DOT IG critical of recurring FISMA security weaknesses

Despite a series of damning, yearly Federal Information Security Management Act compliance audits, the Transportation Department failed again in fiscal 2012 to remedy recurring weaknesses that expose the department to serious security threats, according to a Nov. 14 Office of Inspector General report (.pdf). Twenty-one of 35 open recommendations made since 2009 remain open, say report authors.

In 2009, the department's security program did not meet all federal requirements and the following year its lack of progress in other critical areas constituted a material weakness in internal controls. In 2011, DOT had not corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions.

"Overall, the department's information security system was still not effective," write report authors.

The OIG also called out three FISMA security program areas that need the most attention. First, procedures for accepting and monitoring shared security controls have not been developed. Second, continuous monitoring procedures are still in draft and require additional detail to guide operating administration personnel in developing monitoring practices. Finally, capital planning and investment is lacking: procedures for managing security costs as part of capital planning have not been developed, and there are no procedures for developing enterprise architecture, write report authors.

In addition to the 21 recommendations that remain open, the OIG recommends the DOT chief information officer work with operating administrations to help them better develop processes for inheriting controls, crafting continuous monitoring strategies and improving capital planning.

The OIG also recommends the department set timelines for incident remediation based on risk. The CIO should remove inactive computer devices from Active Directory by requiring administrations to formulate a process for their timely removal, reviewing those policies and seeing that they are implemented, auditors recommend.
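One way an administration could implement such a timely-removal process, as an added PowerShell example that is not from the OIG report or the department (the OU path, the 90-day threshold and the report location are assumptions):

```powershell
# Added example, not from the OIG report: find Active Directory computer
# objects that have not authenticated within a threshold, record them for
# review, and optionally disable or delete them. Assumes the RSAT
# ActiveDirectory module and an account permitted to modify the objects.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,                                   # assumed policy threshold
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=gov', # assumed OU path
    [string]$ReportPath = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$Disable,
    [switch]$Remove
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is the converted lastLogonTimestamp, which replicates to every
# DC (with up to ~14 days of lag), so one DC query is enough for a sweep.
# Objects created after the cutoff are skipped so a freshly joined machine
# that has not logged on yet is not treated as stale.
$stale = @(Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties LastLogonDate, OperatingSystem, whenCreated |
    Where-Object {
        $_.whenCreated -lt $cutoff -and
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
    })

# Write the evidence a reviewer needs: which objects were found and when.
$stale |
    Select-Object Name, Enabled, LastLogonDate, OperatingSystem, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($stale.Count) computer objects inactive > $InactiveDays days; report: $ReportPath"

foreach ($c in $stale) {
    if ($Remove) {
        # -Recursive also removes child objects (e.g. BitLocker recovery
        # information), which a plain Remove-ADComputer refuses to do.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Delete computer object')) {
            Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
        }
    } elseif ($Disable -and $c.Enabled) {
        # Disable first; delete on a later run once no one has claimed the device.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, 'Disable computer account')) {
            Disable-ADAccount -Identity $c.DistinguishedName
            Set-ADComputer -Identity $c.DistinguishedName `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
        }
    }
}
```

Run it with -WhatIf first; without -Disable or -Remove it only writes the report, so the same script can be scheduled as the review step and the enforcement step separately.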

The OIG also recommends the department develop, document and approve an enterprise-wide risk management program compliant with the National Institute of Standards and Technology's Special Publication 800-39 (.pdf).

In response to OIG recommendations, the department outlined its priorities for the coming year and committed to providing auditors with "specific planned actions and milestones" to address their numerous recommendations.

For more:
- download the report, FI-2013-014 (.pdf)
