Audit Reports


DOT’s Cloud-Based Systems’ Security Weaknesses Hinder Its Transition to a Zero Trust Architecture

Self-Initiated
Project ID: IT2023043
What We Looked At
Over the past 10 years, the Department of Transportation (DOT) and its Operating Administrations (OA) have increased their migration to and adoption of cloud computing based on Federal requirements. In May 2021, the President issued Executive Order 14028 to modernize Federal Government cybersecurity by accelerating the movement to secure cloud services, adopting security best practices, and advancing towards zero trust architecture (ZTA). Given the administration’s increased emphasis on cloud services, we initiated this audit. Our audit objectives were to assess the effectiveness of the Department’s (1) cloud systems’ security and privacy controls and (2) strategy to secure cloud services in order to implement ZTA.
 
What We Found
DOT and its OAs do not consistently implement security and privacy controls to protect their cloud-based systems. First, the Department and several OAs did not effectively follow Federal requirements and best practices to protect their cloud systems from cyberattacks. Second, DOT does not always effectively manage and secure the computing resources for its cloud-based systems by using secure configuration baselines, implementing multifactor authentications, encrypting data, or updating software. Lastly, DOT does not consistently use the appropriate mechanisms to detect, mitigate, and report cyberattacks on the Department’s and most of the OAs’ cloud-based systems. As a result, DOT may not have visibility into cybersecurity incidents, exposing it to potential threats and security weaknesses. Furthermore, DOT lacks an effective strategy for securing its cloud services transition to ZTA because its current ZTA implementation plan does not include a proposed schedule or migration steps as required by Federal guidelines. This may cause DOT to miss key milestones for implementing ZTA by the end of fiscal year 2024. Therefore, the Department will not be well positioned to meet ZTA’s intent to maximize security and minimize uncertainty of computing systems.
 
Our Recommendations
We made 21 recommendations to improve the Agency’s cloud services program and transition its enterprise network to ZTA. DOT concurred with 19 of 21 recommendations, did not concur with 1 recommendation, and asked to close 1 recommendation. We consider 17 of 19 recommendations resolved but open pending completion of planned corrective actions and request DOT provide an updated response for the 2 other recommendations. We consider two recommendations unresolved and request the Agency reconsider its non-concurrence for the first recommendation and provide documentation to support closing the second recommendation.
 
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.

Recommendations

No. 1 to OST

Develop and implement policies and procedures governing DOT components’ and Operating Administrations’ adoption and use of cloud services for their cloud-based systems and, at a minimum, require system owners to:
a. Submit an Authorization to Operate letter to the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office before adopting and using cloud services to ensure that (1) cloud services comply with FedRAMP security baselines, and (2) FedRAMP has an accurate inventory of DOT cloud services and cloud service providers.
b. Conduct a quality and risk review of each Department cloud service provider’s cloud service offering authorization package to ensure that it clearly and accurately reflects the cloud service offering’s security posture, so that DOT’s Authorizing Official can make an informed risk-based authorization decision, as required by FedRAMP.
c. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the respective cloud service providers’ continuous monitoring activities to ensure their cloud systems’ security posture remains sufficient for their own use and supports ongoing authorization, as required by FedRAMP.

No. 2 to OST

Incorporate the required standard cloud security clauses in the Department’s enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.

No. 3 to OST

Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.

No. 4 to FMCSA

Direct and require confirmation of completion from FMCSA’s cloud-based system owner for the National Registry of Certified Medical Examiners (Software-as-a-Service) to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.

No. 5 to OST

Direct and require confirmation of completion from OST’s cloud-based system owner for the Federal Human Resources Navigator (Software-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login.
c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks.
d. Identify a security official to review system audit log files.
e. Develop and implement a process to remove extracted data containing sensitive information within 90 days of extraction, in accordance with DOT requirements.

No. 6 to OST

Direct and require confirmation of completion from OST’s cloud-based system owner for the Electronic Document Management System (Software-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Require multifactor authentication for non-DOT system users.
c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.

No. 7 to OST

Direct and require confirmation of completion from OST’s cloud-based system owner for the Data Analysis Visualization Environment (Software-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Develop and implement a process to conduct monthly vulnerability scans, as required by DOT.

