Date Issued
Submitting OIG
Department of Transportation OIG
Other Participating OIGs
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Office of the Secretary of Transportation
Report Number
FI2019023
Report Description

What We Looked At
The Federal Information Security Management Act of 2002 (FISMA), as amended, requires inspectors general to conduct annual reviews of their agencies' information security programs and report the review results to the Office of Management and Budget (OMB). DOT's operations rely on 471 information technology systems, which represent an annual investment of approximately $3.6 billion. Consistent with FISMA and OMB requirements, our audit objective was to determine the effectiveness of DOT's information security program and practices in five cyber function areas--Identify, Protect, Detect, Respond, and Recover.

What We Found
In all five function areas, DOT is at the Defined maturity level--the second lowest level of maturity in the model for information security--because the Department has, for the most part, formalized and documented its policies, procedures, and strategies. However, DOT still has policy gaps. We found a number of instances in which implementation of processes did not conform to policy.

DOT's Identify, Protect, Detect, Respond, and Recover controls are currently inadequate. Identify controls include risk management, weakness remediation, and security authorization. Protect controls cover configuration management, identity and access management, data protection and privacy, and security training. Detect controls identify cybersecurity incidents as part of information security continuous monitoring (ISCM). Respond controls cover incident handling and reporting, and Recover controls cover development and implementation of plans to restore capabilities and services impaired by cybersecurity incidents.

Recommendations
We made 12 recommendations to help the Department address challenges in its development of a mature and effective information security program. DOT concurred with all 12 of our recommendations.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 8 open recommendations.
Each open recommendation is listed below with its recommendation number, whether it is a significant recommendation, the recommended questioned costs, the recommended funds for better use, and additional details.

Recommendation 10 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Develop a process to define its performance measures--that consider DOT's business environment--to assess the effectiveness of DOT's information security program, including its ISCM program.

Recommendation 11 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Using NIST guidance, test and authorize CDM applications (such as BigFix) that have been placed into operation on DOT's networks without proper security control assessments.

Recommendation 2 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Direct OCIO to follow policy and conduct annual cybersecurity performance analysis reviews of OAs' cybersecurity programs, and submit reports to OAs with recommendations to address cybersecurity weaknesses.

Recommendation 4 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Direct OST to prioritize and resolve COE security weaknesses identified by the assessor, and develop POA&Ms that realistically reflect resources and timeframes for completion of these actions.

Recommendation 5 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Direct OST to establish MOUs that delineate the responsibilities for COE common controls with each of the following OAs: FHWA, FMCSA, FRA, FTA, OIG, MARAD, SLSDC, and NHTSA.

Recommendation 6 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Direct OAs (FAA, FHWA, FMCSA, FRA, FTA, OST, PHMSA, MARAD, and NHTSA) with weaknesses in data protection and privacy to update the status and develop POA&Ms to address the weaknesses.

Recommendation 8 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Enhance security awareness training policy to define processes to tailor this training to DOT's unique environment and use feedback to enhance its program.

Recommendation 9 (significant: Yes; recommended questioned costs: $0; recommended funds for better use: $0)
Develop and define a taxonomy that describes the content of the hardware and software inventory and the process to assemble, verify, and maintain adequate support for the inventory data as well as the related information reported to OMB and other external parties.
