December 14, 2020

Management of a Department of Energy Site Cybersecurity Program

The Department of Energy operates many facilities across the Nation that depend on information technology systems and networks for essential operations required to accomplish its national security, research and development, and environmental management missions.  To support its mission, the site reviewed uses various types of information systems that includes several key systems and applications.  The Federal Information Security Modernization Act of 2014 requires each Federal agency to develop, document, and implement an enterprise-wide cybersecurity program to protect systems and data that support the operations and assets of an agency, including those provided or managed by contractors.  We initiated this audit to determine whether the site effectively managed its cybersecurity program. 

During our test work, we noted several areas of immediate concern related to vulnerability management and the authorization of information system operations at the site.  In August 2019, we issued a management alert to ensure that management was provided with the opportunity to initiate immediate actions to address certain issues identified during our audit.  Subsequent to the issuance of the management alert, we continued our test work, and this report addresses additional risk areas and recommendations.

The site had not implemented an effective cybersecurity program in accordance with Federal and Department requirements.  Our review identified control weaknesses in each of the 14 control families tested as described in National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.  The weaknesses identified occurred, in part, due to an inadequate cybersecurity governance structure, a lack of cybersecurity performance metrics, and the existence of limited resources available for cybersecurity activities.  For instance, the site’s cybersecurity governance structure relied on program-level policy, and it had not adequately developed and/or implemented many site-specific policies and procedures.  In addition, we determined that performance metrics had not been established to incentivize the site’s operating contractor to ensure that fully effective cybersecurity practices were implemented.  Furthermore, a lack of resources dedicated to cybersecurity activities contributed to many of the weaknesses identified, including those related to security assessment and authorization, risk assessment, and audit and accountability.  To their credit, officials had initiated actions to address a number of weaknesses identified during our review.  However, absent a fully effective cybersecurity program, the site’s information systems and data will continue to be at a higher-than-necessary risk of compromise, loss, or modification.

To help improve the management of the site’s cybersecurity program, we issued a detailed report to Department management that included a total of 55 recommendations.

Management concurred with the recommendations and indicated that corrective actions were taken or planned to mitigate the findings identified in the report.

Due to the sensitive nature of the vulnerabilities identified during our audit, the report issued to the Department was for Official Use Only.  We provided site and program officials with detailed information regarding vulnerabilities that we identified.

Topic: Cybersecurity

This report is Official Use Only (OUO) and not available for public viewing.