
Quality Control Review of the Independent Auditor’s Report on the Assessment of DOT’s Information Security Program and Practices

Required by the Federal Information Security Modernization Act of 2014
Project ID: QC2021003
What We Looked At
This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act (FISMA) requires agencies to develop, implement, and document agency-wide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget.
 
To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
 
What We Found
We performed a QCR of CLA’s report and related documentation. Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
CLA made 18 recommendations. DOT concurs with recommendations 1, 3 through 15, and 17 and 18 and partially concurs with recommendations 2 and 16. CLA considers all 18 recommendations resolved but open pending completion of planned actions.

Recommendations


No. 1 to OST

Require OST to either start utilizing the CSAM tool for its security control assessments or develop its own risk assessment policies and procedures as required by DOT's Cybersecurity Compendium.

No. 2 to OST

Work with OAs to update privacy risk management procedures to ensure the completion, tracking, review, and approval of privacy plans and compliance documentation prior to system authorization or reauthorization. Components should engage the Departmental Chief Privacy Officer as appropriate.

No. 3 to OST

Work with the Departmental Chief Privacy Officer to establish processes and procedures to notify Component Privacy Officers of systems scheduled for reauthorization so that required privacy risk management plans may be completed as required by policy.

No. 4 to OST

Work with the Departmental Chief Privacy Officer to establish processes and procedures to determine Component compliance with Departmental policy requiring Privacy Risk Management plans be established prior to system authorization or reauthorization.

No. 5 to OST

Coordinate with appropriate offices within the Office of the Secretary to develop and implement a strategy and solution(s) to ensure that supervisors, contracting officers, and contracting officer representatives enforce personnel onboarding and offboarding procedures, completion of the DOT Rules of Behavior, and other IT requirements prior to being granted access to DOT networks, systems, and information, or have existing access revoked upon separation, in accordance with DOT policy.

No. 6 to OST

Strengthen its oversight of the configuration management processes performed by OAs to ensure configuration management plans are developed, kept up-to-date, and document requirements for each system.

No. 7 to OST

Work with the FAA CIO to complete the revision of FAA Order 1800.66, Configuration Management Policy.

No. 8 to OST

Work with OAs to implement oversight to address configuration change weaknesses and to ensure configuration changes to the information systems are properly documented and tracked through implementation, and undergo a post-implementation review to verify procedures are followed.

No. 9 to OST

Ensure that baseline configuration deviations are monitored and deviations are approved to ensure that baseline compliance reports demonstrate a consistent and accurate application of baseline standards.

No. 10 to OST

Consolidate to the enterprise Tenable Nessus system to ensure accessibility of baseline compliance and/or vulnerability assessment capabilities.

No. 11 to OST

Ensure that missing security patches are either applied in accordance with DOT policy or that vulnerable software is otherwise remediated on the affected endpoints. In addition, ensure that missing security patches attributable to specific mission/business requirements are identified, control weaknesses are appropriately documented in POA&Ms, and that the authorizing official is aware of and has accepted risk for the associated weaknesses.

No. 12 to OST

Document and implement a process to identify software end-of-life dates and require the development of implementation plans to eliminate unsupported software.

No. 13 to OST

Work with FAA to secure a reliable funding stream for background reinvestigations.

No. 14 to OST

DOT should devise strategies, consistent with Federal policies and guidance, to overcome the logistical challenges of fingerprinting during a pandemic or other events and circumstances which prevent the timely completion of background reinvestigations.

No. 15 to OST

Work with the FAA CIO to review all systems listed in Appendix B of the FAA Air Traffic Operations (ATO) Information Security Continuous Monitoring (ISCM) Plan for NAS and Mission Support (MS) Systems to ensure the FAA ISCM plan is complete and accurate, making updates as needed.

No. 16 to OST

Work with the OST IT Director to ensure an alternate processing site (including necessary agreements) is more clearly described within the contingency plan to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, for those systems in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

No. 17 to OST

Work with the PHMSA CIO to ensure an alternate storage site (including necessary agreements) is described within contingency plans to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, for those systems in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

No. 18 to OST

Strengthen its oversight of the contingency planning processes performed by FMCSA, OST COE, OST VOLPE, FAA, FRA, and MARAD to ensure contingency planning documentation is developed, updated, and tested in a timely manner, in accordance with policy.