June 6, 2022

The Department of Energy’s Unclassified Cybersecurity Program – 2021

The Federal Information Security Modernization Act of 2014 requires the Office of Inspector General to conduct an annual independent evaluation to determine whether the Department of Energy’s unclassified cybersecurity program adequately protected its data and information systems during the fiscal year.  As part of that evaluation, the Office of Inspector General is required to assess the Department’s cybersecurity program according to Federal Information Security Modernization Act of 2014 security metrics issued by the Department of Homeland Security, the Office of Management and Budget, and the Council of the Inspectors General on Integrity and Efficiency.

We conducted this evaluation to determine whether the Department’s unclassified cybersecurity program adequately projects data and information systems.

Our fiscal year 2021 evaluation determined that the Department, including the National Nuclear Security Administration, had taken actions to address many previously identified weaknesses related to its unclassified cybersecurity program.  Weaknesses included areas related to: risk management, supply chain risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.  Many of the deficiencies were similar in type to those identified in our prior evaluations.

The identified weaknesses in the Department’s unclassified cybersecurity program occurred for a variety of reasons.  For instance, weaknesses related to configuration management, information security continuous monitoring, and contingency planning generally occurred because of deficiencies in related processes and procedures.  In addition, some of the identity and access management issues we identified occurred because officials were unaware of current account management requirements. 

To correct the cybersecurity weaknesses identified throughout the Department, we made 61 recommendations to programs and sites during fiscal year 2021 including those identified during this evaluation and in other issued reports.  Corrective actions to address each of the recommendations, if fully implemented, should help to enhance the Department’s unclassified cybersecurity program.  Management concurred with the recommendations issued to programs and sites related to improving the Department’s overall cybersecurity program.