Audit Reports

Revise the Department's AECM policy to develop procedural requirements that document activities components must complete to report and mitigate deficiencies identified through continuous monitoring.

Implement the revised AECM policy and procedural guidance and provide and work with components to establish planned action dates to mitigate deficiencies in their ISCM reporting and addressing security weaknesses.

Establish an enterprise-wide strategy that DOT components must adhere to implement and monitor Information Security Continuous Monitoring for Continuous Diagnostics and Mitigation requirements as outlined in OMB policy and NIST guidance.

Revise the Department's policy to address the mandatory use of a toolset and requisite processes to perform the Information Security Continuous Monitoring tasks outlined by OMB.

Start planning and assessing impact of the security requirements that will be affected by NIST SP 800-53 revision 4 and NIST SP 800-53A revision 4.

Revise DOT Cybersecurity policy and guidance to incorporate new or updated security requirements defined by NIST SP 800-53 revision 4 and NIST SP 800-53A revision 4.

Work with components to develop a plan to address NIST 800-53 revision 4 requirements for their systems. Create a POA&M with planned completion date to monitor and track progress.

Work with the components to develop a plan to complete annual SAT training within plan milestones and improve tracking. Assess training periodically to determine if the component will meet SAT training plan.

Work with FAA to ensure automated scripts are properly configured to disable inactive user accounts in a timely manner.  Create a POA&M with a planned completion date to monitor and track progress.

Work with the CSMC and individual components (including COE) to develop service level agreements needed to define responsibilities between CSMC and the components. These agreements should include a detailed description of services between parties, and at a minimum contain: CSMC and component responsibilities, frequency of periodic scans of DOT networks; access privileges to networks, devices, and monitoring tools; hardware and software asset discovery and on-going management requirements; vulnerability scanning.

Revise DOT policy to provide specific guidance for what data, format of data, and how often components should report system security status to the Authorizing Official throughout the continuous monitoring process.

Work with FAA to revise their plan to effectively transition the remaining 32,266 users to require unprivileged PIV login.  Create a POA&M with a planned completion date to monitor and track progress.

Develop a plan to periodically review waived accounts to determine if they should be transitioned to PIV required status.  Create a POA&M with a planned completion date to monitor and track progress.

Work with components to revise their plans to effectively transition the remaining users to require privileged PIV login.  Create a POA&M with a planned completion date to monitor and track progress.

Work with components to develop or revise their plans to effectively transition the remaining information systems to required PIV login. Create a POA&M with planned completion dates to monitor and track progress.

Work with the Director of DOT Security to develop or revise their plan to effectively transition the remaining facilities to required PIV cards.