The Energy Department failed to secure the site in line with federal cyber standards.
The Energy Department failed to enact proper cybersecurity controls at one of its radioactive waste management facilities, leaving the site potentially vulnerable to digital attacks, according to an internal watchdog.
The agency inspector general found the site’s digital security fell short of the standards outlined in the Federal Information Security Management Act, the government’s primary cybersecurity regulation. The unnamed facility lacked proper physical and logical access controls, and officials also failed to properly monitor networks, manage vulnerabilities and develop a contingency plan, according to the IG.
“The integrity, confidentiality and availability of systems and data managed by the site may be impacted by the vulnerabilities identified during our review,” auditors wrote in a summary of their findings. The public version of the report included few details on specific vulnerabilities.
Auditors attributed the vulnerabilities to shoddy oversight, calling out the site’s cybersecurity officials for not ensuring FISMA requirements were fully implemented. Department leaders also never created specific performance metrics to incentivize the site’s primary contractor to follow robust cybersecurity practices, they said.
Additionally, they found the facility’s cyber posture suffered because it didn’t have enough resources to implement proper security controls.
When asked about the nature of the facility and vulnerabilities, auditors said they couldn’t provide any additional information.
“Release of such information could result in additional cybersecurity weaknesses to the department,” an IG spokesperson told Nextgov.
The department agreed with the IG’s three recommendations, and officials said they were already creating plans to address the specific weaknesses.
While few agencies are responsible for handling radioactive material, many have struggled to stand up the cybersecurity controls highlighted in the IG’s report.
Last week, the Government Accountability Office found the IRS had yet to move forward with more than 100 cybersecurity improvements auditors had identified over the years, and last month Senate lawmakers released a scathing report detailing the government’s struggles to implement even the most basic measures to defend their IT infrastructure.
“The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats,” Sen. Rob Portman, R-Ohio, who heads the subpanel that published the report, said in a statement.