DOT auditors fault CIO cybersecurity hole prioritization policy
A new Transportation Department chief information officer policy for prioritizing the remediation of cybersecurity vulnerabilities wrongly incentivizes staff to resolve low-priority weaknesses before high-priority weaknesses, says the DOT inspector general.
In an annual audit of departmental cybersecurity released Nov. 15, Transportation auditors say DOT computers "remain vulnerable to predators." Auditors cite a long list of cybersecurity problems, including the fact that in September 2010 the CIO implemented a new plan of action and milestones (POA&M) policy for prioritizing vulnerability fixes.
Under the previous policy, the higher a POA&M item's risk categorization, the less time cybersecurity staff had to remediate the problem. Now, the higher the risk, the more time staff have to plug the hole. Under the new policy, staff must come up with a remediation plan within 90 days for high-impact vulnerabilities, whereas previously they were supposed to have them solved within 24 hours. The new policy also gives staff 90 days to remediate moderate-priority items and 30 days to resolve low-priority vulnerabilities. Before, they had 20 and 60 days, respectively.
Transportation currently has 4,794 open POA&M items, 1,200 of which are already overdue, but under the new policy all POA&Ms are "expected to become overdue," the report states.
Auditors also fault the CIO for not developing procedural guidance to implement the first departmentwide security policy it issued in 2009. The policy itself lacks important elements, such as addressing how contractor-operated systems should be reported, auditors add.
As of Sept. 30, 2010, the department had not certified and accredited 41 of its systems, nearly 10 percent of its 436 systems, auditors say.
In the department's official response to the audit, DOT CIO Nitin Pradhan said Transportation "has initiated a paradigm shift from a reactive, gradual and segmented cybersecurity approach to a holistic, predictive, proactive, rapid and agile process that is responsive to the evolving cyber threats matrix." The CIO's response does not include specific responses to OIG recommendations.
- Download the audit, FI-2011-022 (.pdf)