This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agencywide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.
DOT concurs with all eight of CLA’s recommendations. CLA considers all eight recommendations resolved but open pending completion of planned actions.
No. 1 to OST
The Department should ensure that adequate resources are made available and are prioritized to validate the accuracy and completeness of asset inventory counts prior to submission to the Department of Homeland Security (DHS) as part of CIO FISMA Metrics.
No. 2 to OST
Coordinate with the components to develop or revise their plans to fully transition the remaining information systems to enable and enforce Personal Identity Verification (PIV) authentication, except for systems that are subject to documented and approved exclusions.
No. 3 to OST
FAA should develop and implement procedures to perform periodic reviews of mobile devices to ensure non-compliant mobile devices are upgraded to the current operating system release.
No. 4 to OST
Strengthen processes to ensure privileged account reviews are completed and privileged account activities are logged and periodically reviewed, in accordance with DOT policy.
No. 5 to OST
In coordination with the Operating Administration (OA) system owners, complete DOT’s plans to implement existing solutions where possible, and create a plan to address all exceptions where there is no current solution for encrypting data at rest and in transit.
No. 6 to OST
In coordination with the OA system owners, complete the deployment of DOT’s data loss prevention (DLP) controls, including activating the enhanced DLP features available within existing tools, and develop and implement policies and procedures that eliminate or restrict users’ ability to connect mass storage devices to DOT networks and systems.
No. 7 to OST
Enhance current procedures to require the retention of records showing when computer media were sanitized prior to disposal or reuse, and implement procedures to validate that computer media that failed media sanitization are remediated upon return to DOT.
No. 8 to OST
In coordination with the OA system owners, strengthen DOT’s oversight of the contingency planning processes to ensure contingency planning documentation is developed, updated, and tested in a timely manner, in accordance with policy.