November 13, 2019

Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2019

The Federal Energy Regulatory Commission (FERC) is an independent agency within the Department of Energy responsible for, among other things, regulating the interstate transmission of the Nation’s electricity, natural gas, and oil.  FERC’s mission is to assist consumers in obtaining reliable, efficient, and sustainable energy services at a reasonable cost through appropriate regulatory and market means.  To accomplish this, the information technology infrastructure that supports FERC must be reliable and protected against attacks from malicious sources. 

The Federal Information Security Modernization Act of 2014 established requirements for Federal agencies to develop, implement, and manage agency-wide information security programs, including a periodic assessment of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems and data that support the operations and assets of the agency.  In addition, the Federal Information Security Modernization Act of 2014 mandated that an independent evaluation be performed annually by the Office of Inspector General to determine whether FERC’s unclassified cybersecurity program adequately protected data and information systems.  The Office of Inspector General contracted with KPMG LLP to perform an assessment of FERC’s unclassified cybersecurity program.  This report presents the results of that evaluation for fiscal year 2019.

Based on fiscal year 2019 test work performed by KPMG LLP, we determined that FERC had implemented the tested attributes of its cybersecurity program in a manner that was generally consistent with Federal requirements.  In particular, we found no indications that management, operating, and technical controls implemented within FERC’s information technology environment were not effective.

Because nothing came to our attention that would indicate significant control weaknesses in the areas tested by KPMG LLP, we are not making any recommendations or suggested actions relative to this evaluation.

Topic: Information Technology