The DOT had 464 information technology systems, costing $3.5 billion per year, that award, disburse, and manage about $99 billion in federal funds. Inspectors General require that each agency undergo a FISMA audit each year; FISMA stands for the Federal Information Security Management Act of 2002. The audit assesses each agency's information security program. The Department of Transportation got its results back, and it scored only a 2 out of 5 on its maturity level for each of the five components (Identify, Protect, Detect, Respond, and Recover). OMB defines effectiveness as being a 4 or a 5 in all function areas.
The FISMA report concludes that “DOT relies on hundreds of information systems to carry out its missions, including safe air traffic control operations, qualified commercial drivers, and safe vehicles. DOT must also ensure the integrity of data in reports that account for billions of dollars. DOT’s cyber security program must protect these systems from malicious attacks or other compromises that may inhibit the Department’s ability to carry out its functions and missions. While DOT has become adept at updating its policies and procedures, and consequently has achieved a defined level of maturity, we continue to find persistent deficiencies in processes such as system reauthorization. These deficiencies place DOT’s information systems at an increased risk of compromise and make them an easy target for malicious attackers.”
Number of Systems with Expired Authorizations to Operate