The Office of Inspector General (OIG) at the Department of Transportation (DOT) contracted with CliftonLarsonAllen LLP (CLA), an independent public accounting firm, to conduct an audit to determine the effectiveness of DOT’s information security program and practices. CLA found that DOT’s information security program is at the Defined maturity level—the second lowest level in the maturity model for information security programs. As a result, the audit determined that DOT’s program is not currently effective.
CLA found the Department has, for the most part, formalized and documented its policies, procedures, and strategies; however, “DOT continues to face significant challenges in the consistent implementation of its information security program and monitoring of security controls across the Department”.
Longstanding Security Deficiencies
The audit revealed “longstanding security deficiencies similar in type and risk level to findings in prior years and an overall inconsistent implementation of the security program”. Specifically, the audit identified continuing deficiencies related to risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, and contingency planning practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction. CLA said many of these weaknesses can be attributed to inconsistent enforcement of an agency-wide information security program across the enterprise, ineffective communication between the Department and the Operating Administrations, and the lack of progress in remediating prior-year audit recommendations.
As a result of the audit, five recommendations have been made:
- Develop and communicate an organization-wide Supply Chain Risk Management strategy and implementation plan to guide and govern supply chain risks.
- Undertake a strategic analysis of the Inspector General FISMA Metrics and the weaknesses identified in the audit, to develop a multi-year strategy and approach.
- Work with the Federal Aviation Administration’s CIO and the Federal Motor Carrier Safety Administration’s Information Security System Manager (ISSM) to investigate and remediate cross-site scripting vulnerabilities identified in public-facing web applications.
- Work and coordinate with system owners to identify and remediate weak and default authentication mechanisms within their systems and the Common Operating Environment.
- Develop and implement a process to facilitate centralized monitoring, oversight (by ISSMs and their alternates), and escalation efforts to ensure the timely completion of required security awareness training and role-based training for all DOT personnel, leveraging an automated integrated solution(s) and dashboards.
DOT has concurred with each recommendation and plans to complete work to address them by March 2023, with the majority of work expected to be complete by December 2022.
Meanwhile, OIG has found vulnerabilities in another DOT component’s web servers.
The Federal Motor Carrier Safety Administration (FMCSA) regulates and oversees the safety of commercial motor vehicles. It partners with other agencies and the motor carrier industry to conduct this work. The Agency uses 13 web-based applications to aid vehicle registration, inspections, and other activities. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information (PII). Due to the importance of FMCSA’s programs to the transportation system and sensitivity of some Agency information, OIG conducted an audit of FMCSA’s information technology (IT) infrastructure.
OIG found vulnerabilities in several Agency web servers that allowed auditors to gain unauthorized access to FMCSA’s network. FMCSA did not detect OIG’s access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections. OIG also gained access to 13.6 million unencrypted PII records. Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees. Furthermore, the Agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.
Information Security Risks
OIG has also found security control deficiencies at the Federal Transit Administration (FTA).
FTA has received nearly $70 billion in CARES Act and other COVID-19 relief appropriations. FTA uses several financial management systems to approve, process, and disburse this funding for the transit industry’s COVID-19 response and recovery. Given the size of this investment, OIG carried out an audit to assess the effectiveness of the security controls in FTA’s financial management systems that are designed to protect the confidentiality, integrity, and availability of the systems and their information.
OIG found that FTA’s financial management systems have security control deficiencies that could affect FTA’s ability to approve, process, and disburse COVID-19 funds. The audit determined that FTA security officials mislabeled and incorrectly documented control types for over 180 security controls in its fiscal year 2020 system security plans for these systems. OIG said FTA also does not adequately monitor security controls provided by or inherited from DOT’s common control provider. The watchdog pointed out in its report that FTA also has not remediated security control weaknesses identified since 2016. Lastly, OIG found FTA lacks sufficient contingency planning and incident response capabilities such as an alternate set of personnel to restore its financial management systems if its primary personnel are unavailable. Due to these security control weaknesses, OIG determined that FTA’s security officials cannot be sure financial management systems have the proper safeguards and countermeasures in place to protect the systems and that they effectively manage information security risk.
Spotlight Turns to High Value Asset Systems
DOT has much work to do to bring its information and cybersecurity systems up to spec. It will also be mindful of OIG’s forthcoming audit of DOT’s High Value Asset (HVA) systems. Since 2015, the Federal Government’s HVA initiative has focused on the protection of the most critical and high-impact information and information systems. The loss of access to, or corruption of, an HVA system would have a serious impact on the Department of Transportation and on transportation across the United States. The objectives of OIG’s audit will be to evaluate whether DOT established an effective organization-wide HVA governance program to identify and prioritize HVAs, and whether the Department assesses HVA security controls and ensures timely remediation of identified vulnerabilities.