January 13, 2022

The Department of Energy’s Implementation of the Cybersecurity Information Sharing Act of 2015

The Cybersecurity Information Sharing Act of 2015 (Cybersecurity Act) was signed into law in December 2015 to improve the Nation’s cybersecurity through enhanced information sharing related to cybersecurity threats. The law authorizes sharing of classified and unclassified cyber threat indicators and defensive measures among Federal agencies and with properly cleared private sector representatives. In addition, the Cybersecurity Act requires the Office of Inspector General to report to Congress at least every 2 years on the sufficiency of information sharing policies, procedures, and guidelines.

As such, we participated in a joint review led by the Office of the Inspector General of the Intelligence Community to assess efforts by seven executive agencies, including the Department of Energy, to implement Cybersecurity Act requirements related to policies and procedures, information sharing, and barriers. The objective of this evaluation was to determine the Department of Energy’s actions taken during calendar year (CY) 2019 and calendar year 2020 to implement the requirements of the Cybersecurity Act. This report summarizes the results of our review of the Department’s implementation efforts.

We determined that the Department had taken the actions necessary to implement the requirements of the Cybersecurity Act. Specifically, we found that policies and procedures related to the sharing of cyber threat indicators were sufficient and included requirements for the removal of personally identifiable information. In addition, we found that the Department had not authorized security clearances for the purpose of sharing threat indicators and defensive measures with the private sector. Based on information provided, we found that over 9 million threat indicators and defensive measures were shared by DHS with the Department during CY 2019 and CY 2020. We also determined that the Department shared over 7.6 million data items with DHS during CY 2019 and CY 2020.

However, officials indicated that the classification of cyber threat information could potentially affect the sharing of threat indicators and defensive measures. Considering the Department’s continued implementation of the Cybersecurity Act, we did not make formal recommendations for improvement.