August 7, 2017
Cybersecurity Planning Weaknesses May Hinder the Efficient Use of Future Resources
In its fiscal year 2011 budget request, DOT’s Office of the Chief Information Officer (OCIO) requested $30 million to close the Department’s most serious cybersecurity gaps. From fiscal year 2012 through fiscal year 2015, Congress appropriated almost $29 million for DOT’s cybersecurity initiatives. Persistent weaknesses—such as those described in our 2015 review required by the Federal Information Security Management Act of 2002 (FISMA)—underscore the importance of the Department making the fullest possible use of available funds to secure its systems. Because OCIO has made large investments in cybersecurity over recent years, we conducted this audit. Our objectives were to determine whether OCIO (1) expended the appropriated funds to support cybersecurity initiatives, and (2) adequately planned for its cybersecurity funding needs.
We found no instances in which OCIO expended its appropriated $29 million on non-cybersecurity initiatives. At the time of our review, OCIO had expended approximately $23.4 million of the $29 million. We sampled 61 of 181 transactions totaling $18.26 million of the $23.4 million, and all sampled transactions supported cybersecurity initiatives. However, OCIO did not consistently apply billing procedures when expending funds through its Working Capital Fund (WCF). We found that $285,352 of the $3.73 million in cybersecurity funds expended through the WCF paid for services outside of the period of performance and scope of work outlined in OCIO’s cybersecurity intra-agency agreements. Such errors make it difficult for OCIO to ensure that WCF customers are accurately and consistently charged for the services described in their customer agreements.
OCIO did not adequately plan for its cybersecurity funding needs, nor did it maintain adequate documentation to justify the cost estimates for the amount of cybersecurity funds requested in budget years 2014 and 2015. OCIO also did not always follow Office of Management and Budget or its own acquisition planning guidance for three information technology (IT) projects that accounted for about $20 million (68 percent) of the $29 million appropriated. As a result, we could not assess the reasonableness of OCIO’s IT costs. Lastly, while it developed strategic plans for long-term cybersecurity goals, OCIO did not develop tactical plans to prioritize which IT projects to invest in, raising questions about whether the Agency effectively planned its near-term funding needs. This lack of sound planning and internal controls puts OCIO at risk of being unable to efficiently address DOT’s most serious cybersecurity gaps.
We made five recommendations to help OCIO improve its cybersecurity funding planning; OCIO concurred with three of them and non-concurred with two.