Skip to main content
U.S. flag

An official website of the United States government

Audit Reports

Date

DOT’s Cloud-Based Systems’ Security Weaknesses Hinder Its Transition to a Zero Trust Architecture

Requested By
Self-Initiated
Project ID
IT2023043
File Attachment
What We Looked At
Over the past 10 years, the Department of Transportation (DOT) and its Operating Administrations (OA) have increased their migration to and adoption of cloud computing based on Federal requirements. In May 2021, the President issued Executive Order 14028 to modernize Federal Government cybersecurity by accelerating the movement to secure cloud services, adopting security best practices, and advancing towards zero trust architecture (ZTA). Given the administration’s increased emphasis on cloud services, we initiated this audit. Our audit objectives were to assess the effectiveness of the Department’s (1) cloud systems’ security and privacy controls and (2) strategy to secure cloud services in order to implement ZTA.
 
What We Found
DOT and its OAs do not consistently implement security and privacy controls to protect their cloud-based systems. First, the Department and several OAs did not effectively follow Federal requirements and best practices to protect their cloud systems from cyberattacks. Second, DOT does not always effectively manage and secure the computing resources for its cloud-based systems by using secure configuration baselines, implementing multifactor authentications, encrypting data, or updating software. Lastly, DOT does not consistently use the appropriate mechanisms to detect, mitigate, and report cyberattacks on the Department’s and most of the OAs’ cloud-based systems. As a result, DOT may not have visibility into cybersecurity incidents, exposing it to potential threats and security weaknesses. Furthermore, DOT lacks an effective strategy for securing its cloud services transition to ZTA because its current ZTA implementation plan does not include a proposed schedule or migration steps as required by Federal guidelines. This may cause DOT to miss key milestones for implementing ZTA by the end of fiscal year 2024. Therefore, the Department will not be well positioned to meet ZTA’s intent to maximize security and minimize uncertainty of computing systems.
 
Our Recommendations
We made 21 recommendations to improve the Agency’s cloud services program and transition its enterprise network to ZTA. DOT concurred with 19 of 21 recommendations, did not concur with 1 recommendation, and asked to close 1 recommendation. We consider 17 of 19 recommendations resolved but open pending completion of planned corrective actions and request DOT provide an updated response for the 2 other recommendations. We consider two recommendations unresolved and request the Agency reconsider its non-concurrence for the first recommendation and provide documentation to support closing the second recommendation.
 
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.

