Date Issued
Submitting OIG
Department of Energy OIG
Agencies Reviewed/Investigated
Department of Energy
Components
National Nuclear Security Administration
Report Number
DOE-OIG-26-36
Report Description

This audit, performed by KPMG LLP (KPMG) on behalf of the Department of Energy Office of Inspector General (OIG), examined the Department’s cybersecurity and information technology (IT) governance program.

The audit’s objective was to determine whether the Department developed and implemented a governance structure over its cybersecurity and IT activities.

In contracting with an independent audit firm and drawing from the results of the audit, auditing standards require the OIG to review the work performed. Accordingly, the OIG oversaw the audit and reviewed the results. Our review disclosed no instances where KPMG did not comply, in all material respects, with generally accepted government auditing standards.

KPMG identified eight areas for improvement in the Department’s cybersecurity and IT governance program. Specifically, KPMG identified findings related to areas such as outdated contracts, policies, and/or requirements, including standard terms and conditions for prime contractors and subcontractors. In addition, the Department had not fully implemented an enterprise data strategy, a risk monitoring program, or a comprehensive enterprise information system inventory, including systems that hold personally identifiable information. Further, improvements were needed in ensuring compliance with Federal requirements, developing a comprehensive workforce assessment, and verifying the completeness and accuracy of responses to various requests for data from Department elements.

KPMG made 11 recommendations to the Department to address the report’s 8 areas for improvement. These recommendations include enterprise-level approaches for ensuring that the most recent Federal cybersecurity and IT governance requirements are implemented in a more timely manner and are contractually required; that enterprise-level areas, such as a data strategy, risk monitoring, and systems inventories, are formalized and/or completed; and that data call information is verified for completeness and accuracy.

The Department concurred with each of the 11 recommendations and planned to take corrective actions.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
11
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No