January 5, 2018
Department of Energy’s Implementation of the Cybersecurity Information Sharing Act of 2015
The Cybersecurity Information Sharing Act of 2015 (Cybersecurity Act) was signed into law on December 18, 2015, to improve the Nation’s cybersecurity through enhanced sharing of information related to cybersecurity threats. To address privacy and civil liberty concerns, Federal agencies were required to retain, use, and disseminate only information that is directly related to a cybersecurity threat and remove personally identifiable information not directly related to a cyber threat to prevent unauthorized use or disclosure. In addition, the Cybersecurity Act required Inspectors General to report to Congress at least every 2 years on the sufficiency of information sharing policies, procedures, and guidelines. We participated in a joint review led by the Office of the Inspector General of the Intelligence Community to summarize the efforts taken by six agencies, including the Department of Energy. To support the joint report, we performed this audit to determine whether the Department had taken actions consistent with the requirements of the Cybersecurity Act.
We determined that the Department had taken actions to carry out the requirements of the Cybersecurity Act; however, we identified several opportunities for improvement. Specifically, while the Department had taken actions related to: (1) development of policies and procedures; (2) sharing and use of cyber threat indicators and defensive measures; and (3) management and accounting of private sector security clearances for individuals responsible for sharing threat information, we noted that challenges existed that could have an impact on the sharing of cyber threat information in accordance with the Cybersecurity Act. Furthermore, although we did not test the effectiveness of the Department’s efforts to implement the Cybersecurity Act, we did identify several opportunities for improvement related to managing the cyber information sharing process.
Topic: Management & Administration