The Department of Energy has failed to monitor user activity on all classified networks as required by federal insider threat policies, according to a congressional watchdog audit.
In a report examining nuclear security, the Government Accountability Office found that department staff were unaware of the full extent of the department’s non-compliance in part because they did not have a complete list of how many standalone classified IT networks are in operation at Energy.
Insider threats at the Energy Department represent a major national security risk because the agency houses the National Nuclear Security Administration, which is responsible for managing the U.S. nuclear stockpile. Eight years ago it launched an insider threat program to address risks to national security information stored on computer networks.
The cybersecurity failure is one of four areas where the agency is not minimum security requirements, which were first identified in March 2022, according to GAO. The other three areas are initial and recurring employee training, verification of insider threat awareness training, and oversight reviews for policy and legal compliance.
“Under the “monitor user activity on networks” topic area, minimum standards require that insider threat programs include the technical capability to monitor user activity on all classified networks,” GAO said in the report.
It added: “According to DOE officials, the Insider Threat Analysis and Referral Center has not met full user activity monitoring coverage requirements on all classified networks, but has processes for addressing concerns on unmonitored classified networks should an event be detected by other means.”
According to the report, which was published Wednesday, at least one component of the agency assessed that it needs additional resources to achieve compliance with insider threat program requirements and minimum federal security standards. In particular, one official from DOE’s Office of Counterintelligence said that its Analysis and Referral Center needs an extra $50 million to acquire software licensing and information technology.
The official added that the office needed $5 million to hire an extra 20 analysts over a five-year period to achieve compliance with minimum standards for user monitoring on classified networks.
GAO made seven concrete recommendations for DOE in order to address the identified cybersecurity deficiencies, which include that a senior insider threat program official work to establish what extra resources are needed to comply monitor user activity on all classified networks.
The Energy Department has agreed with all recommendations made by the watchdog.