From Protection of the Department of Energy’s Unclassified Sensitive Electronic Information, DOE/IG-0818:
The Department of Energy and its contractors store and process massive quantities of sensitive information to accomplish national security, energy, science, and environmental missions. Sensitive unclassified data, such as personally identifiable information (PII), official use only, and unclassified controlled nuclear information require special handling and protection to prevent misuse of the information for inappropriate purposes.
[…]
Prior reports involving the loss of sensitive information have highlighted weaknesses in the Department’s ability to protect sensitive data. Our report on Security Over Personally Identifiable Information (DOE/IG-0771, July 2007) disclosed that the Department had not fully implemented all measures recommended by the Office of Management and Budget (OMB) and required by the National Institute of Standards and Technology (NIST) to protect PII, including failures to identify and encrypt PII maintained on information systems. Similarly, the Government Accountability Office recently reported that the Department had not yet installed encryption technology to protect sensitive data on the vast majority of laptop computers and handheld devices. Because of the potential for harm, we initiated this audit to determine whether the Department and its contractors adequately safeguarded sensitive electronic information.
RESULTS OF AUDIT
The Department had taken a number of steps to improve protection of PII. Our review, however, identified opportunities to strengthen the protection of all types of sensitive unclassified electronic information and reduce the risk that such data could fall into the hands of individuals with malicious intent. In particular, for the seven sites we reviewed:
- Four sites had either not ensured that sensitive information maintained on mobile devices was encrypted. Or, they had improperly permitted sensitive unclassified information to be transmitted unencrypted through email or to offsite backup storage facilities;
- One site had not ensured that laptops taken on foreign travel, including travel to sensitive countries, were protected against security threats; and,
- Although required by the OMB since 2003, we learned that programs and sites were still working to complete Privacy Impact Assessments – analyses designed to examine the risks and ramifications of using information systems to collect, maintain, and disseminate personal information.
Our testing revealed that the weaknesses identified were attributable, at least in part, to Headquarters programs and field sites that had not implemented existing policies and procedures requiring protection of sensitive electronic information. In addition, a lack of performance monitoring contributed to the inability of the Department and the National Nuclear Security Administration (NNSA) to ensure that measures were in place to fully protect sensitive information.
[…]
OTHER MATTERS
Our review also revealed that sites we reviewed were not encrypting sensitive data contained on desktops, servers and other network-based storage devices. This practice, currently in place or planned at certain Department of Defense activities to protect sensitive information, has been identified by NIST as a best practice and as part of an effective risk-based management approach to data protection. Our report, in Appendix 2, discusses the benefits and limitations of encryption for these types of devices and
suggests additional actions that the Department may wish to consider.