The Transportation Department has the second-lowest maturity level for its information security systems and its cybersecurity functions are lacking, according to its inspector general.
In its yearly report on DOT’s compliance with the Federal Information Security Management Act, the inspector general found that all of DOT’s function areas (identify, protect, detect, respond and recover) have weaknesses.
The five function areas fall at the Defined maturity level, which is the second-lowest level of maturity in the model for information security. While the agency has mostly formalized and documented its policies and procedures in all function areas, it still has some policy gaps, the IG said.
These insufficiencies increase the likelihood of DOT’s information or systems suffering from compromises that “disrupt operations, impair safety, expose private data, or put tax dollars at risk,” the report said.
To address these inadequacies, the IG made a dozen recommendations to the agency chief information officer. Top among them: create policies and processes to confirm the accuracy of DOT’s key FISMA information tool, conduct annual cybersecurity performance analysis reviews of operating administrations’ cybersecurity programs, and ensure DOT has an accurate inventory of cloud systems, contractor systems and websites the public can access.