Skip to main content
U.S. flag

An official website of the United States government

Audit Reports

Date

Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security System Program and Practices

Requested By
Required by the Federal Information Security Modernization Act of 2014
Project ID
QC2022006
File Attachment
What We Looked At
This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
 
What We Found
We performed a QCR of CLA’s report and related documentation. Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.
 
Our Recommendations
DOT concurs with all five of CLA’s recommendations. CLA considers all five recommendations resolved but open pending completion of planned actions.

Recommendations

No. 1 to OST
Develop and communicate an organization wide Supply Chain Risk Management strategy and implementation plan to guide and govern supply chain risks.
No. 2 to OST
Undertake a strategic analysis of the Inspector General FISMA Metrics and the weaknesses identified in the audit, to develop a multi-year strategy and approach to include objective milestones, and resource commitments by the Department and the CIO that address the corrective actions necessary to show steady, measurable improvements towards an effective information security program.
No. 3 to OST
Work with the Federal Aviation Administration’s CIO and Federal Motor Carrier Safety Administration’s Information Security System Manager (ISSM), to investigate and remediate cross-site scripting vulnerabilities identified in public facing web applications.
No. 4 to OST
Work and coordinate with system owners to identify and remediate weak and default authentication mechanisms within their systems and the Common Operating Environment.
No. 5 to OST
Develop and implement a process to facilitate centralized monitoring, oversight (by ISSMs and their alternates) and escalation efforts to ensure the timely completion of required security awareness training and role based training for all DOT personnel leveraging an automated integrated solution(s) and dashboards.