Complaints alleged the relatively new CESER misspent $11.7 million, though the inspector general could only substantiate some of those claims.
A special cybersecurity office established a few years ago within the Energy Department had some suspicious spending habits, most of which seemed to be resolved after a change in leadership, according to complaints investigated by the agency inspector general.
The Office of Cybersecurity, Energy Security and Emergency Response, or CESER, was created in 2018 to help protect the nation’s energy infrastructure from emerging threats, chiefly those coming from cyberspace and other digital means. The IG report notes Congress has given CESER $276 million to date—$120 million in fiscal 2019 and $156 million in 2020—and the office has requested $185 million in 2021.
An inspector general report released Monday compiles several complaints alleging mismanagement, including the inappropriate use of $11.7 million allocated to the office and a lack of staff dedicated to managing the budget.
The IG received several allegations, which the office divided into four buckets:
- CESER lacks internal control policies and procedures and a full-time staff to oversee its budget.
- $7.5 million in funding allocated to a national lab was used to finance a startup company.
- $2.2 million in software licenses were purchased but never used.
- $2 million in CESER funds were used to update a website run by the General Services Administration.
The audit substantiated two of the four claims—the lack of internal controls and purchase of unused software licenses. The other two complaints were not fully substantiated, though the IG questioned whether those funds were being spent wisely.
In a complaint filed with the IG, a tipster alleged that $7.5 million allocated to the Idaho National Laboratory were used to fund a startup company. The IG confirmed that CESER allotted funds to INL to “further develop the Cyber Analytics Tools and Techniques program,” but could not substantiate claims that the funds were funneled to a startup business.
That said, the program is suspicious, according to the report.
“While $4 million of the funds were returned to the department’s Office of the Chief Financial Officer after a change in management within CESER in February 2020, the project was being reconsidered near the end of our review,” the report states. “However, management indicated that this effort was paused pending completion of our review.”
Another complaint focused on the same program alleged CESER officials spent $2 million fixing the Login.gov web portal—a single sign-on tool developed by GSA and made available to federal agencies for a fee.
The IG determined that the funding was not used to upgrade the Login.gov web portal; however, $2 million was set aside for an interagency agreement between CESER and GSA to better integrate Login.gov tools in the Cyber Analytics Tools and Techniques program. While this use of funds was deemed appropriate, the IG had issues with the results.
“Despite the use of a portion of the allocated CESER resources, a CESER official stated that the program remained non-operational at the time of our review,” the report states. “Therefore, we questioned the use of more than $128,000 in expenditures by CESER.”
All of these issues stemmed from the first: a lack of budget controls and management.
“In particular, despite concerns being raised by several program officials, senior CESER management had not taken action to establish program-level internal controls, such as policies and procedures,” the IG wrote. “The lack of program-level internal controls also contributed to identified weaknesses related to software acquisitions, the direction of program funds, and contracting for GSA services prematurely. Had adequate controls been implemented, the weaknesses could have been identified and actions taken to ensure activities were conducted in accordance with laws and regulations.”
A special cybersecurity office established a few years ago within the Energy Department had some suspicious spending habits, most of which seemed to be resolved after a change in leadership, according to complaints investigated by the agency inspector general.
The Office of Cybersecurity, Energy Security and Emergency Response, or CESER, was created in 2018 to help protect the nation’s energy infrastructure from emerging threats, chiefly those coming from cyberspace and other digital means. The IG report notes Congress has given CESER $276 million to date—$120 million in fiscal 2019 and $156 million in 2020—and the office has requested $185 million in 2021.
An inspector general report released Monday compiles several complaints alleging mismanagement, including the inappropriate use of $11.7 million allocated to the office and a lack of staff dedicated to managing the budget.
The IG received several allegations, which the office divided into four buckets:
- CESER lacks internal control policies and procedures and a full-time staff to oversee its budget.
- $7.5 million in funding allocated to a national lab was used to finance a startup company.
- $2.2 million in software licenses were purchased but never used.
- $2 million in CESER funds were used to update a website run by the General Services Administration.
The audit substantiated two of the four claims—the lack of internal controls and purchase of unused software licenses. The other two complaints were not fully substantiated, though the IG questioned whether those funds were being spent wisely.
In a complaint filed with the IG, a tipster alleged that $7.5 million allocated to the Idaho National Laboratory were used to fund a startup company. The IG confirmed that CESER allotted funds to INL to “further develop the Cyber Analytics Tools and Techniques program,” but could not substantiate claims that the funds were funneled to a startup business.
That said, the program is suspicious, according to the report.
“While $4 million of the funds were returned to the department’s Office of the Chief Financial Officer after a change in management within CESER in February 2020, the project was being reconsidered near the end of our review,” the report states. “However, management indicated that this effort was paused pending completion of our review.”
Another complaint focused on the same program alleged CESER officials spent $2 million fixing the Login.gov web portal—a single sign-on tool developed by GSA and made available to federal agencies for a fee.
The IG determined that the funding was not used to upgrade the Login.gov web portal; however, $2 million was set aside for an interagency agreement between CESER and GSA to better integrate Login.gov tools in the Cyber Analytics Tools and Techniques program. While this use of funds was deemed appropriate, the IG had issues with the results.
“Despite the use of a portion of the allocated CESER resources, a CESER official stated that the program remained non-operational at the time of our review,” the report states. “Therefore, we questioned the use of more than $128,000 in expenditures by CESER.”
All of these issues stemmed from the first: a lack of budget controls and management.
“In particular, despite concerns being raised by several program officials, senior CESER management had not taken action to establish program-level internal controls, such as policies and procedures,” the IG wrote. “The lack of program-level internal controls also contributed to identified weaknesses related to software acquisitions, the direction of program funds, and contracting for GSA services prematurely. Had adequate controls been implemented, the weaknesses could have been identified and actions taken to ensure activities were conducted in accordance with laws and regulations.”
Source: https://www.nextgov.com/cybersecurity/2021/07/energys-cyber-response-office-misspent-millions-due-lack-budget-management/183683/