Brought to you by the Council of the Inspectors General on Integrity and Efficiency
DOT Uses Continuous Monitoring Tools To Automate Cybersecurity Monitoring But Needs To More Effectively Detect, Prevent, and Report Cybersecurity Threats
What We Looked At
Following a series of disruptive cyberattacks in the public and private sectors, the President issued an Executive Order in 2021 requiring civilian Federal agencies to protect and secure their critical infrastructure and computer systems, which underpin the American people’s security and privacy. The Continuous Diagnostics and Mitigation (CDM) program aims to provide a consistent, Governmentwide set of continuous monitoring tools to enhance the Federal Government’s ability to identify and respond in real-time or near real-time, to the risk of emerging cyber threats. The Department of Transportation (DOT) uses continuous monitoring tools on its networks to secure information technology assets. We initiated this audit to assess DOT’s continuous monitoring tools for detecting, preventing, and reporting cybersecurity threats that may compromise DOT’s information systems and data. Specifically, we evaluated DOT’s (1) automation of its continuous monitoring tools to provide near real-time detection of cybersecurity risks in key operational areas, (2) hardware asset inventory reports and the software installed on the Department’s hardware assets, and (3) configuration of its network software and remediation of known network asset vulnerabilities.
What We Found
First, DOT uses continuous monitoring tools to automate cybersecurity monitoring, but FAA is not using tools to provide near real-time monitoring on all mission-critical NAS systems. Specifically, the Department uses continuous monitoring tools to support essential CDM requirements and has implemented a CDM Dashboard to automatically report cybersecurity information. However, FAA has not performed near real-time cyber monitoring activities on 62 of 85 National Airspace Systems Cyber Management Systems due to air traffic and safety concerns. Second, DOT did not maintain an accurate inventory of its hardware assets, and FAA is still developing policies for a software inventory reconciliation process. Third, DOT is not configuring all its network software in accordance with requirements nor mitigating its known network vulnerabilities associated with its continuous monitoring tools and network endpoints. Addressing our concerns is key to DOT’s progress in reducing its threat surface and improving its cybersecurity posture.
Our Recommendations
We made five recommendations to improve the DOT’s cybersecurity posture and reduce cybersecurity risks. DOT and FAA agreed with the recommendations. We consider all recommendations resolved but open pending completion of planned actions.
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552. Relevant portions of this public version of the report have been redacted.
What We Looked At
This report presents the results of our quality control review (QCR) of an audit of the Department of Transportation’s (DOT) information security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, implement, and document agency-wide information security programs and practices. FISMA also requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. To meet this requirement, we contracted with Sikich to conduct this audit subject to our oversight. The audit objective was to determine the effectiveness of DOT’s information security program and practices in five function areas—Identify, Protect, Detect, Respond, and Recover.
What We Found
Our QCR disclosed no instances in which Sikich did not comply, in all material respects, with generally accepted Government auditing standards.
Our Recommendations
DOT concurs with all 10 of Sikich’s recommendations. Sikich considers 10 recommendations resolved but open pending completion of planned actions.
Most of the 47 states that charged fees to CWSRF loan recipients did not provide some required fee information in either their intended use plan or annual report for 2022. This may have occurred because the Office of Water's guidance was not clear with respect to the definitions of the required information and how regional reviewers should obtain missing information. As a result, the EPA may not have had complete fee information available for its oversight activities. Additionally, the public may not have had access to all the required fee information, including the amount of accumulated fee revenue available for use.