Federal Reports

What We Looked AtOver the past 10 years, the Department of Transportation (DOT) and its Operating Administrations (OA) have increased their migration to and adoption of cloud computing based on Federal requirements. In May 2021, the President issued Executive Order 14028 to modernize Federal Government cybersecurity by accelerating the movement to secure cloud services, adopting security best practices, and advancing towards zero trust architecture (ZTA). Given the administration's increased emphasis on cloud services, we initiated this audit. Our audit objectives were to assess the effectiveness of the Department's (1) cloud systems' security and privacy controls and (2) strategy to secure cloud services in order to implement ZTA.What We FoundDOT and its OAs do not consistently implement security and privacy controls to protect their cloud-based systems. First, the Department and several OAs did not effectively follow Federal requirements and best practices to protect their cloud systems from cyberattacks. Second, DOT does not always effectively manage and secure the computing resources for its cloud-based systems by using secure configuration baselines, implementing multifactor authentications, encrypting data, or updating software. Lastly, DOT does not consistently use the appropriate mechanisms to detect, mitigate, and report cyberattacks on the Department's and most of the OAs' cloud-based systems. As a result, DOT may not have visibility into cybersecurity incidents, exposing it to potential threats and security weaknesses. Furthermore, DOT lacks an effective strategy for securing its cloud services transition to ZTA because its current ZTA implementation plan does not include a proposed schedule or migration steps as required by Federal guidelines. This may cause DOT to miss key milestones for implementing ZTA by the end of fiscal year 2024. Therefore, the Department will not be well positioned to meet ZTA's intent to maximize security and minimize uncertainty of computing systems.Our RecommendationsWe made 21 recommendations to improve the Agency's cloud services program and transition its enterprise network to ZTA. DOT concurred with 19 of 21 recommendations, did not concur with 1 recommendation, and asked to close 1 recommendation. We consider 17 of 19 recommendations resolved but open pending completion of planned corrective actions and request DOT provide an updated response for the 2 other recommendations. We consider two recommendations unresolved and request the Agency reconsider its non-concurrence for the first recommendation and provide documentation to support closing the second recommendation.Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.

In March 2021, the Peace Corps shut down its Coordinated Incident Reporting System (CIRS), a repository of historical crime incidents reported by Volunteers, and replaced it with the Security Incident Management System (SIMS). SIMS autopopulates crime incident report links into VIDA (Volunteer Information Database Application) through the agency’s Customer Relationship Management (CRM) platform. During the SIMS data migration, some posts began to identify and assess potential sites for returning Volunteers following the 2020 global evacuation due to the COVID-19 pandemic. OIG raised concerns about whether field staff had access to the historical crime data necessary to assess the safety of reused sites, consistent with site development requirements. We conducted this review to address these concerns .

We found that a company bypassed safety valves and falsified safety tests associated with an oil and gas production platform in the Gulf of Mexico.

Objective: To determine whether the Social Security Administration had and used management controls over the service its 800 number employees provided callers during the COVID-19 pandemic.