The Department of Energy, including its semi-autonomous National Nuclear Security Administration, has taken action to address weaknesses in its unclassified cybersecurity program, according to an August report by the Office of Inspector General.
The report, which evaluated the program at 29 DOE locations from January 2024 through May 2025, said that programs and sites, after taking corrective actions, were able to close 19 of 63 recommendations made in 2024. However, 44 recommendations still remain that include weaknesses such as “risk management, configuration management, identity and access management, information security, continuous monitoring, and security training.”
Weaknesses occurred due to many factors, the report said, including sites that had not fully developed policies for implementing security controls and vulnerability management processes. Often practices were only partly effective in identifying or addressing vulnerabilities.
The report also made 79 new recommendations during fiscal 2024, bringing the total of open recommendations to 123. The recommendations emphasized addressing vulnerabilities in a timely manner, especially those repeated from prior years.
As a requirement of the Federal Information Security Modernization Act of 2014, the Office of Inspector General must conduct an independent review of DOE’s unclassified cybersecurity program to determine whether it protects the data and information systems involved. The Act also requires all federal agencies to develop and maintain agency-wide information security programs and “acceptable levels of security for the information and systems that support their operations and assets,” the report said.