December 30, 2019

The Department of Energy’s Implementation of the Cybersecurity Information Sharing Act of 2015

The Cybersecurity Information Sharing Act of 2015 (Cybersecurity Act) was signed into law on December 18, 2015, to improve the Nation’s cybersecurity through enhanced sharing of information related to cybersecurity threats.  The law authorized sharing of classified and unclassified cyber threat indicators and defensive measures among Federal agencies and with properly cleared representatives in the private sector. 

The Cybersecurity Act required agencies to develop processes and procedures to facilitate and promote the timely sharing of cyber threat information.  To address privacy and civil liberty concerns, Federal agencies were required to retain, use, and disseminate only information that is directly related to a cybersecurity threat and remove personally identifiable information not directly related to a cyber threat to prevent unauthorized use or disclosure.  In addition, the Cybersecurity Act required Inspectors General to report to Congress at least every 2 years on the sufficiency of information sharing policies, procedures, and guidelines.  As such, we participated in a joint review, led by the Office of the Inspector General of the Intelligence Community, to assess efforts of seven executive agencies to implement the Cybersecurity Act requirements.  In support of this joint endeavor, we performed this review to determine the Department of Energy’s actions taken to carry out the requirements of the Cybersecurity Act.

We determined that the Department had taken the actions necessary to carry out the requirements of the Cybersecurity Act.  Specifically, we found that policies and procedures related to sharing cyber threat indicators were sufficient and included requirements for the removal of personally identifiable information.   Therefore, we did not make any formal recommendations.

Our review did not test the effectiveness of the Department's efforts to implement the Cybersecurity Act; rather, our test work focused on the Department's efforts to comply with the Cybersecurity Act.  While progress has been made, Department officials indicated that barriers existed that have affected, or could affect, the sharing of cyber threat indicators and defensive measures with Federal entities.  In particular, officials identified barriers related to the costs associated with obtaining security clearances, the timeliness of obtaining and adjudicating security clearances, inconsistent communications from the U.S. Department of Homeland Security, and concerns related to liability protections for threat sources.
