Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

Requested By: Required by the Federal Information Security Modernization Act of 2014
What We Looked At
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget. To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2018 FISMA review. We contracted with Williams Adley & Company DC LLP (Williams Adley), an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
We performed a quality control review (QCR) of Williams Adley’s report and related documentation. Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.
STB concurs with Williams Adley’s seven recommendations.
No. 1 to STB
Fully develop and implement a risk management strategy and the supporting procedures for maintaining an accurate system inventory.
No. 2 to STB
Develop a configuration management plan with supporting policies and procedures and ensure that the existing Change Management Charter aligns with the plan.
No. 3 to STB
Develop an ICAM strategy to guide its ICAM process and activities, and modify existing identity and access management policies and procedures to adequately address: a. Processes to request, modify, and revoke privileged and non-privileged access; and b. Processes to ensure separation of duties within the organization.
No. 4 to STB
Fully implement the use of PIV cards for personnel to access STB’s facilities.
No. 5 to STB
Develop a privacy program, including related plans, policies, and procedures, for the protection of personally identifiable information that is collected, used, maintained, shared, and disposed of by STB’s information systems. Furthermore, identify roles and responsibilities for data exfiltration exercises.
No. 6 to STB
Develop an Incident Response plan in accordance with NIST 800-61, rev. 2.
No. 7 to STB
Modify incident response policies and procedures to incorporate the most recent incident attack vectors taxonomy in accordance with US-CERT.