The Future of Cybersecurity at DOE

Published: January 27, 2022


Despite criticism by oversight bodies, the Department of Energy’s recent and forthcoming cyber initiatives reveal the agency’s commitment to enterprise security visibility and performance.

Few can really argue that the Department of Energy’s mission is a diverse one, spanning nuclear security, open science, environmental management, and energy development responsibilities. Understandably, DOE’s cybersecurity programs are just as varied to meet these missions, each with component leaders who are given autonomy to manage them. Hence, robust coordination and collaboration are needed at the enterprise level to ensure cyber compliance and performance across the department.

Even so, DOE received a “D” in cyber on the latest FITARA scorecard. Energy is nonetheless making progress in protecting its networks and data and meeting compliance requirements, argued CIO Ann Dunkin during testimony before a House subcommittee hearing last week.

In fact, Dunkin explained, the DOE enterprise is focused on several cyber objectives:

  • Increasing enterprise visibility and situational awareness
  • Responding to advanced threats
  • Developing interagency partnerships to protect infrastructure
  • Leveraging information sharing
  • Strengthening policy and guidance
  • Implementing cyber defense technologies

Moreover, DOE acquired additional security tools, including hardware and software asset management solutions, through DHS’ Continuous Diagnostics and Mitigation (CDM) program to increase enterprise visibility. Other recent cyber investments include “targeting vulnerability management, big data analytics, crowdsourced penetration testing, enhanced training initiatives and workforce engagement,” stated Dunkin. Additionally, DOE’s Big Data Platform is now operational, providing enterprise-wide cyber monitoring and analysis of cyber data on a cloud-based platform.

On the people front, Energy is leveraging its direct hire authority to fill cyber positions and is increasing incentives for cybersecurity personnel. The department also recently launched the Omni Technology Alliance Internship program to employ students from underserved communities with paid internship opportunities at DOE to build a cyber pipeline at the department.

Looking forward, expanding cyber awareness is prevalent in Energy’s FY 2022 budget request, which seeks $642M for cybersecurity activities in FY 2022, an increase of nearly $190M over FY 2021. According to the budget request, increased funds would target Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) to focus on the department’s threat intelligence and response for electric grid operators. Additional budget dollars would also contribute to DOE’s cyber reserve fund.

Forthcoming DOE cyber initiatives, according to Dunkin, will also include:

  • Building Supply Chain Risk Management (SCRM) timeframes and assessment capabilities into the SCRM process that has been integrated into all DOE IT acquisitions
  • Exploring the option of creating a new Working Capital Fund (WCF) for IT modernization, as well as adding more services to DOE’s current WCF
  • Awaiting decisions on three Technology Modernization Fund (TMF) proposals, totaling $55M, in the areas of secure cloud architecture, business secure client service architecture, and reduced technical debt at the Office of Science

With regard to the Biden Administration’s cybersecurity Executive Order, Dunkin explained at a recent ATARC summit that the department will primarily focus on the EO’s compliance requirements and its zero-trust directive. When approaching the EO’s requirements and those issued by CISA and others, Dunkin explained that DOE cannot do it all, but will instead maintain a constant balance between compliance and risk. The department plans to act first on the compliance directives and initiatives that will reduce the most risk.

Taking all this into consideration and more, Deltek anticipates a 5.9% Compound Annual Growth Rate (CAGR) in DOE’s cyber addressable market from FY 2021 to 2023. For more insight into DOE’s cyber portfolio and the overall federal cybersecurity marketplace, refer to Deltek’s Federal Information Security Market, 2021 – 2023 report.