IG: DOE Needs to Strengthen Cybersecurity Program

The Department of Energy should take more steps to strengthen its cybersecurity program, DOE’s Office of Inspector General said in a report released yesterday. “While the Department continued to make progress in correcting deficiencies identified in prior years, additional effort is needed to ensure that the risks of operating systems are identified and that systems and information are adequately secured,” the report states. It adds: “Without improvements, the Department’s unclassified cybersecurity program will continue to operate at a higher-than-necessary level of risk.”

 

For example, DOE still had not reported performance metric data for all of its contractor systems, and critical vulnerabilities were found on many of the systems the IG tested. “The issues identified occurred, at least in part, because the Department’s programs and sites reviewed had not ensured that cybersecurity policies and procedures were developed and properly implemented,” the report states. “For example, numerous locations had not implemented processes that could have prevented many of the weaknesses identified during our testing. In addition, as noted in our prior evaluation report, the Department’s performance monitoring and risk management programs were not completely effective.”