DOT Cybersecurity Incident Handling Is Ineffective and Incomplete
An effective response to cyber incidents minimizes disruptions to information systems and data losses. We conducted this audit because of DOT’s large number of information systems that contain sensitive data as well as the high number of cybersecurity incidents that the Department reports annually—2,200 in 2014 alone. Our audit objective was to determine whether DOT has effective cybersecurity monitoring in place for its networks and information systems. Specifically, we assessed DOT’s policies and procedures for (1) monitoring, detecting, and eradicating cyber incidents, and (2) reporting incidents and their resolutions to appropriate authorities.
DOT’s Office of Chief Information Officer (OCIO) has not ensured that the Department’s Security Operations Center (Center) has access to all departmental systems or required the Center to consider incident risk, thus limiting the Center’s ability to effectively monitor, detect, and eradicate cyber incidents. Federal law requires agency heads to ensure that information systems are secure and to delegate to chief information officers the authority to ensure Federal compliance. However, without OCIO’s approval, the Federal Aviation Administration (FAA) conducts its own monitoring of the national airspace system (NAS) through its Cyber Operations Center (NCO), and this monitoring is incomplete. FAA officials have initiated NCO’s monitoring of only 11 of 39 NAS systems that need monitoring. OCIO also has not ensured that the OCIO’s lack of enforcement of DOT’s cybersecurity policies, coupled with the weaknesses in FAA’s monitoring, puts the Department’s information systems at risk for compromise.
Because OCIO does not ensure that the OAs provide the Center complete system access, the Center’s reports to the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) are incomplete. Federal guidelines require departmental points of contact, such as the Center, to report each incident to US-CERT in a timely manner. FAA’s policy calls for reporting to the Center, but FAA officials stated that during our review period, the Agency did not identify any incidents to report. However, we found incidents in the NAS’s systems that FAA should have reported, including a September 2014 fire at the Chicago air route traffic control center that affected NAS systems and flight operations. Lastly, the Center cannot report to US-CERT on departmental cloud systems because it does not monitor them. The Center’s inability to monitor all departmental networks and devices increases the likelihood that security incidents will not be reported and mitigated. Incomplete reporting from agencies undermines US-CERT’s and law enforcement’s efforts to address serious incidents.
We made four recommendations. The Department concurred with three as written and provided alternative actions for the fourth that meet the intent of the recommendation.
This report was marked For Official Use Only to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Accordingly, a redacted version of the report is posted to our Web site.