Energy Department's cybersecurity program features critical weaknesses, report says

An inspector general's report issued 35 new recommendations centered on the Department of Energy's unclassified cybersecurity program.

An inspector general's report issued 35 new recommendations centered on the Department of Energy's unclassified cybersecurity program. Oscar Wong / Getty Images

The Department of Energy is suffering from significant issues surrounding identity and access management, in addition to dozens of other concerns detailed in a new inspector general’s report. 

The Department of Energy is failing to address a wide range of weaknesses related to its unclassified cybersecurity program and is risking the integrity of its information systems and data, according to a new report.

The inspector general’s report, released May 2, notes that the Energy Department and its components — including the National Nuclear Security Administration — have not addressed dozens of previously identified weaknesses associated with the program around risk management, configuration management, identity and access controls and security continuous monitoring.

The Energy Department’s Office of the Inspector General issued 35 new recommendations and said 38 recommendations remained open when the latest evaluation was conducted between March 2022 and March 2023. At least 22 of the new recommendations focus on identity and access management issues after the OIG observed a range of significant concerns across numerous DOE facilities.

The department is failing to conduct access reviews for accounts at multiple locations and had not fully implemented access controls to properly manage privileged user access in at least one facility, the report said. At that site, general users were able to "masquerade as a 'superuser'" on its systems.

"Failure to regularly review and validate user access increases the risk that unauthorized users could retain access to and potentially modify information," the report said.

Several sites had not removed unnecessary or expired user accounts in a timely manner, while one location was not properly managing and monitoring database shared accounts.  The lack of adequate access reviews are in contrast to National Institute of Standards and Technology requirements and the facilities' own policies, the report said. 

The Federal Information Security Modernization Act of 2014 tasks federal agencies with establishing information security programs that support and protect information systems, operations and government assets. The law also requires the OIG to evaluate DOE's unclassified cybersecurity program. 

DOE earned a "C" rating in the most recent Federal Information Technology Acquisition Reform Act scorecard — one of the lowest scores among federal agencies.

In response to the report, the department said that  it will "continue to address each of these weaknesses at all the organizational levels to adequately protect DOE's information assets and systems from harm."