Audit Reports

Timely Actions Needed to Improve DOT's Cybersecurity

Project ID
FI2011022
On November 15, 2010, we issued our report presenting the results of our annual audit of the Department's information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT's information security program and practices. We found that, overall, the Department's information security program does not meet Federal requirements and is still not as effective as it should be. During fiscal year 2010, the Department succeeded in providing security awareness training to over 90 percent of its employees; five Operating Administrations (OAs) provided this training to 100 percent of their employees. Despite these accomplishments, the Department has not made the needed progress in addressing information security policy and procedures, enterprise-level controls, management of information security weaknesses, and system-level controls. We are making 27 new recommendations to address urgent vulnerabilities in these areas. The DOT Chief Information Officer will provide a description of the specific actions to be taken to implement these recommendations, along with their milestone dates.

Recommendations

No. 1 to OST (Closed)
Address these policy and procedural weaknesses:
- Develop procedural guidance for the certification and accreditation (C&A) process. In addition, modify existing C&A policy and procedures to address inheritance of common information security controls, and to provide procedural guidance to the modes.
- Correct plan of action and milestones (POA&M) policy to prioritize weaknesses so that high-priority weaknesses are resolved before medium-priority ones, and medium-priority ones before low-priority ones. In addition, develop procedural guidance to ensure consistency of the POA&M process and to facilitate the CIO's oversight and management of weaknesses.
- In conjunction with the modes, develop procedural guidance for tracking and training personnel with significant security responsibilities. This guidance should address maintaining complete inventories of such personnel, and the training needed and provided.
- Enhance high-level policy with procedural guidance to ensure consistency of network accounts and identity management.
- In conjunction with the Assistant Secretary for Administration, complete Department-wide Personal Identity Verification (PIV) operating procedures, including procedures to terminate PIV cards.
- Review and revise all configuration management policy and develop specific details for activities that are common across the Department. As part of this effort, develop procedural guidance that defines requirements for OAs to use when developing configuration management procedures specific to their operations.
- Develop procedural guidance that defines requirements for OAs to use when developing incident handling procedures specific to their operations.
- Enhance policy and procedural guidance to incorporate detailed guidance for managing, monitoring, and reporting Federal Desktop Core Configuration (FDCC) compliance, including the use of Security Content Automation Protocol (SCAP) tools to verify FDCC compliance.
- Once policy adequately addresses contractor oversight per Recommendation 4 of last year's report, develop relevant procedural guidance. This policy should establish the criteria and guidelines for DOT's identification and reporting of contractor systems consistent with OMB requirements.
- Enhance high-level policy with procedural guidance to ensure that remote access and wireless networking are authorized, managed, and monitored in compliance with OMB, NIST, and DOT policies.
No. 2 to OST (Closed)
To the extent that OAs require their own guidance, review that guidance to verify compliance with departmental policies and procedures.
No. 3 to OST (Closed)
Implement a quality assurance process to review OA-specific configuration management procedures to ensure that they adhere to departmental policy and Federal requirements.
No. 4 to OST (Closed)
Implement a process to review the OAs' security configuration management practices and software scanning capabilities. Monitor the OAs' practices to ensure that they adhere to the policy and procedures.
No. 5 to OST (Closed)
Require OST to implement required system patches on its Delphi system.
No. 6 to OST (Closed)
Conduct scanning of all DOT networks to ensure compliance with FDCC requirements. In addition, review the results of modal SCAP compliance scans to identify and resolve incorrect FDCC settings.
No. 7 to OST (Closed)
Require and approve deviation requests for those non-conforming settings that are truly needed and for which the risks have been mitigated and accepted.
No. 8 to OST (Closed)
Conduct periodic tests to assess FDCC compliance and the deployment of patches, including service packs.
No. 9 to OST (Closed)
Analyze the incorrect FDCC configuration settings identified in our testing and, for those that do not have approved deviations, require OAs to create POA&Ms to correct the settings.
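Recommendations 6 through 9 describe one workflow: run SCAP scans, compare the rule results against the approved deviations, and open a POA&M item for every non-conforming setting that has no approved deviation. The script below is an added example written for this page, not code from the OIG report or from DOT. It parses an XCCDF 1.2 TestResult (the result format SCAP scanners emit), treats "error" and "unknown" results as findings rather than silently counting them as compliant, and orders the open items high before medium before low as Recommendation 1 asks. The host name, rule identifiers, scan results and deviation register are all constructed sample data.

```python
"""Reconcile SCAP/XCCDF scan results against approved FDCC deviations.

Added example (not from the OIG report or DOT). Everything below the
namespace constant is constructed sample data: the host, the rule ids,
the results and the deviation register are invented for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# XCCDF 1.2 namespace, used by SCAP 1.2 result documents.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed TestResult for a hypothetical workstation.
SAMPLE_RESULTS = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_gov.dot_testresult_fdcc" end-time="2010-09-30T12:00:00">
  <target>ws-0042.example.dot.gov</target>
  <rule-result idref="xccdf_gov.dot_rule_min_password_length" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_gov.dot_rule_account_lockout_threshold" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_gov.dot_rule_disable_autorun" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_gov.dot_rule_firewall_enabled" severity="high">
    <result>error</result>
  </rule-result>
  <rule-result idref="xccdf_gov.dot_rule_wireless_disabled" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Constructed deviation register: (host, rule id) pairs whose non-conforming
# setting has an approved, risk-accepted deviation (Recommendation 7).
# A host of "*" means the deviation applies department-wide.
APPROVED_DEVIATIONS = {
    ("*", "xccdf_gov.dot_rule_account_lockout_threshold"),
}

# XCCDF results that do not demonstrate compliance. "error" and "unknown"
# mean the checker could not verify the setting, so they stay findings
# instead of being counted as passes.
NONCOMPLIANT = {"fail", "error", "unknown"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    result: str
    has_deviation: bool


def parse_results(xml_text):
    """Return one Finding per non-compliant rule-result in an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    host = root.findtext("x:target", namespaces=XCCDF_NS)
    findings = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", namespaces=XCCDF_NS)
        if result not in NONCOMPLIANT:
            continue
        rule = rr.get("idref")
        deviation = (host, rule) in APPROVED_DEVIATIONS or ("*", rule) in APPROVED_DEVIATIONS
        findings.append(Finding(host, rule, rr.get("severity", "unknown"), result, deviation))
    return findings


def poam_items(findings):
    """Findings without an approved deviation become POA&M items, highest severity first."""
    open_items = [f for f in findings if not f.has_deviation]
    return sorted(open_items, key=lambda f: (SEVERITY_RANK.get(f.severity, 4), f.rule))


if __name__ == "__main__":
    for item in poam_items(parse_results(SAMPLE_RESULTS)):
        print(f"POA&M {item.host} {item.severity:6} {item.result:5} {item.rule}")
```

Feeding real scanner output into this requires only replacing `SAMPLE_RESULTS` with the TestResult element of an ARF or XCCDF result file and loading the deviation register from the department's approved list; the review step of Recommendation 9 is then the list `poam_items` returns.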
No. 10 to OST (Closed)
Implement a practice to review OA-specific incident handling procedures to ensure that they adhere to departmental policy.
No. 11 to OST (Closed)
Implement a process to review reported incidents to ensure timely reporting to US-CERT. In addition, monitor reported incidents to ensure that all required data in the tracking system(s) is up to date, both for incidents sent to US-CERT and for data received back from US-CERT.
No. 12 to OST (Closed)
Review FHWA, FMCSA, FRA, FTA, and RITA automated scans to confirm timely resolution of vulnerabilities. If a deficiency is found, require the OA to take corrective action and to update its plan of action and milestones (POA&M) to address the weakness.
No. 13 to OST (Closed)
Require OAs to reconcile their contractor records with the DOT security department's records and update their records accordingly. Monitor and report to the Deputy Secretary on the Operating Administrations' progress in resolving the discrepancies between their contractor records and those of the DOT security department.
No. 14 to OST (Closed)
Identify and implement automated tools to better track contractors and their training requirements.
No. 15 to MARAD (Closed)
In conjunction with MARAD, create a POA&M for each system that is missing a certification and accreditation. Each POA&M should be properly prioritized to ensure that this critical matter is immediately addressed.
No. 16 to MARAD (Closed)
In conjunction with MARAD, promptly update the Cyber Security Assessment and Management (CSAM) system to reflect its current system inventory and related information (including the status of certification and accreditation).
No. 17 to MARAD (Closed)
Work with MARAD to finalize agreements with C&A service providers to certify MARAD systems.
No. 18 to OST (Closed)
Review the results of OA assessments to determine an accurate inventory of contractor systems.
No. 19 to OST (Closed)
Work with the Department's acquisition personnel to develop common contract language that requires IT contractors to enforce applicable FISMA and OMB requirements. Once this language is approved, review all new planned IT acquisitions, prior to award, to verify that the clause is contained in the statement of work or a comparable document.
No. 20 to OST (Closed)
Research and standardize automated tools that will proactively monitor remote devices connecting to DOT networks.
No. 21 to OST (Closed)
Conduct tests of remote access solutions to ensure that they comply with Federal requirements and DOT guidance.
No. 22 to OST (Closed)
In conjunction with the Assistant Secretary for Administration, develop a Department-wide implementation plan that specifies the resources needed, responsible parties, strategies for risk mitigation, etc., to ensure that all employees and contractors receive PIV cards by December 31, 2010.
No. 23 to OST (Closed)
Implement the use of PIV cards as the primary authentication mechanism to support multi-factor authentication at the system and application level for all DOT employees and contractors.
No. 24 to OST (Closed)
Perform periodic reviews of active user accounts and network devices to identify accounts that need to be disabled.
No. 25 to OST (Closed)
Work with OAs to identify and logically segregate user accounts and service (role) accounts.
No. 26 to OST (Closed)
Work with OAs to implement automated mechanisms to disable inactive accounts, as specified by DOT policies, and to audit account creation, modification, disabling, and termination actions.
No. 27 to OST (Closed)
Educate and assist OAs in implementing dual accounts for administrators. Subsequently, conduct reviews to determine that all DOT general support systems (GSSs) use these accounts.
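Recommendations 24 through 27 together describe an account review: find user accounts that have gone inactive, keep service accounts logically apart so they are not swept up in that rule, verify that administrators hold a separate privileged account rather than doing everyday work with one, and record each action so it can be audited. The script below is an added example written for this page, not code from the OIG report or DOT, and it runs over a constructed account inventory rather than a live directory. The 90-day inactivity limit and the "-adm" naming convention for the privileged half of a dual account are assumptions; DOT policy, not this example, sets the real values.

```python
"""Periodic account review over a constructed account inventory.

Added example (not from the OIG report or DOT). The inventory, the
90-day limit and the "-adm" convention are assumptions made here.
"""
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy threshold
ADMIN_SUFFIX = "-adm"                   # assumed naming convention for privileged accounts
REVIEW_DATE = datetime(2010, 9, 30)     # constructed review date

# Constructed inventory. "kind" separates user accounts from service (role)
# accounts; "privileged" marks administrative rights; last_logon None means
# the account has never been used.
ACCOUNTS = [
    {"name": "jsmith", "kind": "user", "last_logon": datetime(2010, 9, 28), "privileged": False},
    {"name": "jsmith-adm", "kind": "user", "last_logon": datetime(2010, 9, 29), "privileged": True},
    {"name": "rlee", "kind": "user", "last_logon": datetime(2010, 5, 1), "privileged": True},
    {"name": "tnguyen", "kind": "user", "last_logon": None, "privileged": False},
    {"name": "svc_backup", "kind": "service", "last_logon": datetime(2010, 1, 15), "privileged": True},
]


def is_inactive(acct, now=REVIEW_DATE):
    """User accounts unused for longer than the limit, or never used, are inactive.

    Service accounts are excluded: they are reviewed as a separate population
    (Recommendation 25) because a backup job may legitimately log on rarely.
    """
    if acct["kind"] != "user":
        return False
    last = acct["last_logon"]
    return last is None or now - last > INACTIVITY_LIMIT


def inactive_user_accounts(accounts, now=REVIEW_DATE):
    return sorted(a["name"] for a in accounts if is_inactive(a, now))


def service_accounts(accounts):
    """The service (role) population, kept logically apart from user accounts."""
    return sorted(a["name"] for a in accounts if a["kind"] == "service")


def admins_without_dual_accounts(accounts):
    """Privileged user accounts not paired with a non-privileged everyday account.

    An account is paired when it carries ADMIN_SUFFIX and the name without the
    suffix exists as a non-privileged user account.
    """
    by_name = {a["name"]: a for a in accounts}
    offenders = []
    for a in accounts:
        if a["kind"] != "user" or not a["privileged"]:
            continue
        if a["name"].endswith(ADMIN_SUFFIX):
            everyday = by_name.get(a["name"][: -len(ADMIN_SUFFIX)])
            if everyday and everyday["kind"] == "user" and not everyday["privileged"]:
                continue
        offenders.append(a["name"])
    return sorted(offenders)


def review(accounts, now=REVIEW_DATE, actor="ost-account-review"):
    """Return one audit record per disable action (Recommendation 26).

    The inventory is not modified here; the caller applies the disables and
    keeps the returned records as the audit trail.
    """
    log = []
    for a in accounts:
        if is_inactive(a, now):
            log.append({
                "time": now.isoformat(),
                "actor": actor,
                "action": "disable",
                "account": a["name"],
                "reason": f"no logon in {INACTIVITY_LIMIT.days} days",
            })
    return log


if __name__ == "__main__":
    for record in review(ACCOUNTS):
        print(record)
    print("admins needing a dual account:", admins_without_dual_accounts(ACCOUNTS))
    print("service accounts reviewed separately:", service_accounts(ACCOUNTS))
```

Against a real directory the inventory would come from the identity store's last-logon attribute, and the audit records would be written to the same log that captures creation, modification and termination events, so that a later review can show who disabled what and why.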