Inspector General Says Energy Department Cybersecurity Program Still Faces Issues

The Department of Energy’s Office of the Inspector General says several weaknesses remain in the agency’s unclassified cybersecurity program despite the watchdog flagging such issues in previous assessments.

In a report finalized on May 2, the OIG shared that 38 out of 61 recommendations from 2022 remain open and issued 35 new ones, 22 of which deal with identity and access management concerns. The other issues found are related to continuous monitoring and risk and configuration management.

According to the report, some Energy Department sites have not had access reviews conducted for accounts, and at least one facility has not completed a proper implementation of privileged user access controls. Meanwhile, some agency locations were said to have been slow to remove old user accounts.

The OIG said that regular user access checks can prevent unauthorized actors from making changes to information. It noted that the Energy Department has not been adhering to National Institute of Standards and Technology policies or internal rules, FCW reported.

In April, the OIG published another report detailing problems with the Energy Department’s authorization and continuous monitoring practices on the cloud.