Audit Reports

-A A +A
skip-to-content
January 24, 2018

FISMA 2017: DOT’s Information Security Posture Is Still Not Effective

Required by the Federal Information Security and Management Act of 2002
Project ID: 
FI2018017
View PDF Document

What We Looked At
The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the review results to the Office of Management and Budget (OMB). DOT’s operations rely on 464 information technology systems, which represent an annual investment of approximately $3.5 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.

What We Found
In all five function areas, we found DOT to be at the Defined maturity level—the second lowest tier of the maturity model for information security—because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, these policies and procedures are not consistently implemented throughout DOT.

Identify controls include risk management, weakness remediation, and security authorization. Protect controls include configuration management, identity and access management, and security training. Detect controls are used to identify cybersecurity incidents as part of information security continuous monitoring (ISCM). Respond controls cover incident handling and reporting. Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents. DOT’s Identify, Protect, Detect, Respond, and Recover controls are currently inadequate.

Our Recommendations
We made eight recommendations to help the Department address the challenges in developing a mature and effective information security program. DOT concurred with six of our recommendations, partially concurred with one, and non-concurred with one.

Recommendations

Open

Closed

Closed on 09.04.2020
No. 1 to OST

Require MARAD, NHTSA, OST, and SLSDC to develop and disseminate policies and procedures for their risk management programs that include the appropriate elements such as criteria for making risk based decisions.

Closed on 08.13.2020
No. 2 to OST

Implement controls to verify that information on threat activity has been communicated to senior agency officials and require retention of supporting documentation.

No. 3 to OST

For the COE and FAA, update procedures and practices for monitoring and authorizing common security controls to (a) require supporting documentation for controls continual assessments, (b) complete reauthorization assessments for the controls, (c) finalize guidance for customers' use of controls, and (d) establish communication protocols between authorizing officials and common control providers regarding control status and risks.

Closed on 08.10.2022
No. 4 to FAA

Verify that FAA’s criteria regarding designation and definition of contractor systems conforms to DOT guidance, and that systems are correctly classified.

No. 5 to OST

Implement controls to continuously monitor and work with components to ensure network administrators are informed and action is taken to disable system accounts when users no longer require access or have been inactive beyond established thresholds.

Closed on 08.10.2022
No. 6 to OST

Complete PIV enablement and requirements for remaining information systems, except those that are subject to exclusions that are documented and approved.

Closed on 08.10.2022
No. 7 to OST

Take action to fully implement mandatory use of PIV cards for VDI access.

No. 8 to OST

Implement processes verifying that personnel performing certain security related roles receive specialized training needed to meet OCIO guidance.