View PDF Document

Summary

This report presents the results of our audit of the security controls for the John A. Volpe Center’s (Volpe) information technology infrastructure. Our objectives were to determine whether: (1) Volpe’s local area network (LAN) and Web sites are secure from compromise, and (2) security weaknesses exist in Volpe’s IT infrastructure.

Volpe’s LAN was not secure from compromise because the Center did not follow the National Institute of Standards and Technology’s (NIST) guidance on information security and DOT’s cybersecurity policy. Some Volpe management practices also created security weaknesses that made its IT infrastructure vulnerable to compromise. Furthermore, Volpe’s oversight practices for the network space it contracts out created risks for compromise. Finally, Volpe did not maintain a complete inventory of its network devices. NIST’s guidance and DOT’s policy require Operating Administrations to maintain up-to-date inventories of their systems’ components and devices. However, Volpe’s administrators did not have a complete inventory and could not identify unauthorized devices. Consequently, Volpe’s IT infrastructure and the systems and data on it are at risk for compromise. We made several recommendations to help the Center address these issues.

Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY. The redacted version is posted to our website.