IG: DOE lacks integrated enterprisewide cybersecurity strategy
Several issues continue to limit the efficiency and effectiveness of Energy Department cybersecurity incident management and adversely impact the ability of law enforcement to investigate such incidents, says a Dec. 11 DOE office of inspector general report (.pdf).
The issues stem in part from lack of unified, departmentwide cybersecurity incident management that encompasses the National Nuclear Security Administration, auditors say.
The current "decentralized and fragmented approach" places departmental systems and networks at increased risk and causes unnecessary spending, auditors say. Energy components and the NNSA--a semi-autonomous agency within the department--collectively spend more than $30 million annually on partially duplicative incident management capabilities, auditors say.
Following a similar January 2008 OIG report (.pdf), Energy and NNSA officials agreed to establish a joint incident management operation, but auditors say that in the nearly 5 years since, disparate functions have continued to exist.
Auditors also find that changes to DOE's incident management policy and guidance may have adversely impacted overall incident management and response by law enforcement and counterintelligence officials. Specifically, auditors say sites haven't always reported cybersecurity incidents because Energy Joint Cybersecurity Coordination Center reporting instructions lack detail and are subject to interpretation. The report also finds that incident reporting to law enforcement was not always timely or complete, which hindered investigations into events.
Energy officials told auditors they'll implement a new enterprisewide policy for incident categorization and reporting and a departmentwide incident management system that includes NNSA by Sept. 30, 2013.