Information Security Program at the Department of Transportation
On October 10, 2007, we issued our final report on the annual audit of the Department of Transportation’s Information Security Program as required by the Federal Information Security Management Act (FISMA). FY 2007 was a particularly challenging year for the Department in managing its IT resources. In addition to establishing a common IT infrastructure for the new Headquarters, it had to review, test, and certify security protection in more than half of its information systems to meet the recertification requirement.

While the Department has completed most of the scheduled security recertification reviews, the overall effectiveness of its information security program declined this year because management had to divert resources and attention to resolving Headquarters move-related issues. Specifically, management did not meet Government security standards to protect information systems and did not take sufficient action to correct identified security deficiencies. We also found that commercial software products used in departmental systems were not configured in accordance with security standards and that security incidents were incompletely and/or inaccurately reported.

In terms of correcting the two security weaknesses identified previously in the air traffic control system (contingency planning and review of operational air traffic control systems security), FAA demonstrated renewed initiative in undertaking multiyear correction efforts starting in FY 2007. FAA also made modest progress in enhancing the implementation of Earned Value Management for major IT investment projects. Nonetheless, challenges remain in both areas.