- DOE OIG has identified eight areas for improvement in cybersecurity and IT governance
- KPMG has issued 11 recommendations to strengthen oversight, risk management and compliance
- The 2026 FedCiv Summit will cover AI, cybersecurity, cloud and more
The Department of Energy’s Office of Inspector General said an independent audit conducted by KPMG examined the department’s cybersecurity and IT governance program and identified eight areas for improvement.

As DOE works to strengthen cybersecurity governance, risk management and compliance across the enterprise, federal leaders continue to focus on the technologies and strategies needed to modernize government operations. The 2026 FedCiv Summit on Oct. 29 will cover powering and scaling AI across the government; data, cloud and compute infrastructure; cybersecurity and compliance-driven initiatives; and cross-agency and enterprise-wide programs.
OIG said Tuesday the audit assessed whether DOE developed and implemented a governance structure for its cybersecurity and IT activities. The watchdog also reviewed KPMG’s work and reported no instances in which the audit firm failed to comply with generally accepted government auditing standards in any material respect.
What Did the DOE OIG Find?
KPMG identified eight areas for improvement related to DOE’s cybersecurity and IT governance program.
The audit found issues involving outdated contracts, policies and requirements, including the standard terms and conditions that apply to prime contractors and subcontractors. KPMG also reported that DOE had not fully implemented a risk monitoring program, an enterprise data strategy or a comprehensive enterprise information system inventory that identifies systems containing personally identifiable information.
In addition, the audit identified areas requiring improvement to ensure compliance with federal requirements, create a comprehensive workforce assessment and verify the accuracy and completeness of data requests submitted by DOE elements.
What Recommendations Did KPMG Make?
KPMG offered 11 recommendations to address the eight areas identified in the audit.
The recommendations called for enterprise-level approaches to ensure the timely implementation of current federal cybersecurity and IT governance requirements and their inclusion in contractual requirements. KPMG also recommended formalizing or completing enterprise-level initiatives such as a data strategy, system inventories and risk monitoring activities.
DOE concurred with all 11 recommendations and said it plans to take corrective actions.
How Does the Audit Align With DOE’s Cybersecurity Efforts?
The audit comes as DOE continues to advance cybersecurity initiatives across the department. In March, DOE’s Office of Cybersecurity, Energy Security and Emergency Response said it was preparing its first strategic plan to strengthen cybersecurity, according to a Federal News Network report.
The findings also follow an August 2025 OIG audit, which found unremediated vulnerabilities in the department’s unclassified cybersecurity program.