The Office of Management and Budget (OMB) requires Federal agencies to implement Information Security Continuous Monitoring (ISCM), which entails the near real-time detection of cybersecurity risks, threats, and malicious activity. ISCM enables agencies to more effectively address evolving, frequent, and increasingly aggressive cybersecurity attempts to compromise Federal information systems. A large number of systems at the Department of Transportation (DOT) contain sensitive data that require protection; accordingly, we initiated this audit. Our audit objectives were to assess (1) how DOT’s ISCM program conforms to OMB and National Institute of Standards and Technology requirements and (2) the status and progress of DOT’s implementation of its ISCM program. This review also supports our annual audit mandated by the Federal Information Security Modernization Act.
What We Found
DOT’s program lacks a procedure for verifying Federal Aviation Administration (FAA) performance data reported to OMB. While DOT has met the requirement to submit quarterly reports, we identified significant errors in one submission. The Department also lacks adequate procedures for providing accurate submissions to OMB. In addition, FAA has not yet completed phase 1 of the Continuous Diagnostics and Mitigation Program, which targets the management of cybersecurity assets and activities. Finally, FAA does not have procedures for reporting on or validating its Cross Agency Priority goal data and cannot be certain those data are accurate.
DOT concurred with our three recommendations to improve its ISCM program.
No. 1 to OST
To improve DOT's information security continuous monitoring program, the DOT Chief Information Officer needs to update the Department's Federal Information Security Modernization Act standard operating procedures to include steps for verifying the accuracy and completeness of the Federal Aviation Administration's (FAA) Cross-Agency Priority (CAP) goal metrics.
No. 2 to FAA
To improve the accuracy and completeness of the data FAA uses to report on its CAP goal metrics, the Federal Aviation Administrator needs to implement procedures that: define the requirements for selecting the operating systems to be monitored; establish criteria for determining which tools should be used to collect data for the CAP goal metrics; and verify the accuracy and completeness of the CAP goal metrics.
Closed on 11.01.2021
No. 3 to FAA
To improve the accuracy and completeness of the data FAA uses to report on its CAP goal metrics, the Federal Aviation Administrator needs to develop and implement controls for verifying, validating, and retaining the data used to report on CAP performance-based goal metrics.