March 20, 2019
Required by the Federal Information Security Management Act of 2002
FISMA 2018: DOT’s Information Security Program and Practices
What We Looked At
The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the review results to the Office of Management and Budget (OMB). DOT’s operations rely on 471 information technology systems, which represent an annual investment of approximately $3.6 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT’s information security program and practices in five cyber function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
In all five function areas, DOT is at the Defined maturity level—the second lowest maturity level in the model for information security—because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, DOT still has policy gaps, and we found a number of instances in which the implementation of processes did not conform to policy.
DOT’s Identify, Protect, Detect, Respond, and Recover controls are currently inadequate. Identify controls include risk management, weakness remediation, and security authorization. Protect controls cover configuration management, identity and access management, data protection and privacy, and security training. Detect controls identify cybersecurity incidents as part of information security continuous monitoring. Respond controls cover incident handling and reporting, and Recover controls cover the development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents.
We made 12 recommendations to help the Department address challenges in its development of a mature and effective information security program. DOT concurred with all 12 of our recommendations.