Audit Report: DOE-OIG-19-42

You are here

July 19, 2019

Management of a Department of Energy Site Cybersecurity Program

Public Law enacted by Congress required the Department of Energy to solidify and dispose of radioactive waste, decommission the facilities used in this process, and return control of the site to the state of record.  To support its environmental cleanup mission, the site reviewed uses various types of information systems.  The Federal Information Security Modernization Act of 2014 requires each Federal agency to develop, document, and implement an enterprise-wide cybersecurity program to protect systems and data that support the operations and assets of an agency, including those provided or managed by contractors.  We initiated this audit to determine whether the site managed its cybersecurity program in accordance with Federal and Department requirements.

We found that the site had not fully implemented its cybersecurity program in accordance with Federal and Department requirements.  We identified weaknesses related to vulnerability and configuration management, logical and physical access controls, contingency planning, and continuous monitoring.  As a result, the integrity, confidentiality, and availability of systems and data managed by the site may be impacted by the vulnerabilities identified during our review.  To help improve the management of the site’s cybersecurity program, we issued a detailed report to the site’s Director that included three recommendations. 

Due to the sensitive nature of the vulnerabilities identified during our audit, the report issued to the Department was for Official Use Only.  We provided site and program officials with detailed information regarding vulnerabilities that we identified.

Topic: Management & Administration