IG raps DOE certification/accreditation program

The Energy Department's Office of Inspector General found fault with DOE's IT security during its latest review of the troubled program. DOE's certification and accreditation (C&A) program still falls short of federally mandated requirements despite warnings in past IG reports that Energy's certification and accreditation process needs improvement.

The new IG report, 'Certification and Accreditation of Unclassified Information Systems,' notes that C&A evaluations required by law and departmental guidance must be performed on all systems and remain in effect for three years unless a system is substantially changed.

The IG pinpointed several shortcomings in Energy's C&A process, such as:
  • Nine of the 14 sites the auditors reviewed had not properly assessed the potential risk to their systems and had not adequately tested or evaluated system security controls.
  • In many cases, DOE officials accredited systems even though they had not received adequate or complete risk information.
  • Six of the 14 sites the IG's staff checked had not identified the 'residual risk' associated with systems that continued to operate.
  • At two sites, the responsibility for accepting IT system risk and clearing the systems to operate had been improperly delegated to a contractor employee.

The report went on to cite several causes for these problems, including:
  • Security procedures that did not comply with National Institute of Standards and Technology requirements;
  • Improper compliance reviews by the CIO and other department organizations; and
  • Rushed schedules to complete C&A reviews at field offices.

Department officials endorsed the IG's recommendations to strengthen DOE's technology security practices. They said that the task of improving the department's IT security would be a high priority in 2007, according to the report.

