IG raps DOE certification/accreditation program

The Energy Department's Office of Inspector General found fault with DOE's IT security during its latest review of the troubled program. DOE's certification and accreditation (C&A) program still falls short of federally mandated requirements despite warnings in past IG reports that Energy's certification and accreditation process needs improvement.

The new IG report, 'Certification and Accreditation of Unclassified Information Systems,' notes that C&A evaluations required by law and departmental guidance must be performed on all systems and remain in effect for three years unless a system is substantially changed.

The IG pinpointed several shortcomings in Energy's C&A process, such as:
  • Nine of the 14 sites the auditors reviewed had not properly assessed the potential risk to their systems and had not adequately tested or evaluated system security controls.
  • In many cases, DOE officials accredited systems even though they had not received adequate or complete risk information.
  • Six of the 14 sites the IG's staff checked had not identified the 'residual risk' associated with systems that continued to operate.
  • At two sites, the responsibility for accepting IT system risk and clearing the systems to operate had been improperly delegated to a contractor employee.

The report went on to cite several causes for these problems, including:
  • Security procedures that did not comply with National Institute of Standards and Technology requirements.
  • Improper compliance reviews by the CIO and other department organizations.
  • Rushed schedules to complete C&A reviews at field offices.

Department officials endorsed the IG's recommendations to strengthen DOE's technology security practices. They said that the task of improving the department's IT security would be a high priority in 2007, according to the report.
