The Department's Unclassified Cyber Security Program – 2010
Federal information systems are routinely confronted with increasingly sustained cyber attacks –
many of which involve targeted and serious threats – executed with varying levels of technical
sophistication. The number of incidents reported by Federal agencies to the Department of
Homeland Security has, in fact, increased by over 400 percent in the past 4 years. To help
combat the escalating number and complexity of cyber security threats, the Department of
Energy expended significant funds in Fiscal Year (FY) 2010 on cyber security measures
designed to protect systems and their information. The Department's systems support various
program operations, including its energy, national security, scientific discovery and innovation,
and environmental remediation portfolios.
The State of Illinois Weatherization Assistance Program
Report on Critical Asset Vulnerability and Risk Assessments at the Power Marketing Administrations--Followup Audit
The Department of Energy's largest Power Marketing Administrations (PMAs), Bonneville,
Western Area, and Southwestern, provide wholesale electric power to utilities for use in homes,
hospitals, financial institutions and military installations. Serving the electricity supply needs of
millions of citizens in the western part of the United States, these PMAs maintain an elaborate
and extensive infrastructure that includes electrical substations, high-voltage transmission lines
and towers, and power system control centers. To protect these assets, the PMAs follow safety
and security requirements established by the Department, the North American Electric
Reliability Corporation (NERC), and the Department of Homeland Security (Homeland
Security). Under established policy, the PMAs are required to conduct vulnerability and risk
assessments of their most critical assets to: evaluate existing security systems; analyze current
threat information; identify security enhancements needed to reduce risk; and, document the
level of risk PMA management is willing to accept on individual critical assets.
In 2003, the Office of Inspector General reported in our Audit of Power Marketing
Administration Infrastructure Protection (OAS-B-03-01, April 2003) that Bonneville had
initiated, but not yet completed, vulnerability and risk assessments; Western had conducted
inadequate assessments; and, Southwestern had not conducted any assessments. Given the
importance of these efforts to safeguarding the Nation's electrical infrastructure, we initiated this
audit to determine whether the PMAs had conducted vulnerability and risk assessments.
Semiannual Report to Congress
Semiannual Report to Congress
The Department's Information Technology Capital Planning and Investment Control Activities
The Department of Energy spends approximately $2.2 billion annually on information
technology (IT) resources to help accomplish its science, security, energy supply and
environmental mission objectives. The Department's capital planning and investment control
(CPIC) process is an essential tool for managing IT investments. The Office of Management and
Budget (OMB) requires that agencies implement a well-managed CPIC process to enhance the
ability to properly set spending priorities, control investments and evaluate the success of those
investments once completed. As part of its current focus on eliminating under-performing
investments, OMB requires that agencies develop an IT Investment Portfolio and Capital Asset
Plans – two activities that are necessary to ensure new and ongoing investments are appropriately
identified and managed efficiently and effectively.
2010 Inspector General Semiannual Report to Congress