Skip to main content
U.S. flag

An official website of the United States government

Audit Reports


Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices

Requested By
Required by the Federal Information Security Modernization Act of 2014
Project ID
File Attachment
What We Looked At
This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.
Our Recommendations
DOT concurs with both of CLA’s recommendations. We consider both recommendations resolved but open pending completion of planned actions.


No. 1 to OST
Develop and implement DOT’s zero trust architecture plan for network traffic that cannot be routed through traditional Trusted-Internet Connections (TIC) access points as required by OMB M-19-26, Update to the TIC Initiative.
No. 2 to OST
In coordination with Federal Aviation Administration (FAA), complete the pilot and testing of TIC 3.0 use cases and revise FAA policies to reflect requirements in OMB M-19-26, Update to TIC Initiative.