Federal Reports

The objective of the performance audit was to determine whether the Social Security Administration’s (SSA) overall information security program and practices were effective and consistent with Federal Information Security Modernization Act of 2014 (FISMA)1 requirements, as defined by the Department of Homeland Security (DHS).

To see our report, click on the link below

What We Looked AtThe Federal Motor Carrier Safety Administration (FMCSA) regulates and oversees the safety of commercial motor vehicles. It partners with other agencies and the motor carrier industry to conduct this work. The Agency uses 13 web-based applications to aid vehicle registration, inspections, and other activities. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information (PII). Due to the importance of FMCSA’s programs to the transportation system and sensitivity of some Agency information, we conducted this audit of FMCSA’s information technology (IT) infrastructure. Our objective was to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data. What We FoundWe found vulnerabilities in several Agency web servers that allowed us to gain unauthorized access to FMCSA’s network. FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections. We also gained access to 13.6 million unencrypted PII records. Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees. Furthermore, the Agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise. Our RecommendationsFMCSA concurred with our 13 recommendations. We consider all 13 recommendations resolved but open pending FMCSA’s completion of planned actions. Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

What We Looked AtThe Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 set up appropriations to support executive agency operations during the COVID-19 pandemic. The Federal Transit Administration (FTA) has received nearly $70 billion in CARES Act and other COVID-19 relief appropriations. FTA uses several financial management systems to approve, process, and disperse this funding for the transit industry’s COVID-19 response and recovery. Given the size of this investment, we initiated this audit. Our audit objective was to assess the effectiveness of FTA’s financial management systems’ security controls designed to protect the confidentiality, integrity, and availability of the systems and their information. What We FoundFTA’s financial management systems have security control deficiencies that could affect FTA’s ability to approve, process, and disburse COVID-19 funds. FTA security officials mislabeled and incorrectly documented control types for over 180 security controls in its fiscal year 2020 system security plans for these systems. FTA also does not adequately monitor security controls provided by or inherited from DOT’s common control provider. FTA also has not remediated security control weaknesses identified since 2016. Lastly, FTA lacks sufficient contingency planning and incident response capabilities such as alternate set of personnel to restore its financial management systems if its primary personnel are unavailable. Due to these security control weaknesses, FTA’s security officials cannot be sure financial management systems have the proper safeguards and countermeasures in place to protect the systems and that they effectively manage information security risk. Our RecommendationsFTA concurred with all of our 13 recommendations to help the Agency address its security control weaknesses and improve its systems’ cybersecurity posture. Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.

What We Looked AtAmerican Airlines, one of the world’s largest commercial air carriers, has not experienced a fatal accident in nearly two decades. Despite this safety record, reports of potentially unsafe maintenance practices have raised concerns about the Federal Aviation Administration’s (FAA) oversight of the carrier’s maintenance programs. At the request of then-ranking members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee, we initiated this review. Specifically, we examined whether FAA ensures that American Airlines implemented effective corrective actions to address the root causes of maintenance problems and FAA’s oversight of American Airlines’ safety management systems (SMS). What We FoundFAA lacks effective oversight controls to ensure American Airlines’ corrective actions for maintenance non-compliances addressed root causes. According to FAA guidance, FAA inspectors should collaborate with the air carrier to correctly identify and fix the root cause(s) of deviations or non-compliances. However, in 171 of 185 (92 percent) of cases we sampled, FAA inspectors accepted root cause analyses by the air carrier that did not identify the true root cause of the problem. Furthermore, FAA closed compliance actions before the air carrier implemented its corrective actions. FAA’s oversight controls are also not effective for evaluating if American Airlines’ SMS sufficiently assesses and mitigates risk. FAA requires American Airlines to use its SMS to determine the level of risk associated with maintenance non-compliances. However, we found that FAA inspectors did not routinely or consistently evaluate whether the carrier adequately and effectively assessed and rated risks. This is in part because FAA did not provide its inspectors with comprehensive training and tools for overseeing and evaluating the carrier’s SMS. Our RecommendationsFAA concurred with five and partially concurred with two of our seven recommendations to improve FAA’s oversight of American Airlines maintenance programs. We consider recommendations 1, 2, 4, and 6 resolved but open, pending completion of planned actions. However, we are asking FAA for additional information and to reconsider its actions for recommendations 3, 5, and 7.