Date Issued
Submitting OIG
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Federal Highway Administration
Report Number
IT2025012
Report Description

Our Objective(s)
To determine whether security weaknesses exist in FHWA's information technology (IT) infrastructure that could lead to the compromise of the Agency's IT systems and data. Specifically, we reviewed FHWA's (1) adherence to cybersecurity policies and (2) compliance with the Rules of Engagement (ROE) and its cybersecurity incident response procedures.

Why This Audit
FHWA's information systems support mission processes that aid in grant management, infrastructure inspections, inventory management, and research and development. Protecting these systems and the information stored in them prevents unauthorized access and compromise. This audit is the fourth in a series of reviews to determine whether the U.S. Department of Transportation (DOT) has the security controls in place to protect its networks and information systems from unauthorized access.

What We Found
DOT's lack of adherence to cybersecurity policies allowed the Office of Inspector General (OIG) to gain unauthorized access into FHWA's network.

FHWA and DOT's Office of the Chief Information Officer (OCIO) do not remediate vulnerabilities in FHWA's IT infrastructure according to policy.
OCIO had not implemented the required network boundary protection controls, which allowed us to access the Federal Aviation Administration's intranet site and sensitive proprietary data. FHWA did not replace default credentials in FHWA information systems, which allowed us to access network printers and sensitive information.
We also used open-source tools to crack and utilize weak and known passwords to compromise and penetrate FHWA IT infrastructure and gain access to two FHWA servers and an OCIO server.

DOT and FHWA officials did not consult with OIG in accordance with the ROE and did not fully follow DOT's incident response procedures, which prevented us from completing testing activities.

After we gained unauthorized access to three of DOT's servers, DOT disconnected one and started decommissioning the other two without consulting with OIG, as required by the ROE. According to DOT officials, FHWA and OCIO technicians did not notify OIG because they did not recognize OIG as the source of scanning and other intrusion attempts.
However, had DOT followed its incident response procedures, it could have identified OIG as an intruder and notified us they were aware of our intrusion so that we could consult and then complete further testing. As a result of these actions, we were unable to determine whether FHWA IT infrastructure is at risk of being further compromised.

Recommendations
We have made eight recommendations to improve the IT security posture of OCIO, which provides IT shared services to FHWA's IT infrastructure.
Unresolved Recommendations: Two
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. 552. Relevant portions of this public version of the report have been redacted.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 8 open recommendations.
Each recommendation below is listed with its number, whether it is a significant recommendation, recommended questioned costs, recommended funds for better use, and additional details.

Recommendation 1 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
OCIO to develop and implement a plan to remediate all identified critical, high, and medium vulnerabilities identified on OCIO devices providing services to Federal Highway information technology infrastructure within organization defined time periods required by DOT's Security Weakness Management Guide.

Recommendation 2 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
OCIO to work with DOT's Operating Administrations and components to ensure least privilege and boundary protection controls are in place to restrict the logical access to only users authenticated to the IT systems and services for which they are authorized.

Recommendation 3 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
OCIO to enforce DOT security policy for removal of default credentials and harden the device configurations for all identified compromised devices and devices that could be similarly compromised, including IT shared services/common operating environment network printers per the Departmental Cybersecurity Compendium security requirements to ensure data security.

Recommendation 4 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
OCIO to establish a cybersecurity process to comply with NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, and the Department Cybersecurity Incident Response Plan requirements to effectively communicate and coordinate with OIG any planned significant changes that could impact an OIG security assessment and penetration testing audit before the audit begins and when taking action to implement said changes, to ensure coordination as per the Rules of Engagement requirements and to prevent interruption of OIG penetration testing activities.

Recommendation 5 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
OCIO to establish a cybersecurity process to enforce the Department Cybersecurity Incident Response Plan requirements for departmental officials impacted by an incident to review audit logs and follow containment procedures to adequately support after-the-fact investigations of potential security incidents.

Recommendation 6 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
OCIO to enforce DOT policy for audit log retention for the proper timeframe of 12 months.

Recommendation 7 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
FHWA to enforce DOT security policy for removal of default credentials and harden the device configurations for all identified compromised devices and devices that could be similarly compromised, including FHWA network printers per the Departmental Cybersecurity Compendium security requirements to ensure data security.

Recommendation 8 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
FHWA to conduct incident response exercises with appropriate personnel that test the retrieval of security audit logs in the event of an incident.
