Editor’s Note: The DOT OIG Audit Report is attached below.
Eric Chabrow, Executive Editor, GovInfoSecurity.com
The Department of Transportation has once again failed to meet federal information security requirements, DOT’s Office of Inspector General says in its annual Federal Information Security Management Act security audit.
“These weaknesses significantly increase the risk that systems will become victim to cyberattacks or disruptions that can compromise the integrity, availability and confidentiality of data needed to fulfill DOT’s missions,” DOT Inspector General Calvin Scovel III writes in the report dated Nov. 14.
DOT Chief Information Officer Nitin Pradhan, in a written response, outlined a number of steps his office has taken to improve IT security but conceded that securing the money and people needed to correct every shortfall the IG raised will be difficult.
“Resources are increasingly constrained and it is unlikely that our cybersecurity program will receive the additional resources as anticipated in our earlier planning,” Pradhan says. “As a result, it is neither realistic nor plausible to commit to addressing all of the issues described in the OIG draft report in a single year. While the issues discussed in the OIG draft report are integral to FISMA objectives, it is imperative that we focus our constrained resources on the highest priority actions.”
The inspector general's audit says DOT improved its IT security over the past year but points out that the department successfully addressed only 19 of the 25 recommendations the IG made in 2009 and six of the 27 offered in 2010. Among the IG's findings for 2011, DOT:
- Failed to develop a strong and flexible cybersecurity policy for the Office of the Secretary of Transportation. Pradhan told the IG that the secretary’s office had differing views on needed policy changes and is operating without a policy.
- Hadn’t sufficiently implemented enterprise-level controls. For instance, the IG says, DOT cannot effectively track how many contractors it uses or manage security baseline configurations for all of its systems.
In addition, the IG says, DOT's compliance with Federal Desktop Core Configuration requirements, which prescribe secure settings for the Windows XP operating system, has dropped sharply to 70 percent from 90 percent since the IG's last review, despite the department's use of additional administrative tools to assess compliance. DOT also failed to implement controls that ensure information security is incorporated into its capital planning and investment process.
DOT also lacked adequate controls over continuous monitoring of system security, oversight of the security of contractor-operated systems, remote access and account management. The IG says the department doesn't use two-factor authentication to secure remote access to its systems, and it identified network accounts still assigned to individuals no longer employed by DOT.
CIO Pradhan offers another explanation of why the department can't address all of the IG's recommendations: "These efforts are complicated by the fact that our systems must be operational around the clock every day of the year, and any changes must be completed while 'keeping the lights on,' to support the critical day-to-day operations of the Department of Transportation."