July 20, 2005
Letter to NTSB Chairman Rosenker regarding a forthcoming audit on NTSB's Information Security Program
The Office of Inspector General plans to perform an audit of the National Transportation Safety Board’s (NTSB) Information Security Program, as required by the Federal Information Security Management Act of 2002 (FISMA). NTSB and other small agencies have become subject to annual FISMA reporting requirements since FY 2004. Last year, we reported NTSB’s information security program as a material internal control weakness. NTSB management has agreed to take corrective actions. However, most of the planned actions have not yet been implemented. Accordingly, we will only perform a limited review to compile this year’s independent report. In addition to answering OMB questions on FISMA progress, we will evaluate whether NTSB (1) network connections to outside entities, including the Internet, are adequately protected to prevent cyber attacks; and (2) internal network computers are properly configured to reduce the risks of unauthorized access.