Federal Reports

U.S. Customs and Border Protection (CBP) did not fully implement the requirements of the Synthetic Opioid Exposure Prevention and Training Act. Specifically, CBP did not: • issue a component-wide policy to safely handle potential synthetic opioids; • make naloxone available or readily accessible to all personnel at risk of exposure to opioids; and • require initial and recurrent training for all personnel at risk of opioid exposure. This happened because CBP did not ensure that the Act’s requirements were implemented.

U.S. Customs and Border Protection (CBP) did not fully implement the requirements of the Synthetic Opioid Exposure Prevention and Training Act. Specifically, CBP did not: • issue a component-wide policy to safely handle potential synthetic opioids; • make naloxone available or readily accessible to all personnel at risk of exposure to opioids; and • require initial and recurrent training for all personnel at risk of opioid exposure. This happened because CBP did not ensure that the Act’s requirements were implemented.

What We Looked AtHigh value assets (HVA) are information systems, information, and data for which unauthorized access, use, disclosure, disruption, modification, or destruction could have a significant impact on U.S. national security, or public health and safety of the American people. Given the impact that cyberattacks on HVAs can have on the security and resilience of the Nation's transportation infrastructure, we initiated this audit of DOT's HVA Program. At the time of our review, DOT identified that it had 21 HVAs. Our objectives were to evaluate whether DOT (1) established an organization-wide HVA governance program to identify and prioritize HVAs and (2) assesses HVA security controls and ensures timely remediation of identified vulnerabilities.Our RecommendationsWe made seven recommendations to strengthen DOT's HVA Program cybersecurity. DOT concurred with five recommendations and did not concur with and asked to close the other two recommendations. We consider the five recommendations resolved but open pending completion of planned corrective actions. We consider the remaining two recommendations unresolved and request that DOT provide an updated response, reconsider its non-concurrence, or provide documentation to support closing the recommendations.Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552.We plan to post a redacted version of the report when it becomes available.