Date Issued:
Submitting OIG: Department of Homeland Security OIG
Other Participating OIGs: Department of Homeland Security OIG
Agencies Reviewed/Investigated: Department of Homeland Security
Components: Transportation Security Administration (TSA)
Report Number: OIG-23-44
Report Description

The Transportation Security Administration (TSA) did not implement effective technical controls to protect the sensitive information processed by the selected High Value Asset (HVA) system. In our review and testing of this HVA, we identified security deficiencies in 8 of 10 security and privacy controls from National Institute of Standards and Technology Special Publication 800-53.

Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 12
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 12 open recommendations.
Each recommendation is listed with its number, whether it is a significant recommendation, recommended questioned costs, recommended funds for better use, and additional details.

Recommendation 1 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer require the selected High Value Asset system owner to document an approved secure baseline configuration and perform testing to verify that all approved settings are implemented.

Recommendation 2 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer enforce the requirement for the selected High Value Asset system owner to apply security updates and service patches to remediate vulnerabilities on all devices, as required by applicable DHS policies.

Recommendation 3 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer require the selected High Value Asset system owner to develop and implement a supply chain risk management plan to address and mitigate risks associated with the hardware components and software being used on the selected High Value Asset system.

Recommendation 4 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to strengthen its user account management procedures to ensure user access agreements are developed and signed by users before users are given access to the selected High Value Asset system or when the agreement is revised.

Recommendation 5 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer require the selected High Value Asset system owner to develop and implement detailed procedures on granting system access, including emergency or temporary access. In addition, the TSA Chief Information Officer should require the selected High Value Asset system owner to maintain a current list of system users and remove or disable inactive accounts according to applicable DHS and TSA policies.

Recommendation 6 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to require all non-privileged users' system access requests be reviewed, authorized, and documented before granting system access. In addition, users' system access should be reviewed periodically and removed if it is no longer needed.

Recommendation 7 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to review and document the approval of all privileged users' system access before granting system access. In addition, privileged users' system access should be reviewed and removed according to applicable DHS and TSA requirements if it is no longer needed.

Recommendation 8 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer require the selected High Value Asset system owner to develop and implement procedures to remove system access for separated users.

Recommendation 9 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to require all system users to sign Computer Access Agreements to acknowledge the rules of behavior when accessing the system.

Recommendation 10 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to require users to receive security awareness training when they are given system access and annually thereafter.

Recommendation 11 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to strengthen its system-level Information Security Continuous Monitoring by ensuring (1) security documents contain current and accurate information about the system; (2) relevant policies and procedures are developed, reviewed, and approved; and (3) Plans of Action and Milestones are remediated promptly and include all required information.

Recommendation 12 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)

We recommend the TSA Chief Information Officer require the selected High Value Asset System's Contingency Plan and Contingency Plan Test to be reviewed and approved in accordance with DHS and National Institute of Standards and Technology guidance.
