Editor’s Note: The DOE OIG Evaluation Report, “The Department’s Unclassified Cyber Security Program – 2012” is attached here. As was explained here, cybersecurity defects that could allow for manipulation/corruption of agency data undermine the organization’s ability to comply with the Data Quality Act’s pre-dissemination review requirements for public release of information. The DQA requirements have been held by the US Court of Appeals for the DC Circuit to be “binding.”
Below are two excepts from the OIG report,
Failure to report to OMB as required:
Although many of the sites reviewed tracked weaknesses at a local level, we found that 28 of 56 cyber security deficiencies identified during our FY 2011 evaluation were not reported in the Department’s POA&Ms maintained by the OCIO and were not reported to OMB, as required. In addition, POA&Ms did not contain all cyber security weaknesses identified in numerous security related Office of Inspector General and U.S. Government Accountability Office reports. The official responsible for consolidating and submitting all POA&Ms to OMB stated that while programs and sites were informed of the missing cyber security weaknesses, they were never added to the POA&Ms;”
On the need for effective continuous monitoring:
The weaknesses identified occurred, in part, because Department elements had not ensured that cyber security requirements were fully developed and implemented. In addition, programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place. For example, we noted Plans of Action and Milestones (POA&Ms) were not always effectively used to report, prioritize and track cyber security weaknesses through remediation. Specifically, POA&Ms excluded half of the findings identified during our prior year review and 39 percent of milestones had passed projected remediation dates, including many that were more than 1 year overdue. Without improvements to its unclassified cyber security program, including implementation of effective continuous monitoring practices and adopting processes to ensure security controls are in place and operating as intended, there is an increased risk of compromise and/or loss, modification and non-availability of the Department’s systems and the information. As such, we made several recommendations that, if fully implemented, should help the Department strengthen its unclassified cyber security program for protecting information systems and data.