DOT continues to lag on resolving cybersecurity problems
The Transportation Department continues to have difficulty remediating cybersecurity vulnerabilities, the departmental inspector general says in an annual assessment on Federal Information Security Management Act compliance.
The Nov. 14 report reviews DOT FISMA performance during fiscal 2011, which ended on Sept. 30. Over the course of that year, DOT tracked 4,668 known vulnerabilities requiring a plan of action and milestones, but didn't resolve 1,565 of them on time. According to data in the report, 374 of the vulnerabilities have been outstanding for more than 365 days.
In the fiscal 2010 report, the DOT OIG criticized the Transportation chief information officer for instituting a policy that in effect prioritizes the remediation of lower priority problems: it requires them to be resolved within a shorter timeframe than higher-impact vulnerabilities.
That policy continues to be in place, although DOT has said it will change it, the report says. DOT "has yet to issue its final revised timeframes," the report adds, stating that a draft policy document would require the resolution of high and moderate POA&Ms within 90 days and give no deadline for low priority vulnerabilities.
DOT tracks POA&Ms in a central system called Cyber Security Assessment and Management, but DOT component agencies don't always enter all known weaknesses into CSAM, the report says.
The report also says the Office of the Secretary of Transportation (OST), which provides network infrastructure support to DOT's headquarters and remote offices (except FAA and Federal Motor Carrier Safety Administration field sites), has disagreed with the office of the CIO over a revision to cybersecurity policy, resulting in the OST operating without one.
In the official response to the audit, DOT CIO Nitin Pradhan says issues raised by auditors in the report are "integral to FISMA objectives," but that "it is neither realistic nor plausible to commit to addressing all of the issues described in the OIG draft report in a single year."
Rather, Pradhan adds that his office will focus cybersecurity efforts during the current fiscal year on higher priority actions such as improved perimeter security, implementation of automatic continuous monitoring, and use of federal identity cards required under HSPD-12 for two-factor logical access.
For more:
- download the report, FI-2012-007 (.pdf)