The Federal Energy Regulatory Commission (Commission) has developed and
implemented a number of information systems to support its mission of regulating the
natural gas industry, hydroelectric projects, oil pipelines, and wholesale rates for
electricity. Because of the increasing frequency and sophistication of cyber attacks, the
potential for malicious intrusion and damage to these information technology assets and
the information they contain continues to grow. During 2006, the Commission estimated
that it spent almost $1 million to protect its $27 million information technology
investment from cyber-related threats. The importance of maintaining a robust cyber
security program is well demonstrated by the debilitating effects that recent attacks on
Federal organizations have had on mission performance, agency reputation, and on
constituents that have been subjected to compromise of personally identifiable or
sensitive data.

As required by the Federal Information Security Management Act (FISMA), and
consistent with Congress's desire to develop a comprehensive framework to protect the
government's information technology operations and assets, the Office of Inspector
General is required to perform an annual independent evaluation of the Commission's
cyber security program. This evaluation is designed to assess the adequacy and
effectiveness of information security policies, procedures, and practices, and compliance
with the requirements of the FISMA. This memorandum and the attached report present
the results of our 2006 evaluation.