What We Looked At

Following a series of disruptive cyberattacks in the public and private sectors, the President issued an Executive Order in 2021 requiring civilian Federal agencies to protect and secure their critical infrastructure and computer systems, which underpin the American people’s security and privacy. The Continuous Diagnostics and Mitigation (CDM) program aims to provide a consistent, Governmentwide set of continuous monitoring tools to enhance the Federal Government’s ability to identify and respond, in real time or near real time, to the risk of emerging cyber threats. The Department of Transportation (DOT) uses continuous monitoring tools on its networks to secure information technology assets. We initiated this audit to assess DOT’s continuous monitoring tools for detecting, preventing, and reporting cybersecurity threats that may compromise DOT’s information systems and data. Specifically, we evaluated DOT’s (1) automation of its continuous monitoring tools to provide near real-time detection of cybersecurity risks in key operational areas, (2) hardware asset inventory reports and the software installed on the Department’s hardware assets, and (3) configuration of its network software and remediation of known network asset vulnerabilities.

What We Found

First, DOT uses continuous monitoring tools to automate cybersecurity monitoring, but FAA is not using tools to provide near real-time monitoring on all mission-critical NAS systems. Specifically, the Department uses continuous monitoring tools to support essential CDM requirements and has implemented a CDM Dashboard to automatically report cybersecurity information. However, FAA has not performed near real-time cyber monitoring activities on 62 of 85 National Airspace Systems Cyber Management Systems due to air traffic and safety concerns.

Second, DOT did not maintain an accurate inventory of its hardware assets, and FAA is still developing policies for a software inventory reconciliation process.

Third, DOT is not configuring all its network software in accordance with requirements nor mitigating its known network vulnerabilities associated with its continuous monitoring tools and network endpoints. Addressing our concerns is key to DOT’s progress in reducing its threat surface and improving its cybersecurity posture.

Our Recommendations

We made five recommendations to improve DOT’s cybersecurity posture and reduce cybersecurity risks. DOT and FAA agreed with the recommendations. We consider all recommendations resolved but open pending completion of planned actions.

Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.

Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
3 | Yes | $0 | $0 | FAA’s Air Traffic Organization System Owners and National Airspace System (NAS) Cyber Operations to implement procedures to perform near real-time cyber monitoring activities on the remaining 62 NAS systems in accordance with DOT and FAA cybersecurity requirements and provide a timeline for completion.
1 | Yes | $0 | $0 | OCIO to implement a process to verify that DOT’s operating systems comply with applicable Departmental and Defense Information Systems Agency Security Technical Implementation Guides configuration settings.
2 | Yes | $0 | $0 | OCIO to remediate vulnerabilities or develop other compensating controls in systems supporting DOT’s Continuous Diagnostics and Mitigation program, tools, and network endpoints in accordance with the timeframes set forth in Cybersecurity and Infrastructure Security Agency’s managed catalog of known exploited vulnerabilities.
4 | Yes | $0 | $0 | FAA’s System Strategy & Performance Service division to develop and implement software asset management policies, including a software inventory for reconciliation process.
5 | Yes | $0 | $0 | FAA’s Research and Development division to implement a process to verify that FAA’s operating systems comply with applicable Departmental, FAA, and Defense Information Systems Agency Security Technical Implementation Guides configuration settings.