The Department of Energy bolstered the security and awareness of its unclassified cybersecurity program in fiscal 2014, but additional effort is needed to ensure that the risks of operating its systems are identified and that systems and information are adequately secured, the department’s inspector general has said following a review.
DoE management, in response to an earlier evaluation, said it intended to fully report metrics for all contractor systems, but a significant percentage of the metric information reported to DHS as part of annual FISMA reporting requirements excluded contractor systems (which comprise most of DoE’s systems), according to the IG.
The IG said that network systems and workstations at 13 locations had patch management weaknesses of varying degrees of criticality; six locations had weaknesses related to the system integrity of web applications (such as improper input validation); eight locations had weaknesses in logical access controls; and four locations had weaknesses in the configuration management process, including inadequate support for testing and approving changes.
The IG said the issues stem from a failure to ensure that cybersecurity policies and procedures were developed and properly implemented, and that proper implementation could have eliminated some of the weaknesses.
DoE management is reportedly pursuing corrective actions in response to the audit, DOE/IG-0925.