The Department of Transportation (DoT) has released its annual financial report for fiscal year (FY) 2023 in which the agency shares its cybersecurity successes from 2023 and plans to further improve its cybersecurity posture in 2024.
According to the report, the DoT Office of the Chief Information Officer (OCIO) made progress on several cybersecurity initiatives last year, consistent with its authorities under the Federal Information Technology Acquisition Reform Act (FITARA) and the Federal Information Security Modernization Act (FISMA).
Notably, DoT has deployed endpoint detection and response (EDR) tools across 98 percent of its network.
The report also notes that the agency accelerated the implementation and integration of enterprise logging capabilities in support of President Biden’s cybersecurity executive order (EO), achieving more than 80 percent compliance by August 2023.
DoT said it plans to achieve the next level of maturity – EL3 – for the agency enterprise logging capability by the end of June 2024.
Additionally, the report points out that DoT prioritized the mandatory use of phishing-resistant multi-factor authentication (MFA) for access to DoT networks and systems. For example, DoT saw more than 99 percent mandatory use within its Federal Aviation Administration (FAA) component and more than 95 percent mandatory use within the rest of DoT.
However, the report also features some comments from the DoT Office of Inspector General (OIG), which believes DoT still has a long way to go on MFA in 2024.
“The Office of Management and Budget (OMB) requires agencies to achieve zero trust security goals for identity, devices, networks, applications, workloads, and data … by the end of fiscal year 2024,” the OIG said. “However, DoT faces challenges establishing multi-factor identity authentication (MFA) and data encryption – key elements of a zero trust architecture.”
The OIG said that DoT has yet to enable 72 information systems to use required personal identity verification (PIV) cards for MFA logins, leaving these systems susceptible to attack. Additionally, it said the agency has not enforced PIV authentication for 35 PIV-enabled systems.
Nevertheless, DoT said it has plans to accelerate the implementation of Federal Zero Trust Architecture (ZTA) requirements, especially MFA and encryption. The agency said it will update its zero trust architecture strategy and implementation plan by the end of 2024.
