The Transportation Security Administration (TSA) is adopting an automated capability that will ensure inactive accounts on one of its critical IT systems are shut down within 45 days.
That is just one action the agency said it is taking after the Department of Homeland Security Inspector General (IG) recently called out cybersecurity gaps in TSA’s most critical information systems.
According to the report published this week, the IG found that TSA is less equipped to protect its high-value asset (HVA) systems and therefore “cannot ensure it will be able to quickly detect, respond to, and recover from a cyberattack.”
The watchdog said it found deficiencies in eight of 10 security and privacy controls, including supply chain risk management, access control, and training, among others.
“The deficiencies we identified demonstrate that TSA must strengthen its management of the selected HVA system to ensure compliance with policies designed to protect sensitive information processed in the system,” the report reads.
Specifically, the IG found that TSA did not require annual training for system users with “elevated privileges.” The report notes that one in nine privileged users did not receive role-based training.
Additionally, the report found that TSA did not ensure access for privileged users of the HVA system was properly authorized, updated as necessary, and removed according to established procedures. On top of that, TSA did not effectively track and manage separated individuals’ system access.
The agency’s watchdog listed 12 recommendations for the TSA chief information officer, including that they enforce users to receive security awareness training when they are given system access, that security updates and patches are applied to HVA vulnerabilities, and ensuring that user access agreements are developed and signed by users before users are given access to the system.
TSA concurred with all 12 recommendations.
In response to the IG report, TSA said it is updating management directives after the IG found the agency did not always patch critical vulnerabilities in that system.
TSA said it will also begin monthly manual reviews of all active accounts to ensure non-privileged users who have access are still active.
The agency also said it intends to strengthen its cybersecurity awareness training, and no user will be granted access to the HVA system until training has been confirmed and documented by TSA.
The watchdog said it conducted this review as part of the Federal Information Security Modernization Act of 2014 (FISMA) oversight to determine whether TSA implemented effective technical controls to protect the sensitive information processed by a selected HVA system.
TSA has designated the selected HVA system as tier 1 and categorized it with an overall security categorization as “high.”
This report, the IG said, is one from a series of reviews on the department’s HVAs that will be incorporated into the fiscal year 2023 FISMA submission.