The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the review results to the Office of Management and Budget (OMB). DOT’s operations rely on 471 information technology systems, which represent an annual investment of approximately $3.6 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices in five cyber function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
In all five function areas, DOT is at the Defined maturity level—the second lowest level of maturity in the model for information security—because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, DOT still has policy gaps. We found a number of instances in which implementation of processes did not conform to policy.
DOT’s Identify, Protect, Detect, Respond, and Recover controls are currently inadequate. Identify controls include risk management, weakness remediation, and security authorization. Protect controls cover configuration management, identity and access management, data protection and privacy, and security training. Detect controls identify cybersecurity incidents as part of information security continuous monitoring (ISCM). Respond controls cover incident handling and reporting, and Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents.
We made 12 recommendations to help the Department address challenges in its development of a mature and effective information security program. DOT concurred with all 12 of our recommendations.
No. 1 to OST
Develop policy and procedures to verify and validate the accuracy and completeness of the Department's key FISMA information repository and tool, currently the Cyber Security Assessment and Management tool (CSAM).
No. 2 to OST
Direct OCIO to follow policy and conduct annual cybersecurity performance analysis reviews of OAs' cybersecurity programs, and submit reports to OAs with recommendations to address cybersecurity weaknesses.
No. 3 to OST
Develop a process and policy, where applicable, to ensure the Department develops and maintains a comprehensive and accurate inventory of cloud systems, contractor systems, and websites that the public can access.
No. 4 to OST
Direct OST to prioritize and resolve COE security weaknesses identified by assessors, and develop POA&Ms that realistically reflect resources and timeframes for completion of these actions.
No. 5 to OST
Direct OST to establish MOUs that delineate the responsibilities for COE common controls with each of the following OAs: FHWA, FMCSA, FRA, FTA, OIG, MARAD, SLSDC, and NHTSA.
No. 6 to OST
Direct OAs (FAA, FHWA, FMCSA, FRA, FTA, OST, PHMSA, MARAD, and NHTSA) with weaknesses in data protection and privacy to update the status and develop POA&Ms to address the weaknesses.
No. 7 to OST
Update specialized training guidance in DOT Cybersecurity Action Memos policy and DOT Cybersecurity Compendium policy to clearly define requirements.
No. 8 to OST
Enhance security awareness training policy to define processes to tailor this training to DOT's unique environment and use feedback to enhance its program.
No. 9 to OST
Develop and define a taxonomy that describes the content of the hardware and software inventory and the process to assemble, verify, and maintain adequate support for the inventory data, as well as the related information reported to OMB and other external parties.
No. 10 to OST
Develop a process to define its performance measures, taking DOT's business environment into account, to assess the effectiveness of DOT's information security program, including its ISCM program.
No. 11 to OST
Using NIST guidance, test and authorize CDM applications (such as BigFix) that have been placed into operation on DOT's networks without proper security control assessments.
No. 12 to OST
Provide enterprise-wide specialized training on contingency planning and testing on a periodic basis to appropriate security officials and stakeholders. Training should reinforce the crucial role contingency planning and testing plays in an effective information security program.