Department of Transportation on the wrong cybersecurity track

In its annual cybersecurity audit, the Inspector General (IG) said that the Department of Transportation (DOT) had addressed only two of the 27 recommendations to improve cybersecurity made in last year’s audit. The IG prepares the annual audit as required by the Federal Information Security Management Act (FISMA).

The IG report criticized the department's Office of the Chief Information Officer (OCIO) for a faulty revision of its high-level security policy. The new policy does not address reporting on contractor-operated IT systems and prioritizes the wrong cybersecurity weaknesses, the IG said.

“In September 2010, the OCIO issued a revised plan of action and milestones (POA&M) policy that addressed many of our prior year concerns, but the policy incorrectly prioritizes weakness resolution by providing shorter timeframes for resolving low priority weaknesses than for resolving high ones”, the IG report observed.

In addition, DOT has not made enough progress putting in place enterprise-level cybersecurity controls. “For example, DOT is still unable to effectively track how many contractors it has on board, has no controls to confirm that all major security incidents reported to the Department of Homeland Security (DHS) were actually received by DHS, and does not have security baseline configurations for all of its systems”, the audit warned.

Also, compliance of the DOT’s common operating environment with the Federal Desktop Core Configuration (FDCC) requirements has declined since the 2009 audit. The IG said the DOT’s largest agency, the Federal Aviation Administration, does not have the FDCC-mandated security tools and “is unable to determine whether its networks comply with FDCC requirements”.

The IG charged that the department has failed to correct 25% of the 4,800 security weaknesses identified on its networks within “approved timeframes”. The DOT did not effectively identify, track, and prioritize cybersecurity weaknesses in its POA&M, the audit added.

The department also has not established adequate controls to protect its high-impact cybersecurity systems or to recover them in the event the systems are taken down by an attack, the IG said.

In a sample of 33 out of the DOT's 436 cybersecurity systems, the IG found that half had one or more serious deficiencies, such as failure to meet National Institute of Standards and Technology standards for cybersecurity system certification and annual testing.

“The department also lacked adequate controls over continuous monitoring, oversight of contractor-operated systems, remote access and account management. For example, the department does not use two-factor authentication to secure remote access to its systems. We also identified network accounts assigned to deceased individuals”, the IG found.

The IG said that the DOT should implement its recommendations from the 2009 report and added 27 additional recommendations to address the cybersecurity weaknesses identified in the 2010 report.

In its response to the IG’s audit, the OCIO touted the department’s recent cybersecurity successes, which included the implementation of a new cybersecurity framework, as well as expanded staff training programs and IT infrastructure upgrades. However, the office did not address the IG’s findings or recommendations directly.