IG raps DOE certification/accreditation program

The Energy Department's Office of Inspector General found fault with DOE's IT security during its latest review of the troubled program. DOE's certification and accreditation (C&A) program still falls short of federally mandated requirements despite warnings in past IG reports that Energy's certification and accreditation process needs improvement.

The new IG report, 'Certification and Accreditation of Unclassified Information Systems,' notes that C&A evaluations required by law and departmental guidance must be performed on all systems and remain in effect for three years unless a system is substantially changed.

The IG pinpointed several shortcomings in Energy's C&A process, such as:
  • Nine of the 14 sites the auditors reviewed had not properly assessed the potential risk to their systems and had not adequately tested or evaluated system security controls.
  • In many cases, DOE officials accredited systems even though they had not received adequate or complete risk information.
  • Six of the 14 sites the IG's staff checked had not identified the 'residual risk' associated with systems that continued to operate.
  • At two sites, the responsibility for accepting IT system risk and clearing the systems to operate had been improperly delegated to a contractor employee.

The report went on to cite several causes for these problems, including:
  • Security procedures that did not comply with National Institute of Standards and Technology requirements;
  • Improper compliance reviews by the CIO and other department organizations; and
  • Rushed schedules to complete C&A reviews at field offices.

Department officials endorsed the IG's recommendations to strengthen DOE's technology security practices. They said that the task of improving the department's IT security would be a high priority in 2007, according to the report.

