November 19, 2019

The Department of Energy’s Unclassified Cybersecurity Program - 2019

We initiated this evaluation to determine whether the Department of Energy’s unclassified cybersecurity program protected data and information systems in accordance with Federal and Department requirements. We found that opportunities existed for the Department, including the National Nuclear Security Administration, to improve the protection of unclassified information systems and data. Although the Department had taken actions over the past year to address previously identified weaknesses related to its cybersecurity program, our current evaluation identified weaknesses that were consistent with our prior reports related to vulnerability management, configuration management, system integrity of Web applications, access controls and segregation of duties, cybersecurity and privacy training, and security control testing and continuous monitoring.

The weaknesses identified in our report occurred due to a variety of reasons. For instance, we noted that vulnerability management weaknesses existed at one location because officials only conducted technical scanning for vulnerabilities on an ad-hoc basis, and the site did not have a process to regularly conduct vulnerability scanning of the entire environment. In some instances, software management tools and processes did not ensure that software was upgraded prior to the end-of-support dates. Furthermore, Web applications remained vulnerable because sites did not always ensure that appropriate safeguards were in place and operating effectively. For example, certain locations tested had not always developed and implemented adequate testing processes and procedures to identify vulnerabilities related to data confidentiality and integrity of authentication functionality in Web applications.

Throughout fiscal year 2019, management made 54 recommendations to programs and sites related to improving the Department’s cybersecurity program. Furthermore, in some instances, management provided opportunities for improvement at locations reviewed but did not issue formal recommendations. Without improvements to address the weaknesses identified in our report, the Department’s information systems and data may be at a higher-than-necessary risk of compromise, loss, and/or modification. The Office of Inspector General has continuously recognized cybersecurity as a management challenge area for the Department, emphasizing the critical need to enhance the Department’s overall security posture. In addition, the Office of Inspector General and other independent reviewers continue to identify vulnerabilities related to developing, updating, and/or implementing policies and procedures that may adversely affect the Department’s ability to properly secure its information systems and data. Therefore, additional action is necessary to help strengthen the Department’s unclassified cybersecurity program.

Topic: Management and Adminstration