Audit report calls DOT’s information security programs ‘inadequate’

January 26, 2018

Mark Schremmer


Just weeks after the Federal Motor Carrier Safety Administration admitted its National Registry of Certified Medical Examiners website had been hacked, an audit report detailed flaws in the Department of Transportation’s information security programs.

The audit report, which was released on Jan. 24, said the DOT’s information security posture – its overall security standing, in layman’s terms – was still not adequate.

The Federal Information Security Management Act of 2002 (FISMA, as amended by the Federal Information Security Modernization Act of 2014) requires inspectors general to conduct annual reviews of their agencies’ information security programs and report the results to the Office of Management and Budget. DOT’s operations rely on 464 information technology systems, which represent an annual investment of about $3.5 billion. The audit’s objective was to determine the effectiveness of DOT’s information security program and practices in five function areas: identify, protect, detect, respond and recover.

“DOT’s identify, protect, detect, respond and recover controls are currently inadequate,” the audit said. “DOT’s information systems remain vulnerable to serious security threats due to the deficiencies in the function areas.”

The audit tested the security controls of two sample FMCSA systems. According to the audit, both systems had an inadequate “authorization to operate” (the formal management decision that accepts a system’s residual risk and allows it to go into operation) and inadequate “continuous monitoring.” One of the two systems also had inadequate “security control assessments.”

The FMCSA also received several poor marks for contingency planning, including not performing information system backup and storage, and not communicating information on the planning and performance of recovery activities to internal stakeholders and executive management so they could make risk-based decisions.

FMCSA was listed as one of DOT’s agencies that “did not ensure that contingency planning is developed, maintained and integrated with continuity plans.”

In response to several inquiries from Land Line, the FMCSA released a statement on Jan. 5 that said the National Registry website had been hacked.

“On Dec. 1, 2017, the Department of Transportation experienced an unanticipated system outage of the National Registry of Certified Medical Examiners,” the FMCSA said in an email to Land Line. “The department determined from its initial investigation that while there had been unauthorized access to the system, there was no evidence of exposure of the personal information of drivers, medical examiners, or motor carrier operators. The incident remains under investigation, and the department is working diligently to restore all impacted services to full functionality as soon as practicable.”

The website, which allows commercial drivers to confirm which doctors are on the national registry to perform Department of Transportation physicals, originally went down on either Nov. 30 or Dec. 1 and didn’t resume its functionality until Dec. 14. However, the site stopped working again on the afternoon of Dec. 15 and still wasn’t fully operational as of Friday afternoon, Jan. 26.

Until the site resumes full functionality, drivers are urged to contact healthcare professionals directly to verify that they are certified and on the national registry.

In addition, truck drivers who are preparing for a DOT exam can use the OOIDA website to read reviews on certified medical examiners.

The FMCSA said CMEs can continue to conduct DOT physicals and issue paper Medical Examiner’s Certificates, Form MCSA-5876 to qualified drivers.

The agency has remained quiet on any details regarding the security breach and the investigation. In addition, the FMCSA has declined to answer Land Line’s numerous requests for an estimate of when the site is expected to be fully operational again.