DOT Falls Short in Annual FISMA Audit

CIO Responds that Lack of Resources Hinders Remediation
The Department of Transportation has once again failed to meet federal information security requirements, DOT's Office of Inspector General says in its annual Federal Information Security Management Act security audit.

"These weaknesses significantly increase the risk that systems will become victim to cyberattacks or disruptions that can compromise the integrity, availability and confidentiality of data needed to fulfill DOT's missions," DOT Inspector General Calvin Scovel III writes in the report dated Nov. 14.

DOT Chief Information Officer Nitin Pradhan, in a written response, outlined a number of steps his office has taken to improve IT security but conceded that the money and people to correct every shortfall the IG raised will be difficult to obtain.

"Resources are increasingly constrained and it is unlikely that our cybersecurity program will receive the additional resources as anticipated in our earlier planning," Pradhan says. "As a result, it is neither realistic nor plausible to commit to addressing all of the issues described in the OIG draft report in a single year. While the issues discussed in the OIG draft report are integral to FISMA objectives, it is imperative that we focus our constrained resources on the highest priority actions."

The inspector general audit says DOT improved its IT security in the past year but points out that the department successfully addressed only 19 of the 25 recommendations the IG made in 2009 and six of 27 suggestions offered in 2010. Among the IG's findings for 2011, DOT:

  • Failed to develop a strong and flexible cybersecurity policy for the Office of the Secretary of Transportation. Pradhan told the IG that the secretary's office had differing views on needed policy changes and is operating without a policy.
  • Hadn't sufficiently implemented enterprise-level controls. For instance, the IG says, DOT cannot effectively track how many contractors it uses or manage security baseline configurations for all of its systems.

    In addition, the IG says, DOT's compliance with Federal Desktop Core Configuration requirements, which prescribe secure settings for the Windows XP operating system, has dramatically declined to 70 percent from 90 percent since the IG's last review, despite the availability of more administrative tools to assess compliance. DOT also failed to implement controls that ensure information security is incorporated in its capital planning and investment process.

  • Didn't establish adequate controls to protect its systems or to recover them in the event of a disruption. DOT did not properly test the minimum security controls of 54 percent of its 445 IT systems as required by the National Institute of Standards and Technology. Half the systems in the IG's sample had missing or incomplete contingency plans for system recovery in case of disruptions, and more than 40 percent of critical systems did not have adequate backup facilities or testing of their contingency plans.
  • Lacked adequate controls over continuous monitoring of system security, oversight of contractor-operated systems and its security and remote access and account management. The IG says the department doesn't use two-factor authentication to secure remote access to its systems, and it identified network accounts assigned to individuals no longer employed by DOT.
  • Hadn't adequately identified, tracked or prioritized information security weaknesses in plans of action and milestones to efficiently resolve weaknesses. DOT tracked some 4,700 system weaknesses but did not remediate more than one-third of them within approved timeframes, a slip in performance compared with last year.

CIO Pradhan offers another explanation why the department can't address all of the IG's recommendations: "These efforts are complicated by the fact that our systems must be operational around the clock every day of the year, and any changes must be completed while 'keeping the lights on,' to support the critical day-to-day operations of the Department of Transportation."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
