Date Issued
Submitting OIG
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Office of the Secretary of Transportation
Report Number
IT2025018
Report Description

Our Objective(s)
To determine whether DOT has established and implemented effective controls to secure and manage its mobile devices. As part of our review of DOT's mobile device management, we also assessed DOT's processes for maintaining an inventory of mobile devices and monitoring the costs of their use.

Why This Audit
Many Federal employees use mobile devices, including smart phones, to access their agencies' networks and systems, including those that process sensitive information. However, these devices can leave sensitive data vulnerable to cybersecurity threats and malicious software. Given increased use of mobile devices by DOT personnel and the cybersecurity risks associated with this use, we initiated this audit.

What We Found
DOT is taking steps to secure its mobile devices but has not yet implemented sufficient controls to effectively secure and manage all devices.

DOT's Office of the Chief Information Officer (OCIO), the Federal Aviation Administration (FAA), the U.S. Merchant Marine Academy (USMMA), and the Office of Inspector General (OIG) have begun implementing user and device authentication and data protection controls for their use of mobile devices. However, FAA and USMMA have not rapidly adopted software updates to ensure mobile operating systems are configured securely.
FAA and USMMA do not always restrict the use of mobile applications and do not have effective policies and procedures to manage and secure their mobile devices. In addition, OCIO and USMMA have not addressed security control weaknesses for their mobile device management solutions.

FAA has not maintained accurate inventories, and DOT OCIO and FAA have not ensured efficient spending for mobile devices.

Maintaining accurate inventories and monitoring spending are keys to efficient mobile device management. However, FAA did not maintain accurate inventories of its mobile devices. We found 157 personally owned mobile devices that had been granted access to FAA's network resources that FAA did not report to OIG when we took inventory.
DOT OCIO and FAA did not have effective controls in place to ensure efficient spending on mobile devices and services. We identified that FAA and OCIO were spending money on many mobile devices with zero usage, resulting in our identification of up to $422,838.45 for FAA and up to $203,884.19 for OCIO in funds that could be put to better use.

Recommendations
We made 6 recommendations to improve DOT's process for managing and securing mobile devices within DOT's enterprise.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$626,722
Report updated under NDAA 5274
No

Open Recommendations

This report has 6 open recommendations.
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 2 | Yes | $0 | $0 | Direct FAA to update its policies and procedures and implement corresponding controls and processes to align with the Department's new requirements for mobile device management identified in its Information Technology Implementation Memo (ITIM) 2023-009, and verify completion. |
| 3 | Yes | $0 | $0 | Direct FAA to develop and implement a process to identify and maintain an accurate mobile device inventory in accordance with National Institute for Standards and Technology (NIST) Special Publications 800-124, and verify completion. |
| 5 | Yes | $0 | $0 | Direct USMMA to update its policies and procedures and implement corresponding controls and processes to align with the Department's new requirements for mobile device management identified in its ITIM 2023-009, and verify completion. |
| 6 | Yes | $0 | $0 | Direct USMMA to develop and implement a process to conduct vulnerability assessments on its mobile device solution component and update the solution with the latest available patches/software updates to address specific vulnerabilities in accordance with NIST SP 800-124, and verify completion. |
| 1 | Yes | $0 | $203,884 | Develop and implement a process for the Office of the Chief Information Officer to identify and disconnect mobile and MIFI devices with zero usage (considering mission-critical exceptions) in accordance with Executive Order 13589, and verify completion. Completing this recommendation could put up to $203,884.19 to better use. |
| 4 | Yes | $0 | $422,838 | Direct FAA to update and enforce its process to identify and disconnect mobile and MIFI devices with zero usage (considering mission-critical exceptions) in accordance with Executive Order 13589, and verify completion. Completing this recommendation could put up to $422,838.60 to better use. |

Department of Transportation OIG

United States