Date Issued
Submitting OIG
Department of Transportation OIG
Other Participating OIGs
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Office of the Special Trustee for American Indians
Office of the Secretary of Transportation
Report Number
QC2021003
Report Description

What We Looked At

This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation's (DOT) information security program and practices. The Federal Information Security Modernization Act (FISMA) requires agencies to develop, implement, and document agency-wide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies' information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with CliftonLarsonAllen LLP (CLA) to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT's information security program and practices in five function areas: Identify, Protect, Detect, Respond, and Recover.

What We Found

We performed a QCR of CLA's report and related documentation. Our QCR disclosed no instances in which CLA did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations

CLA made 18 recommendations. DOT concurs with recommendations 1, 3 through 15, 17, and 18, and partially concurs with recommendations 2 and 16. CLA considers all 18 recommendations resolved but open pending completion of planned actions.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 12 open recommendations.
Each entry below gives the recommendation number, whether it is a significant recommendation, the recommended questioned costs, the recommended funds for better use, and the recommendation text. All 12 open recommendations are significant and carry $0 in recommended questioned costs and $0 in recommended funds for better use.

Recommendation 2 (significant; recommended questioned costs $0; recommended funds for better use $0)
Work with OAs to update privacy risk management procedures to ensure the completion, tracking, review, and approval of privacy plans and compliance documentation prior to system authorization or reauthorization. Components should engage the Departmental Chief Privacy Officer as appropriate.

Recommendation 4 (significant; recommended questioned costs $0; recommended funds for better use $0)
Work with the Departmental Chief Privacy Officer to establish processes and procedures to determine Component compliance with Departmental policy requiring that Privacy Risk Management plans be established prior to system authorization or reauthorization.

Recommendation 5 (significant; recommended questioned costs $0; recommended funds for better use $0)
Coordinate with appropriate offices within the Office of the Secretary to develop and implement a strategy and solution(s) to ensure that supervisors, contracting officers, and contracting officer representatives enforce personnel onboarding and offboarding procedures, including completion of the DOT Rules of Behavior and other IT requirements before access is granted to DOT networks, systems, and information, and revocation of existing access upon separation, in accordance with DOT policy.

Recommendation 6 (significant; recommended questioned costs $0; recommended funds for better use $0)
Strengthen its oversight of the configuration management processes performed by OAs to ensure configuration management plans are developed, kept up to date, and document requirements for each system.

Recommendation 8 (significant; recommended questioned costs $0; recommended funds for better use $0)
Work with OAs to implement oversight to address configuration change weaknesses and to ensure configuration changes to the information systems are properly documented and tracked through implementation, and undergo a post-implementation review to verify that procedures are followed.

Recommendation 9 (significant; recommended questioned costs $0; recommended funds for better use $0)
Ensure that baseline configuration deviations are monitored and approved, so that baseline compliance reports demonstrate a consistent and accurate application of baseline standards.

Recommendation 10 (significant; recommended questioned costs $0; recommended funds for better use $0)
Consolidate to the enterprise Tenable Nessus system to ensure accessibility of baseline compliance and/or vulnerability assessment capabilities.

Recommendation 11 (significant; recommended questioned costs $0; recommended funds for better use $0)
Ensure that missing security patches are either applied in accordance with DOT policy or that vulnerable software is otherwise remediated on the affected endpoints. In addition, ensure that missing security patches attributable to specific mission/business requirements are identified, that the resulting control weaknesses are documented in POA&Ms, and that the authorizing official is aware of and has accepted the risk for the associated weaknesses.

Recommendation 12 (significant; recommended questioned costs $0; recommended funds for better use $0)
Document and implement a process to identify software end-of-life dates and require the development of implementation plans to eliminate unsupported software.

Recommendation 13 (significant; recommended questioned costs $0; recommended funds for better use $0)
Work with FAA to secure a reliable funding stream for background reinvestigations.

Recommendation 16 (significant; recommended questioned costs $0; recommended funds for better use $0)
Work with the OST IT Director to ensure that an alternate processing site (including necessary agreements) is more clearly described within the contingency plan for those systems, to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.

Recommendation 17 (significant; recommended questioned costs $0; recommended funds for better use $0)
Work with the PHMSA CIO to ensure that an alternate storage site (including necessary agreements) is described within the contingency plans for those systems, to permit the transfer and resumption of information system operations for essential missions/business functions consistent with recovery time objectives when the primary processing capabilities are unavailable, in accordance with the requirements of the Cybersecurity Compendium and NIST guidance.
