This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. The act also requires agencies to have annual independent reviews to determine the effectiveness of their programs, and report the results of these reviews to the Office of Management and Budget (OMB). To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
We performed a QCR of CLA’s report and related documentation. Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.
DOT concurs with 1 of CLA’s 14 recommendations and partially concurs with the remaining 13 recommendations. ClA considers recommendations 1, 2, 4, 8, 9, 10, 11, and 12 resolved but open pending completion of planned actions. CLA considers recommendations 3, 5, 6, 7, 13, and 14 open and unresolved.
No. 1 to OST
Perform a review of all Plans of Action and Milestone (POA&M) items closed during the audit period to include supporting documentation and re-approve their closure.
No. 2 to OST
Revise current security weakness management policies and procedures (documenting within a revision history table) to require documented evidence such as calendar appointments, meeting minutes, etc. in support of POA&M closure decisions to be uploaded into CSAM.
No. 3 to OST
Work with the OA CIOs to review current assessment and authorization processes and implement a validation process to ensure updated security plans, ATOs and risk assessments are reviewed and updated to reflect all system (including privacy) controls, vulnerabilities, and that current risks are clearly presented to the authorizing officials.
No. 4 to OST
Work with the OA CIOs to develop mechanisms to ensure updated system security plans and assessments of security controls (that were previously assessed as not satisfied or partially satisfied) reflect current operational environments, including an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated.
No. 5 to OST
Document OA subnets and OA responsibilities for devices and systems operating on the Common Operating Environment.
No. 6 to OST
Document and implement network segmentation to reduce the attack surface or susceptibility of vulnerable and sensitive OA assets in the Common Operating Environment.
No. 7 to OST
Work with OAs to remediate outstanding identity and access management weaknesses through implementation and closure of POA&Ms and control assessments to determine whether these risks were addressed.
Closed on 09.04.2020
No. 8 to OST
Work with Component Privacy Officers (POs) to develop and implement procedures then verify the completion, review, tracking and approval through review of updated PTAs, PIAs and SORNs.
Closed on 07.19.2021
No. 9 to OST
Document and implement a process to ensure incident response procedures related to the timely notification, reporting, updating, and resolution of security incidents are followed in accordance with policy.
Closed on 07.19.2021
No. 10 to OST
Review and update the OCIO Cyber Security Incident Response Plan, documenting evidence of review and revisions within a history log.
No. 11 to OST
Resolve any inconsistencies with respect to Departmental policies and procedures, which prescribe conflicting directions on whether DOT components are required to provide, develop and update incident response plans, documenting evidence of review and revisions within a history log.
No. 12 to OST
Implement a process to ensure incident response plans are developed for all OAs and updated on at least an annual basis.
Closed on 09.09.2020
No. 13 to OST
Work with the OST's Office of Intelligence, Security and Emergency Response to ensure the DOT COOP is reviewed and updated (noting evidence of the review within a history/revision log).
Closed on 09.14.2022
No. 14 to OST
Work with the OA CIOs to remediate identified weaknesses in contingency plans and BIAs, such as missing information, lack of timely review, and inadequate approvals, demonstrated by updated contingency plans and BIAs.