Timely Actions Needed to Improve DOT's Cybersecurity
On November 15, 2010, we issued our report presenting the results of our annual audit of the Department's information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT's information security program and practices. We found that, overall, the Department's information security program does not meet Federal requirements and is still not as effective as it should be. During fiscal year 2010, the Department succeeded in providing security awareness training to over 90 percent of its employees; five OAs provided this training to 100 percent of their employees. Despite these accomplishments, however, the Department has not made the needed progress in addressing information security policy and procedures, enterprise-level controls, management of information security weaknesses, and system-level controls. We are making 27 new recommendations to address urgent vulnerabilities in these areas. The DOT Chief Information Officer will provide a description of specific actions to be taken to implement these recommendations, along with their milestone dates.