The Department of Energy’s D grade for cybersecurity on the FITARA 13.0 scorecard doesn’t accurately reflect its security posture, according to Chief Information Officer Ann Dunkin.
DOE plans to deploy hardware and software tools through the Continuous Diagnostics and Mitigation (CDM) Program that will improve asset management within three to six months, Dunkin said, during the House Oversight and Reform Subcommittee on Government Operations’ FITARA hearing Thursday.
Dunkin was responding to criticism from Rep. Andrew Clyde, R-Ga., that DOE’s cyber priorities don’t seem in order, given its purview over weapons-grade nuclear material — not to mention the electric grid and potentially pipelines if House legislation passes.
“We believe that our security posture is stronger than the FISMA score reflects,” Dunkin said. “And you will start to see, over the next few months in the quarterly reports, improvements in those metrics as we implement some specific CDM capabilities that we have not yet implemented.”
Clyde took issue with DOE’s stated priorities of addressing the climate crisis, clean-energy union jobs and energy justice, which Dunkin was quick to point out are set by Secretary Jennifer Granholm and are not specific to her office.
The representative asked if — given DOE’s Federal Information Security Management Act (FISMA) grade on FITARA 13.0 — U.S. infrastructure, national security sites, or soft or hard targets had been exposed to cyberattacks.
“With a grade of D, that doesn’t give me a whole lot of confidence,” Clyde said. “I think that the Department of Energy’s priorities are a little misguided here.”
The specifics of DOE’s security posture and cyberattacks should be discussed in a classified briefing, Dunkin said — which both Clyde and subcommittee chair Rep. Gerry Connolly, D-Va., expressed interest in holding.
At a high level DOE continues to enhance visibility into IT resources and investments, support CIO and IT management authorities, improve its cyber posture, issue policies for IT management, and strengthen governance and oversight, Dunkin said.
DOE scored an A on its data center optimization but still plans to close seven more by 2025, Dunkin said.
The department uses a working capital fund for some of its IT acquisitions but is exploring the creation of a second such fund for modernization, Dunkin said.
In addition to the forthcoming CDM tools, DOE has invested in vulnerability management, data analytics, crowdsourced penetration testing and enhanced training. DOE also recently launched the Omni Technology Alliance Internship Program to create a cyber and IT talent pipeline.
Multiple panelists at Thursday’s hearing, not just Dunkin, criticized FITARA’s current cyber component for not adequately measuring agencies’ cyber postures. Several proposed tying FITARA metrics to recent cyber directives.
“The good news is that the recent executive order on cybersecurity, issued in May of 2021, can serve as a blueprint for what federal agencies should be doing to enhance their cybersecurity position,” said Richard Spires, former CIO at the Department of Homeland Security. “In particular the EO places special emphasis on agencies implementing a zero-trust architecture, having holistic visibility across one’s IT infrastructure, implementing secure guidelines in cloud computing environments, focusing on protecting high-value data and assets, and dealing with supply chain issues.”