Saturday, December 21, 2013

IG: DOT can't find 70% of its computers

It's not just healthcare.gov that's a major security risk. DOT/FAA has lots of security problems, issues with recovering data after system shutdowns, and apparently a major problem just finding its own equipment.
Report Number: FI-2014-006
Date Issued: November 22, 2013
Highlights from FI-2014-006
DOT’s 13 OAs manage the Department’s 454 information systems. DOT relies on these systems to carry out its mission, including safe air traffic control operations, preventing unqualified drivers from obtaining commercial driver’s licenses, and identifying safety defects in vehicles. The Department must also protect billions of dollars for highway reconstruction, high-speed rail development, and law enforcement grants.
  • OCIO AND OAs HAVE NOT COMPLETED THE REQUIRED SECURITY PROCEDURES
  • DOT LACKS THE ENTERPRISE-LEVEL CONTROLS NEEDED TO SAFEGUARD ITS IT SYSTEMS
  • The Department Lacks Data To Track Required Security Training for DOT Contractors
  • Most DOT Personnel With Significant Security Responsibilities Did Not Meet Specialized Security Training Requirements
  • DOT’s Incident Reporting and Remediation Practices Reflect Minimal Improvement
  • DOT Has Not Fully Complied With Configuration Standards

    To test DOT compliance, we selected a statistical sample of 994 of 79,759 computers from all OAs, but OAs could not locate 712 of the 994. Based on this, we estimate that OAs could not find 56,376, or 70.7 percent, of the Department’s 79,759 computers. This is an increase of 14.3 percentage points from 2012’s 56.4 percent.

  • DOT Has Not Implemented All Required Controls for Configuration Management
    We tested 55 systems and found multiple instances in which configuration controls had not been implemented or were only partially implemented, or documentation did not identify whether the control was in place (see Table 6).
  • DOT Continues To Lack a Comprehensive Departmentwide Risk Management Program
  • The Department’s Capital Planning and Investment Control Process Does Not Address IT Security
  • DOT’S SYSTEM-LEVEL CONTROLS ARE INSUFFICIENT TO KEEP SYSTEMS SECURE OR ENSURE RECOVERY
  • OAs That Use Cloud Computing Have Not Complied With Requirements
  • Despite Progress, the Department Continues To Have Problems Identifying Contractor-Operated Systems
  • DOT LACKS AN EFFECTIVE PROCESS FOR THE REMEDIATION OF SECURITY WEAKNESSES

These are just the IG report's section highlights/titles; when you drill down into the specific sections, it gets even worse than it sounds here. I excerpted some of that type of detail for two sections above. That's the kind of stuff you'll find in all the section details.

They don't know where 70% of their computers are?!?!
Seriously? No shit?

sproingy eyes
