The Transportation Department’s (DoT) Office of Inspector General (OIG) found that the department had the second lowest maturity level for its information security systems, and that its cybersecurity functions were found to be inadequate in a Federal Information Security Management Act (FISMA) audit released last week.
DoT has 471 information systems that are supposed to maintain five cybersecurity functions – identify, protect, detect, respond, and recover – and OIG inspected 48 of them for its report.
Although DoT has formalized and documented its policies and procedures for these functions, OIG found policy gaps and situations in which implementation did not conform to policy. The office also explained that the department's lack of rules governing certain controls led to pitfalls in how internal controls were implemented.
“Together these policy gaps, implementation issues, and lack of understanding of internal control comprise significant deficiencies in security control that increase the possibility that DOT’s information or systems may suffer compromises that disrupt operations, impair safety, expose private data, or put tax dollars at risk,” OIG said.
OIG identified DoT’s improper categorization of information system inventories, expired operation authorizations, inadequate security system testing, insufficient controls, and undeveloped risk management procedures as some of the department’s key cybersecurity shortfalls. DoT’s response and recovery controls were also insufficient and not consistently implemented.
To help DoT bolster its information security program, OIG made 12 recommendations in its report. Among those:
OIG suggested that DoT develop policy and procedures to improve its Cyber Security Assessment Management tool and to keep an accurate inventory of its cloud and contractor systems.
DoT's Office of the Chief Information Officer should also conduct annual cybersecurity performance analysis reviews of OA cybersecurity, and vulnerable OAs should be addressed and updated.
DoT’s Office of the Secretary must prioritize and develop security programs to address OIG’s identified weaknesses too, and OIG said DoT should develop a process to measure the performance of the programs over time.
On the training front, OIG made several recommendations for DoT to update its specialized cybersecurity training guidance, enhance security awareness training policy, and provide broad training on contingency planning and testing to appropriate security officials.