The Office of Inspector General (OIG) at the Department of Transportation (DOT) has initiated two audits into information security.
Both are required by the Federal Information Security Modernization Act of 2014 (FISMA), which requires federal agencies to implement information security programs. The act also requires agencies to obtain annual independent evaluations of the effectiveness of those programs and to report the results to the Office of Management and Budget.
DOT relies on over 450 information systems to carry out its mission, which includes safely managing air traffic control operations and administering billions of dollars. OIG identified 51 open recommendations through its 2020 FISMA audit.
OIG has contracted with an independent public accounting firm to conduct the 2021 review of DOT's information security program, subject to OIG oversight. The audit's objective is to determine the effectiveness of DOT's information security program, including its performance in the five function areas of Identify, Protect, Detect, Respond, and Recover. OIG will also submit its assessment of the FISMA security metrics and performance measures through CyberScope, the web-based application that collects security data from federal agencies.
In addition, the Surface Transportation Board (STB) has requested that OIG perform its fiscal year 2021 FISMA review. OIG has contracted with Williams Adley & Company-DC LLP, an independent public accounting firm, to conduct this review, again subject to OIG oversight. Like the DOT audit, this review will determine the effectiveness of STB's information security program, including its performance in the same five function areas.
In October 2020, OIG listed cyber and information security as one of DOT's biggest challenges. At that time, the watchdog said DOT must address internal control weaknesses in order to protect its information and systems from attacks and other compromises that could pose risks to safety or to taxpayer dollars.
Cloud security is another area in need of attention. Over the past decade, federal agencies have increasingly used cloud services to address their information technology needs. DOT has begun adopting cloud computing for transportation management services across its various Operating Administrations. However, securing information stored in the cloud from cyberattacks poses significant challenges.
As of October 2020, DOT said it was not funded at a level that would ensure all cloud service providers in use are FedRAMP-authorized. The Department also does not have a complete inventory of the cloud services authorized by each Operating Administration, so it cannot confirm which of the services it relies on have actually been assessed against FedRAMP security controls. Consequently, DOT's information and systems may be more vulnerable to cyberattacks.
This year's audits will take place in the shadow of the large-scale cyberattack on the federal government and its agencies, the full extent of which is not yet known.