What We Looked At This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agency-wide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with Sikich to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.What We FoundOur QCR disclosed no instances in which Sikich did not comply, in all material respects, with generally accepted Government auditing standards.Our RecommendationsDOT concurs with all 10 of Sikich’s recommendations. Sikich considers 10 recommendations resolved but open pending completion of planned actions.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 9 | Yes | $0 | $0 | ||
| Update the Office of Chief Information Officer Cybersecurity Incident Response Plan to incorporate lessons learned from the security incident and ensure that it reviews and updates the plan annually. | |||||
| 10 | Yes | $0 | $0 | ||
| Document and implement a plan to issue policy, implementation instructions, procedures, and configuration guidance to support Departmental enterprise event logging in accordance with OMB M-21-31, Improving the Federal Governments Investigative and Remediation Capabilities Related to Cybersecurity Incidents. | |||||
| 8 | Yes | $0 | $0 | ||
| Complete the DOT workforce assessment, which includes the entire DOT IT and cybersecurity workforce. | |||||
| 7 | Yes | $0 | $0 | ||
| Direct the DOT Information Assurance and Privacy Management Office and Breach Assessment and Response Team to implement annual testing of the Breach Notification Controls, as required by DOT Order 1351.19, Personally Identifiable Information Breach Notification Controls. | |||||
| 1 | Yes | $0 | $0 | ||
| Work with the Cyber Security Assessment and Management (CSAM) system owner to resolve the technical issues to ensure the CSAM Plan of Action and Milestones (POA&M) reporting function is accurate and conduct oversight of the Operating Administrations to ensure that the POA&M entries meet the requirements of Information Technology (IT) Implementation Memorandum 2023-010A, DOT Supplemental Requirements for IT Security POA&M Management. | |||||
| 2 | Yes | $0 | $0 | ||
| Strengthen procedures for maintaining a comprehensive and accurate cloud system inventory, which includes reconciling CSAM data to the listing of cloud service providers submitted by the Operating Administrations. | |||||
| 3 | Yes | $0 | $0 | ||
| Enforce password polices to ensure passwords are harder to guess and extend the timeframe in which individuals can enter the next password. Further, use cryptographically protected channels to transmit passwords. | |||||
| 4 | Yes | $0 | $0 | ||
| Document and implement procedures to review on a periodic basis users with administrative rights and privileged groups with access to domain controllers. | |||||
| 5 | Yes | $0 | $0 | ||
| Implement protections to restrict access to system tools used to create and manage shadow copies of the hard drive. | |||||
| 6 | Yes | $0 | $0 | ||
| Document and implement procedures to analyze user account passwords against lists of commonly used and compromised passwords and require users to reset weak or compromised passwords. | |||||
