LLP to assist in the assessment of FERC’s unclassified cybersecurity program. The Office of Inspector General monitored KPMG LLP’s work to ensure it complied with applicable requirements.
Our fiscal year 2025 evaluation found that FERC had adequately protected data and information systems in accordance with FISMA. Specifically, during our review of the FISMA security metrics, we determined that FERC had implemented an effective unclassified cybersecurity program within the context of the maturity model. In addition, based on our limited testing of general information technology controls and business process application controls at FERC, we determined that all selected controls were adequately designed, implemented, and operating effectively through fiscal year end.
Based on our review of the required FISMA metrics and selected controls over financial processes, we did not identify weaknesses that required immediate corrective actions related to FERC’s cybersecurity program. As such, we did not make any recommendations.