November 20, 2023

The Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2023

The Federal Energy Regulatory Commission (FERC) is an independent agency within the Department of Energy that assists consumers in obtaining efficient, safe, reliable, and secure energy services at a reasonable cost through appropriate regulatory and market means and collaborative efforts.  FERC’s statutory authority centers on major aspects of the Nation’s wholesale electric, natural gas, hydroelectric, and oil pipeline industries.  Congress charged FERC with the development and review of, as well as compliance with, mandatory reliability standards for the bulk-power system to increase the system’s reliability.  FERC also helps to secure the energy infrastructure from cyber and physical attacks by encouraging utilities to invest in advanced cybersecurity technology and participate in cybersecurity threat information sharing.  Given its mission and responsibilities, FERC’s information technology environment must be reliable and protected against attacks from malicious sources.

The Federal Information Security Modernization Act of 2014 (FISMA) established requirements for Federal agencies to develop, implement, and manage agency-wide information security programs to ensure that information technology resources are adequately protected.  FISMA also mandates that Inspectors General perform, on an annual basis, an independent evaluation of the agency’s information security program.  Our evaluation assessed FERC’s cybersecurity program according to FISMA security metrics developed by the Department of Homeland Security, the Office of Management and Budget, and the Council of the Inspectors General on Integrity and Efficiency.  The metrics are focused around five cybersecurity functions and nine security domains that align with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity.

Based on fiscal year 2023 test work performed by KPMG LLP, nothing came to our attention to indicate that attributes required by the Office of Management and Budget and the National Institute of Standards and Technology were not incorporated into the Federal Energy Regulatory Commission’s unclassified cybersecurity program for each of the major topic areas tested.  In particular, the Federal Energy Regulatory Commission implemented information security controls related to risk management, data protection and privacy, security training, and incident response, among others.

Because nothing came to our attention that would indicate significant control weaknesses in the areas tested by KPMG LLP, we are not making any recommendations or suggested actions related to this evaluation.