Counterspies' PCs missing, an Energy report shows

The Energy Department, which repeatedly has bungled information technology security in recent years, took two more hits, related fully or in part to those problems, in recent reports from its inspector general.

DOE’s apparent loss of 14 desktop computers that had processed classified information surfaced in a report titled “Internal Controls Over Computer Property at the Department’s Counterintelligence Directorate.”

The inspection report states that DOE’s counterspies couldn’t locate 20 desktop computers that were part of its documented inventory. In addition to the 14 desktops that were known to have held classified data, the report noted that, “The remaining six computers may have been used to process such data.”

“Further[more], the inventory records were so imprecise and inaccurate that the directorate had to resort to extraordinary means to locate an additional 125 computers,” the report states. “Those computers should have been readily accessible, had property recordkeeping been current and complete.”

The report also states that:
  • The Counterintelligence Directorate hadn’t entered an additional 57 computers in its property inventory.
  • The directorate’s loan agreements for 96 computers that had been transferred from headquarters to field offices had expired.
  • DOE officials had failed to put the proper security classification labels on 74 computers, as the department’s rules require.

“Problems with the control and accountability of desktop and laptop computers have plagued the department for a number of years,” the auditors observed. “As we found in several recent reviews, strict property management procedures need to be consistently applied to ensure the control of sensitive property, such as computers.”

DOE officials concurred with several recommendations the auditors offered on the computer inventory control issue. But the report noted that the officials failed to provide planned corrective actions with target completion dates, so further action by senior managers would be necessary. DOE responded by describing actions it had taken in response to previous similar reports, such as appointing an official responsible for keeping track of its inventories, and mandating the immediate reporting of property relocations.

DOE added that although not all its records complied with department policy, there were records that had been created in another format.

In a second report, titled “The Department’s Efforts to Implement Common Information Technology Services at Headquarters,” the inspector general’s office said DOE hadn’t fully met its goals in adopting a common operational environment.

The standardized IT framework, which cost the department $980 million in fiscal 2006, calls for a consolidated environment covering desktop support, application hosting and equipment distribution services. Various organizations at DOE headquarters had been managing the functions separately when the department launched the reorganization.

The department called the project Extended Common Integrated Technology Environment at first, but then renamed it the Department of Energy’s Common Operating Environment (DOE-COE).

The department’s chief information officer is overseeing the DOE-COE project. The IG’s audit found that:
  • Five major organizations, accounting for 40 percent, or 2,473 users, of a total covered workforce of 6,199, hadn’t been migrated to the common environment within the project’s first 12 months, a delay that eliminated $15 million of possible savings.
  • In some organizations, officials did not cut off services provided to workers who had been shifted to the new environment, a mistake that cost $700,000 in needless user fees and caused “potential cybersecurity vulnerabilities.”

The auditors praised the DOE for completing the migration process for 23 of the 28 organizations within headquarters. But they cautioned that their review didn’t include DOE’s far-flung field offices.

The department’s CIO office agreed with the conclusions of the second report and described measures that it had taken to end the problems.

Wilson P. Dizard III writes for Government Computer News, an 1105 Government Information Group publication.