Transportation Needs to Improve Cyber Policy Implementation, Watchdog Finds


The Department of Transportation should better implement its policies for established cyber roles, including improving training and role expectations, according to a recent GAO report.

The Department of Transportation needs to improve how it implements its cybersecurity policies, despite some progress in such policies, according to a Government Accountability Office report released Monday. 

The report release comes just days after the agency disclosed a cybersecurity attack that impacted its administrative systems. 

According to the report, Transportation has established cybersecurity roles and responsibilities for officials managing these policies at agencies within Transportation. While its chief information officer “regularly communicates with staff about cyber threats and provides cybersecurity tools and technical assistance,” Transportation could “improve how it implements cybersecurity policies,” GAO stated.

Specifically, Transportation reviewed cybersecurity programs for its component agencies, but did not use these reviews to address long-term cybersecurity issues. As a result, GAO noted that these reviews have “not been effective” in helping the department take the actions needed to implement the 63 unresolved cybersecurity recommendations from the agency’s inspector general.

Furthermore, while Transportation lists cybersecurity as a priority, a majority of component agency managers’ performance plans—15 out of 18—did not include cybersecurity expectations. In addition, Transportation’s CIO did not always participate in component agency CIO evaluations, despite agency regulations requiring such participation, resulting in “less assurance that component agencies are aligned with the department in carrying out cybersecurity-related responsibilities,” according to GAO. 

As reported by the agency’s Inspector General and GAO, Transportation’s cybersecurity training for roles had “deficiencies” and recommendations to fix these have yet to be implemented.

“The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing as security threats continue to evolve and become more sophisticated,” GAO stated. “Therefore, it is imperative for agencies to clearly define cybersecurity-related roles and responsibilities and effectively oversee their cybersecurity programs in order to manage the risks associated with the operation and use of information systems.”

The watchdog made three recommendations, with which the agency agreed. 

In particular, GAO recommended that the Secretary of Transportation direct the agency’s CIO to: take advantage of its IT program reviews to address recommendations that have not been implemented; work with human resources to create and implement a policy mandating that Operating Administration (OA) senior IT managers’ performance plans include cybersecurity-related performance expectations; and take part in the reviews of OA CIOs and their equivalents.