Recommendations

No. 1 to OST
Develop and implement policies and procedures governing DOT components and Operating Administrations’ adoption and use of cloud services for their cloud-based system and at a minimum require system owners to: a. Submit an Authorization to Operate letter to the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office before adopting and using cloud services to ensure (1) cloud services comply with FedRAMP security baselines, and (2) FedRAMP has an accurate inventory of DOT cloud services and cloud service providers. b. Conduct a quality and risk review of the Department’s cloud service providers cloud service offering authorization package to ensure that it clearly and accurately reflects the cloud service offering’s security posture so DOT’s Authorizing Official can make an informed risk-based authorization decision, as required by FedRAMP. c. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of the respective cloud service providers’ continuous monitoring activities to ensure their cloud systems’ security posture remains sufficient for their own use and supports ongoing authorization as required by FedRAMP.
No. 2 to OST
Incorporate the required standard cloud security clauses in the Department’s enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.
No. 3 to OST
Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.
No. 4 to OST
Direct and require confirmation of completion from FMCSA's cloud-based system owners for the National Registry of Certified Medical Examiners—Software-as-a-Service to include in its Executive Summary Authorization to Operate Letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
No. 5 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Federal Human Resources Navigator—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login. c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks. d. Identify a security official to review system audit log files. e. Develop and implement a process to remove extracted data containing sensitive information within 90 days of extraction in accordance with DOT requirements.
No. 6 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Electronic Document Management System—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Require multifactor authentication for non-DOT system users. c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.
No. 7 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Data Analysis Visualization Environment—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to conduct monthly vulnerability scans as required by DOT.
No. 8 to OST
Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs—Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Update its privacy threshold assessment and, if applicable, Privacy Impact Analysis to protect privacy, personally identifiable information, and other sensitive information stored in the cloud.
No. 9 to OST
Direct FAA's cloud-based system owner for the Emergency Notification System—Software-as-a-Service to provide evidence of the organizational administrator's quarterly reviews of Emergency Notification System application and documentation verifying they disable inactive accounts.
No. 10 to OST
Direct and require confirmation of completion from FRA's cloud-based system owner for its Cloud Application Services—Software-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as, required by FedRAMP. b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
No. 11 to OST
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Web System—Platform-as-a-Service and Infrastructure-as-a-Service—to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws per NHTSA's audit and accountability plan.
No. 12 to OST
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Advanced Retrieval Tire, Equipment, Motor Vehicle, Information System—Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Update the Privacy Impact Analysis to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
No. 13 to OST
Direct and require confirmation of completion from PHMSA's cloud-based system owner for the Pipeline Risk Management Information System—Infrastructure-as-a-service—and PHMSA Data Mart—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for Pipeline Risk Management Information System. b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as FedRAMP requires for PHMSA Data Mart.
No. 14 to OST
Direct and require confirmation of completion from FMCSA's cloud-based system owner for the Cloud Environment—Infrastructure-as-a-service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all systems risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to enforce multifactor authentication for privileged and non-privileged network accounts. d. Update the Privacy Threshold Assessment and Privacy Impact Analysis to protect the privacy of its system users' personally identifiable information and other sensitive information.
No. 15 to OST
Direct and require confirmation of completion from FRA's cloud-based system owner for the Multiple Case Incident Analysis—Infrastructure-as-a-service to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
No. 16 to OST
Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)—Software-as-a-Service, Infrastructure-as-a-service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Develop security baseline configuration settings and a checklist and assess whether the COE cloud-based system is properly configured and the network secure. c. Develop and implement a process to conduct reviews of the system audit logs to enhance its ability to identify suspicious, inappropriate, unusual, or malevolent activity. d. Develop and implement a process that requires timely updates to security patches that address software flaws which mitigate the risks associated with mission-related operating system patches and data exfiltration. e. Develop a Privacy Impact Analysis to identify and protect personally identifiable information and other sensitive information hosted in the COE cloud.
No. 17 to OST
Direct and require confirmation of completion from FAA's cloud-based system owner for the FAA Cloud Services—Infrastructure-as-a-service and Platform-as-a-Service to: a. Incorporate flaw remediation into ongoing configuration management processes. b. Develop and implement a process to regularly manage malicious code protection to detect and eradicate malicious code at the entry point for its Infrastructure-as-a-service and Platform-as-a-Service. c. Develop and implement a change control process and use baseline configuration settings and document configuration settings to establish a basis for future builds, releases, and/or changes. d. Develop and implement a process to perform an automated review of network accounts or implement an alternative method for identifying users on the network in real-time. e. Develop and implement a process to require the most current cryptographic mechanisms to protect data during network transmission to provide complete boundary protection and reduce the risk of compromise. f. Develop and implement a process to encrypt data transmitted within the Infrastructure-as-a-service environment to reduce the risk of compromise and data exposure. g. Develop and implement a process to review vulnerability scans results and remediate vulnerabilities within specified timeframes as required by FAA's security handbook.
No. 18 to OST
Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT’s Security Operations Center and require confirmation of completion.
No. 19 to OST
Develop and implement a process that enables FAA’s Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.
No. 20 to OST
Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.
No. 21 to OST
Update the Department’s zero trust architecture strategy and implementation plan to address the identified gaps and include migration steps and timelines consistent with direction from the Office of Management and Budget and National Institute of Standards and Technology guidelines.