
Quality Control Review of an Independent Auditor’s Report on the Surface Transportation Board’s Information Security Program and Practices

Required by the Federal Information Security Modernization Act of 2014
Project ID: QC2022001
What We Looked At
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget (OMB). To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2021 FISMA review. We contracted with Williams Adley & Company-DC LLP (Williams Adley), an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
We performed a quality control review (QCR) of Williams Adley’s report and related documentation. Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.
Recommendations
STB concurs with Williams Adley’s 27 recommendations.

Recommendations


No. 1 to STB

Develop an enterprise architecture that includes information security considerations and the resulting risk to the Agency, and that incorporates STB’s existing cybersecurity architecture.

Closed on 04.14.2022
No. 2 to STB

Identify and define all software programs that are not authorized to execute on STB information systems.

Closed on 06.15.2022
No. 3 to STB

Establish and implement procedures to manage the inventory of hardware assets connected to STB’s network.

Closed on 03.28.2022
No. 4 to STB

Review all open Plans of Action and Milestones (POA&Ms) and assign scheduled completion dates that account for the required resources and corrective actions, including milestones, to manage and mitigate the identified risk.

No. 5 to STB

Develop a Supply Chain Risk Management strategy and supporting policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

Closed on 04.14.2022
No. 6 to STB

Develop a process to improve its baseline configuration, secure configuration, and flaw remediation policies and procedures through the use of lessons learned.

Closed on 06.15.2022
No. 7 to STB

Implement documented processes for configuration management changes as required by STB policies and procedures.

No. 8 to STB

Evaluate deviations from Center for Internet Security benchmarks and determine if the associated configurations should align with best practices or if deviations should be risk accepted.

Closed on 04.14.2022
No. 9 to STB

Update vulnerability management procedures to support implementation of STB’s Vulnerability Disclosure Policy.

Closed on 04.11.2022
No. 10 to STB

Update the Access Recertification Process document to align with STB’s existing practices to ensure users complete all required training and onboarding forms.

Closed on 04.11.2022
No. 11 to STB

Develop and implement a written policy or procedure to establish an internal control mechanism to identify all major transportation projects on the Federal Infrastructure Permitting Dashboard that should be tracked in the environmental performance measure and document reasons why projects are or are not determined to be major transportation projects.

Closed on 03.28.2022
No. 12 to STB

Develop a process to make improvements to the effectiveness of its Identity, Credential, and Access Management policy, strategy, and road map.

Closed on 06.15.2022
No. 13 to STB

Define procedures to review and remove unnecessary PII collection at an organization-defined frequency.

Closed on 05.02.2022
No. 14 to STB

Perform the review of Privacy Threshold Analysis for STB General Support System, At Hoc, and Dynamic Case Management system on an annual basis.

No. 15 to STB

Implement data protection policies and procedures for Data at Rest, prevention and detection of untrusted removable media, and destruction or reuse of media containing PII or other sensitive agency data.

Closed on 06.15.2022
No. 16 to STB

Address the knowledge, skills, and abilities gaps identified during the FY 2020 skill gap assessment through training or talent acquisition.

No. 17 to STB

Complete the transition from traditional three (3) year authorizations to ongoing authorizations for STB-LAN.

No. 18 to STB

Implement documented processes for collecting and reporting performance metrics at the organization and system level to assess the effectiveness of the Information Security Continuous Monitoring (ISCM) program.

No. 19 to STB

Develop a process to make improvements to the effectiveness of its ISCM program through the collection and reporting of quantitative and qualitative performance metrics, and lessons learned.

Closed on 03.28.2022
No. 20 to STB

Define the performance metrics for measuring the incident response capability.

Closed on 03.28.2022
No. 21 to STB

Update the STB Incident Response Plan to include requirements for the technologies used to support Incident Response processes.

Closed on 03.28.2022
No. 22 to STB

Define the frequency for the performance of post-incident activities.

Closed on 03.28.2022
No. 23 to STB

Update the STB Incident Response Plan’s containment strategies to reflect the Agency’s current risk prioritization processes.

Closed on 03.28.2022
No. 24 to STB

Implement documented processes for resolving Incident Response tickets in a consistent manner, as required by STB policies and procedures.

Closed on 03.28.2022
No. 25 to STB

Define the frequency for the performance of system level Business Impact Analyses (BIA).

Closed on 06.15.2022
No. 26 to STB

Review the organization-wide BIA on an annual basis.

Closed on 05.09.2023
No. 27 to STB

Conduct a tabletop exercise of the General Support System’s information system contingency plan (ISCP) on an annual basis.