The Department of Energy is lacking in its use of multifactor authentication for cybersecurity, according to an audit by the department’s Office of Inspector General.
Despite longstanding federal requirements for multifactor authentication, in which users must provide multiple types of authentication before logging in, DOE’s procedures still have weaknesses, the IG found.
“Our review of 18 federal information systems, including those systems operated by contractors, identified weaknesses related to ensuring adequate protections over access to network and application resources, and noted that information reported to [the Office of Management and Budget] related to the Cybersecurity Sprint was not always consistent,” said the audit.
“Although requirements existed for more than 10 years, none of the locations reviewed had fully implemented multifactor authentication for secure access to information systems and resources,” the audit said.
In addition, government and contractor sites have sometimes not even considered applying multifactor authentication for software, including apps that contain sensitive personal information.
“The weaknesses identified occurred, in part, because officials had not fully planned for implementation of multifactor authentication on information systems,” the IG concluded. “Department guidance and requirements related to multifactor authentication technologies also were not always communicated effectively.”
The IG recommended that DOE fully develop and disseminate multifactor authentication plans, and that authentication meet federal requirements.