Skip to main content
U.S. flag

An official website of the United States government

Audit Reports

Date

DOT Continues to Make Progress, but the Department’s Information Security Posture Is Still Not Effective

Requested By
Required by the Federal Information Security Management Act of 2002, as amended
Project ID
FI2017008
File Attachment

This report presents the results of our annual audit of DOT’s information security program and practices required by the Federal Information Security Management Act of 2002 (FISMA), as amended. Consistent with FISMA and the Office of Management and Budget’s (OMB) requirements, our audit objective was to determine the effectiveness of DOT’s information security program. While the department continues to make improvements, its cybersecurity program remains ineffective. In the five function areas defined by OMB, DOT achieved low maturity levels because of deficiencies in its security authorization; risk management and weakness monitoring; user identity and access management; security training; information security continuous monitoring; incident handling and reporting; and contingency planning and testing. OMB requires agencies to achieve maturity levels of medium-high for their programs to be effective. We made recommendations to address these issues.

Recommendations

No. 1 to OST
Take action to work with all OAs to complete expired authorizations and reinforce or strengthen policy requiring systems be reauthorized prior to their expiration dates.
No. 2 to OST
Take action to work with all OAs to perform a thorough CSAM quality review to ensure system documentation matches what is entered into CSAM. At a minimum, the review should verify that: (1) system authorization dates in CSAM match what is approved by the authorizing official; (2) POAMs are created and reported once a security weakness is found; and (3) authorizing officials are provided accurate documentation on all risks accepted.
No. 3 to OST
Take action to work with FAA, FHWA, FMCSA, FTA, MARAD, NHTSA, and OST to develop risk acceptance memos for the expired systems identified in this report.
No. 4 to OST
The Deputy Secretary, or his designee, take action to work with OST COE, FTA, and FAA, the common control providers, to report and update risk acceptance for shared controls that are not implemented in DOT's Repository (e.g., CSAM) per FISMA, OMB, and DOT requirements.
No. 5 to OST
Take action to work with FAA and require them to review CSAM POA&M entries, and identify and correct cases where multiple weaknesses were entered as one.
No. 6 to OST
Perform a review of CSAM POA&Ms and assess if the entries are compliant with DOT policy. For deficient data, require OAs to provide a corrective action plan.
No. 7 to OST
The Deputy Secretary, or his designee, take action to identify and document OST COE compensating controls when used to address security weaknesses in CSAM and system authorizations.
No. 8 to OST
The Deputy Secretary, or his designee, take action to report/update OST COE security weaknesses found during vulnerability assessments in DOT's Repository (e.g., CSAM) per FISMA, OMB, and DOT requirements.