The Department of Transportation’s (DoT) Inspector General has flagged several broad cybersecurity categories as “top management challenges” for the agency in FY 2019, including what it called some “longstanding security weaknesses.”
In a report dated Nov. 15, the IG listed eight overall areas that pose top management challenges for the agency in FY 2019, including broad issues such as air carrier oversight, and aviation, rail, and highway safety.
Among those eight areas was cybersecurity generally, and within that category the IG flagged four issue areas:
- Standardizing cybersecurity processes to manage enterprise-wide risk;
- Increasing network visibility to proactively prevent and respond to security incidents;
- “Resolving longstanding security weaknesses to strengthen information technology infrastructure”; and
- Implementing congressionally mandated aviation security initiatives.
In the first category, the IG said its annual FISMA (Federal Information Security Modernization Act) evaluations “consistently find the Department faces challenges in implementing processes to protect information and information systems.” In particular, the IG said its 2017 FISMA review found that 71 DoT systems at eight operating centers were not authorized to operate by a senior official as required, and that DoT lacked “an effective process for Operating Administrations” to assess, authorize, and monitor common security controls that support multiple information systems.
“This inconsistent implementation of processes throughout the Department exposes it to increased and undetected cybersecurity risks,” the IG concluded.
In the second category, the IG said its previous recommendations that the agency address numerous issues remained open, including the fact that DoT’s Security Operations Center did not have access to all department systems to monitor them for security incidents, and that DoT had not established a system for ranking incidents by seriousness of risk so they could be addressed in priority order.
Third, the IG said DoT has “faced longstanding challenges in tracking and effectively resolving” identified security weaknesses, and as of 2017 had more than 4,500 open security weaknesses documented in its Cybersecurity Assessment and Management (CSAM) system. The IG did not update that figure, but said, “incomplete information on security weaknesses in CSAM challenges the Department’s ability to assess risk and funding requirements and resolve its longstanding security weaknesses.”
And on the congressional mandates side, the IG reported that DoT has taken initial steps to comply with the 2016 FAA Extension, Safety, and Security Act, aimed at having the Federal Aviation Administration establish a new “total systems” approach to enhance cybersecurity efforts to secure the National Airspace System. Those initial steps, the IG said, include “completing a strategic plan with cybersecurity goals and objectives, developing a risk model to assess FAA operations, and establishing a research and development (R&D) plan to outline further cyber initiatives.”
The IG added, however, that “FAA will be challenged to continue to implement the risk model across all of its lines of business and operations, establish priorities for its cyber R&D efforts, and coordinate ongoing efforts with other agencies (such as the Departments of Defense and Homeland Security) to prevent duplicative efforts and maximize the Federal investment in cybersecurity research.”