FTA Does Not Effectively Assess Security Controls or Remediate Cybersecurity Weaknesses To Ensure the Proper Safeguards Are in Place To Protect Its Financial Management Systems

What We Looked AtThe Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 set up appropriations to support executive agency operations during the COVID-19 pandemic. The Federal Transit Administration (FTA) has received nearly $70 billion in CARES Act and other COVID-19 relief appropriations. FTA uses several financial management systems to approve, process, and disperse this funding for the transit industry’s COVID-19 response and recovery. Given the size of this investment, we initiated this audit. Our audit objective was to assess the effectiveness of FTA’s financial management systems’ security controls designed to protect the confidentiality, integrity, and availability of the systems and their information. What We FoundFTA’s financial management systems have security control deficiencies that could affect FTA’s ability to approve, process, and disburse COVID-19 funds. FTA security officials mislabeled and incorrectly documented control types for over 180 security controls in its fiscal year 2020 system security plans for these systems. FTA also does not adequately monitor security controls provided by or inherited from DOT’s common control provider. FTA also has not remediated security control weaknesses identified since 2016. Lastly, FTA lacks sufficient contingency planning and incident response capabilities such as alternate set of personnel to restore its financial management systems if its primary personnel are unavailable. Due to these security control weaknesses, FTA’s security officials cannot be sure financial management systems have the proper safeguards and countermeasures in place to protect the systems and that they effectively manage information security risk. Our RecommendationsFTA concurred with all of our 13 recommendations to help the Agency address its security control weaknesses and improve its systems’ cybersecurity posture. Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.