
Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

Requested By
Required by the Federal Information Security Modernization Act of 2014
Project ID
QC2022001
What We Looked At
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget (OMB). To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2021 FISMA review. We contracted with Williams Adley & Company-DC LLP (Williams Adley), an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
 
What We Found
We performed a quality control review (QCR) of Williams Adley’s report and related documentation. Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.
 
Recommendations
STB concurs with Williams Adley’s 27 recommendations.

Recommendations

No. 1 to STB (closed)
Develop an enterprise architecture that includes information security considerations and the resulting risk to the Agency, and that incorporates STB’s existing cybersecurity architecture.
No. 2 to STB (closed)
Identify and define all software programs that are not authorized to execute on STB information systems.
No. 3 to STB (closed)
Establish and implement procedures to manage the inventory of hardware assets connected to STB’s network.
No. 4 to STB
Review all open Plans of Action and Milestones and assign scheduled completion dates that account for the required resources and corrective actions, including milestones, to manage and mitigate the identified risk.
No. 5 to STB (closed)
Develop a Supply Chain Risk Management strategy and supporting policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.
No. 6 to STB (closed)
Develop a process to make improvements to its baseline configuration, secure configuration, and flaw remediation policies and procedures through the use of lessons learned.
No. 7 to STB
Implement documented processes for configuration management changes as required by STB policies and procedures.
No. 8 to STB (closed)
Evaluate deviations from Center for Internet Security benchmarks and determine whether the associated configurations should align with best practices or whether the deviations should be risk accepted.
No. 9 to STB (closed)
Update vulnerability management procedures to support implementation of STB’s Vulnerability Disclosure Policy.
No. 10 to STB (closed)
Update the Access Recertification Process document to align with STB’s existing practices to ensure users complete all required training and onboarding forms.
No. 11 to STB (closed)
Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure, and document the reasons why projects are or are not determined to be major transportation projects.
No. 12 to STB (closed)
Develop a process to make improvements to the effectiveness of its Identity, Credential, and Access Management policy, strategy, and road map.
No. 13 to STB (closed)
Define procedures to review and remove unnecessary PII collection at an organization-defined frequency.
No. 14 to STB
Perform the review of the Privacy Threshold Analysis for the STB General Support System, AtHoc, and the Dynamic Case Management system on an annual basis.
No. 15 to STB (closed)
Implement data protection policies and procedures for data at rest, prevention and detection of untrusted removable media, and destruction or reuse of media containing PII or other sensitive agency data.
No. 16 to STB
Address the knowledge, skills, and abilities gaps identified during the FY 2020 skill gap assessment through training or talent acquisition.
No. 17 to STB
Complete the transition from traditional three-year authorizations to ongoing authorizations for STB-LAN.
No. 18 to STB
Implement documented processes for collecting and reporting performance metrics at the organization and system level to assess the effectiveness of the Information Security Continuous Monitoring (ISCM) program.
No. 19 to STB (closed)
Develop a process to make improvements to the effectiveness of its ISCM program through the collection and reporting of quantitative and qualitative performance metrics, and lessons learned.
No. 20 to STB (closed)
Define the performance metrics for measuring the incident response capability.
No. 21 to STB (closed)
Update the STB Incident Response Plan to include requirements for the technologies used to support incident response processes.
No. 22 to STB (closed)
Define the frequency for the performance of post-incident activities.
No. 23 to STB (closed)
Update the STB Incident Response Plan containment strategies to reflect the Agency’s current risk prioritization processes.
No. 24 to STB (closed)
Implement documented processes for resolving incident response tickets in a consistent manner, as required by STB policies and procedures.
No. 25 to STB (closed)
Define the frequency for the performance of system-level Business Impact Analyses (BIA).
No. 26 to STB (closed)
Review the organization-wide BIA on an annual basis.
No. 27 to STB
Conduct a tabletop exercise of the General Support System’s information system contingency plan (ISCP) on an annual basis.