Report Required by Cybersecurity Act of 2015
In December 2015, President Obama signed into law the Cybersecurity Act of 2015. Section 406—Federal Computer Security—of the act requires that by August 14, 2016, inspectors general submit reports to Congress that contain information on their agencies’ systems covered by the act—national security systems (NSS) and Federal computer systems that provide access to personally identifiable information. A national security system is one whose operation involves intelligence activities; cryptologic activities related to national security; command and control of military forces; equipment integral to a weapon or weapon system; or is critical to military or intelligence missions.
As required by the act, we conducted this audit to identify DOT’s (1) access controls, and (2) other information security management practices to safeguard information stored in DOT’s systems covered by the Cybersecurity Act of 2015.
DOT has policies and practices for logical access and multifactor user identity authentication for most covered systems. The Department also has procedures for multifactor authentication of privileged users’ identities, but has not implemented them for many covered systems. Lastly, the Department does not have policies and practices for logical access to its NSS and does not use multifactor authentication for this system. According to OCIO officials, the Department has not completed its implementation of multifactor user identity authentication due in part to unclear guidance and a lack of resources.
DOT does not have adequate safeguards for much of the information stored in its covered systems because it has either not established or not implemented the following requirements or best practices: (1) policies and procedures for conducting inventories of software and associated licenses; (2) capabilities for data-loss prevention; (3) forensics and visibility capabilities sufficient to identify PII and monitor its movements; and (4) digital rights management capabilities. Furthermore, the Department has acquired digital rights capabilities, but has not implemented them for any sampled system. OCIO officials informed us that the Department has not implemented these capabilities due to a lack of resources.