U.S. DEPARTMENT OF TRANSPORTATION
CHIEF INFORMATION OFFICER
TESTIMONY BEFORE THE
HOUSE COMMITTEE ON GOVERNMENT REFORM
Mr. Chairman and members of the Committee, thank you for the opportunity to appear today to discuss the Department of Transportation’s implementation of the Federal Information Security Management Act of 2002 (FISMA).
I serve as the Department’s Chief Information Officer (CIO), and I also currently serve as the vice-chair of the Federal CIO Council.
The DOT Office of the Chief Information Officer (OCIO) has operational responsibility for Departmental network and communications infrastructure, as well as providing shared services for the Office of the Secretary and the Operating Administrations (OAs) currently engaged in the Department’s Information Technology (IT) services consolidation.
FISMA compliance at DOT is moving from the intensity of the past year’s implementation activities to a more operational mode. Our system inventory is mature, our certification and accreditation methodology is defined and we have begun oversight of the remediation of weaknesses identified over the course of the last two years. Additionally, we have been in the process of making assessments of the Department’s on-going security posture.
Securing the IT assets of the Department of Transportation is a critical responsibility that falls to the CIO’s office. In striving to secure those assets, many people from various areas must pull together. The strides the Department has made over the past year occurred in large measure because of the support of Secretary Norman Y. Mineta. His leadership and guidance combined with each and every modal administrator’s commitment are critical to the success of the Department’s efforts.
We are pleased to have achieved an A- rating on the FISMA Scorecard and note that DOT relied on teamwork across the agency; the establishment, refinement and validation of our system inventory; good communications; comprehensive training; and the support of the Inspector General throughout the year. This last point is critical. With an Inspector General who is engaged, involved and informed throughout the process, DOT makes sure that it approaches FISMA requirements appropriately and that the end products and results are supportable. The teamwork for FISMA compliance was established through the acceptance of a single, department-wide methodology in lieu of individual approaches established by each operating administration. That methodology allowed us to focus and work collectively on a single plan in which all participants had confidence. This gave us the benefit of synergy, and an end greater than the sum of its parts. If we had endeavored to proceed using agency-unique approaches, some agencies might have been successful and some might have faltered. With the support of an industry-recognized security subject matter expert from Titan Corporation, along with agency-wide buy-in and acceptance, DOT was able to reduce overall certification and accreditation schedules, manpower requirements, and costs. More importantly, DOT was able to ensure the accuracy, consistency and completeness of each accreditation package.
The strides made over the last year to comply with FISMA requirements were impressive. DOT has accredited over 90% of all operational IT systems; established a program to ensure security is part of every system’s development life cycle; significantly reduced vulnerabilities of public-facing systems; and improved training and communications at all levels of the organization.
Moving forward, DOT is using metrics to gauge FISMA implementation and compliance throughout the Department. This point is important. DOT recognizes that Plans of Action and Milestones (POA&Ms) are established from the certification and accreditation process required by FISMA and are reviewed by the Inspector General. DOT uses these POA&Ms as a mechanism to ensure we mitigate the risks and remediate the vulnerabilities identified during the C&A process, knowing full well that taking the specific actions prescribed in the POA&Ms will improve DOT’s overall security posture.
To address the steps DOT is taking to further strengthen IT Security:
- DOT is coordinating and cooperating with the Department of Homeland Security on cyber exercises, reporting requirements, and critical new initiatives. One of these initiatives is the IT Security Line of Business. DOT is actively involved with the planning, design, and implementation of this effort.
- DOT is addressing the critical need of enterprise-wide vulnerability management. We are implementing a Department-wide vulnerability remediation program, in part to support an established quarterly compliance review process. The compliance reviews are used to ensure operating administrations are complying with FISMA and other important laws, such as the Privacy Act of 1974.
- DOT is implementing baseline security configuration standards for critical software.
- DOT is consolidating its IT services. This initiative is an important mechanism to secure DOT IT assets and infrastructure. Each operating administration having separately maintained networks across the Department requires multiple applications of patches. If one of those networks is vulnerable, then DOT as a whole is vulnerable. Through consolidation of networks DOT not only significantly improves network security but we gain the added advantage of avoiding redundant costs. Another significant benefit of the consolidation effort is a more complete view of the entire enterprise by the network operations center and the Department’s Cyber Incident Response function. Taking this thought one step further, DOT is in a better position to report to, work with, and respond to the Department of Homeland Security, especially when most needed.
More needs to be done. The FAA’s National Airspace System (NAS) is part of the National Critical Infrastructure Program. I am working directly with FAA senior leadership and the Inspector General to ensure FAA secures and protects the important NAS systems and telecommunication infrastructure. Ensuring that the FAA constructs measurable plans of action in conjunction with its POA&Ms, audit reports, and IG findings, with follow-through to complete its commitments, is fundamental to DOT’s ability to maintain its current FISMA scorecard rating.
Finally, the Committee asks what additional guidance, procedures or resources are needed by the agencies to improve their information security and fully comply with FISMA.
DOT offers the following observations and suggestions:
- DOT supports the creation of an "as of date" for the annual FISMA Report to OMB. This date would be similar to the fiscal year-end date used in preparing financial reports. The benefit of adopting an "as of date" by federal agencies and IGs is that it would create a "common point" in time for measuring the status of an agency's IT security program, e.g., systems inventory and self-assessments. This "as of date" would eliminate timing differences between an agency's report and the IG report that may be introduced by timing issues.
- DOT believes existing FISMA guidance published by OMB and the National Institute of Standards and Technology is adequate. At the same time, as the Vice Chair of the CIO Council, I am working towards having an annual government-wide FISMA kick-off meeting between the Federal CIO Council and the President's Council on Integrity and Efficiency to ensure everyone consistently interprets and applies the guidance and the auditing standards.
In conclusion, it is my observation and experience at DOT that the Department’s cyber security initiatives are working well and support DOT’s ability to safely and securely deliver critical services to our customers.
Again, I thank you for the opportunity to comment on this important topic and I look forward to answering any questions that you may have.