DOE Unclassified Cybersecurity Program Weaknesses Identified in FY2025
Summary
The DOE Office of Inspector General identified weaknesses in the Department of Energy's unclassified cybersecurity program for Fiscal Year 2025. The report details 33 findings, including 13 repeat issues and a significant deficiency in access controls over financial systems, potentially compromising information systems and data.
What changed
The Department of Energy's Office of Inspector General (OIG) has issued a management letter detailing significant weaknesses found in the Department's unclassified cybersecurity program during Fiscal Year 2025. The report, DOE-OIG-26-22, outlines 33 cybersecurity findings, 13 of which are repeat issues from previous years. Notably, the findings include a significant deficiency in access controls over various Department financial systems, attributed in part to management not responding to changes in risk and not identifying the risks of inappropriate or unnecessary system access.
These identified weaknesses pose a risk to the Department's ability to protect its information systems and data from compromise, loss, or unauthorized modification. Compliance officers within the Department should review the specific findings and recommendations within the full report to implement necessary corrective actions, particularly concerning access controls and risk management for information technology systems. Failure to address these issues could lead to data breaches and operational disruptions.
What to do next
- Review the 33 cybersecurity findings detailed in DOE-OIG-26-22.
- Implement corrective actions for repeat findings and the identified deficiency in access controls.
- Enhance risk identification and management processes for information technology systems.
Source document (simplified)
Management Letter: DOE-OIG-26-22
Weaknesses Identified With the Department of Energy’s Unclassified Cybersecurity Program in Fiscal Year 2025
March 12, 2026
March 9, 2026
During fiscal year (FY) 2025, the Office of Inspector General (OIG) conducted cybersecurity reviews to determine whether the Department of Energy’s unclassified cybersecurity program was implemented in accordance with Federal and Department requirements. The OIG also performed the audit, The Department of Energy’s Fiscal Year 2025 Consolidated Financial Statements, which included test work over controls related to information technology.
The management letter discusses the results of cybersecurity reviews conducted by the OIG in FY 2025 and the results of our Federal Information Security Modernization Act of 2014 evaluation.
The OIG issued 33 cybersecurity findings related to information technology controls (including 13 repeat prior year findings) to Department sites and programs. However, three of those prior year findings, along with their recommendations, are being tracked in other OIG-issued reports. Additionally, the audit, The Department of Energy’s Fiscal Year 2025 Consolidated Financial Statements, identified a significant deficiency related to access controls over various Department financial systems. The findings that led to the significant deficiency are included within this report.
The weaknesses occurred for a variety of reasons. For instance, deficiencies related to access controls occurred, in part, due to management not responding to changes in risks or identifying risks associated with inappropriate or unnecessary access to systems.
Without improvements to address the weaknesses identified in our report, the Department may be unable to adequately protect its information systems and data from compromise, loss, or unauthorized modification.
- DOE-OIG-26-22.pdf (418.52 KB)