Audit Reports

FTA Does Not Effectively Assess Security Controls or Remediate Cybersecurity Weaknesses To Ensure the Proper Safeguards Are in Place to Protect Its Financial Management Systems

Self-Initiated
Project ID: IT2022005
What We Looked At
The Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 provided appropriations to support executive agency operations during the COVID-19 pandemic. The Federal Transit Administration (FTA) has received nearly $70 billion in CARES Act and other COVID-19 relief appropriations. FTA uses several financial management systems to approve, process, and disburse this funding for the transit industry’s COVID-19 response and recovery. Given the size of this investment, we initiated this audit. Our audit objective was to assess the effectiveness of the security controls designed to protect the confidentiality, integrity, and availability of FTA’s financial management systems and their information.
 
What We Found
FTA’s financial management systems have security control deficiencies that could affect FTA’s ability to approve, process, and disburse COVID-19 funds. FTA security officials mislabeled and incorrectly documented the control types (common, hybrid, or system-specific) for over 180 security controls in the fiscal year 2020 system security plans for these systems. FTA also does not adequately monitor security controls provided by or inherited from DOT’s common control provider, and it has not remediated security control weaknesses identified since 2016. Lastly, FTA lacks sufficient contingency planning and incident response capabilities, such as an alternate set of personnel to restore its financial management systems if the primary personnel are unavailable. Because of these weaknesses, FTA’s security officials cannot be sure the financial management systems have the proper safeguards and countermeasures in place to protect the systems, or that they are effectively managing information security risk.
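As an added illustration (not from the report, and not FTA’s or DOT’s own tooling), the following Python script shows the kind of check that sits behind the two findings above: it cross-checks an SSP’s declared control types against what the common control provider actually offers, and flags inherited controls whose provider authorization evidence is stale or whose last assessment found them ineffective. Every control ID, type, and provider status is constructed sample data, and the function names `check_ssp` and `findings_by_control` are hypothetical.

```python
"""Cross-check a system security plan (SSP) control inventory against the
common control provider's catalog and authorization status.

All control IDs, types, and provider statuses below are constructed sample
data for illustration; they are not FTA's, DOT's, or the OIG's records.
"""
from dataclasses import dataclass

# Control types as NIST SP 800-37 and SP 800-53 use them.
VALID_TYPES = {"common", "hybrid", "system-specific"}


@dataclass(frozen=True)
class ProviderControl:
    """What the common control provider says about one control it offers."""
    control_id: str
    ato_current: bool         # provider's authorization package is current
    assessed_effective: bool  # provider's last assessment found it satisfied


@dataclass(frozen=True)
class Finding:
    control_id: str
    issue: str


def check_ssp(ssp, provider_catalog):
    """Return Findings for an SSP control inventory.

    ssp:              dict control_id -> declared type string
    provider_catalog: dict control_id -> ProviderControl for every control
                      the common control provider actually offers
    """
    findings = []
    for cid, ctype in sorted(ssp.items()):
        if ctype not in VALID_TYPES:
            findings.append(Finding(cid, f"invalid control type {ctype!r}"))
            continue
        offered = cid in provider_catalog
        if ctype == "common" and not offered:
            findings.append(Finding(cid, "labeled common but the provider does not "
                                         "offer it; the system owner must implement and assess it"))
        elif ctype == "system-specific" and offered:
            findings.append(Finding(cid, "labeled system-specific but the provider offers "
                                         "it; confirm the label or relabel as common/hybrid"))
        if ctype in ("common", "hybrid") and offered:
            pc = provider_catalog[cid]
            if not pc.ato_current:
                findings.append(Finding(cid, "inherited control has no current provider "
                                             "authorization evidence"))
            elif not pc.assessed_effective:
                findings.append(Finding(cid, "provider assessed the inherited control as "
                                             "not effective; residual risk is unmonitored"))
    return findings


# Constructed sample SSP inventory (hypothetical; not from any FTA system).
SAMPLE_SSP = {
    "AC-2": "hybrid",            # account management shared with the provider
    "AU-6": "system-specific",   # provider offers it, but the SSP says local
    "CP-2": "common",            # claimed as inherited, but the provider does not offer it
    "IR-8": "common",            # inherited, provider found it ineffective
    "PE-3": "common",            # inherited, provider's ATO is not current
    "SC-7": "system specific",   # typo in the control type
}

# Constructed provider catalog (hypothetical).
SAMPLE_PROVIDER = {
    "AC-2": ProviderControl("AC-2", ato_current=True, assessed_effective=True),
    "AU-6": ProviderControl("AU-6", ato_current=True, assessed_effective=True),
    "IR-8": ProviderControl("IR-8", ato_current=True, assessed_effective=False),
    "PE-3": ProviderControl("PE-3", ato_current=False, assessed_effective=True),
}


def findings_by_control(ssp=SAMPLE_SSP, provider_catalog=SAMPLE_PROVIDER):
    """Map each flagged control ID to its list of issues."""
    out = {}
    for f in check_ssp(ssp, provider_catalog):
        out.setdefault(f.control_id, []).append(f.issue)
    return out


if __name__ == "__main__":
    for cid, issues in findings_by_control().items():
        for issue in issues:
            print(f"{cid}: {issue}")
```

On the constructed data only AC-2 passes cleanly; the other five entries each surface one of the problems the audit describes: a wrong or invalid label, a control claimed as inherited that nobody provides, and inherited controls whose provider evidence is stale or negative. In practice the SSP and provider inputs would be exported from the agency’s GRC tooling rather than typed in.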
 
Our Recommendations
FTA concurred with all of our 13 recommendations to help the Agency address its security control weaknesses and improve its systems’ cybersecurity posture.
 
Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

Recommendations

No. 1 to FTA (Pandemic Oversight)

Select and implement the process isolation security control to protect its financial management systems (FMS and ECHO-Web) against risk.

No. 2 to FTA (Pandemic Oversight)

Perform an assessment of its financial management systems’ (FMS, ECHO-Web, and TrAMS) security controls that, at a minimum, reflects the correct security control types, and update each system’s system security plan with the correct control types.

No. 3 to FTA (Pandemic Oversight)

Update the security assessment documents for its financial management systems (FMS, ECHO-Web, and TrAMS) to properly reflect the results of selection, implementation, and assessment for all security controls (common, hybrid, and system-specific), per DOT requirements.

No. 4 to FTA (Pandemic Oversight)

Obtain and assess all up-to-date security authorization documents associated with its financial management systems’ (FMS, ECHO-Web, and TrAMS) inherited controls (e.g., common and hybrid) to determine and monitor the effectiveness of, and the risk from, those inherited controls, per NIST and DOT security requirements.

No. 5 to FTA (Pandemic Oversight; Sensitive)

Sensitive information redacted

No. 6 to FTA (Pandemic Oversight; Sensitive)

Sensitive information redacted

No. 7 to FTA (Pandemic Oversight)

Implement secure configuration settings for its financial management systems’ (FMS and ECHO-Web) databases in accordance with Federal and DOT policies.

No. 8 to FTA (Pandemic Oversight; Sensitive)

Sensitive information redacted

No. 9 to FTA (Pandemic Oversight)

Develop and implement a plan that ensures continuity of Federal workforce and contractor resources to fulfill contingency responsibilities for its financial management systems (FMS and ECHO-Web), so that operations continue should an emergency event incapacitate the primary personnel.

No. 10 to FTA (Pandemic Oversight)

Conduct, document, and communicate the results of its annual incident response and data breach plan testing for its financial management systems before authorization to operate (ATO), to ensure the plans are effective in the event a security incident or data breach is discovered within FTA or at an external party (e.g., an FTA recipient or the common control provider).

No. 11 to FTA (Pandemic Oversight)

Establish, document, and implement a security incident reporting process and procedures for its recipients to report incidents that affect their login credentials.

No. 12 to FTA (Pandemic Oversight)

Require the FTA Information System Security Manager (ISSM)/Privacy Officer to adhere to its Incident and Data Breach Response Plan when reporting recipient cybersecurity incidents involving FTA information systems or user accounts.

No. 13 to FTA (Pandemic Oversight; Sensitive)

Sensitive information redacted