DOT Needs To Improve Its High-Value Assets Governance Program To Effectively Identify, Prioritize, and Secure Its Most Critical Systems
What We Looked At
High-value assets (HVA) are information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could have a significant impact on U.S. national security, or public health and safety of the American people. Given the impact that cyberattacks on HVAs can have on the security and resilience of the Nation’s transportation infrastructure, we initiated this audit of DOT’s HVA Program. At the time of our review, DOT identified that it had 21 HVAs. Our objectives were to evaluate whether DOT (1) established an organization-wide HVA governance program to identify and prioritize HVAs and (2) assesses HVA security controls and ensures timely remediation of identified vulnerabilities.
We made seven recommendations to strengthen DOT’s HVA Program cybersecurity. DOT concurred with five recommendations; it did not concur with the other two and asked that they be closed. We consider the five recommendations resolved but open pending completion of planned corrective actions. We consider the remaining two recommendations unresolved and request that DOT provide an updated response, reconsider its non-concurrence, or provide documentation to support closing the recommendations.
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. We plan to post a redacted version of the report when it becomes available.