Date Issued
Submitting OIG
Department of Energy OIG
Other Participating OIGs
Department of Energy OIG
Agencies Reviewed/Investigated
Department of Energy
Report Number
DOE-OIG-24-34
Report Type
Audit
Location

Vancouver, WA
United States

Number of Recommendations
18
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 18 open recommendations.
Columns: Recommendation Number; Significant Recommendation; Recommended Questioned Costs; Recommended Funds for Better Use; Additional Details.

1. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Ensure that systems are reauthorized to operate on the 3-year schedule until either moved to a continuous monitoring model or retired.

2. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Ensure that the Authorizing Official reviews and approves security control assessment plans prior to the assessments being conducted.

3. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Ensure that all required controls and control enhancements are assessed for implementation and effectiveness as part of the authorization or reauthorization process.

4. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Develop and implement risk assessments that analyze the likelihood of threats and mitigation measures in place specific to transmission systems.

5. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Ensure that critical- and high-risk vulnerabilities are remediated or mitigated in a timely manner.

6. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Develop processes to incorporate the cybersecurity change management board to seek its review and approval prior to making changes to all transmission systems.

7. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Ensure that all substation SSCPs include all information required by NIST SP 800-53, Revision 5, and consider the control overlay provided in NIST SP 800-82, Revision 3.

8. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Determine unnecessary ports, protocols, and services, and disable them to remove additional avenues for an attacker or a malicious user to exploit the system.

9. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
   Encrypt data at rest on servers and databases, as appropriate, to protect confidentiality and integrity of the data.

10. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Implement software, firmware, and information integrity checking tools, as appropriate, to identify unauthorized changes to all transmission systems.

11. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Implement separation of duties to help prevent issues and minimize errors.

12. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Ensure appropriate audit logs are capturing information necessary to identify changes to the system.

13. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Ensure continuous monitoring of BPA’s information systems and applications to gain assurance that required controls are implemented, working as intended, and continue to operate at an acceptable level of risk, including implementing a formal process.

14. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Develop a contingency training program that covers the appropriate topics associated with transmission systems and provide the training to those with contingency planning roles and responsibilities.

15. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Ensure all information system contingency plans are developed in accordance with Federal requirements.

16. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Develop policies and procedures to facilitate an effective cybersecurity program for the transmission infrastructure through the implementation of security controls in accordance with Federal and Department requirements.

17. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Implement an effective oversight structure at BPA that encompasses transmission program management activities, to include the development and implementation of continuous monitoring, risk management, and governance activities.

18. Significant: No. Questioned Costs: $0. Funds for Better Use: $0.
    Work to ensure adequate resources are available to implement a cybersecurity program for the transmission infrastructure by providing appropriate funding and personnel.
