A new report from the Department of Energy’s (DOE) Office of Inspector General (OIG) reveals that while DOE has taken steps to address some previously identified cybersecurity weaknesses, a substantial number of vulnerabilities remain.

The report, which the OIG made public on Monday, analyzes the effectiveness of DOE’s unclassified cybersecurity program in fiscal year 2024. The evaluation is required under the Federal Information Security Modernization Act of 2014.

The report highlights that the Energy Department – including its National Nuclear Security Administration component – had taken corrective actions that resulted in the closure of 19 of 63 (30 percent) cybersecurity recommendations made during the OIG’s prior-year audits and evaluations.

However, the remaining 44 prior-year recommendations were still open, indicating persistent weaknesses in crucial areas such as risk management, configuration management, identity and access management, information security continuous monitoring, and security training.

Additionally, the OIG issued 79 new recommendations throughout the fiscal year related to various areas of cybersecurity programs – bringing the total number of open recommendations to 123.

“The weaknesses identified occurred for a variety of reasons. For instance, findings at some Department sites had occurred due to vulnerability management processes that were not fully effective in identifying, addressing, and/or remediating vulnerabilities,” the report says.

“We also found that several sites had not fully developed and/or maintained policies and procedures to help facilitate the design and implementation of security controls,” it adds.

Additionally, the OIG said that DOE continues to lag in adopting updated federal cybersecurity standards.

For example, the OIG found that four of the six sites reviewed had not yet fully implemented the requirements of National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5. Specifically, 82 of the 101 systems at those four sites were still operating under the superseded Revision 4 of the control catalog.

The OIG said that delayed implementation of federal cyber requirements, such as NIST 800-53, Revision 5, “continues to leave the Department’s data and information systems at risk to emerging threats and vulnerabilities.”

“Without improvements to address the weaknesses identified in our report, the Department may be unable to adequately protect its information systems and data from compromise, loss, or modification,” the report says.

The OIG urged DOE to close the 123 recommendations made during fiscal year 2024 “in a timely manner, especially those findings repeated from prior years.” It also stressed the need for the department to implement the latest federal cybersecurity requirements “to assist in ensuring adequate protection of the Department’s data and information systems at risk to emerging threats and vulnerabilities.”

The OIG noted that it provided program and site officials with detailed information regarding the vulnerabilities identified at their locations, and many have since started implementing corrective actions.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.