An audit commissioned by the Department of Transportation's (DOT) Office of Inspector General (OIG) has assessed the effectiveness of the Surface Transportation Board's (STB) information security program and practices.
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to implement information security programs. FISMA also requires agencies to have annual independent evaluations performed to determine the effectiveness of those programs and to report the results to the Office of Management and Budget (OMB). To meet this requirement, STB asked OIG to perform its fiscal year 2021 FISMA review. OIG contracted with Williams Adley & Company-DC LLP (Williams Adley), an independent public accounting firm, to conduct the audit under the watchdog's oversight.
Williams Adley found that STB’s information security program and practices had improved but remained ineffective.
The FISMA metrics are organized around the five security functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. For fiscal year 2021, two additions were made. A Supply Chain Risk Management (SCRM) domain expanded the Identify function; it measures the maturity of an agency's SCRM strategies, policies and procedures, plans, and processes for ensuring that the products, system components, systems, and services of external providers are consistent with the organization's cybersecurity and supply chain risk management requirements. A new question was also added to measure the extent to which agencies use a vulnerability disclosure policy as part of their vulnerability management program for internet-accessible federal systems.
Among the issues identified by Williams Adley's audit, STB has not identified and documented the software programs that are not authorized to execute on its information systems. The agency has instead taken a phased approach to addressing FISMA requirements and the related, complex cybersecurity challenges. With limited resources to operate the information security program, the agency is still working to define its risk management process.
The audit also found that STB has not defined procedures for overseeing the management of hardware assets connected to the STB network by a third party, DOT. STB management said the agency relies on DOT's processes for managing its hardware assets and has not developed its own guidance and requirements for maintaining and updating its hardware inventory.
Williams Adley also found that STB has not defined and implemented a software blacklist (deny list), which means the agency may face challenges blocking known malicious software from being installed on workstations and servers. Such a list stops only software that has already been identified as malicious; it does not, on its own, prevent unauthorized but not-yet-known software from running. Further, the auditors noted that a delay in defining and implementing the newly required SCRM program may allow unknown risks to be introduced by new or existing products, system components, systems, and services of external providers.
Furthermore, Williams Adley found that the STB Local Area Network (LAN) General Support System is not configured to meet the Center for Internet Security (CIS) Benchmarks, the consensus hardening baselines the agency uses for its configuration settings. Specifically, 23 deviations from the baseline were identified, each because a baseline setting had either not been configured or not been implemented correctly.
In most cases, STB attributed the shortcomings to the COVID-19 pandemic, which, it says, had a significant impact on overall operations, including training and contingency planning.
Williams Adley made 27 recommendations to help STB improve its information security program. These include developing an enterprise architecture that incorporates information security considerations and holding an annual tabletop exercise to test contingency plans. STB concurred with all of the recommendations and provided estimated completion dates, most of them before the end of December 2022.