A Department of Transportation Office of Inspector General report finds weaknesses in the department’s cybersecurity planning processes that could hinder efficient use of resources in the future.

The department’s Office of the Chief Information Officer (OCIO) received $29 million for cyber needs between 2012 and 2015. The money all went to cyber, but the processes were found to be wanting.

“OCIO did not consistently apply billing procedures when expending funds through the Working Capital Fund,” OIG found. “Such errors make it difficult for OCIO to ensure that WCF customers are accurately and consistently charged for services as described in customer agreements.”

In addition, the report finds OCIO “did not adequately document or plan for its cybersecurity funding needs.” Nor did it provide adequate supporting documentation to justify its cost estimates for the amount of cybersecurity funds requested in budget years 2014 and 2015.

Transportation’s OIG cited a range of procedural shortfalls around cyber. Of $3.73 million billed through the WCF, for example, 7.65 percent of the funds were inconsistently billed.

The report also highlights planning shortfalls, saying OCIO failed to keep adequate documentation to support its budget estimates, did not always follow OMB or its own guidance when planning for its IT investments, and did not adequately plan for its near-term cybersecurity funding needs. In three projects totaling $20 million – or 68 percent of the cyber spend – OCIO “did not provide sufficient evidence” that the agency had developed and documented relevant planning documents called for by OMB.

The report recommends a range of process changes including implementation of the DOT Enterprise Program Management Review Framework and other procedures to ensure documentation complies with OMB requirements, including use of the virtual desktop infrastructure and continuous monitoring software.

Transportation is not the only agency to be dinged by its inspector general over process issues surrounding cybersecurity.

In April, the Federal Reserve Board OIG said the board could boost cyber capabilities by enhancing its oversight of third-party technology service providers that perform key services. In June, the acting inspector general at the Social Security Administration told the U.S. House Committee on Oversight and Government Reform that the agency needed to dedicate resources to information security controls to prevent unauthorized access to sensitive information.

In a December 2016 audit, the Defense Department OIG found cybersecurity weaknesses around risk management, identity and access management, security and privacy training, contractor systems, and configuration management.
