Throughout the global pandemic, the transportation sector has been one of the hardest hit. But this is only one of the challenges it faces, and it will have an impact, either direct or indirect on the other issues troubling both air, sea and land travel in 2020 and beyond.
The Office of Inspector General (OIG) at the Department of Transportation (DOT) reports annually on the most significant challenges to meeting its mission.
This year, as we approach Critical Infrastructure Security and Resilience month, OIG recognizes that DOT faces the extraordinary task of meeting these challenges while also responding to the COVID-19 global pandemic, including implementing the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
OIG identified the current biggest challenges facing DOT as aviation safety, surface transportation safety, air traffic control and airspace modernization, surface transportation infrastructure, contract and grant fund stewardship, information security, financial management, and innovation and the future of transportation. This latter challenge includes the safe integration of unmanned aerial systems (UAS) or drones, a topic that has come under increasing scrutiny for both FAA and other departments and agencies, with an audit now underway on counter-UAS systems.
The full report can be found at OIG but we are going to take a closer look at the challenges that most impact the security community.
Cyber and Information Security
DOT relies on over 450 information systems to carry out its mission, which includes safely managing air traffic control operations and administering billions of dollars. However, the Department faces challenges in strengthening oversight to address longstanding cybersecurity weaknesses. Addressing internal control weaknesses will be key to protect information and systems from attacks and other compromises that may pose risks to safety or taxpayer dollars.
OIG identified 51 open recommendations through its 2020 Federal Information Security Management Act (FISMA) audit. This includes addressing the risk associated with the 10,385 security weaknesses identified in DOT’s plans of actions and milestones.
Cloud security is another area in need of attention. Over the past decade, federal agencies have increasingly used cloud services to address their information technology needs. DOT has begun adopting cloud computing for transportation management services across its various Operating Administrations. However, securing information stored in the cloud from cyberattacks poses significant challenges.
Since 2015, DOT has yet to establish Federal Risk and Authorization Management Program (FedRAMP) compliance guidelines and oversight for the Department and ensure that each Operating Administration puts plans in place to meet FedRAMP requirements on how to securely adopt and manage the use of cloud services.
Furthermore, OIG has found that several Operating Administrations employed cloud services but did not ensure the cloud providers adhered to FedRAMP requirements before authorizing them for use. According to DOT, the Department is not currently funded at a level to ensure that all cloud service providers in use are FedRAMP-authorized. The Department also does not have a complete inventory of cloud services authorized by each Operating Administration. Consequently, DOT’s information and systems may face increased vulnerability to cyber attacks.
The COVID-19 emergency has also increased the sense of urgency for the Federal Aviation Administration (FAA) to approve integrated and expanded use of UAS (i.e., drones) into daily life, such as delivery of medical goods and supplies.
Since issuing a rule permitting small UAS operations in 2016, FAA has issued more than 4,000 waivers for operations that are restricted under the rule. However, while these types of operations, such as flying at night, are valued by industry, they are considered high-risk by FAA. FAA has acknowledged the need for additional rulemaking on issues such as remote identification, which should accelerate approval of more complex operations, including package delivery and flying beyond line of sight. But there is much to be done and while the Agency plans to issue the final rule by the end of 2020, FAA is still addressing over 50,000 public comments on the Notice of Proposed Rulemaking.
To accelerate safe UAS integration into the National Airspace System, FAA partnered with private and government entities through the Integration Pilot Program. However, this three-year program is set to end in October 2020, and FAA has not yet reported any lessons learned from this effort.
The watchdog has also identified weaknesses in DOT’s annual security training process. Initially, DOT’s policies and procedures were not sufficiently developed to guide Operating Administrations in identifying, tracking, and validating contractors’ required annual security training. Despite some of these weaknesses being pointed out a decade ago, OIG says DOT has yet to identify and implement automated tools to better track contractors and training requirements.
Safety, too, will be a high priority. Legacy systems that may have been due for replacement could wait longer than planned due to financial shortfalls from the pandemic. DOT must perform a careful balancing act to ensure one safety hazard in the form of COVID-19 is not replaced by another.
It is worth noting however, that DOT has received funding throughout 2020 that is specifically targeted at improving safety, whether that be at ports, on the highways, on the railtrack, or for air travel. It is therefore vital that DOT place sustained focus on its contract and grant awards and oversight to ensure these funds are efficiently and effectively spent for their intended purpose and result in the expected quality of services, products, and performance.
Because of the pandemic, traveler numbers have fallen to an unprecedented level. This inevitably means a huge financial knock for the industry and probably not one that federal funding alone can repair. However, it isn’t all bad. The reduced number of travelers has given operators and agencies time to fine tune processes, undertake additional training, and consider new methods and technologies to securing transportation. Increased web conferences have shared best practices and international meetings to align policy have been quicker and far less expensive to hold.
There is no getting away from the fact that transportation is going to need more dollars to rebuild, even after the generous $36 billion to date in CARES Act funding, but this reset can also work in the sector’s favor.