Audit Reports

FMCSA’s IT Infrastructure Is at Risk of Compromise

Self-Initiated
Project ID: IT2022003
What We Looked At
The Federal Motor Carrier Safety Administration (FMCSA) regulates and oversees the safety of commercial motor vehicles. It partners with other agencies and the motor carrier industry to conduct this work. The Agency uses 13 web-based applications to aid vehicle registration, inspections, and other activities. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information (PII). Due to the importance of FMCSA’s programs to the transportation system and sensitivity of some Agency information, we conducted this audit of FMCSA’s information technology (IT) infrastructure. Our objective was to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data.
 
What We Found
We found vulnerabilities in several Agency web servers that allowed us to gain unauthorized access to FMCSA’s network. FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections. We also gained access to 13.6 million unencrypted PII records. Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees. Furthermore, the Agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.
 
Our Recommendations
FMCSA concurred with our 13 recommendations. We consider all 13 recommendations resolved but open pending FMCSA’s completion of planned actions.
 
Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

Recommendations

No. 1 to FMCSA

Change the passwords for the compromised web servers to strong passwords that meet DOT's Cybersecurity Compendium requirements.

Closed on 01.31.2022
No. 2 to FMCSA

Restrict access to administrator login pages to only verified administrators and computers.

Closed on 01.31.2022
No. 3 to FMCSA

Identify and remove all malware that was uploaded to FMCSA's web servers.

No. 4 to FMCSA

Develop and implement stronger malicious code protection and detection controls.

Sensitive
No. 5 to FMCSA

Sensitive information redacted

Closed on 01.31.2022
Sensitive
No. 6 to FMCSA

Sensitive information redacted

Closed on 01.31.2022
No. 7 to FMCSA

Change the passwords for FMCSA's compromised databases.

Closed on 01.31.2022
Sensitive
No. 8 to FMCSA

Sensitive information redacted

No. 9 to FMCSA

Validate whether production data is being used on other preproduction databases that FMCSA hosts.

Closed on 01.31.2022
$570,367,559
No. 10 to FMCSA

Establish and implement security safeguards for the protection of PII in accordance with DOT policy. Implementing this recommendation could put up to $570,367,559 of funds to better use by avoiding the cost of credit monitoring for affected individuals.

No. 11 to FMCSA

Implement monitoring controls and alerts to identify when database admin accounts log in from non-authorized IP addresses.

Closed on 01.20.2023
No. 12 to FMCSA

Implement real time security monitoring tools and alert features to monitor FMCSA web servers and databases for access from unauthorized IP addresses.

No. 13 to FMCSA

Develop and implement a plan to remediate all identified critical, high, and medium vulnerabilities on FMCSA devices older than October 8, 2019.