DOE IG Finds NNSA Cybersecurity Controls Weak

The National Nuclear Security Administration’s cybersecurity controls contain weaknesses that create vulnerabilities for the agency’s information systems, according to an audit report released yesterday by the Department of Energy’s Office of Inspector General. The audit found that federal requirements were not followed and cybersecurity controls were not “adequately developed, documented, or implemented,” which caused gaps in access controls, database change management, configuration management, and monitoring.  According to the report, user passwords were not changed as often as required, some devices had “open ports or missing security patches,” and features meant to restrict access to certain personnel were bypassed. The system also lacked continuous security monitoring, the report said. NNSA management accepted the audit’s recommendations to implement measures addressing these issues, and reported that corrective actions were put into place in response to the audit.