In its fiscal year 2011 budget request, DOT’s Office of the Chief Information Officer (OCIO) requested $30 million to close the Department’s most serious cybersecurity gaps. From fiscal year 2012 through fiscal year 2015, Congress appropriated almost $29 million for DOT’s cybersecurity initiatives. Persistent weaknesses, such as those described in our 2015 review required by the Federal Information Security Management Act of 2002 (FISMA), underscore the importance of the Department’s using available funds to the fullest extent possible to secure its systems. We conducted this audit because of the large investments OCIO has made in cybersecurity over recent years. Our objectives were to determine whether OCIO (1) expended the appropriated funds to support cybersecurity initiatives, and (2) adequately planned for its cybersecurity funding needs.
We found no instances in which OCIO expended its appropriated $29 million on non-cybersecurity initiatives. At the time of our review, OCIO had expended approximately $23.4 million of the $29 million. We sampled 61 of 181 transactions, totaling $18.26 million of the $23.4 million, and all sampled transactions supported cybersecurity initiatives. However, OCIO did not consistently apply billing procedures when expending funds through its Working Capital Fund (WCF). We found that $285,352 of the $3.73 million in cybersecurity funds expended through the WCF paid for services outside the period of performance and scope of work outlined in OCIO’s cybersecurity intra-agency agreements. Such errors make it difficult for OCIO to ensure that WCF customers are accurately and consistently charged for the services described in their customer agreements.
OCIO did not adequately plan for its cybersecurity funding needs, nor did it maintain adequate documentation to justify the cost estimates behind the amount of cybersecurity funds requested in budget years 2014 and 2015. OCIO also did not always follow Office of Management and Budget (OMB) guidance or its own acquisition planning guidance for three information technology (IT) projects that accounted for about $20 million (68 percent) of the $29 million appropriated. As a result, we could not assess the reasonableness of OCIO’s IT costs. Lastly, while it developed strategic plans for long-term cybersecurity goals, OCIO did not develop tactical plans to prioritize which IT projects to invest in, raising questions about whether the Agency effectively planned for near-term funding needs. This lack of sound planning and internal controls puts OCIO at risk of being unable to efficiently address DOT’s most serious cybersecurity gaps.
We made five recommendations to help OCIO improve its cybersecurity funding planning. OCIO concurred with three of them and did not concur with the other two.
No. 1 to OST (Closed on 01.17.2020)
Update OCIO-WCF billing procedures to ensure billings are accurately and consistently applied to intra-agency agreements for products and services, within specified scopes of work and periods of performance.
No. 2 to OST (Closed on 06.01.2021)
Document OCIO’s process for preparing cost estimates that support its cybersecurity budget request and for maintaining support documentation justifying the basis of estimates.
No. 3 to OST
Implement the DOT Enterprise Program Management Review Framework and procedures for maintaining support documentation that complies with OMB design and planning requirements to justify its IT investments, including the Virtual Desktop Infrastructure and the Continuous Monitoring Software, and require the use of planning tools such as cost-benefit analyses to monitor cost, schedule, and performance goals.
No. 4 to OST (Closed on 03.11.2020)
Develop and manage a business case consistent with OMB guidance for cybersecurity investments, and ensure that the Continuous Diagnostic and Mitigation program is incorporated into that investment for reporting of costs and other criteria as required by OMB.
No. 5 to OST
Develop and implement a process specifying how OCIO prioritizes its cybersecurity IT investments, and follow through on its plan to develop separate plans that identify which cybersecurity projects it will focus on to address near-term threats, important tactical cybersecurity goals, and remediation challenges.