
FISMA 2011: Persistent Weaknesses in DOT's Controls Challenge the Protection and Security of its Information Systems

Project ID: FI2012007

On November 14, 2011, we issued a report on the results of our annual audit of DOT's information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and OMB requirements, our overall objective was to determine the effectiveness of DOT's information security program and practices. We found that since our last report, DOT has made some improvements in its cybersecurity. For example, it developed a comprehensive cybersecurity policy for the entire Department, except for the Office of the Secretary, and reported all major security incidents to the Department of Homeland Security. However, the Department has not yet corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions. We are making new recommendations to address these vulnerabilities. DOT's Chief Information Officer will provide a description, along with milestone dates, of the specific actions to implement these recommendations.

Recommendations

Closed on 02.06.2012
No. 1a to OST

Issue information security policy for OST.

No. 1b to OST

Enhance existing policy to address security awareness training for non-computer users, address security costs as part of capital planning, and correct the definition of "government system."

Closed on 02.11.2016
No. 1c to OST

In conjunction with the OA CIOs, execute a strategy to ensure that sufficient procedural guidance exists for DOT and the Components.

Closed on 10.06.2015
No. 2 to OST

In conjunction with OA CIOs, establish incident monitoring and detection capabilities that include all of the Department's systems and facilitate central and real-time reporting.

Closed on 08.10.2022
No. 3 to OST

In conjunction with OA CIOs, create, complete or test contingency plans for deficient systems.

Closed on 10.02.2012
No. 4 to OST

In conjunction with OA CIOs, verify that backup media are properly secured and regularly tested.

Closed on 02.11.2016
No. 5 to OST

In conjunction with OA CIOs, verify that minimum security controls are adequately tested for deficient systems.