Audit Reports

Perform a review of all Plans of Action and Milestone (POA&M) items closed during the audit period to include supporting documentation and re-approve their closure.

Revise current security weakness management policies and procedures (documenting within a revision history table) to require documented evidence such as calendar appointments, meeting minutes, etc. in support of POA&M closure decisions to be uploaded into CSAM.

Work with the OA CIOs to review current assessment and authorization processes and implement a validation process to ensure updated security plans, ATOs and risk assessments are reviewed and updated to reflect all system (including privacy) controls, vulnerabilities, and that current risks are clearly presented to the authorizing officials.

Work with the OA CIOs to develop mechanisms to ensure updated system security plans and assessments of security controls (that were previously assessed as not satisfied or partially satisfied) reflect current operational environments, including an accurate status of the implementation of system security controls, and all applicable security controls are properly evaluated.

Document OA subnets and OA responsibilities for devices and systems operating on the Common Operating Environment.

Document and implement network segmentation to reduce the attack surface or susceptibility of vulnerable and sensitive OA assets in the Common Operating Environment.

Work with OAs to remediate outstanding identity and access management weaknesses through implementation and closure of POA&Ms and control assessments to determine whether these risks were addressed.

Work with Component Privacy Officers (POs) to develop and implement procedures then verify the completion, review, tracking and approval through review of updated PTAs, PIAs and SORNs.

Document and implement a process to ensure incident response procedures related to the timely notification, reporting, updating, and resolution of security incidents are followed in accordance with policy.

Review and update the OCIO Cyber Security Incident Response Plan, documenting evidence of review and revisions within a history log.

Resolve any inconsistencies with respect to Departmental policies and procedures, which prescribe conflicting directions on whether DOT components are required to provide, develop and update incident response plans, documenting evidence of review and revisions within a history log.

Implement a process to ensure incident response plans are developed for all OAs and updated on at least an annual basis.

Work with the OST's Office of Intelligence, Security and Emergency Response to ensure the DOT COOP is reviewed and updated (noting evidence of the review within a history/revision log).

Work with the OA CIOs to remediate identified weaknesses in contingency plans and BIAs, such as missing information, lack of timely review, and inadequate approvals, demonstrated by updated contingency plans and BIAs.