FISMA 2011: Persistent Weaknesses in DOT's Controls Challenge the Protection and Security of its Information Systems
On November 14, 2011, we issued a report on the results of our annual audit of DOT's information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our overall objective was to determine the effectiveness of DOT's information security program and practices. We found that since our last report, DOT has made some improvements in its cyber security. For example, it developed comprehensive cyber security policy for the entire Department, except for the Office of the Secretary, and reported all major security incidents to the Department of Homeland Security. However, the Department has not yet corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions. We are making new recommendations to address these vulnerabilities. DOT's Chief Information Officer will provide a description, along with milestone dates, of the specific actions to implement these recommendations.