Title: Audit Report on "The Office of Science's Management of Information Technology Resources"

The Department of Energy's Office of Science (Science) and its facility contractors are aggressive users of information technology (IT) to support fundamental research in areas such as energy, environmental remediation and computational sciences. Of its $4 billion Fiscal Year 2008 budget, Science spent about $287 million to manage its IT program. This included cyber security activities, acquisition of hardware and software, and support service costs used to maintain the operating environments necessary to support the missions of the program. Prior Office of Inspector General reports have identified various issues with Science's management of its IT programs and resources. For instance, our report on Facility Contractor Acquisition and Management of Information Technology Hardware (DOE/IG-0768, June 2007) noted that the Science sites reviewed spent more than necessary when acquiring IT hardware. In another example, our review of The Department's Efforts to Implement Common Information Technology Services at Headquarters (DOE/IG-0763, March 2007) disclosed that Science's reluctance to adopt the Department of Energy Common Operating Environment (DOE-COE) at Headquarters contributed to the Department's inability to fully realize potential cost savings through consolidation and economies of scale. In light of the magnitude of the Office of Science IT program and previously identified program weaknesses, we initiated this audit to determine whether Science adequately managed its IT resources. Science had taken a number of actions to improve its cyber security posture and align its program to Federal requirements. Yet, our review disclosed that it had not taken some basic steps to enhance security and reduce costs. In particular, we found that: (1) For their non-scientific computing environments, all seven of the field sites reviewed (two Federal, five contractor) had implemented security configurations that were less stringent than those included in the Federal Desktop Core Configuration. This configuration was designed by the National Institute of Standards and Technology and its use was mandated by the Office of Management and Budget; (2) Although we previously highlighted weaknesses and recommended corrective actions, Science still had not fully established or enforced IT hardware standards for acquiring hardware such as desktop and laptop computers or related peripherals, contributing to significant unnecessary expenditures; and (3) While we have noted in a series of past reports that significant savings could be realized from aggregating demand for IT services and products across the enterprise, Science had not implemented a common infrastructure for users at its Federal sites and continued to maintain an IT environment independent of the Department's Common IT Operating Environment. The weaknesses identified were attributable, at least in part, to a lack of adequate policies and procedures for ensuring effective cyber security and hardware acquisition practices. In addition, Science had not effectively monitored the performance of its field sites to ensure that previously reported internal control weaknesses were addressed and had not implemented an appropriate mechanism to track its IT-related costs. Without improvements, Science may be unable to realize the benefits of improved security over its information systems, reduce costs associated with hardware acquisition, and lower IT support costs through consolidation of services. In particular, we determined that Science could potentially realize savings of more than $3.3 million over the next three years by better controlling hardware costs and implementing standards for certain equipment. Furthermore, Science could continue to pay for duplicative IT support services and fail to take advantage of opportunities to lower costs and apply potential savings to mission-related work. During the course of our audit work, we learned from Science officials that they had initiated the process of revising the Program Cyber Security Plan to better clarify its policy for implementing Federal cyber security requirements. In addition, we noted that the Oak Ridge National Laboratory had taken action to establish and enforce hardware standards on both its administrative and scientific workforce. Although these actions are positive steps, additional action is needed to strengthen Science's IT program. To that end, our report contains several recommendations that, if fully implemented, should help Science improve the management of its IT resources.