February 22, 2021
The Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program – 2020
We initiated this evaluation to determine whether the Federal Energy Regulatory Commission’s (FERC) unclassified cybersecurity program adequately protected data and information systems.
Based on fiscal year 2020 test work performed by KPMG LLP, nothing came to our attention to indicate that attributes required by the Office of Management and Budget and the National Institute of Standards and Technology were not incorporated into FERC’s unclassified cybersecurity program for each of the major topic areas tested. In particular, FERC had implemented information technology security controls for various areas such as risk management, data protection and privacy, and security training, among others.
While FERC’s cybersecurity program was effective overall, we identified a segregation of duties issue in a FERC application. Specifically, we found that a user had been granted conflicting privileges in the application, which created an internal control weakness. Although FERC had designed a control to prevent such an issue from occurring, that control had not been effectively implemented. This issue was concerning because the conflicting roles could have allowed the user to both create and approve certain items in the application. Given the segregation of duties weakness, we issued a notice of finding and recommendations to FERC.
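The finding above describes two controls: a preventive control that should refuse a role grant which would leave one user able to both create and approve, and the detective review that caught the conflict after the fact. The following is an added example, not code from the OIG report or from any FERC application; the role catalogue, permission names, conflict pairs and user assignments are constructed for illustration. It shows both controls over the same role data, including the case where a single role is itself toxic (confers both sides of a conflict), which a check that only looks at role pairs would miss.

```python
"""Segregation-of-duties (SoD) check: a preventive gate on role grants plus a
detective sweep over existing assignments.

Added example; not from the OIG report or any FERC system. All roles,
permissions, conflict pairs and users below are constructed (hypothetical).
"""

# Constructed role catalogue: role -> permissions it confers.
ROLES = {
    "requester": {"create_request"},
    "approver": {"approve_request"},
    "admin": {"create_request", "approve_request", "manage_users"},  # toxic role
    "auditor": {"read_request"},
}

# Constructed conflict matrix: a single user must never hold both members.
CONFLICTS = {
    frozenset({"create_request", "approve_request"}),
    frozenset({"manage_users", "approve_request"}),
}

# Constructed user -> roles assignments, as an audit would export them.
ASSIGNMENTS = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"requester", "approver"},  # conflicting pair of roles
    "dave": {"admin"},                   # single role that conflicts with itself
    "erin": {"auditor"},
}


def effective_permissions(roles, catalogue=ROLES):
    """Expand a set of roles into the permissions they confer."""
    perms = set()
    for role in roles:
        if role not in catalogue:
            raise KeyError(f"unknown role: {role}")
        perms |= catalogue[role]
    return perms


def sod_violations(perms, conflicts=CONFLICTS):
    """Return the conflicting permission pairs present in a permission set,
    as sorted tuples so results are deterministic."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def grant_role(assignments, user, role, catalogue=ROLES, conflicts=CONFLICTS):
    """Preventive control: refuse any grant whose resulting permission set
    would violate SoD. Returns a new assignments dict; never mutates input."""
    proposed = set(assignments.get(user, set())) | {role}
    violations = sod_violations(effective_permissions(proposed, catalogue), conflicts)
    if violations:
        raise PermissionError(
            f"grant of {role!r} to {user!r} would violate SoD: {violations}")
    updated = {u: set(r) for u, r in assignments.items()}
    updated[user] = proposed
    return updated


def can_grant(assignments, user, role, catalogue=ROLES, conflicts=CONFLICTS):
    """Boolean form of the preventive check, for callers that only need yes/no."""
    try:
        grant_role(assignments, user, role, catalogue, conflicts)
        return True
    except PermissionError:
        return False


def audit(assignments, catalogue=ROLES, conflicts=CONFLICTS):
    """Detective control: sweep existing assignments and report, per user,
    every conflicting permission pair they currently hold."""
    findings = {}
    for user, roles in assignments.items():
        violations = sod_violations(effective_permissions(roles, catalogue), conflicts)
        if violations:
            findings[user] = violations
    return findings


if __name__ == "__main__":
    for user, pairs in audit(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    print("alice -> approver allowed?", can_grant(ASSIGNMENTS, "alice", "approver"))
    print("alice -> auditor allowed?", can_grant(ASSIGNMENTS, "alice", "auditor"))
```

Two design points matter in practice. First, the check works on expanded permissions rather than on role names, so a role that bundles both sides of a conflict (the constructed "admin" here) is caught without a separate rule for it. Second, the preventive gate and the detective sweep share one conflict matrix; if the matrix is maintained in only one of them, the kind of gap the finding describes, a designed but not effectively implemented control, is easy to reintroduce.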
Management provided corrective actions that are responsive to our recommendations; therefore, a management decision is not required.