The Department of Energy needs to improve its cybersecurity initiatives for the next fiscal year, according to DOE’s Office of Inspector General.

The OIG set out to determine whether the agency’s unclassified cybersecurity program provides proper protection for DOE’s information systems operations and assets, as required by the Federal Information Security Modernization Act of 2014.

The OIG’s FY 2017 independent evaluation found that 13 of the 16 weaknesses identified in the prior fiscal year had been closed, and that the number of vulnerability management findings had fallen from nine in FY 2016 to five in FY 2017.

However, the report stated that “issues related to vulnerability management, system integrity of web applications, and access controls continue to exist.”

For example, DOE operates nearly 100 entities nationwide, and the evaluation found at least three locations running workstation and server software that was no longer supported by the vendor or that was missing security patches. There were also laptops, servers and workstations missing the antivirus software updates that protect information system assets.

Further issues included one location’s failure to adequately prevent malicious input data from reaching its systems. The report indicated that if this weakness were exploited, it could allow unauthorized access to DOE’s IT resources, potentially giving attackers the opportunity “to compromise legitimate users’ workstations and application login credentials.”

There were also access control weaknesses, notably identification and verification requirements that were not adequately enforced and poorly implemented logging for monitoring user activity. As a result, user accounts for personnel no longer with DOE remained registered, and 223 privileged users retained system access despite exceeding password expiration limits.

The report found that these issues persisted because DOE had not fully developed and implemented its intended cybersecurity policies and procedures.

For instance, the department’s “current configuration and security patch processes” did not ensure that its systems remained up to date, an issue left over from prior fiscal year evaluations. The department also inconsistently implemented adequate risk and performance management programs, including security testing that did not effectively monitor IT programs at certain locations.

The report concluded that without sustained cybersecurity improvements, particularly in enhanced controls and vulnerability management, DOE’s information systems program could be exposed to a “higher-than-necessary risk of compromise, loss and/or modification” by cyber attackers.

Noting remediation efforts but also DOE’s persistent cybersecurity management issues, the OIG made 30 recommendations to programs and sites to improve the department’s cybersecurity capabilities, including the need to address phishing and malware, continuous monitoring, multifactor authentication and PIV card implementation for local, remote and application access, among other areas of concern.

Management concurred, indicating that corrective actions had been initiated or were planned to address the issues identified in the report.