Publicly Released: April 4, 2023
The purpose of this management advisory is to provide U.S. Transportation Command (USTRANSCOM) leadership with the DoD Office of Inspector General (DoD OIG) findings and recommendations specific to USTRANSCOM’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA). We identified these findings during our FY 2021 review of the DoD’s compliance with FISMA, which was announced on November 18, 2020 (Project No. D2021-D000CP-0034.000). We conducted the work on this project with integrity, objectivity, and independence, as required by the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Federal Offices of Inspector General.
On December 17, 2002, the President signed the “Federal Information Security Management Act” into law as part of the E-Government Act of 2002 (Public Law 107-347, Title III). The law provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets and provides a mechanism for improved oversight of Federal agency information security programs. Congress amended the law on December 18, 2014 (Public Law 113-283), and renamed it the “Federal Information Security Modernization Act of 2014” (FISMA). The amendment also establishes the Director of the Office of Management and Budget’s (OMB) authority to oversee information security policies and practices for Federal agencies and the Secretary of the Department of Homeland Security’s authority to manage the information security policies and practices across the Government. FISMA requires that senior agency officials provide security for the information and information systems (information security program) that support the operations and assets under their control, including assessing the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. Federal agencies’ information security programs are supported by security policy issued through the OMB and the Department of Homeland Security, and by risk-based standards and guidelines published by the National Institute of Standards and Technology (NIST).
FISMA also requires that Federal agencies conduct an annual, independent review of the effectiveness of their information security program and practices. For a Federal agency with an IG appointed under the IG Act of 1978, that IG, or an independent external auditor designated by that IG, must conduct the review and submit the results to the OMB and Department of Homeland Security. Each year, the OMB issues guidance that requires the IGs to assess the effectiveness of their agencies’ information security program using annual IG FISMA reporting metrics. The OMB, Department of Homeland Security, and Council of the Inspectors General on Integrity and Efficiency develop the IG FISMA reporting metrics, in consultation with the Federal Chief Information Officer Council.
As part of our FY 2021 independent review, we assessed selected portions of USTRANSCOM’s information security program and practices. We submitted the results of the overall effectiveness of the DoD’s information security program and practices to the Office of Management and Budget and Department of Homeland Security on October 28, 2021. We are issuing this advisory to report the results specific to USTRANSCOM and to issue recommendations for corrective action.
This management advisory contains six recommendations. We consider two recommendations unresolved, three recommendations resolved but open, and one recommendation closed. Therefore, as discussed in the Recommendations, Management Comments, and Our Response section, the unresolved recommendations will remain unresolved until an agreement is reached on the actions to be taken to address the recommendations. Once an agreement is reached, the recommendations will be considered resolved but will remain open until documentation is submitted showing that the agreed‑upon actions are complete. The three resolved recommendations will remain open until documentation is submitted showing that the agreed‑upon actions are complete. Once we verify that the actions are complete, we will close the recommendations.