Audit Reports

Require OST to either start utilizing the CSAM tool for its security control assessments or develop its own risk assessment policies and procedures as required by DOT's Cybersecurity Compendium.

Work with OAs to update privacy risk management procedures to ensure the completion, tracking, review, and approval of privacy plans and compliance documentation prior to system authorization or reauthorization. Components should engage the Departmental Chief Privacy Officer as appropriate.

Work with the Departmental Chief Privacy Officer to establish processes and procedures to notify Component Privacy Officers of systems scheduled for reauthorization so that required privacy risk management plans may be completed as required by policy.

Work with the Departmental Chief Privacy Officer to establish processes and procedures to determine Component compliance with Departmental policy requiring Privacy Risk Management plans be established prior to system authorization or reauthorization.

Coordinate with appropriate offices within the Office of Secretary to develop and implement a strategy and solution(s) to ensure that supervisors, contracting officers, and contracting officer representatives enforce personnel onboarding and off boarding procedures, completion of the DOT Rules of Behavior and other IT requirements prior to being granted access to DOT networks, systems, and information, or have existing access revoked upon separation, in accordance with DOT policy.

Strengthen its oversight of the configuration management processes performed by OAs to ensure configuration management plans are developed, kept up-to-date, and document requirements for each system.

Work with the FAA CIO to complete the revision of FAA Order 1800.66, Configuration Management Policy.

Work with OAs to implement oversight to address configuration change weaknesses and to ensure configuration changes to the information systems are properly documented and tracked through implementation, and undergo a post-implementation review to verify procedures are followed.

Ensure that baseline configuration deviations are monitored and deviations are approved to ensure that baseline compliance reports demonstrate a consistent and accurate application of baseline standards.

Consolidate to the enterprise Tenable Nessus system to ensure accessibility of baseline compliance and/or vulnerability assessment capabilities.

Ensure that missing security patches are either applied in accordance with DOT policy or that vulnerable software is otherwise remediated on the affected endpoints. In addition, ensure that missing security patches attributable to specific mission/business requirements are identified, control weaknesses are appropriately documented in POA&Ms, and that the authorizing official is aware of and has accepted risk for the associated weaknesses.

Document and implement a process to identify software end of life dates and require the development of implementation plans to eliminate unsupported software.

Work with FAA to secure a reliable funding stream for background reinvestigations.

DOT should devise strategies, consistent with Federal policies and guidance, to overcome the logistical challenges of fingerprinting during a pandemic or other events and circumstances which prevent the timely completion of background reinvestigations.

Work with the FAA CIO to review all systems listed in Appendix B of the FAA Air Traffic Operations (ATO) Information Security Continuous Monitoring (ISCM) Plan for NAS and Mission Support (MS) Systems to ensure the FAA ISCM plan is complete and accurate, making updates as needed.

Work with the OST IT Director to ensure an alternate processing site (including necessary agreements) is more clearly described within the contingency plan to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, for those systems in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

Work with the PHMSA CIO to ensure an alternate storage site (including necessary agreements) is described within contingency plans to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, for those systems in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

Strengthen its oversight of the contingency planning processes performed by FMCSA, OST COE, OST VOLPE, FAA, FRA, and MARAD to ensure contingency planning documentation is developed, updated and tested in a timely manner, in accordance with policy.