Audit Reports


Security Weaknesses in DOT's Common Operating Environment Expose Its Systems and Data to Compromise

Self-Initiated
Project ID: FI2013123

On September 10, 2013, we issued our self-initiated report on the Department of Transportation (DOT) Common Operating Environment (COE) information security controls. The COE provides Operating Administrations (OAs) at the Department's Headquarters in Washington, DC, with IT services, such as data storage, email and web application access, and database services. The COE also provides a centralized environment for applications that OAs use in support of their operations.

The objective of this audit was to determine the effectiveness of COE's information security controls, including whether or not DOT COE is as safe from compromise as possible and what, if any, security vulnerabilities the COE contains. Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY. The redacted version is posted to our website.

Recommendations


No. 1 to OST (Sensitive) - Closed on 04.17.2014

Sensitive information redacted

No. 2 to OST - Closed on 02.05.2015

Monitor OAs' periodic exercises that test COE users' knowledge of security requirements when accessing email on the Government network.

No. 3 to OST - Closed on 09.28.2018

Use automated tools, such as vulnerability scanners or Web application scanners, to monitor applications residing in the COE on a constant basis, and require each OA to mitigate vulnerabilities in its systems or remove the systems from the network.

No. 4 to OST - Closed on 09.07.2016

Develop and maintain a complete inventory (current registry) of authorized network devices (including wireless) accessible to staff who monitor departmental networks.

No. 5 to OST - Closed on 09.07.2016

Ensure the system owners perform regular vulnerability assessments and scans of all internal systems to identify known vulnerabilities and common misconfigurations, and establish a practice to ensure that OAs and OCIO are collaborating and agreeing on remediation plans.

No. 6 to OST - Closed on 05.01.2014

Perform annual penetration testing of the COE as required by DOT policy.