Cybersecurity at DOE still lags: IG
- By Patience Wait
- Sep 21, 2006
The Energy Department continues to struggle with information security, and many of its weaknesses are the same as in past years, according to a new report by the department's inspector general.
Even though DOE has undertaken several actions to improve its cybersecurity posture, 'we continued to observe deficiencies that exposed its critical systems to an increased risk of compromise,' according to Gregory Friedman, the inspector general. 'In several respects, these findings parallel those reported in 2005.'
The cybersecurity evaluation was conducted by the IG's office in accordance with provisions in the Federal Information Security Management Act, Friedman wrote. DOE has received an F on its FISMA scorecard every year since the measurement was implemented in 2001.
Among the problems the IG identified:
- Even though DOE has made improvements in reporting methodologies and standards, it has not yet completed a 'complex-wide inventory' of its IT systems;
- Many system certifications and accreditations have not been performed, or are inadequate because they lack essential elements such as annual self-assessments and independent testing of security controls;
- Contingency planning for continuity of operations in the event of an emergency or disaster has not been completed for some critical systems; and
- Weaknesses still exist in physical, logical access and change controls intended to protect computer resources from modification, loss or disclosure of information to unauthorized individuals.
DOE's attempts to improve its cybersecurity measures were challenged in part by its organizational structure, the report said.
'Continuing cybersecurity weaknesses occurred, at least in part, because program and field elements did not always implement or properly execute existing departmental and federal cybersecurity requirements,' Friedman wrote. 'In a number of instances, cybersecurity weaknesses exposed through internal and external reviews were not addressed in a timely manner or tracked to resolution.'
While the IG's report did not include any information regarding specific weaknesses or critiques of component agencies' practices, the National Nuclear Security Administration has come under fire recently for failure to manage the disposition of old computer equipment.
The NNSA also came under fire in August when it became known that the agency had suffered a theft of employees' information in June 2004. The theft wasn't discovered for more than a year, and officials did not report the loss for almost a year after that.
The report stated that DOE has recently begun a 'revitalization effort' intended to improve management of the cybersecurity program throughout the department. The department is 'emphasiz[ing] line management's responsibility, through each of the under secretaries, to ensure that systems and data under their operational control are secure.' 'The department and its program elements also recently developed policies and guidance to address Office of Management and Budget requirements for ensuring security over personally identifiable information.'
DOE's IT management team has undergone a complete overhaul this year, with Tom Pyke named CIO in January, William Hunteman promoted to CISO in April, and Carl Staton named deputy CIO in August.
Friedman added that the IG's office is conducting a separate review of certification and accreditation programs across the department.