Evaluation Report: The Department of Energy's Unclassified Cybersecurity Program - 2014 [open pdf - 713KB]
From the Details of Finding section: "The 'Federal Information Security Management Act of 2002' (FISMA) mandated that agency Offices of Inspector General conduct annual independent evaluations to determine whether unclassified cybersecurity programs adequately protected data and information systems. During Fiscal Year (FY) 2014, we reviewed the unclassified cybersecurity programs at 24 Department of Energy (Department) locations, including Headquarters. The scope of our fieldwork activities included validating corrective actions taken to remediate prior year weaknesses, reviewing information technology controls over networks and applications, and conducting technical vulnerability scanning both within and external to the networks. Actions taken to improve the Department's unclassified cybersecurity program since our prior evaluation resulted in the closure of 25 of the 39 deficiencies reported in our FY 2013 review. However, test work performed in conjunction with the current year's review continued to identify weaknesses in the same areas reported in past years. Specifically, our review of the Department's Under Secretary for Nuclear Security, Under Secretary for Science and Energy, and Under Secretary for Management and Performance organizations found that additional effort is needed to ensure that systems and information are adequately secured, and the risks of operating systems are known. Based on the results of our FY 2014 evaluation, we identified vulnerabilities at many of the 24 locations reviewed, including 11 new and 14 unresolved weaknesses from prior years' reviews."
Department of Energy, Office of Inspector General, Report No. DOE/IG-0925
Department of Energy: http://www.energy.gov/