August 20, 2019
Management of Cybersecurity Activities at a Department of Energy Site
In January 2019, the Office of Inspector General initiated a review to determine whether the selected Department of Energy location had effectively managed its cybersecurity program. During the course of our test work, we noted several areas of immediate concern. Due to the nature of the work conducted at the site and the use of systems that have mission critical and safety significant functions, we are issuing this management alert to ensure that management is provided with the opportunity to initiate immediate actions to address risks identified within the site’s cybersecurity program.
Preliminary results of test work conducted at the site revealed potentially significant cybersecurity vulnerabilities on the site’s general support system, including major financial management and safety applications. During the course of our audit to date, we have issued 11 recommendations to the site’s manager to help improve its cybersecurity program. Our management alert also included a recommendation to the Under Secretary for Science. Management concurred with the recommendations and indicated that corrective actions were planned to mitigate the findings identified during our preliminary review.
Due to the sensitive nature of the vulnerabilities identified during our audit, the management alert issued to the Department was for Official Use Only. We provided site and program officials with detailed information regarding the vulnerabilities that we identified.
Topic: Management and Administration