Skip to main content
U.S. flag

An official website of the United States government

Audit Reports

Date

FMCSA’s IT Infrastructure Is at Risk of Compromise

Requested By
Self-Initiated
Project ID
IT2022003
File Attachment
What We Looked At
The Federal Motor Carrier Safety Administration (FMCSA) regulates and oversees the safety of commercial motor vehicles. It partners with other agencies and the motor carrier industry to conduct this work. The Agency uses 13 web-based applications to aid vehicle registration, inspections, and other activities. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information (PII). Due to the importance of FMCSA’s programs to the transportation system and sensitivity of some Agency information, we conducted this audit of FMCSA’s information technology (IT) infrastructure. Our objective was to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data.
 
What We Found
We found vulnerabilities in several Agency web servers that allowed us to gain unauthorized access to FMCSA’s network. FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections. We also gained access to 13.6 million unencrypted PII records. Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees. Furthermore, the Agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.
 
Our Recommendations
FMCSA concurred with our 13 recommendations. We consider all 13 recommendations resolved but open pending FMCSA’s completion of planned actions.
 
Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

Recommendations

Closed on
No. 1 to FMCSA
Change the passwords for the compromised web servers to strong passwords that meet DOT's Cybersecurity Compendium requirements.
Closed on
No. 2 to FMCSA
Restrict access to administrator login pages to only verified administrators and computers.
Closed on
No. 3 to FMCSA
Identify and remove all malware that was uploaded to FMCSA's web servers.
Closed on
No. 4 to FMCSA
Develop and implement stronger malicious code protection and detection controls.
Closed on Sensitive
No. 5 to FMCSA
Sensitive information redacted
Closed on Sensitive
No. 6 to FMCSA
Sensitive information redacted
Closed on
No. 7 to FMCSA
Change the passwords for FMCSA's compromised databases.
Closed on Sensitive
No. 8 to FMCSA
Sensitive information redacted
Closed on
No. 9 to FMCSA
Validate whether production data is being used on other preproduction databases that FMCSA hosts.
Closed on $570,367,559
No. 10 to FMCSA
Establish and implement security safeguards for the protection of PII in accordance with DOT policy. Implementing this recommendation could put up to $570,367,559 of funds to better use by avoiding the cost of credit monitoring for affected individuals.
Closed on
No. 11 to FMCSA
Implement monitoring controls and alerts to identify when database admin accounts log in from non-authorized IP addresses.
Closed on
No. 12 to FMCSA
Implement real time security monitoring tools and alert features to monitor FMCSA web servers and databases for access from unauthorized IP addresses.
Closed on
No. 13 to FMCSA
Develop and implement a plan to remediate all identified critical, high, and medium vulnerabilities on FMCSA devices older than October 8, 2019.