IG: IT security faces time crunch at DOT

The department needs to strengthen the security of its air traffic control systems, while protecting other systems as the agency consolidates IT operations, the IG said, adding that "fiscal 2007 will be a particularly challenging year."

The Transportation Department’s information security program has a balancing act it must nail this year, according to a new report from the DOT inspector general.

DOT needs to strengthen the security of its air traffic control systems, while protecting its other information technology systems as the agency consolidates IT operations departmentwide, said Todd Zinser, DOT’s former acting IG, in the Oct. 23 report.

The IG report contains the results of the IG’s annual audit of the department’s information security program, in accordance with the Federal Information Security Management Act of 2002.

“Fiscal 2007 will be a particularly challenging year for the department in managing its IT security and investments,” Zinser said.

The agency is relocating all DOT divisions except the Federal Aviation Administration and the Surface Transportation Board – including more than 75 information systems – next year to a new campus in Southeast Washington, D.C.

As part of the transition, DOT centralized each division’s IT infrastructure, including e-mail, desktop computing and local-area networks, into a common IT operating environment. According to the IG, this will enhance efficiency but also create new complications, because a disruption could affect multiple divisions rather than just one.

The schedule for implementing and testing this new infrastructure is still evolving because of move-related problems, the report states.

Separately, DOT will maintain the air traffic control system, which the president designated a national critical infrastructure. The IG criticized the department for not delivering on previous promises to fix weaknesses in the air traffic control systems infrastructure. For several years, the FAA has promised to review vulnerabilities on all operational systems and develop contingency plans for restoring essential air services in case of an outage.

The “FAA has not made adequate progress in implementing planned corrective actions,” Zinser said. “During fiscal 2006, FAA made limited progress in these areas due, according to FAA management, to funding constraints. We recognize that FAA faces critical decisions in balancing its priorities and using its funds at a time of increasingly tight budgets. Yet issues concerning the security of a critical national infrastructure should receive priority and immediate attention.”

The IG noted progress in the areas of tracking, prioritizing and correcting security weaknesses, which were major IG concerns last year. DOT also improved management of its IT investments by granting more purse power to the departmental Investment Review Board. Subsequently, the board tightened management of the FAA Telecommunications Infrastructure, a multibillion-dollar project.

Now the IG wants the agency to create finite performance measures, such as earned value management criteria, for each DOT division review board to use in monitoring projects. Zinser said EVM would provide managers with accurate cost and schedule data in making major IT business decisions.

OMB’s list of high-risk IT investments names 13 DOT projects, including 12 related to air traffic control modernization. The Government Accountability Office’s high-risk list has flagged these modernization projects for more than 10 years.

The Office of the Chief Information Officer reviewed a draft of the IG report and orally concurred with the findings and recommendations, according to the final report. The office said it will submit written comments detailing the actions it will take to fulfill the recommendations. The report requests that DOT return the comments within 30 days.
