Date Issued
Submitting OIG
Department of Transportation OIG
Agencies Reviewed/Investigated
Department of Transportation
Components
Office of the Secretary of Transportation
Report Number
QC2025049
Report Description

Our Objective(s)
To perform a quality control review (QCR) of Sikich's fiscal year 2025 audit of the effectiveness of the Department of Transportation's (DOT) information security program and practices.

Why This Audit
The Federal Information Security Modernization Act of 2014 requires agencies to develop, implement, and document agencywide information security programs and practices. The Act also requires inspectors general to conduct annual reviews to determine the effectiveness of their agencies' information security programs and report their review results to the Office of Management and Budget. To meet this requirement, we contracted with Sikich to conduct this audit subject to our oversight. We performed a QCR of Sikich's report and related documentation.

What We Found
The independent auditor, Sikich, found that DOT's information security program and practices were not effective and made seven recommendations to improve DOT's information security program:
1. Establish and implement guidance for performing Cybersecurity Framework 2.0 activities through policies and procedures, including the development of current and target cybersecurity profiles which consider anticipated changes in DOT's cybersecurity posture.
2. Define and implement policies and procedures that utilize standard data elements and taxonomy to develop and maintain an up-to-date inventory of all software assets and associated licenses, including Executive Order critical software.
3. Document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for DOT's data types.
4. Create and maintain a comprehensive inventory of data and corresponding metadata.
5. Work with the Federal Aviation Administration (FAA) Chief Information Officer (CIO) to secure a reliable funding stream for continuous vetting.
6. Work with the FAA CIO to initiate and complete the background investigation of FAA employees in public trust positions.
7. Work with the FAA CIO to enroll FAA employees into continuous vetting through Trusted Workforce.

Our QCR disclosed no instances in which Sikich did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations
DOT concurs with Sikich's seven recommendations.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 7 open recommendations.
Each entry lists: recommendation number; significant recommendation (Yes/No); recommended questioned costs; recommended funds for better use; additional details.

Recommendation 1 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Establish and implement guidance for performing Cybersecurity Framework 2.0 activities through policies and procedures, including the development of current and target cybersecurity profiles which consider anticipated changes in DOT's cybersecurity posture.

Recommendation 2 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Define and implement policies and procedures that utilize standard data elements and taxonomy to develop and maintain an up-to-date inventory of all software assets and associated licenses, including Executive Order-critical software.

Recommendation 3 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for DOT's data types.

Recommendation 4 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Create and maintain a comprehensive inventory of data and corresponding metadata.

Recommendation 5 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Work with FAA CIO to secure a reliable funding stream for continuous vetting.

Recommendation 6 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Work with FAA CIO to initiate and complete the background investigation of FAA employees in public trust positions.

Recommendation 7 (Significant: Yes; Questioned costs: $0; Funds for better use: $0): Work with FAA CIO to enroll FAA employees into continuous vetting through Trusted Workforce.
