Audit Reports


DOT Has Made Progress but Significant Weaknesses in Its Information Security Remain

Required by the Federal Information Security Management Act of 2002
Project ID: FI2015009

This report presents the results of our annual audit of DOT’s information security program and practices, as required by the Federal Information Security Management Act of 2002 (FISMA). Consistent with FISMA and the Office of Management and Budget’s (OMB) requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices. We provided these results to OMB via its website. DOT made additional improvements to its program, but the Department’s systems are still vulnerable to serious threats due to deficiencies in policies and procedures, enterprise-level controls, system controls, and management of known security weaknesses. We made recommendations to address these issues.

Recommendations

Closed on 02.11.2016
No. 1 to OST

Revise the Department's AECM policy to develop procedural requirements that document activities components must complete to report and mitigate deficiencies identified through continuous monitoring.

Closed on 02.11.2016
No. 2 to OST

Implement the revised AECM policy and procedural guidance, and work with components to establish planned action dates to mitigate deficiencies in their ISCM reporting and in addressing security weaknesses.

Closed on 02.11.2016
No. 3 to OST

Establish an enterprise-wide strategy that DOT components must adhere to in implementing and monitoring Information Security Continuous Monitoring for Continuous Diagnostics and Mitigation requirements as outlined in OMB policy and NIST guidance.

Closed on 02.11.2016
No. 4 to OST

Revise the Department's policy to address the mandatory use of a toolset and requisite processes to perform the Information Security Continuous Monitoring tasks outlined by OMB.

Closed on 08.17.2018
No. 5 to OST

Start planning and assessing impact of the security requirements that will be affected by NIST SP 800-53 revision 4 and NIST SP 800-53A revision 4.

Closed on 02.11.2016
No. 6 to OST

Revise DOT Cybersecurity policy and guidance to incorporate new or updated security requirements defined by NIST SP 800-53 revision 4 and NIST SP 800-53A revision 4.

Closed on 02.11.2016
No. 7 to OST

Work with components to develop a plan to address NIST 800-53 revision 4 requirements for their systems. Create a POA&M with a planned completion date to monitor and track progress.

No. 8 to OST

Work with the components to develop a plan to complete annual SAT training within plan milestones and improve tracking. Assess training periodically to determine if the component will meet its SAT training plan.

Closed on 10.06.2015
No. 9 to FAA

Work with FAA to ensure automated scripts are properly configured to disable inactive user accounts in a timely manner. Create a POA&M with a planned completion date to monitor and track progress.

Closed on 09.28.2018
No. 10 to OST

Work with the CSMC and individual components (including COE) to develop service level agreements needed to define responsibilities between CSMC and the components. These agreements should include a detailed description of services between parties, and at a minimum contain: CSMC and component responsibilities, frequency of periodic scans of DOT networks; access privileges to networks, devices, and monitoring tools; hardware and software asset discovery and on-going management requirements; vulnerability scanning.

Closed on 02.11.2016
No. 11 to OST

Revise DOT policy to provide specific guidance for what data, format of data, and how often components should report system security status to the Authorizing Official throughout the continuous monitoring process.

Closed on 02.11.2016
No. 12 to FAA

Work with FAA to revise their plan to effectively transition the remaining 32,266 users to require unprivileged PIV login. Create a POA&M with a planned completion date to monitor and track progress.

Closed on 10.06.2015
No. 13 to OST

Develop a plan to periodically review waived accounts to determine if they should be transitioned to PIV required status. Create a POA&M with a planned completion date to monitor and track progress.

Closed on 10.06.2015
No. 14 to OST

Work with components to revise their plans to effectively transition the remaining users to require privileged PIV login. Create a POA&M with a planned completion date to monitor and track progress.

No. 15 to OST

Work with components to develop or revise their plans to effectively transition the remaining information systems to required PIV login. Create a POA&M with planned completion dates to monitor and track progress.

No. 16 to OST

Work with the Director of DOT Security to develop or revise their plan to effectively transition the remaining facilities to required PIV cards.