October 27, 2017

Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2017 

The Federal Energy Regulatory Commission (Commission) is an independent agency within the Department of Energy responsible for, among other things, regulating the interstate transmission and transportation of the Nation’s electricity, natural gas, and oil. The Commission’s mission is to assist consumers in obtaining reliable, efficient, and sustainable energy services at a reasonable cost through appropriate regulatory and market means. To accomplish this, the information technology infrastructure that supports the Commission must be reliable and protected against attacks from malicious sources. 

The Federal Information Security Modernization Act of 2014 established requirements for Federal agencies to develop, implement, and manage agency-wide information security programs, including periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems and data that support the operations and assets of the agency. In addition, the Federal Information Security Modernization Act of 2014 mandated that an independent evaluation be performed annually by the Office of Inspector General to determine whether the Commission’s unclassified cybersecurity program adequately protected data and information systems. The Office of Inspector General contracted with KPMG LLP to perform an assessment of the Commission’s unclassified cybersecurity program. This report presents the results of that evaluation for fiscal year 2017.

Based on fiscal year 2017 test work performed by KPMG LLP, nothing came to our attention to indicate that attributes required by the Office of Management and Budget, Department of Homeland Security, and the National Institute of Standards and Technology were not incorporated into the Commission’s unclassified cybersecurity program for each of the major topic areas tested. In particular, the Commission had implemented information technology security controls for various areas such as configuration management, risk management, and security training. For instance, testing on multiple targets within the Commission’s unclassified internal network, including servers and workstations, found the technical controls implemented within that environment were effective. 

However, near the completion of our test work, we became aware of a recent security incident involving the Commission’s unclassified cybersecurity program. Upon learning of the incident, Commission officials initiated action to identify the cause of the incident, determine its impact, and implement corrective actions, as necessary. While we commend the Commission for its response to the security incident, we are concerned that certain controls may not have been in place that could have potentially prevented the incident. At the time of our test work, the Commission was still in the process of determining the impact of the incident.

To help improve the Commission’s unclassified cybersecurity program, we made a recommendation to the Executive Director for the Commission. Management concurred with the recommended action and indicated that corrective actions had been taken or were initiated to address the issues identified in the report.

Topic: National Security & Safety