
Open Recommendations

Incorporate the required standard cloud security clauses in the Department's enterprise cloud service contracts as well as other cloud services contracts for FAA, MARAD, and OST to ensure the cloud services are secure.
Working with the appropriate DOT procurement officials for FAA, FMCSA, FHWA, MARAD, FRA, NHTSA, PHMSA, and OST, set up service level agreements as required, with each of their cloud service providers to define and set agency expectations and cloud service provider-specific responsibilities.
Direct departmental security officials working with appropriate procurement officials to verify that service level agreements contain a requirement to report security incidents to DOT's Security Operations Center and require confirmation of completion.
Develop and implement a process that enables FAA's Security Operations Center to receive the necessary log data for ensuring proper cybersecurity incident monitoring for all departmental cloud-based systems.
Report DOT plans for fully adopting multifactor authentication and encryption for data at rest and in transit in accordance with Executive Order 14028.
Direct and require confirmation of completion from OST's cloud-based system owner for the Federal Human Resources Navigator-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization as required by FedRAMP. b. Use personal identity verification cards as the primary authentication mechanism to ensure secure system login. c. Develop a Privacy Impact Analysis to help identify and manage personally identifiable information and privacy risks. d. Identify a…
Direct and require confirmation of completion from OST's cloud-based system owner for the Electronic Document Management System-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Require multifactor authentication for non-DOT system users. c. Develop and implement a process to automatically disable inactive system accounts after 60 days of inactivity.
Direct and require confirmation of completion from OST's cloud-based system owner for the Data Analysis Visualization Environment-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to conduct monthly vulnerability scans as required by DOT.
Direct and require confirmation of completion from MARAD's cloud-based system owner for US Merchant Marine Academy/Campus Labs-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Complete an annual security authorization process and obtain a full authorization to operate for its Software-as-a-Service cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity…
Direct and require confirmation of completion from FRA's cloud-based system owner for its Cloud Application Services-Software-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Update the Privacy Impact Analysis for the Railroad Compliance System to ensure the proper privacy controls are in place to identify and protect personally identifiable information and other sensitive information.
Direct and require confirmation of completion from NHTSA's cloud-based system owner for the Web System-Platform-as-a-Service and Infrastructure-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop and implement a process to review audit logs and analyze vulnerability scan reports on its Platform-as-a-Service on a weekly basis to check for various risks, including software flaws, per NHTSA's audit and accountability plan.
Direct and require confirmation of completion from PHMSA's cloud-based system owner for the Pipeline Risk Management Information System-Infrastructure-as-a-Service and PHMSA Data Mart-Infrastructure-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as FedRAMP requires, for the Pipeline Risk Management Information System. b. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its…
Direct and require confirmation of completion from FMCSA's cloud-based system owner for the Cloud Environment-Infrastructure-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use, as required by FedRAMP. b. Complete its annual security authorization process and obtain a full Authorization to Operate for its cloud information system to ensure all system risks have been properly identified and accepted in accordance with departmental cybersecurity policies. c. Develop and implement a process to…
Direct and require confirmation of completion from FRA's cloud-based system owner for the Multiple Case Incident Analysis-Infrastructure-as-a-Service to include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP.
Direct and require confirmation of completion from OST's cloud-based system owner for the Infrastructure and Operations Common Operating Environment (COE)-Software-as-a-Service, Infrastructure-as-a-Service, and Platform-as-a-Service to: a. Include in its executive summary/Authorization to Operate letter to the Authorizing Official proof of its review of cloud service provider's continuous monitoring activities to ensure its cloud system security posture remains sufficient for its own use and supports its ongoing authorization, as required by FedRAMP. b. Develop security baseline configuration settings and a checklist, and assess whether the COE cloud-based system is properly configured and the network is secure. c. Develop and implement a process to conduct reviews…
Direct and require confirmation of completion from FAA's cloud-based system owner for the FAA Cloud Services-Infrastructure-as-a-Service and Platform-as-a-Service to: a. Incorporate flaw remediation into ongoing configuration management processes. b. Develop and implement a process to regularly manage malicious code protection to detect and eradicate malicious code at the entry point for its Infrastructure-as-a-Service and Platform-as-a-Service. c. Develop and implement a change control process, and use baseline configuration settings and documented configuration settings to establish a basis for future builds, releases, and/or changes. d. Develop and implement a process to perform an automated review of network accounts or implement an alternative…
Direct FAA's cloud-based system owner for the Emergency Notification System-Software-as-a-Service to provide evidence of the organizational administrator's quarterly reviews of the Emergency Notification System application and documentation verifying that inactive accounts are disabled.

1. We recommend that the Director of the U.S. Census Bureau evaluate alternative strategies to achieve target response rates, particularly in underrepresented units.
5. We recommend that the Director of the U.S. Census Bureau ensure that regional offices adhere to prescribed telephone interview rates or work with the Bureau of Labor Statistics to adjust them as needed.
6. We recommend that the Director of the U.S. Census Bureau ensure all surveys and regional offices maximize the use of data analysis and monitoring tools to oversee survey quality and performance.
7. We recommend that the Director of the U.S. Census Bureau ensure RI requirements are met and completed in a timely manner.
8. We recommend that the Director of the U.S. Census Bureau reevaluate the effectiveness of the CED survey RI lag time metric.
12. We recommend that the Director of the U.S. Census Bureau ensure that staff are trained on completing adequate falsification investigations.
13. We recommend that the Director of the U.S. Census Bureau strengthen the quality control plan for the CPS by evaluating cases worked by FRs with confirmed falsifications to assess the impact on survey estimates.
15. We recommend that the Director of the U.S. Census Bureau implement a system for tracking FRs with confirmed falsifications so that applicants for FR positions can be appropriately vetted prior to reemployment.