The Surface Transportation Board’s (STB) information security program is ineffective, according to an independent review.
The Office of Inspector General at the Department of Transportation tasked auditor Williams, Adley & Company-DC, LLP (Williams Adley) with the review and has agreed with its findings.
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of their programs and report the results of these reviews to the Office of Management and Budget.
Although STB’s information security program was deemed ineffective for FY 2020, the audit found that STB made some progress in maturing its overall information security program by addressing previous recommendations.
The five FISMA security functions are: Identify, Protect, Detect, Respond and Recover.
Under the first function, Identify, Williams Adley found STB has taken steps towards improving its risk management program, such as developing a risk management plan, cybersecurity architecture, and security assessment and authorization process. In addition, STB developed its system inventory process in FY 2020, which documents the minimum hardware and software taxonomy requirements for tracking.
However, Williams Adley also identified that STB did not develop an information security risk management strategy at all three levels of the organization. STB also did not use standard data elements or a standard taxonomy to develop and maintain an up-to-date inventory of hardware assets connected to the organization’s network, or of the software and associated licenses, with the detailed information necessary for tracking and reporting, in accordance with STB’s Configuration Management Policy.
For the Protect security function, Williams Adley found that STB did not assign end-user access to the STB General Support System (GSS) Local Area Network (LAN) in a consistent manner.
STB also did not properly remove user access for three terminated users in accordance with STB policies. Specifically, three of the ten sampled user accounts were modified after the employee’s termination date.
In addition, the review found that STB did not ensure that all personnel with access to STB systems were properly screened or rescreened before being granted access to STB resources.
The risk of unauthorized access to STB’s information systems was found to be considerable and could result in the submission of false transactions, improper access, dissemination of confidential data, and other malicious activities.
Williams Adley found STB does not have a defined and adequate process to verify that its users (employees and contractors) completed the required role-based training and does not have a reliable process to provide evidence that the training requirements have been fulfilled. STB’s policy does not follow federal guidelines for issuing security training prior to a user being granted access to STB systems.
The review identified two primary deficiencies at STB within the third FISMA function – Detect. “STB’s Information Security Continuous Monitoring (ISCM) procedures do not define how the ISCM program will be monitored and account for changes in organizational missions and objectives, operational environments, and threats,” read Williams Adley’s report. Further, “STB’s ISCM policy and procedures do not define the process to provide individuals with significant security responsibilities and/or key stakeholders with the information necessary to make informed improvements to its ISCM program.”
According to STB management, the development of its ISCM policies and procedures is reliant on the implementation and support of DHS’ Continuous Diagnostic and Monitoring (CDM) program. Management cited delays encountered with CDM’s shared services program for micro agencies.
Williams Adley did not identify any issues relating to the Respond and Recover FISMA functions and notes that as work is underway, STB’s incident response program and contingency planning program will be evaluated during the next audit.
Regarding two outstanding recommendations made in the previous review, STB said it is developing a standard taxonomy for maintaining its inventories of hardware assets and software. Based on the further guidance received during the FY 2020 audit, the STB will define its information security risk strategy at all three levels of the organization, in accordance with NIST Special Publication 800-39. The STB expects to complete work on this recommendation by December 31, 2020.
In addition, STB is making progress toward developing a comprehensive privacy program, including finalizing a privacy program plan, incorporating privacy requirements into the STB incident response process, establishing privacy impact assessments, and developing policies and procedures associated with privacy. The STB will also develop privacy-related processes and procedures, establish roles, and identify personnel responsible for performing data exfiltration exercises within the Board. The STB also expects to complete this work by December 31, 2020.
The auditors, supported by OIG, made six new recommendations to STB:
- Implement documented processes for granting and removing user access in a consistent manner, as required by STB policies and procedures.
- Implement processes for conducting, documenting, and maintaining Position Risk Designations in a consistent manner, as required by STB policies and procedures.
- Develop a process for ensuring that the completion of role-based training is tracked and maintained.
- Consistently implement the process to ensure all new users complete the mandatory security awareness training requirements prior to being granted access to STB systems.
- Fully develop the ISCM Strategy and all information system ISCM plans to include the required criteria documented in NIST Special Publication 800-137.
- Define the process to ensure the timely collection of established metrics across its operational systems, and a reporting and evaluation process that assists ISCM stakeholders in making informed decisions.
STB concurred and aims to meet the fourth recommendation by the end of November 2020, the third by the end of the year, the first by the end of February 2021, and the remaining recommendations by March 31, 2021.