Annual Department of Energy Cybersecurity Assessment Finds Additional Protections Needed
The Department of Energy Office of the Inspector General (OIG) released a report detailing the department’s improvements and opportunity areas for FY2019. The report is required annually per the Federal Information Security Modernization Act of 2014, which calls upon the OIG to assess if the unclassified DOE cybersecurity program is adequately protecting its data and information systems. While the office saw some progress, more must be done to ensure satisfactory security.
The report found that the department programs and sites had taken corrective actions related to vulnerability and configuration management, access controls, and integrity of web applications. This progress allowed the OIG to close 21 recommendations made during the FY2018 evaluation. While the improvement in some locations was clear, the OIG noted similar issues arising in new locations.
The FY2019 review covered 28 locations. As a result of that review, the OIG listed 34 new and four repeat recommendations at nine locations.
Vulnerability management, the process of identifying, evaluating, and either mitigating or formally accepting risks, has been a consistent issue from review to review. The most recent report noted 11 sites with unsupported software on networks or workstations, nine locations operating workstations and servers that were missing critical- and high-risk vulnerability security patches and/or updates, and one location with workstations that had outdated antivirus definitions or antivirus services that were not running correctly.
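The three vulnerability-management findings above (unsupported software, overdue critical/high patches, and stale or stopped antivirus) are the kind of condition an asset-inventory triage script can surface continuously rather than once a year at audit time. The following is an added example, not code from the OIG report or any DOE site; the inventory, the end-of-support table, the 30-day patch window, the 7-day definition window, and the risk-acceptance record are all constructed, hypothetical values chosen to exercise each finding, including the "formally accept the risk" path the paragraph mentions.

```python
"""Triage a constructed asset inventory for the three findings named in the article.

Everything below is constructed sample data; policy thresholds are hypothetical.
"""
from datetime import date

# Hypothetical end-of-support table (real dates vary by vendor and product).
END_OF_SUPPORT = {
    "ExampleOS 7": date(2018, 6, 30),
    "ExampleOS 10": date(2025, 10, 14),
}
MAX_PATCH_AGE_DAYS = 30        # hypothetical policy: critical/high patches applied within 30 days
MAX_AV_DEF_AGE_DAYS = 7        # hypothetical policy: AV definitions no older than 7 days
ACTIONABLE_SEVERITIES = {"critical", "high"}

# Constructed inventory: one host per finding plus one clean host and one
# host whose only pending patch is still inside the policy window.
INVENTORY = [
    {"host": "ws-01", "os": "ExampleOS 7", "pending_patches": [],
     "av_defs": date(2019, 9, 29), "av_running": True},
    {"host": "srv-02", "os": "ExampleOS 10", "pending_patches": [
        {"id": "PATCH-0001", "severity": "critical", "released": date(2019, 8, 1)},
        {"id": "PATCH-0003", "severity": "high", "released": date(2019, 9, 20)}],
     "av_defs": date(2019, 9, 29), "av_running": True},
    {"host": "ws-03", "os": "ExampleOS 10", "pending_patches": [
        {"id": "PATCH-0002", "severity": "low", "released": date(2019, 5, 1)}],
     "av_defs": date(2019, 9, 1), "av_running": True},
    {"host": "ws-04", "os": "ExampleOS 10", "pending_patches": [],
     "av_defs": date(2019, 9, 29), "av_running": False},
    {"host": "ws-05", "os": "ExampleOS 10", "pending_patches": [],
     "av_defs": date(2019, 9, 29), "av_running": True},
]

# Constructed risk-acceptance record: ws-01's unsupported OS is formally accepted until year end.
RISK_ACCEPTANCES = [
    {"host": "ws-01", "category": "unsupported_software", "expires": date(2019, 12, 31)},
]


def triage(inventory, today, acceptances=()):
    """Return a list of findings; each is tagged 'open' or 'accepted'."""
    findings = []
    for asset in inventory:
        host = asset["host"]
        # Unknown products are treated as unsupported: no vendor support record, no patches.
        eol = END_OF_SUPPORT.get(asset["os"])
        if eol is None or eol < today:
            findings.append({"host": host, "category": "unsupported_software",
                             "detail": f"{asset['os']} end of support {eol}"})
        for patch in asset["pending_patches"]:
            age = (today - patch["released"]).days
            if patch["severity"] in ACTIONABLE_SEVERITIES and age > MAX_PATCH_AGE_DAYS:
                findings.append({"host": host, "category": "missing_patch",
                                 "detail": f"{patch['id']} ({patch['severity']}) pending {age} days"})
        if not asset["av_running"]:
            findings.append({"host": host, "category": "av_not_running",
                             "detail": "antivirus service stopped"})
        elif (today - asset["av_defs"]).days > MAX_AV_DEF_AGE_DAYS:
            findings.append({"host": host, "category": "stale_av_definitions",
                             "detail": f"definitions dated {asset['av_defs']}"})
    # A finding is 'accepted' only while a matching, unexpired acceptance record exists.
    accepted = {(a["host"], a["category"]) for a in acceptances if a["expires"] >= today}
    for f in findings:
        f["status"] = "accepted" if (f["host"], f["category"]) in accepted else "open"
    return findings


def summarize(findings):
    """Map each finding category to the sorted list of affected hosts."""
    by_category = {}
    for f in findings:
        by_category.setdefault(f["category"], []).append(f["host"])
    return {k: sorted(v) for k, v in by_category.items()}


if __name__ == "__main__":
    for f in triage(INVENTORY, date(2019, 9, 30), RISK_ACCEPTANCES):
        print(f"{f['host']:8} {f['category']:22} {f['status']:9} {f['detail']}")
```

Run as-is it prints one line per finding with its status. The design point is the last loop: an accepted risk is still reported, just with a different status, so an expired acceptance automatically reopens the finding instead of silently disappearing from the report.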
The report noted, “We concluded that all locations reviewed implemented certain controls to mitigate risks associated with security weaknesses. However, we determined that the mitigating controls may not always be effective and could result in unauthorized access to systems and information, as well as loss or disruption to operations.”
The report found that configuration management has also improved somewhat over the last year, but noted two new opportunity areas for improving the integrity of information systems and one carried over from last year that must be further addressed.
In four locations, the OIG reported weaknesses related to system integrity. The OIG reported that these weaknesses occurred because “Web application session management was configured without ensuring that adequate data confidentiality safeguards were in place and operating effectively.”
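The quoted finding does not say which confidentiality safeguard was missing. The most common concrete form of that weakness, and the assumption behind this added example (not code from the report or any DOE site), is a session cookie issued without the `Secure` and `HttpOnly` attributes, or issued over plain HTTP at all, so the session identifier can be exposed in transit or to scripts. The checker below parses `Set-Cookie` response headers and reports those gaps; the sample responses and the list of session-cookie names are constructed.

```python
"""Audit Set-Cookie headers for session-cookie confidentiality safeguards.

Constructed sample responses; the session-cookie name list is a hypothetical starting set.
"""

# Hypothetical list of cookie names treated as session identifiers (case-insensitive).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    RFC 6265 forbids ';' inside cookie values, so splitting on ';' is safe.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_session_cookies(scheme, set_cookie_headers):
    """Return a list of (cookie_name, issue) pairs for session cookies only."""
    issues = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        if scheme.lower() != "https":
            issues.append((name, "session cookie issued over plaintext HTTP"))
        if "secure" not in attrs:
            issues.append((name, "missing Secure attribute"))
        if "httponly" not in attrs:
            issues.append((name, "missing HttpOnly attribute"))
    return issues


# Constructed responses: (URL scheme, list of Set-Cookie header values).
WEAK_RESPONSE = ("http", ["JSESSIONID=abc123; Path=/", "theme=dark; Path=/"])
HARDENED_RESPONSE = ("https", ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])

if __name__ == "__main__":
    for label, (scheme, headers) in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = audit_session_cookies(scheme, headers)
        print(f"{label}: {found if found else 'no issues'}")
```

The check deliberately ignores cookies that are not session identifiers, so a preference cookie set over HTTP does not generate noise; in a real review you would feed it the `Set-Cookie` headers captured from an authenticated login response.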
The report also noted opportunity areas relating to cybersecurity and privacy training, ensuring only legitimate users have access to controls, and security control testing and continuous monitoring.
The report provides a total of 54 recommendations for improving each area of concern within each location of the department.