The Office of Inspector General for the Department of Energy has issued its unclassified version of its evaluation of the FERC cybersecurity program.
Given that this is an “unclassified” or public version, it does not go into great detail about cyber threats and mostly centers upon the process it used to review the FERC program.
FERC is an independent agency within DOE. Its mission is to “assist consumers in obtaining reliable, efficient, and sustainable energy services at a reasonable cost through appropriate regulatory and market means,” OIG notes in the report.
“To accomplish this, the information technology that supports the Commission must be reliable and protected against attacks from malicious sources,” OIG said.
The Federal Information Security Modernization Act of 2014 established requirements for federal agencies to develop, implement, and manage agency-wide information security programs, including periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, hacks and various types of cyber disruptions.
The 2014 act mandated that OIG do an independent evaluation annually to determine the effectiveness of agency cyber security. OIG contracted with KPMG LLP to help perform the assessment for FY 2016.
In short, OIG and KPMG found that the FERC program was satisfactory.
The evaluation “found that the Commission had implemented the tested attributes of its cyber-security program in a manner that was generally consistent with requirements established by the National Institute of Standards and Technology, the Office of Management and Budget, and the Department of Homeland Security.
The evaluation found that FERC has required security safeguards built into its system.
“These topic areas included risk management, contractor systems, configuration management, identity and access management, security and privacy training, information security continuous monitoring, incident response, and contingency planning,” OIG said in its public report.
“In addition, we concluded, based on the results of KPMG’s test work, that the Commission had defined and initiated implementation of a continuous monitoring program based on the maturity model developed by the Council of the Inspectors General on Integrity and Efficiency. Although the Commission had strengthened its continuous monitoring program compared to the previous year, it was not yet fully implemented,” OIG said in the report.
“Because nothing came to our attention that would indicate significant control weaknesses in the areas tested by KPMG, we are not making any recommendations or suggested actions relative to this audit.
FERC management waived an exit conference on Oct. 27. The report was made public on Nov. 5.