The Department of Energy’s Office of Inspector General has warned that the DOE has yet to address a number of previously identified cyber vulnerabilities.
In its report published Tuesday, the OIG said failure to remediate vulnerabilities may expose the department’s information systems and data to malicious cyber actors.
What Did DOE OIG Find?
The OIG assessed the effectiveness of the DOE’s unclassified cybersecurity program to protect the department’s data and information systems, a requirement under the Federal Information Security Modernization Act, or FISMA, of 2014.
The OIG found that while the department has taken actions and resolved 19 of 63 cyber-related recommendations from previous audits, 44 remained unaddressed. The agency watchdog also identified 79 new recommendations throughout the fiscal year related to DOE’s cybersecurity programs.
One of the vulnerabilities cited in its report involves management processes in some department sites that the inspector general found were “not fully effective in identifying, addressing, and/or remediating vulnerabilities.”
The report also revealed that some DOE sites did not fully develop or maintain adequate policies and procedures for the design and implementation of security controls.
The OIG advised DOE to close findings from prior years and implement the latest federal cybersecurity requirements to protect data and information systems.
