Audit Reports

FISMA 2011: Persistent Weaknesses in DOT's Controls Challenge the Protection and Security of its Information Systems

Project ID
FI2012007
On November 14, 2011, we issued a report on the results of our annual audit of DOT’s information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our overall objective was to determine the effectiveness of DOT’s information security program and practices. We found that since our last report, DOT has made some improvements in its cyber security. For example, it developed comprehensive cyber security policy for the entire Department, except for the Office of the Secretary, and reported all major security incidents to the Department of Homeland Security. However, the Department has not yet corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions. We are making new recommendations to address these vulnerabilities. DOT's Chief Information Officer will provide a description, along with milestone dates, of the specific actions to implement these recommendations.

Recommendations

No. 1a to OST
Issue information security policy for OST.
No. 1b to OST
Enhance existing policy to address security awareness training for non-computer users, address security costs as part of capital planning, and correct the definition of "government system."
No. 1c to OST
In conjunction with the OA CIOs, execute a strategy to ensure that sufficient procedural guidance exists for DOT and the Components.
No. 2 to OST
In conjunction with OA CIOs, establish incident monitoring and detection capabilities that include all of the Department's systems and facilitate central, real-time reporting.
No. 3 to OST
In conjunction with OA CIOs, create, complete or test contingency plans for deficient systems.
No. 4 to OST
In conjunction with OA CIOs, verify that backup media are properly secured and regularly tested.
No. 5 to OST
In conjunction with OA CIOs, verify that minimum security controls are adequately tested for deficient systems.