Skip to main content
U.S. flag

An official website of the United States government

Audit Reports


FISMA 2017: DOT’s Information Security Posture Is Still Not Effective

Requested By
Required by the Federal Information Security and Management Act of 2002
Project ID
File Attachment

What We Looked At
The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the review results to the Office of Management and Budget (OMB). DOT’s operations rely on 464 information technology systems, which represent an annual investment of approximately $3.5 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.

What We Found
In all five function areas, we found DOT to be at the Defined maturity level—the second lowest tier of the maturity model for information security—because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, these policies and procedures are not consistently implemented throughout DOT.

Identify controls include risk management, weakness remediation, and security authorization. Protect controls include configuration management, identity and access management, and security training. Detect controls are used to identify cybersecurity incidents as part of information security continuous monitoring (ISCM). Respond controls cover incident handling and reporting. Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents. DOT’s Identify, Protect, Detect, Respond, and Recover controls are currently inadequate.

Our Recommendations
We made eight recommendations to help the Department address the challenges in developing a mature and effective information security program. DOT concurred with six of our recommendations, partially concurred with one, and non-concurred with one.


Closed on
No. 1 to OST
Require MARAD, NHTSA, OST, and SLSDC to develop and disseminate policies and procedures for their risk management programs that include the appropriate elements such as criteria for making risk based decisions.
Closed on
No. 2 to OST
Implement controls to verify that information on threat activity has been communicated to senior agency officials and require retention of supporting documentation.
No. 3 to OST
For the COE and FAA, update procedures and practices for monitoring and authorizing common security controls to (a) require supporting documentation for controls continual assessments, (b) complete reauthorization assessments for the controls, (c) finalize guidance for customers' use of controls, and (d) establish communication protocols between authorizing officials and common control providers regarding control status and risks.
Closed on
No. 4 to FAA
Verify that FAA’s criteria regarding designation and definition of contractor systems conforms to DOT guidance, and that systems are correctly classified.
No. 5 to OST
Implement controls to continuously monitor and work with components to ensure network administrators are informed and action is taken to disable system accounts when users no longer require access or have been inactive beyond established thresholds.
Closed on
No. 6 to OST
Complete PIV enablement and requirements for remaining information systems, except those that are subject to exclusions that are documented and approved.
Closed on
No. 7 to OST
Take action to fully implement mandatory use of PIV cards for VDI access.
No. 8 to OST
Implement processes verifying that personnel performing certain security related roles receive specialized training needed to meet OCIO guidance.