Counterspies' PCs missing, an Energy report shows
The Energy Department, which repeatedly has bungled information technology security in recent years, took two more hits, related fully or in part to those problems, in recent reports from its inspector general.
DOE’s apparent loss of 14 desktop computers that had processed classified information surfaced in a report titled “Internal Controls Over Computer Property at the Department’s Counterintelligence Directorate.”
The inspection report states that DOE’s counterspies couldn’t locate 20 desktop computers that were part of its documented inventory. In addition to the 14 desktops that were known to have held classified data, the report noted that, “The remaining six computers may have been used to process such data.”
“Further[more], the inventory records were so imprecise and inaccurate that the directorate had to resort to extraordinary means to locate an additional 125 computers,” the report states. “Those computers should have been readily accessible, had property recordkeeping been current and complete.”
The report also states that:
- The Counterintelligence Directorate hadn’t entered an additional 57 computers in its property inventory.
- The directorate’s loan agreements for 96 computers that had been transferred from headquarters to field offices had expired.
- DOE officials had failed to put the proper security classification labels on 74 computers, as the department’s rules require.
“Problems with the control and accountability of desktop and laptop computers have plagued the department for a number of years,” the auditors observed. “As we found in several recent reviews, strict property management procedures need to be consistently applied to ensure the control of sensitive property, such as computers.”
DOE officials concurred with several recommendations the auditors offered on the computer inventory control issue. But the report noted that the officials failed to provide planned corrective actions with target completion dates, so further action by senior managers would be necessary. DOE responded by describing actions it had taken in response to previous similar reports, such as appointing an official responsible for keeping track of its inventories, and mandating the immediate reporting of property relocations.
DOE added that although not all its records complied with department policy, there were records that had been created in another format.
In a second report, titled “The Department’s Efforts to Implement Common Information Technology Services at Headquarters,” the inspector general’s office said DOE hadn’t fully met its goals in adopting a common operational environment.
The standardized IT framework, which cost the department $980 million in fiscal 2006, calls for a consolidated environment covering desktop support, application hosting and equipment distribution services. Various organizations at DOE headquarters had been managing the functions separately when the department launched the reorganization.
The department called the project Extended Common Integrated Technology Environment at first, but then renamed it the Department of Energy’s Common Operating Environment (DOE-COE).
The department’s chief information officer is overseeing the DOE-COE project. The IG’s audit found that:
- Five major organizations, accounting for 40 percent or 2,473 users from a total covered workforce of 6,199, hadn’t been migrated to the common environment within the project’s first 12 months, in a delay that eliminated $15 million of possible savings.
- In some organizations, officials did not cut off services provided to workers who had been shifted to the new environment, a mistake that cost $700,000 in needless user fees and caused “potential cybersecurity vulnerabilities.”
The auditors praised the DOE for completing the migration process for 23 of the 28 organizations within headquarters. But they cautioned that their review didn’t include DOE’s far-flung field offices.
The department’s CIO office agreed with the conclusions of the second report and described measures that it had taken to end the problems.
Wilson P. Dizard III writes for Government Computer News, an 1105 Government Information Group publication.