USDOT leadership participate in a hurricane preparedness exercise at the Transportation Operations Center at USDOT HQ on May 8, 2019. The TOC allows USDOT to receive the latest status of potentially impacted infrastructure and to coordinate an effective storm response. (U.S. Department of Transportation/Facebook)

OIG Initiates FISMA Audits at Department of Transportation

The Office of Inspector General (OIG) at the Department of Transportation (DOT) has initiated two audits into information security.

Both are required by the Federal Information Security Modernization Act of 2014 (FISMA), which ensures that federal agencies implement information security programs. The act also requires agencies to conduct annual independent reviews to determine the effectiveness of their programs and report the reviews’ results to the Office of Management and Budget.

DOT relies on over 450 information systems to carry out its mission, which includes safely managing air traffic control operations and administering billions of dollars. OIG identified 51 open recommendations through its 2020 FISMA audit. 

OIG has contracted with an independent public accounting firm to conduct the 2021 review of DOT’s information security program, subject to OIG oversight. This audit’s objective will be to determine the effectiveness of DOT’s information security program, including its performance in five function areas—Identify, Protect, Detect, Respond, and Recover. OIG will also submit an assessment of FISMA security metrics and performance measures through CyberScope, a web-based application that collects security data from federal agencies.

In addition, the Surface Transportation Board (STB) has requested that OIG perform its fiscal year 2021 FISMA review. OIG has contracted with Williams Adley & Company-DC LLP, an independent public accounting firm, to conduct this review—subject to oversight. Like the DOT audit, this will also determine the effectiveness of STB’s information security program, including its performance in the five function areas.

In October 2020, OIG listed cyber and information security as one of DOT’s biggest challenges. At the time, the watchdog said DOT must address internal control weaknesses in order to protect information and systems from attacks and other compromises that may pose risks to safety or taxpayer dollars.

Cloud security is another area in need of attention. Over the past decade, federal agencies have increasingly used cloud services to address their information technology needs. DOT has begun adopting cloud computing for transportation management services across its various Operating Administrations. However, securing information stored in the cloud from cyberattacks poses significant challenges. 

As of October 2020, DOT said it was not currently funded at a level to ensure that all cloud service providers in use are FedRAMP-authorized. The Department also does not have a complete inventory of cloud services authorized by each Operating Administration. Consequently, DOT’s information and systems may face increased vulnerability to cyberattacks.

This year’s audits will take place in the shadow of the large-scale cyberattack on the federal government and agencies, the extent of which is not yet known.


Kylie Bielby has more than 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. Before joining GTSC's Homeland Security Today staff, she was an editor and contributor for Jane's, and a columnist and managing editor for security and counter-terror publications.
