March 25, 2021

The Department of Energy’s Unclassified Cybersecurity Program - 2020

The Department of Energy operates many facilities across the Nation that depend on information technology systems and networks for essential operations required to accomplish its national security, research and development, and environmental management missions.  As information technology continues to evolve, there are greater opportunities for efficiencies and accessibility to information but also increased cybersecurity threats.  In its Federal Information Security Modernization Act of 2014 Fiscal Year 2019 Report to Congress, the Office of Management and Budget reported that the number of agency-reported incidents across the Federal Government decreased by 8 percent between fiscal years (FY) 2018 and 2019.  However, this decline in incidents did not at all indicate a reduction in the cybersecurity threat posed to the Federal Government.  In fact, the systems used to support the Department’s various missions continue to face millions of cybersecurity threats each year, ranging from unsophisticated hackers to advanced persistent threats using state-of-the-art intrusion tools and techniques.  In addition, during FY 2020, the Department faced the unprecedented challenge of maintaining security over its information and systems even as a large component of its workforce worked remotely in response to COVID-19.

The Federal Information Security Modernization Act of 2014 requires Federal agencies to develop, implement, and manage agency-wide information security programs.  In addition, Federal agencies are required to provide acceptable levels of security for the information and systems that support their operations and assets.  As required by the Federal Information Security Modernization Act of 2014, the Office of Inspector General conducted an independent evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected its data and information systems.  This report documents the results of our evaluation of the Department’s cybersecurity program for FY 2020.

We determined that opportunities existed for the Department, including the National Nuclear Security Administration, to improve the protection of unclassified information systems and data.  The Department had taken actions over the past year to address previously identified weaknesses related to its cybersecurity program.  In particular, programs and sites made progress remediating weaknesses identified in our fiscal year 2019 evaluation, which resulted in the closure of 42 of 54 (78 percent) prior year recommendations.  Although these actions were positive, our current evaluation identified weaknesses in areas including system integrity of web applications, configuration management, vulnerability management, access controls, and contingency planning, many of which were consistent with our prior reports. 

The weaknesses identified throughout our evaluation of the Department’s unclassified cybersecurity program occurred for a variety of reasons.  For instance, the identified weaknesses related to system integrity of web applications generally occurred because those applications were configured without implementing adequate security controls designed to reject malicious input.  In addition, vulnerability management programs at the sites reviewed did not always include testing processes and procedures to identify vulnerabilities related to attacks against web application functionality.  We also noted that vulnerability management weaknesses existed at one location because the vulnerability management process was not fully effective in addressing known vulnerabilities, including those related to unsupported software and missing patches. 

To correct the cybersecurity weaknesses identified throughout the Department, we made 83 recommendations to programs and sites during fiscal year 2020 to include those identified during this evaluation and in other issued reports.  Corrective actions to address each of the recommendations, if fully implemented, should help to enhance the Department’s unclassified cybersecurity program.  In some instances, we also provided opportunities for improvement at locations reviewed but did not issue them as formal findings and recommendations.  Because there are no recommendations included in this report, a management decision is not required.   

Topic: Cybersecurity