Senior Reporter
IG Audit Rates DOT Information Systems ‘Not Effective’
[Stay on top of transportation news: Get TTNews in your inbox.]
The U.S. Department of Transportation’s information systems and the sensitive data they contain are “not effective” in all critical “maturity levels,” according to a new audit issued by the DOT Office of the Inspector General.
The audit, conducted on behalf of DOT IG by CliftonLarsonAllen LLP, took a detailed look at DOT’s information security program and practices, rating the system overall as at the “defined maturity level,” the second lowest level in the so-called maturity mode.
As a result, the contractor issued 14 recommendations for DOT’s information security program to improve the system. DOT concurred with only one of the recommendations, resulting in the auditors characterizing eight of the recommendations as resolved but open pending completion of planned action, and six of the recommendations as “open and unresolved.”
“Based upon our audit of DOT’s information security program and practices, we concluded that in all five function areas, DOT is at the Defined maturity level — the second-lowest level in the maturity model for an information security program, and thus not effective,” the audit said. “The department has, for the most part, formalized and documented its policies, procedures and strategies; however, DOT still faces significant challenges in the consistent implementation of its information security program across the department. Consequently, we noted weaknesses in each of the eight Inspector General Federal Information Security Modernization Act of 2014 metric domains encompassing the Department’s agencywide program.”
The FISM Act requires agencies to develop, implement and document an agencywide information security program and practices. The act also requires the IG to conduct an annual review of their agencies’ information security programs and report the results to the Office of Management and Budget.
For fiscal 2019, OMB required IGs to assess 67 metrics in five security function areas — identify, protect, detect, respond and recover — to determine the effectiveness of their agencies’ information security programs and the maturity level of each function area.
The contractor’s report identified continuing deficiencies, among them:
- Related to risk management.
- Vulnerability and configuration management.
- Identity and access management.
- Data protection and privacy.
- Security training.
- Information-security continuous monitoring.
- Incident response.
- Contingency planning practices designed to protect mission critical systems from unauthorized access, alteration or destruction.
The auditor said the goal of the agency’s cybersecurity program is the protection of DOT information systems and the sensitive data they contain from unauthorized access, use, disclosure, disruption, modification or destruction from threats that can impact confidentiality, integrity and availability of the information.
The auditor said departmental cybersecurity policy serves as the overarching, foundational directive for cybersecurity for DOT and authorizes the DOT chief information officer to develop and disseminate supplemental policies, guidance, procedures, standards and processes that implement mandatory cybersecurity requirements required of DOT by other entities.
“These entities include, but are not limited to, Congress, OMB, the National Institute of Standards and Technology and the Department of Homeland Security,” the audit said. “This collection of supplemental policies and guidance is collectively referred to as the Departmental Cybersecurity Compendium.”
Want more news? Listen to today's daily briefing: