FISMA 2017: DOT’s Information Security Posture Is Still Not Effective
What We Looked At
The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the review results to the Office of Management and Budget (OMB). DOT’s operations rely on 464 information technology systems, which represent an annual investment of approximately $3.5 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
In all five function areas, we found DOT to be at the Defined maturity level—the second lowest tier of the maturity model for information security—because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, these policies and procedures are not consistently implemented throughout DOT.
Identify controls include risk management, weakness remediation, and security authorization. Protect controls include configuration management, identity and access management, and security training. Detect controls are used to identify cybersecurity incidents as part of information security continuous monitoring (ISCM). Respond controls cover incident handling and reporting. Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents. DOT’s Identify, Protect, Detect, Respond, and Recover controls are currently inadequate.
We made eight recommendations to help the Department address the challenges in developing a mature and effective information security program. DOT concurred with six of our recommendations, partially concurred with one, and did not concur with one.