Audit Reports


FISMA: 2013 DOT Has Made Progress, But Its Systems Remain Vulnerable To Significant Security Threats

Required by the Federal Information Security Management Act of 2002
Project ID: FI2014006

On November 22, 2013, we issued our report that presents the results of our annual audit of the DOT’s information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices. Also, as required by OMB, we provided our results to OMB via its Website. DOT has made some progress in its information security program, but its systems remain vulnerable to significant security threats due to deficiencies in policies and procedures, enterprise-level controls, system controls, and management of known security weaknesses. We are making new recommendations to address these matters.

Recommendations

No. 1 to OST

Obtain and review specialized training statistics and verify, as part of the compliance review process, that all employees with significant security responsibilities have completed the number of training hours required by policy. Report results to management and obtain evidence of corrective actions.

Closed on 02.11.2016

No. 2 to OST

Increase oversight of OA's processes for configuration management and verify that mitigating activities are initiated, executed, and completed in accordance with DOT policy and NIST guidance. Report exceptions to OA management.

Closed on 06.19.2015

No. 3 to OST

In conjunction with FAA's CIO, institute periodic scanning for USGCB and baseline compliance for the FAA LANs to include analysis of results to remediate deficiencies. Create a POA&M to track progress and verify completion of the action.

No. 4 to OST

Obtain and review plans from FMCSA, MARAD, OST, and RITA to authorize systems with expired accreditations. Perform security reviews of unauthorized systems to determine if the enterprise is exposed to unacceptable risk.

Closed on 02.11.2016

No. 5 to OST

Obtain a schedule and action plan from Operating Administrations to enhance and develop their internal procedures for continuous monitoring in accordance with NIST guidance. Report to OA management any delays in completing the procedural guidance.

Closed on 02.11.2016

No. 6 to OST

Review systems to determine which ones are contractor operated and update CSAM accordingly. As part of the compliance review process, review new systems to determine if they are contractor operated.

No. 7 to OST

Obtain a schedule and action plan for OAs to develop procedures for comprehensive cloud computing agreements to include security controls roles and responsibilities. Report to OA management any delays in completing the procedures.

No. 8 to OST

Obtain and review existing cloud computing agreements to assess compliance with agency policy, including security requirements. Report exceptions to OA management.