Quality Control Review on the Independent Auditor’s Report on the Assessment of DOT’s Information Security System Program and Practices

Date Issued

Wednesday, September 28, 2022

Submitting OIG

Department of Transportation OIG

Agencies Reviewed/Investigated

Department of Transportation

Report Number

QC2022042

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Hide this report from display

Yes

Open Recommendations

This report has 8 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
The Department should ensure that adequate resources are made available and are prioritized to validate the accuracy and completeness of asset inventory counts prior to submission to the Department of Homeland Security (DHS) as part of CIO FISMA Metrics.
2	Yes	$0	$0
Coordinate with the components to develop or revise their plans to fully transition the remaining information systems to enable and enforce PIV, except those that are subject to exclusions that are documented and approved.
3	Yes	$0	$0
FAA should develop and implement procedures to perform periodic reviews of mobile devices to ensure non-compliant mobile devices are upgraded to the current operating system release.
4	Yes	$0	$0
Strengthen processes to ensure privileged account reviews are completed and privileged account activities are logged and periodically reviewed, in accordance with DOT policy.
5	Yes	$0	$0
In coordination with the OA system owners, complete DOTs plans to implement existing solutions where possible and create a plan to address all exceptions where there is not a current solution for encryption of data at rest and in transit.
6	Yes	$0	$0
In coordination with the OA system owners, complete the deployment of DOTs data loss prevention controls to include the utilization or activation of enhanced DLP features available within existing tools and to develop and implement policies and procedures which eliminate or restrict the ability of users to connect mass storage devices to DOT networks and systems.
7	Yes	$0	$0
Enhance current procedures to implement and require the retention of records to track when computer media are sanitized prior to disposal or reuse and implement procedures to validate the remediation of computer media that have failed media sanitization upon return to DOT.
8	Yes	$0	$0
In coordination with the OA system owners, strengthen DOTs oversight of the contingency planning processes to ensure contingency planning documentation is developed, updated, and tested in a timely manner, in accordance with policy.