Federal Manager's Daily Report

The Department of Energy has taken steps to improve security over its national security information systems, but additional actions as part of its certification and accreditation process are needed to reduce the risk of compromise to these systems, the Energy inspector general has said.

It said that at five of six sites it audited, risks such as a lack of separation of duties and the presence of unclassified and classified systems operating in the same environment had not been addressed in system security plans.

It also said that in many instances, security plans, or changes to systems, were not appropriately approved by department officials, and that at five of the six sites reviewed, contingency plans had not been developed for national security information systems, a critical activity required to mitigate the risk of service disruption.

The department has yet to fully develop and implement adequate cyber security policies to ensure that national security information systems are adequately protected, according to IG-0800.

It said federal and contractor officials did not always utilize effective mechanisms to monitor performance of security controls, adding that the issues it found were similar to conditions at Los Alamos National Laboratory in 2006 that contributed to the theft of classified information there.

While the department took action to address problems uncovered in the wake of that incident, for example, by requiring sites to assess their security procedures, they have not adequately resolved weaknesses in controls over national security information systems, the IG said.