The Department of Energy (DoE) still has significant work to do to address open priority recommendations from the Government Accountability Office (GAO) related to insider threats and cybersecurity.
A new report from GAO, published on Monday, outlines that DoE still has 27 open recommendations that it should prioritize, including seven cyber-related recommendations.
“Recent high-profile disclosures of classified information and cyberattacks targeting public and private energy sector components highlight the urgent need to address insider threats in Federal agencies and cybersecurity weaknesses, as indicated in our High Risk List area related to the nation’s critical infrastructure,” GAO Comptroller General Gene Dodaro said in a letter accompanying the report.
“We have seven priority recommendations in this area – two related to insider threats and five related to cybersecurity,” he noted.
The two related to insider threats stem from a 2023 GAO report that called on DoE to fully implement its Insider Threat Program. Dodaro said implementing the recommendations would improve DoE’s ability to “identify insider risks before an incident occurs.”
The additional five recommendations aim to improve DoE’s ability to manage cybersecurity risks.
“For example, fully implementing our recommendation to develop a cybersecurity risk management strategy would help DoE to clarify risk management strategies across the department to protect its systems and data,” Dodaro said.
Other cyber recommendations are directed at DoE’s National Nuclear Security Administration (NNSA). These recommendations stem from a 2022 GAO report that found six key cybersecurity practices NNSA has neglected to fully implement.
GAO recommended that NNSA identify the resources necessary to implement the cyber best practices and clarify to its management and operating (M&O) contractors that they are required to monitor their subcontractors’ cybersecurity measures.
“Fully implementing these two recommendations will better position NNSA to marshal the resources necessary to develop a cybersecurity management framework and help ensure more consistent protection of information and systems,” Dodaro explained.
Finally, GAO urged DoE to implement its priority recommendation to develop a plan for implementing the Federal cybersecurity strategy for the electric grid. GAO detailed this recommendation in a 2019 report, which DoE agreed with.
As of April 2024, GAO said DoE still did not have an estimated date for issuing that plan.
“Until DoE develops a plan and ensures it addresses all of the key characteristics of a national strategy – including a full assessment of cybersecurity risks – decision-makers responsible for allocating resources to address risks and challenges will be operating with limited guidance,” GAO said in the report.