Skip to main content
U.S. flag

An official website of the United States government

Audit Reports


DOT Had Major Success in PIV Implementation, But Problems Persist In Other Cybersecurity Areas

Requested By
Required by the Federal Information Security Management Act of 2002, as amended
Project ID
File Attachment

This report presents the results of our annual audit of DOT’s information security program and practices required by the Federal Information Security Management Act of 2002 (FISMA), as amended. Consistent with FISMA and the Office of Management and Budget’s requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices. DOT has made significant progress in implementing the use of personal identity verification cards. However, the Department’s information systems remain vulnerable to serious security threats due to deficiencies in policies and procedures, enterprise controls, system controls, and management of known security weaknesses. We made recommendations to address these issues. To post the report on our Web site, we have redacted sensitive information.


Closed on
No. 1 to OST
Ensure that the OCIO revises the Departmental policy to document its practice of prohibiting user-based waivers or exclusions for PIV required use for network and system access.
No. 2 to OST
The Deputy Secretary, or his designees, takes the following action to work with the OAs to develop a formal transition plan to the proposed ISCM target architecture that includes but is not limited to: (1) continuously assessing security controls; (2) reviewing system configuration settings; and (3) assessing timely remediation of security weaknesses. During the transition period, establish processes and practices for effectively collecting, validating, and reporting ISCM data.
Closed on
No. 3 to OST
Ensure that FAA, FHWA, FMCSA, FRA, FTA, NHTSA, MARAD/USMMA, OST, and SLSDC perform actions to immediately disable user accounts that have been inactive for over 90 days, as required by the DOT compendium. Report completion of this effort to OCIO. Create a POA&M to track progress and verify completion of the action.
Closed on
No. 4 to OST
Work with OAs to develop internal controls to ensure network administrators are informed and action is taken to disable accounts when users no longer require access.
Closed on
No. 5 to OST
Work with the OCIO to develop a quality assurance process to ensure OAs and network administrators are following DOT Cybersecurity procedures that require them to periodically review user accounts and ensure they are effectively managing these accounts.
Closed on
No. 6 to OST
Revise DOT's existing Cybersecurity policy to incorporate specific requirements for review and cleanup of service accounts.
Closed on
No. 7 to OST
Work with the COE's management to ensure review and cleanup activities of service accounts are successfully completed.
No. 8 to OST
Work with FAA to improve its assessment process to meet DOT Cybersecurity Compendium and Security Authorization & Continuous Monitoring Performance Guide. DOT CIO in conjunction with the FAA CIO review the FAA quality assurance process to ensure all security documents are reviewed and updated to reflect the system controls, vulnerabilities, and that the current risks are clearly presented to the authorizing officials.
No. 9 to OST
Work with the OAs to ensure they update open POA&Ms with the required data fields.