DOT Falls Short in Annual FISMA Audit
CIO Responds that Lack of Resources Hinders Remediation
"These weaknesses significantly increase the risk that systems will become victim to cyberattacks or disruptions that can compromise the integrity, availability and confidentiality of data needed to fulfill DOT's missions," DOT Inspector General Calvin Scovel III writes in the report dated Nov. 14.
DOT Chief Information Officer Nitin Pradhan, in a written response, outlined a number of steps his office has taken to improve IT security but conceded that the money and people to correct every shortfall the IG raised will be difficult to achieve.
"Resources are increasingly constrained and it is unlikely that our cybersecurity program will receive the additional resources as anticipated in our earlier planning," Pradhan says. "As a result, it is neither realistic nor plausible to commit to addressing all of the issues described in the OIG draft report in a single year. While the issues discussed in the OIG draft report are integral to FISMA objectives, it is imperative that we focus our constrained resources on the highest priority actions."
The inspector general's audit says DOT improved its IT security in the past year but points out that the department successfully addressed only 19 of the 25 recommendations the IG made in 2009 and six of the 27 offered in 2010. Among the IG's findings for 2011, DOT:
- Failed to develop a strong and flexible cybersecurity policy for the Office of the Secretary of Transportation. Pradhan told the IG that the secretary's office had differing views on needed policy changes and is operating without a policy.
- Hadn't sufficiently implemented enterprise-level controls. For instance, the IG says, DOT cannot effectively track how many contractors it uses or manage security baseline configurations for all of its systems.
In addition, the IG says, DOT's compliance with Federal Desktop Core Configuration requirements, which prescribe secure settings for the Windows XP operating system, has declined sharply to 70 percent from 90 percent since the IG's last review, even though more administrative tools are now available to assess compliance. DOT also failed to implement controls that ensure information security is incorporated into its capital planning and investment process.
- Didn't establish adequate controls to protect its systems or to recover them in the event of a disruption. DOT did not properly test the minimum security controls of 54 percent of its 445 IT systems, as required by the National Institute of Standards and Technology. Half the systems in the IG's sample had missing or incomplete contingency plans for system recovery in case of disruption, and more than 40 percent of critical systems lacked adequate backup facilities or testing of their contingency plans.
- Hadn't adequately identified, tracked or prioritized information security weaknesses in plans of action and milestones to efficiently resolve weaknesses. DOT tracked some 4,700 system weaknesses but did not remediate more than one third of them within approved timeframes, a slip in performance compared with last year.
DOT also lacked adequate controls over continuous monitoring of system security, oversight of contractor-operated systems and their security, and remote access and account management. The IG says the department doesn't use two-factor authentication to secure remote access to its systems, and it identified network accounts still assigned to individuals no longer employed by DOT.
CIO Pradhan offers another explanation why the department can't address all of the IG's recommendations: "These efforts are complicated by the fact that our systems must be operational around the clock every day of the year, and any changes must be completed while 'keeping the lights on,' to support the critical day-to-day operations of the Department of Transportation."