Audit Reports

Multiple DOT Operating Administrations Lack Effective Information System Disaster Recovery Plans and Exercises

Requested By
Self-Initiated
Project ID
FI2016024
The Department of Transportation (DOT) relies on more than 450 information systems, many of which provide fundamental capabilities for keeping the Nation’s transportation system safe and operational. Effective disaster recovery planning is critical to maintain information system safety and efficiency for DOT and its Operating Administrations (OA) during an unexpected event.

However, the disaster recovery plans for 4 of the Department’s 12 OAs—the Federal Highway Administration, Federal Railroad Administration (FRA), Federal Motor Carrier Safety Administration (FMCSA), and Pipeline and Hazardous Materials Safety Administration (PHMSA)—were not in compliance with DOT policy. In addition, the Department’s OAs have not all effectively tested their plans to ensure they will work in the event of a disruption. For example, the Federal Aviation Administration (FAA) did not conduct annual contingency plan testing for certain high-impact systems, as required. Furthermore, four OAs—FAA, FMCSA, PHMSA, and FRA—did not conduct required functional disaster recovery testing to ensure that their systems comply with DOT policy and can effectively handle operations during unexpected events.

We made nine recommendations to improve the effectiveness of information systems contingency planning and testing. The Department concurred with all nine of our recommendations, and we consider all resolved but open pending completion of planned actions.

Recommendations

Closed on
No. 1 to FMCSA
Develop, document, and implement user and system-level data backup processes for the FMCSA Enforcement Management Information System.
Closed on
No. 2 to FRA
Develop, document, and implement user and system-level data backup processes for the FRA Railroad Safety Information System.
Closed on
No. 3 to FMCSA
Specify alternate telecommunications services including necessary agreements for the FMCSA Enforcement Management Information System contingency plan.
Closed on
No. 4 to PHMSA
Specify alternate telecommunications services including necessary agreements for the PHMSA Hazardous Materials Information System contingency plan.
Closed on
No. 5 to FHWA
Update the contingency plans for the two FHWA systems: (1) Fiscal Management Information System and (2) Rapid Approval and State Payment System (RASPS) by:
a. Developing a Business Impact Analysis for their two selected systems.
b. Identifying allowable system unavailability timelines such as Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO) for their system contingency plans.
c. Reevaluating both systems' alternate backup data storage sites so they are geographically dispersed from the primary system operational site as required by DOT policy.
d. Implementing a process for ensuring the encryption of backup data prior to transferring the data offsite.
Closed on
No. 6 to FAA
Conduct annual functional contingency plan testing for FAA systems, including (1) Enhanced Flight Standards Automation System and (2) Web-based Operations Safety System.
Closed on
No. 7 to FRA
Conduct annual functional contingency plan testing for the FRA Railroad Safety Information System.
Closed on
No. 8 to FMCSA
Conduct annual functional contingency plan testing for the FMCSA Enforcement Management Information System.
Closed on
No. 9 to PHMSA
Conduct annual functional contingency plan testing for the PHMSA Hazardous Materials Information System.