President Donald Trump has signed into law bipartisan legislation introduced by Rep. Paul Mitchell (R-Mich.), H.R. 4921, the STB Information Security Improvement Act, which requires that the Surface Transportation Board (STB) implement an information security plan that follows recommendations set out in a recent unfavorable Department of Transportation Office of the Inspector General (DOT IG) report.
According to the October 2017 DOT IG report, the STB’s information security program was found “not effective,” increasing its “susceptibility to external threats and to non-compliance with federal requirements and guidelines.” These vulnerabilities leave STB employees’ and railroad stakeholders’ personal information and work unsecured and vulnerable.
The DOT IG issued several recommendations. Among them was a complete implementation of policies and procedures for risk management, including a risk management plan and assessment, system authorization, and plans of action and milestones. The IG also called for complete service-level agreements or similar documents that permit STB or its auditor to perform tests and/or obtain supporting documentation to demonstrate that cloud systems are properly authorized to operate.
STB was also asked to develop and implement a formal process for measuring the effectiveness of its security awareness and training program, and to modify the training plan to include missing elements such as funding, goals and use of technology.
Mitchell describes the bill as a “simple, straightforward measure that solves a serious problem,” adding that companies and individuals from across the nation that interact with and report to the STB need to be assured their personal and proprietary information is not at risk.