A report by Energy Department acting Inspector General Rickey Hass says DOE has made progress on its efforts to transition from a compliance-based information technology security management strategy to a risk-based method.
Hass said Nov. 4 the department adopted a new software application for analysis of system vulnerabilities but his office found that some DOE-run facilities do not properly categorize IT risks and use security controls.
The IG study showed the six DOE sites reviewed have not adopted a federal cybersecurity requirement to provide important risk information to authorizing personnel.
The facilities also lack initiatives to fully implement continuous monitoring programs that the DOE IG office believes can help the department manage cybersecurity data, the report noted.
“Without improvements to its cybersecurity risk management program, the department cannot ensure that it has an ongoing understanding of the risks to its systems and to what extent those risks have been or can be mitigated,” Hass noted.
DOE officials say the department has initiated or plans to implement corrective measures in response to the IG’s findings.