No. 8 to MARAD

Direct and require confirmation of completion from MARAD’s cloud-based system owner for US Merchant Marine Academy/Campus Labs (Software-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Complete an annual security authorization process and obtain a full Authorization to Operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies.
c. Update its Privacy Threshold Assessment and, if applicable, Privacy Impact Analysis to protect privacy, personally identifiable information, and other sensitive information stored in the cloud.

No. 9 to FAA

Direct FAA’s cloud-based system owner for the Emergency Notification System (Software-as-a-Service) to provide evidence of the organizational administrator’s quarterly reviews of the Emergency Notification System application and documentation verifying that inactive accounts are disabled.

No. 10 to FRA

Direct and require confirmation of completion from FRA’s cloud-based system owner for its Cloud Application Services (Software-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.

No. 11 to NHTSA

Direct and require confirmation of completion from NHTSA’s cloud-based system owner for the Web System (Platform-as-a-Service and Infrastructure-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws, per NHTSA’s audit and accountability plan.

No. 12 to NHTSA

Direct and require confirmation of completion from NHTSA’s cloud-based system owner for the Advanced Retrieval Tire, Equipment, Motor Vehicle, Information System (Platform-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Update the Privacy Impact Analysis to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.

No. 13 to PHMSA

Direct and require confirmation of completion from PHMSA’s cloud-based system owner for the Pipeline Risk Management Information System (Infrastructure-as-a-Service) and PHMSA Data Mart (Infrastructure-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as FedRAMP requires, for the Pipeline Risk Management Information System.
b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as FedRAMP requires, for PHMSA Data Mart.

No. 14 to FMCSA

Direct and require confirmation of completion from FMCSA’s cloud-based system owner for the Cloud Environment (Infrastructure-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use, as required by FedRAMP.
b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies.
c. Develop and implement a process to enforce multifactor authentication for privileged and non-privileged network accounts.
d. Update the Privacy Threshold Assessment and Privacy Impact Analysis to protect the privacy of its system users’ personally identifiable information and other sensitive information.

No. 15 to FRA

Direct and require confirmation of completion from FRA’s cloud-based system owner for the Multiple Case Incident Analysis (Infrastructure-as-a-Service) to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.

No. 16 to OST

Direct and require confirmation of completion from OST’s cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE) (Software-as-a-Service, Infrastructure-as-a-Service, and Platform-as-a-Service) to:
a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider’s continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
b. Develop security baseline configuration settings and a checklist, and assess whether the COE cloud-based system is properly configured and the network is secure.
c. Develop and implement a process to conduct reviews of the system audit logs to enhance its ability to identify suspicious, inappropriate, unusual, or malevolent activity.
d. Develop and implement a process that requires timely application of security patches that address software flaws, to mitigate the risks associated with mission-related operating system patches and data exfiltration.
e. Develop a Privacy Impact Analysis to identify and protect personally identifiable information and other sensitive information hosted in the COE cloud.

No. 17 to FAA

Direct and require confirmation of completion from FAA’s cloud-based system owner for the FAA Cloud Services (Infrastructure-as-a-Service and Platform-as-a-Service) to:
a. Incorporate flaw remediation into ongoing configuration management processes.
b. Develop and implement a process to regularly manage malicious code protection to detect and eradicate malicious code at the entry point for its Infrastructure-as-a-Service and Platform-as-a-Service.
c. Develop and implement a change control process, and use baseline configuration settings and documented configuration settings to establish a basis for future builds, releases, and/or changes.
d. Develop and implement a process to perform an automated review of network accounts, or implement an alternative method for identifying users on the network in real time.
e. Develop and implement a process to require the most current cryptographic mechanisms to protect data during network transmission, to provide complete boundary protection and reduce the risk of compromise.
f. Develop and implement a process to encrypt data transmitted within the Infrastructure-as-a-Service environment to reduce the risk of compromise and data exposure.
g. Develop and implement a process to review vulnerability scan results and remediate vulnerabilities within the specified timeframes, as required by FAA’s security handbook.

No. 18 to OST

Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT’s Security Operations Center and require confirmation of completion.

No. 19 to OST

Develop and implement a process that enables FAA’s Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.

No. 20 to OST

Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.

No. 21 to OST

Update the Department’s zero trust architecture strategy and implementation plan to address the identified gaps and include migration steps and timelines consistent with direction from the Office of Management and Budget and National Institute of Standards and Technology guidelines.