Audit Reports

-A A +A
skip-to-content
March 20, 2019

FISMA 2018: DOT’s Information Security Program and Practices

Required by the Federal Information Security and Management Act of 2002
Project ID: 
FI2019023
View PDF Document
What We Looked At
The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the review results to the Office of Management and Budget (OMB). DOT’s operations rely on 471 information technology systems, which represent an annual investment of approximately $3.6 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices in five cyber function areas—Identify, Protect, Detect, Respond, and Recover.
 
What We Found
In all five function areas, DOT is at the Defined maturity level—the second lowest level in of maturity in the model for information security—because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, DOT still has policy gaps. We found a number of instances in which implementation of processes did not conform to policy.
 
DOT’s Identify, Protect, Detect, Respond, and Recover controls are currently inadequate. Identify controls include risk management, weakness remediation, and security authorization. Protect controls cover configuration management, identity and access management, data protection and privacy and security training. Detect controls identify cybersecurity incidents as part of information security continuous monitoring. Respond controls cover incident handling and reporting, and Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents.
 
Recommendations
We made 12 recommendations to help the Department address challenges in its development of a mature and effective information security program. DOT concurred with all 12 of our recommendations.

Recommendations

Open

Closed

No. 1 to OST

Develop policy and procedures to verify and validate theaccuracy and completeness of the Department's key FISMA information repositoryand tool, currently the Cyber Security Assessment and Management tool (CSAM).

No. 2 to OST

Direct OCIO to follow policy and conduct annual cybersecurity performance analysis reviews of OAs' cybersecurity programs, and submit reports to OAs with recommendations to address cybersecurity weaknesses.

No. 3 to OST

Develop a process and policy where applicable to ensure the Department develops and maintain a comprehensive and accurate inventory of cloud systems, contractor systems, and websites that the public can access.

No. 4 to OST

Direct OST to prioritize and resolve COE security weaknesses identified by assessor, and develop POA&Ms that realistically reflect resources and timeframes for completions of these actions.

No. 5 to OST

Direct OST to establish MOUs that delineate the responsibilities for COE common controls with each of the following OAs: FHWA, FMCSA, FRA, FTA, OIG, MARAD, SLSDC, and NHTSA.

No. 6 to OST

Direct OAs (FAA, FHWA, FMCSA, FRA, FTA, OST, PHMSA, MARAD, and NHTSA) with weaknesses in data protection and privacy to update the status and develop POA&Ms to address the weaknesses.

No. 7 to OST

Update specialized training guidance in DOT Cybersecurity Action Memos policy and DOT Cybersecurity Compendium policy to clearly define requirements.

No. 8 to OST

Enhance security awareness training policy to define processes to tailor this training to DOT's unique environment and use feedback to enhance its program.

No. 9 to OST

Develop and define a taxonomy that describes the content of the hardware and software inventory and the process to assemble, verify and maintain adequate support for the inventory data as well as the related information reported to OMB and other external parties.

No. 10 to OST

Develop a process to define its performance measures--that consider DOT's business environment--to assess the effectiveness of DOT's information security program, including its ISCM program.

No. 11 to OST

Using NIST guidance, test and authorize CDM applications (such as BigFix) that have been placed into operation on DOT's networks without proper security control assessments.

No. 12 to OST

Provide enterprise wide specialized training on contingencyplanning and testing on a periodic basis to appropriate security officials andstakeholders. Training should reinforcecrucial role contingency planning and testing plays in an effective informationsecurity program.