The Department of Energy Took Actions Necessary to Implement the Cybersecurity Information Sharing Act of 2015
April 2, 2026
minute read time
April 2, 2026
The Department of Energy Took Actions Necessary to Implement the Cybersecurity Information Sharing Act of 2015
The Cybersecurity Information Sharing Act of 2015 (Cybersecurity Act) requires agencies to develop processes and procedures to facilitate and promote the timely sharing of cyber threat information. It also requires the Office of Inspector General to report to Congress at least every 2 years on the sufficiency of information sharing policies, procedures, and guidelines.
We participated in a joint review led by the Office of the Inspector General of the Intelligence Community to assess efforts by seven executive agencies, including the Department of Energy, to implement Cybersecurity Act requirements related to policies and procedures, information sharing, and barriers.
Our evaluation determined that the Department had taken the actions necessary to implement the requirements of the Cybersecurity Act. Specifically, we found that policies and procedures related to the sharing of cyber threat indicators were sufficient and included requirements for the removal of personally identifiable information. Officials also indicated that they were unaware of any violations by the Department regarding the failure to remove personally identifiable information related to a cybersecurity threat. In addition, Department officials informed us that security clearances were authorized for the purpose of sharing classified cyber threat indicators and defensive measures with the private sector. The Department also continued to share and receive cyber threat indicators using Automated Indicator Sharing capabilities during the period under review.
Although the barrier related to the quality of cyber threat indicators received from the Office of the Director of National Intelligence was mitigated since our 2023 evaluation, with the discontinued active feed of the Intelligence Community Analysis and Signature Tool, Department officials noted another barrier related to the quality of cyber threat indicators shared with the Department and industry partners. Specifically, information-sharing fatigue from the large quantity of cyber threat indicators was noted as an issue. While Department officials noted this barrier, we did not identify any associated impact to the sharing of threat indicators and defensive measures from calendar year 2023 through calendar year 2024.
Due to the Department’s continued implementation of the Cybersecurity Act, we did not make formal recommendations for improvement.