DOT Continues to Make Progress, but the Department’s Information Security Posture Is Still Not Effective
This report presents the results of our annual audit, required by the Federal Information Security Management Act of 2002 (FISMA), as amended, of DOT's information security program and practices. Consistent with FISMA and the Office of Management and Budget's (OMB) requirements, our audit objective was to determine the effectiveness of DOT's information security program. While the department continues to make improvements, its cybersecurity program remains ineffective. In the five function areas defined by OMB, DOT achieved low maturity levels because of deficiencies in its security authorization; risk management and weakness monitoring; user identity and access management; security training; information security continuous monitoring; incident handling and reporting; and contingency planning and testing. OMB requires agencies to achieve maturity levels of medium-high for their programs to be considered effective. We made recommendations to address these issues.