## What We Looked At

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and to report the results of these reviews to the Office of Management and Budget. To meet this requirement, the Surface Transportation Board (STB) requested that we perform its fiscal year 2024 FISMA review. We contracted with Williams Adley & Company-DC LLP, an independent public accounting firm, to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of STB's information security program and practices in five function areas: Identify, Protect, Detect, Respond, and Recover. We performed a quality control review (QCR) of Williams Adley's report and related documentation.

## What We Found

Our QCR disclosed no instances in which Williams Adley did not comply, in all material respects, with generally accepted Government auditing standards.

## Our Recommendations

STB concurs with the findings and nine recommendations in Williams Adley's audit.
## Open Recommendations

| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 1 | Yes | $0 | $0 | Develop and implement a formal process to integrate the results of the STB's business impact analysis (BIA) with its enterprise risk management activities. |
| 2 | Yes | $0 | $0 | Update existing methods of resource allocation to account for system categorization. |
| 3 | Yes | $0 | $0 | Perform a cost-benefit analysis of introducing automation to support a centralized view of cybersecurity risks, manage risk designations, maintain privileged accounts, and test system contingency plans; and apply the appropriate risk mitigation strategy. |
| 4 | Yes | $0 | $0 | Develop profiles of expected activities on its networks and systems. |
| 5 | Yes | $0 | $0 | Develop qualitative and quantitative performance measures to evaluate the effectiveness of the following: configuration management plan and change control activities; data exfiltration and enhanced network defenses; data breach response plan; privacy awareness training program; incident response capability; ISCM policies, strategy, and processes; incident detection, analysis, handling, and response activities; information system contingency plans. For all performance measures, ensure that supporting data is obtained accurately, consistently, and in a reproducible format. |
| 6 | Yes | $0 | $0 | Develop a formal process to collect, analyze, and respond to feedback on the performance of its secure configuration policies and procedures and its security awareness and training program. |
| 7 | Yes | $0 | $0 | Resume the assessment of the skills and knowledge of its workforce to tailor its awareness and specialized security training. |
| 8 | Yes | $0 | $0 | Obtain access to the appropriate subject matter experts or training to assist with the implementation of secure configuration settings for its information systems. |
| 9 | Yes | $0 | $0 | Implement the logging requirements outlined within OMB's M-21-31. |