May 2, 2023

The Department of Energy’s Unclassified Cybersecurity Program – 2022

The Federal Information Security Modernization Act of 2014 (FISMA) requires the Office of Inspector General to conduct an annual independent evaluation to determine whether the Department of Energy’s unclassified cybersecurity program adequately protected its data and information systems.  As part of that evaluation, the Office of Inspector General is required to assess the Department’s cybersecurity program according to FISMA security metrics issued by the Office of Management and Budget and the Council of the Inspectors General on Integrity and Efficiency.

We conducted this evaluation to determine whether the Department’s unclassified cybersecurity program adequately protected data and information systems.

Our fiscal year 2022 FISMA evaluation determined that the Department, including the National Nuclear Security Administration, had not taken appropriate actions to address many previously identified weaknesses related to its unclassified cybersecurity program.  Although actions were taken to close 23 of 61 recommendations from our prior evaluations, 38 recommendations remained open.  We also issued 35 new recommendations, many of which were similar in type to the deficiencies identified in our previous reports.

The weaknesses identified occurred for a variety of reasons.  For instance, weaknesses related to system integrity of web applications generally occurred because the applications were configured without adequate security controls designed to reject malicious input.  In addition, identity and access management weaknesses occurred because officials were unaware of, or had not implemented, current account management requirements.

To correct the cybersecurity weaknesses identified throughout the Department, we made 73 recommendations (of which 38 were made during prior evaluations) to the Department’s programs and sites, including those identified during this evaluation and in other issued reports.  Specific recommendations were made to each of the locations where weaknesses were identified.  Corrective actions to address each of the recommendations, if fully implemented, should enhance the Department’s unclassified cybersecurity program.  Management concurred with all but two recommendations issued to programs and sites related to improving the Department’s cybersecurity program.