Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
U.S. Agency for International Development
Financial Audit of USAID Resources Managed by Centre for the Development of People in Malawi Under Cooperative Agreement 72061220CA00006, January 1 to December 31, 2023
Our Objective(s): To determine whether security weaknesses exist in FHWA's information technology (IT) infrastructure that could lead to the compromise of the Agency's IT systems and data. Specifically, we reviewed FHWA's (1) adherence to cybersecurity policies and (2) compliance with the Rules of Engagement (ROE) and its cybersecurity incident response procedures.
Why This Audit: FHWA's information systems support mission processes that aid in grant management, infrastructure inspections, inventory management, and research and development. Protecting these systems and the information stored in them prevents unauthorized access and compromise. This audit is the fourth in a series of reviews to determine whether the U.S. Department of Transportation (DOT) has the security controls in place to protect its networks and information systems from unauthorized access.
What We Found: DOT's lack of adherence to cybersecurity policies allowed the Office of Inspector General (OIG) to gain unauthorized access into FHWA's network.
FHWA and DOT's Office of the Chief Information Officer (OCIO) do not remediate vulnerabilities in FHWA's IT infrastructure according to policy.
OCIO had not implemented the required network boundary protection controls, which allowed us to access the Federal Aviation Administration's intranet site and sensitive proprietary data. FHWA did not replace default credentials in FHWA information systems, which allowed us to access network printers and sensitive information.
We also used open-source tools to crack and utilize weak and known passwords to compromise and penetrate FHWA IT infrastructure and gain access to two FHWA servers and an OCIO server.
DOT and FHWA officials did not consult with OIG in accordance with the ROE and did not fully follow DOT's incident response procedures, which prevented us from completing testing activities.
After we gained unauthorized access to three of DOT's servers, DOT disconnected one and started decommissioning the other two without consulting with OIG, as required by the ROE. According to DOT officials, FHWA and OCIO technicians did not notify OIG because they did not recognize OIG as the source of scanning and other intrusion attempts.
However, had DOT followed its incident response procedures, it could have identified OIG as an intruder and notified us they were aware of our intrusion so that we could consult and then complete further testing. As a result of these actions, we were unable to determine whether FHWA IT infrastructure is at risk of being further compromised.
Recommendations: We have made eight recommendations to improve OCIO's IT security posture providing IT shared services to FHWA's IT infrastructure.
Unresolved Recommendations: Two
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. 552. Relevant portions of this public version of the report have been redacted.
Independent Audit Report on Management Systems International Inc.'s Proposed Billed Costs, USAID/Iraq Performance Management and Evaluation Services Activity, Contract 72026720C00001, July 1, 2020, to September 30, 2022
The National Security Agency (NSA) Office of the Inspector General (OIG) released its Semiannual Report (SAR) to Congress summarizing the OIG’s oversight work during the second half of Fiscal Year 2024.
The SAR covers a wide range of audits, evaluations, inspections, and investigations completed during the reporting period. As required by the Inspector General Act of 1978 (as amended), the SAR was transmitted to Congress on 22 November 2024.