IG raps DOE certification/accreditation program
- By Wilson P. Dizard III
- Jan 09, 2007
The Energy Department's Office of Inspector General found fault with DOE's IT security during its latest review of the troubled program. DOE's certification and accreditation (C&A) program still falls short of federally mandated requirements, despite warnings in past IG reports that Energy's C&A process needs improvement.
The new IG report, 'Certification and Accreditation of Unclassified Information Systems,' notes that C&A evaluations required by law and departmental guidance must be performed on all systems and remain in effect for three years unless a system is substantially changed.
The IG pinpointed several shortcomings in Energy's C&A process, such as:
- Nine of the 14 sites the auditors reviewed had not properly assessed the potential risk to their systems and had not adequately tested or evaluated system security controls.
- In many cases, DOE officials accredited systems even though they had not received adequate or complete risk information.
- Six of the 14 sites the IG's staff checked had not identified the 'residual risk' associated with systems that continued to operate.
- At two sites, the responsibility for accepting IT system risk and clearing the systems to operate had been improperly delegated to a contractor employee.
The report went on to cite several causes for these problems, including:
- Security procedures that did not comply with National Institute of Standards and Technology requirements;
- Improper compliance reviews by the CIO and other department organizations; and
- Rushed schedules to complete C&A reviews at field offices.
Department officials endorsed the IG's recommendations to strengthen DOE's technology security practices. They said that the task of improving the department's IT security would be a high priority in 2007, according to the report.