Kenneth Fletcher
WC Monitor
10/31/2014
The Department of Energy should take more steps to strengthen its cybersecurity program, DOE’s Office of Inspector General said in a report released this week. Cybersecurity has been a growing area of concern for the Department, especially after a 2013 breach of personal information of over 104,000 individuals. The IG said in its report: “While the Department continued to make progress in correcting deficiencies identified in prior years, additional effort is needed to ensure that the risks of operating systems are identified and that systems and information are adequately secured.” It adds: “Without improvements, the Department’s unclassified cybersecurity program will continue to operate at a higher-than-necessary level of risk.”
For example, DOE still had not reported performance metric data for all of its contractor systems, and critical vulnerabilities were found on many of the systems the IG tested. “The issues identified occurred, at least in part, because the Department’s programs and sites reviewed had not ensured that cybersecurity policies and procedures were developed and properly implemented,” the report states. “For example, numerous locations had not implemented processes that could have prevented many of the weaknesses identified during our testing. In addition, as noted in our prior evaluation report, the Department’s performance monitoring and risk management programs were not completely effective.”
NNSA, EM Improve Cybersecurity in FY’14
The report does note improvements made during Fiscal Year 2014, including the approval in July of an Information Management Government Framework by DOE’s Cyber Council. The National Nuclear Security Administration is working on its Enterprise Continuous Monitoring Program. “When fully implemented, this automated solution is expected to enable the transformation of the static compliance-based risk determination process into a dynamic process, thus facilitating near real-time situational awareness and appropriate cost-effective risk-based decisions,” the IG report states.
The Office of Environmental Management is implementing its Mission Information Protection Program covering 15 sites through a continuous monitoring center. “Program capabilities included firewalls, capture of network traffic, intrusion detection, malware reverse engineering, vulnerability scanning, log management, patching of third-party products and other custom solutions that provided additional insight into the Office of Environmental Management’s cybersecurity posture,” the IG report states.
DOE Incorporating IG Recommendations in Corrective Actions
But the IG included several recommendations to further improve the program and address weaknesses that it found. That includes developing and implementing policies and procedures “to ensure that systems and information are and remain adequately secured.” Additionally, DOE should “fully develop and utilize plans of action and milestones to improve its performance monitoring program by identifying, prioritizing and tracking the progress of remediation actions for all identified cybersecurity weaknesses.”
DOE has reviewed the report and will incorporate corrective actions for the weaknesses into a plan of action and milestone report, according to a management response from acting Chief Information Officer Don Adcock. DOE largely agreed with the recommendations and said that it is updating its policies and procedures as well as its plans of action and milestones.