November 15, 2021

The Federal Energy Regulatory Commission’s Unclassified Cybersecurity Program 2021

The Federal Energy Regulatory Commission (FERC) regulates the wholesale and interstate transmission of the Nation’s electricity and natural gas and the pipeline transportation of oil. Further, FERC establishes standards to protect the reliability and cybersecurity of the bulk-power system. Given its mission and responsibilities, FERC’s information technology environment must be reliable and protected against attacks from malicious sources.

The Federal Information Security Modernization Act of 2014 establishes requirements for Federal agencies to develop, implement, and manage agency-wide information security programs to ensure that information technology resources are adequately protected. In response to the Federal Information Security Modernization Act of 2014 mandate, the Office of Inspector General contracted with KPMG LLP to assist in the assessment of FERC’s unclassified cybersecurity program. The objective of the evaluation was to determine whether FERC’s unclassified cybersecurity program adequately protected its data and information systems. This report presents the results of that evaluation for fiscal year 2021.

FERC’s unclassified cybersecurity program was effective overall. In addition, based on the results of the test work, we determined that FERC had achieved a calculated maturity level of “managed and measurable” in eight security domains. Based on fiscal year 2021 test work performed by KPMG LLP, nothing came to our attention to indicate that attributes required by the Office of Management and Budget and the National Institute of Standards and Technology were not incorporated into FERC’s unclassified cybersecurity program for each of the major topic areas tested. Because nothing came to our attention that would indicate significant control weaknesses in the areas tested by KPMG LLP, we are not making any recommendations or suggested actions relative to this evaluation.