DOT vulnerable to serious security threats, says OIG
The Transportation Department's information systems are vulnerable to serious security threats due to deficiencies with its enterprise architecture, controls and vulnerability remediation.
The enterprise architecture direction offered in the department's procedural guidance is not detailed enough for the department's 13 operating administrations to create effective EA procedures, writes the DOT inspector general in its annual FISMA compliance report Nov. 22. Operating administrations also haven't implemented newly-released continuous monitoring policies because procedures outlined in the procedural guidance are incomplete, find auditors.
Controls are not in place enterprisewide to ensure contractors receive security training and personnel with significant security responsibilities receive specialized security training, finds the report. It adds that DOT's security training program is lacking and not aligned with investment plans.
Better controls could also ensure that all possible security incidents are reported to the Homeland Security Department and configuration baselines are appropriately managed, write auditors.
DOT's operating administrations lack controls for identifying and managing the risks associated with their systems, including the coordination of shared security controls and user identity verification and access control, says the report. These controls should be part of a risk management framework that includes mechanisms for identifying contractor-operated systems and cloud computing requirements--two more points of weakness identified in the report.
Auditors also say that remediation of security weaknesses is poorly managed at the department. Only 37 percent of DOT's open plans of action and milestones lack start dates and almost 65 percent lack risk remediation costs. Not all security weaknesses are reported to the central repository that the Department uses to track security weaknesses and their remediation, says the report.
The IG made eight recommendations for DOT to remedy these issues. The DOT chief information officer generally concurred with their recommendations.
The report wasn't all bad, however. The department has made progress in its information technology program, says the report. The CIO issued continuous monitoring guidance, continued to implement the personal identity verification program and undertook software configuration management, write auditors. Auditors project that to 83 percent of DOT computers are compliant with configuration standards.
- download the report, FI-2014-006 (.pdf)