DOT Has Made Progress but Significant Weaknesses in Its Information Security Remain

Requested By
Required by the Federal Information Security Management Act of 2002
Project ID
FI2015009

This report presents the results of our annual audit of DOT’s information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and the Office of Management and Budget’s (OMB) requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices. We provided these results to OMB via its Website. DOT made additional improvements to its program, but the Department’s systems are still vulnerable to serious threats due to deficiencies in policies and procedures, enterprise-level controls, system controls, and management of known security weaknesses. We made recommendations to address these issues.

Recommendations

No. 1 to OST (closed)
Revise the Department's AECM policy to develop procedural requirements that document the activities components must complete to report and mitigate deficiencies identified through continuous monitoring.

No. 2 to OST (closed)
Implement the revised AECM policy and procedural guidance, and work with components to establish planned action dates for mitigating deficiencies in their ISCM reporting and in addressing security weaknesses.

No. 3 to OST (closed)
Establish an enterprise-wide strategy, to which DOT components must adhere, for implementing and monitoring Information Security Continuous Monitoring (ISCM) for Continuous Diagnostics and Mitigation (CDM) requirements as outlined in OMB policy and NIST guidance.

No. 4 to OST (closed)
Revise the Department's policy to address the mandatory use of a toolset, and the requisite processes, to perform the ISCM tasks outlined by OMB.

No. 5 to OST (closed)
Start planning for, and assessing the impact of, the security requirements that will be affected by NIST SP 800-53 Revision 4 and NIST SP 800-53A Revision 4.

No. 6 to OST (closed)
Revise DOT cybersecurity policy and guidance to incorporate the new or updated security requirements defined by NIST SP 800-53 Revision 4 and NIST SP 800-53A Revision 4.

No. 7 to OST (closed)
Work with components to develop a plan to address NIST SP 800-53 Revision 4 requirements for their systems. Create a POA&M with a planned completion date to monitor and track progress.

No. 8 to OST (closed)
Work with the components to develop a plan to complete annual security awareness training (SAT) within plan milestones and to improve tracking. Assess training progress periodically to determine whether each component will meet its SAT plan.

No. 9 to FAA (closed)
Work with FAA to ensure that automated scripts are properly configured to disable inactive user accounts in a timely manner. Create a POA&M with a planned completion date to monitor and track progress.

No. 10 to OST (closed)
Work with the CSMC and the individual components (including COE) to develop the service level agreements needed to define responsibilities between the CSMC and the components. These agreements should include a detailed description of the services between the parties and, at a minimum, cover: CSMC and component responsibilities; the frequency of periodic scans of DOT networks; access privileges to networks, devices, and monitoring tools; hardware and software asset discovery and ongoing management requirements; and vulnerability scanning.

No. 11 to OST (closed)
Revise DOT policy to provide specific guidance on what data components should report to the Authorizing Official throughout the continuous monitoring process, in what format, and how often.

No. 12 to FAA (closed)
Work with FAA to revise its plan to effectively transition the remaining 32,266 users to required PIV login for unprivileged access. Create a POA&M with a planned completion date to monitor and track progress.

No. 13 to OST (closed)
Develop a plan to periodically review waived accounts to determine whether they should be transitioned to PIV-required status. Create a POA&M with a planned completion date to monitor and track progress.

No. 14 to OST (closed)
Work with components to revise their plans to effectively transition the remaining users to required PIV login for privileged access. Create a POA&M with a planned completion date to monitor and track progress.

No. 15 to OST (closed)
Work with components to develop or revise their plans to effectively transition the remaining information systems to required PIV login. Create a POA&M with planned completion dates to monitor and track progress.

No. 16 to OST (closed)
Work with the Director of DOT Security to develop or revise the plan to effectively transition the remaining facilities to required PIV cards.
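Recommendations 9 and 13 both come down to the same kind of periodic account review: finding enabled accounts that have gone unused, and finding enabled accounts that are still allowed to log on without a PIV card. The following Python is an added example, not code from the OIG report or from DOT or FAA. It assumes an Active Directory user export in CSV form (sAMAccountName, userAccountControl, lastLogonTimestamp as a Windows FILETIME with 0 meaning never logged on, whenCreated as a date), uses the Microsoft-documented userAccountControl bits ACCOUNTDISABLE (0x2) and SMARTCARD_REQUIRED (0x40000), and runs over constructed sample rows with a fixed "current" date. It handles the two cases such scripts usually get wrong: an account that has never logged on has no lastLogonTimestamp and must be aged from its creation date, and an already-disabled account should be skipped rather than re-reported.

```python
"""Account-control checks over an AD-style user export.

Added example (not from the OIG report). Assumed input: a CSV with columns
sAMAccountName, userAccountControl, lastLogonTimestamp (Windows FILETIME,
0 = never logged on) and whenCreated (YYYY-MM-DD). The sample rows below are
constructed, not real DOT or FAA data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# userAccountControl bit flags, as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
SMARTCARD_REQUIRED = 0x40000  # "Smart card is required for interactive logon"

# Offset between the FILETIME epoch (1601-01-01) and the Unix epoch, in 100 ns ticks.
FILETIME_UNIX_OFFSET = 116_444_736_000_000_000

# Fixed "current time" so the run is reproducible (constructed, not the audit date).
NOW = datetime(2015, 3, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME -> aware UTC datetime; 0 (or negative) means the user never logged on."""
    if ft <= 0:
        return None
    return datetime.fromtimestamp((ft - FILETIME_UNIX_OFFSET) / 10_000_000, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME (whole seconds are enough for this check)."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_UNIX_OFFSET


def _days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed sample export. UAC 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT +
# ACCOUNTDISABLE, 262656 = NORMAL_ACCOUNT + SMARTCARD_REQUIRED.
SAMPLE_CSV = "\n".join([
    "sAMAccountName,userAccountControl,lastLogonTimestamp,whenCreated",
    f"alice,512,{_days_ago(5)},2013-06-01",      # active, password logon still allowed
    f"bob,512,{_days_ago(120)},2012-01-15",      # no logon for 120 days
    f"carol,262656,{_days_ago(10)},2013-09-20",  # active, PIV enforced
    "dave,512,0,2014-07-01",                      # never logged on, created 243 days ago
    "erin,512,0,2015-02-26",                      # never logged on, created 3 days ago
    f"frank,514,{_days_ago(400)},2011-03-03",    # already disabled
])


def load_users(csv_text: str) -> List[dict]:
    """Parse the export into records with typed fields."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.append({
            "name": row["sAMAccountName"],
            "uac": int(row["userAccountControl"]),
            "last_logon": filetime_to_datetime(int(row["lastLogonTimestamp"])),
            "created": datetime.strptime(row["whenCreated"], "%Y-%m-%d").replace(tzinfo=timezone.utc),
        })
    return users


def stale_accounts(users: List[dict], now: datetime = NOW, max_inactive_days: int = 90) -> List[str]:
    """Enabled accounts with no logon within max_inactive_days.

    A never-used account is aged from its creation date: treating a missing
    lastLogonTimestamp as "recently active" is the usual way such scripts miss
    accounts. lastLogonTimestamp is only replicated when it is more than about
    14 days old, so thresholds shorter than that window are not meaningful.
    """
    cutoff = now - timedelta(days=max_inactive_days)
    stale = []
    for u in users:
        if u["uac"] & ACCOUNTDISABLE:
            continue  # already disabled; nothing to do
        last_activity = u["last_logon"] or u["created"]
        if last_activity < cutoff:
            stale.append(u["name"])
    return stale


def piv_waived_accounts(users: List[dict]) -> List[str]:
    """Enabled accounts that can still log on without a smart card (the waiver review list)."""
    return [u["name"] for u in users
            if not (u["uac"] & ACCOUNTDISABLE) and not (u["uac"] & SMARTCARD_REQUIRED)]


def disable_commands(names: List[str]) -> List[str]:
    """Remediation commands emitted for operator review; nothing is executed here."""
    return [f"Disable-ADAccount -Identity {n}" for n in names]


if __name__ == "__main__":
    users = load_users(SAMPLE_CSV)
    print("stale (disable):", stale_accounts(users))
    print("PIV waived (review):", piv_waived_accounts(users))
    for cmd in disable_commands(stale_accounts(users)):
        print(cmd)
```

The script only emits the Disable-ADAccount commands as text so the list can be reviewed before anything is changed; wiring it to run them is the "automated script" of Recommendation 9, and the threshold should be set with the lastLogonTimestamp replication lag in mind, since an account can appear up to two weeks less active than it really is.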