IG raps DOE certification/accreditation program

The Energy Department's Office of Inspector General found fault with DOE's IT security during its latest review of the troubled program. DOE's certification and accreditation (C&A) program still falls short of federally mandated requirements despite warnings in past IG reports that Energy's certification and accreditation process needs improvement.

The new IG report, 'Certification and Accreditation of Unclassified Information Systems,' notes that C&A evaluations required by law and departmental guidance must be performed on all systems and remain in effect for three years unless a system is substantially changed.

The IG pinpointed several shortcomings in Energy's C&A process, such as:
  • Nine of the 14 sites the auditors reviewed had not properly assessed the potential risk to their systems and had not adequately tested or evaluated system security controls.
  • In many cases, DOE officials accredited systems even though they had not received adequate or complete risk information.
  • Six of the 14 sites the IG's staff checked had not identified the 'residual risk' associated with systems that continued to operate.
  • At two sites, the responsibility for accepting IT system risk and clearing the systems to operate had been improperly delegated to a contractor employee.

The report went on to cite several causes for these problems, including:
  • Security procedures that did not comply with National Institute of Standards and Technology requirements;
  • Improper compliance reviews by the CIO and other department organizations; and
  • Rushed schedules to complete C&A reviews at field offices.

Department officials endorsed the IG's recommendations to strengthen DOE's technology security practices. They said that the task of improving the department's IT security would be a high priority in 2007, according to the report.

