The Department of Energy (DoE) had weaknesses that held the department back from effectively managing cybersecurity on its IT systems, according to a summary of DoE’s FISMA (Federal Information Security Modernization Act) audit released September 27 by the department’s inspector general.
The report, summarized to protect sensitive information, found that DoE’s enterprise-managed systems had weaknesses in their controls that increased the risk of compromise.
“We found the Department had not fully managed cybersecurity for selected Headquarters information systems in accordance with Federal and Department requirements,” the audit finds.
The Energy Department’s tested systems had weaknesses in data accuracy and in technical controls to detect unauthorized changes. In addition, the department had gaps in acquisition policies on software licenses, policies for patching, and areas affected by high employee turnover, the IG said.
“Without improvements, the systems reviewed and the data they contain will continue to be at a higher-than-necessary risk of compromise, loss, or modification,” the inspector general wrote.
The department agreed to the recommendations offered by the inspector general.