DOT's Information Security Program
During FY 2006, the Department made noticeable improvement in tracking, prioritizing, and correcting security weaknesses - a major concern identified last year. The Department also took aggressive action to identify systems containing personally identifiable information (PII) for proper security protection, including procuring encryption software to secure all laptop computers. In addition, the departmental Investment Review Board provided oversight to a multibillion-dollar IT investment project managed by FAA.

FY 2007 will be a particularly challenging year for the Department in managing its IT security and investments. It has to recertify more than half of all its information systems, upgrade systems security to meet new Government standards, relocate its Headquarters (including more than 75 information systems), and take aggressive action to strengthen air traffic control systems security protection. In addition, the Department needs to develop a better methodology to validate the security configurations of commercial software products installed in DOT systems and continue enhancing oversight of IT investments.

We made a series of recommendations to help the Department strengthen its information security program, the security protection of the critical air traffic control systems infrastructure, and oversight of its multibillion-dollar annual IT investments. The CIO agreed with our findings and recommendations. We have requested that DOT provide written comments describing the specific actions it will take to implement these recommendations.