Top-to-bottom effort lifts DOT's IT security grade from D+ to A-
The Transportation Department's security success last year would be the envy of many a struggling student.
The department improved its IT security grade on the congressional scorecard to an A- from a D+. DOT was one of only two agencies to receive an A.
DOT's jump was one of the biggest among the 24 agencies that received grades last month from the House Government Reform Committee, which rated agencies' efforts to secure their systems under the Federal Information Security Management Act.
To earn its top grade, the department certified and accredited the security for 96 percent of its major systems. 'During the last year, a concerted, standardized approach to the FISMA security process led to significant departmental improvements,' Transportation CIO Dan Matthews said.
Transportation began strengthening its IT security program nearly three years ago and in the last year incorporated a methodology that is now in use departmentwide. The standard process called for teams to work specifically on FISMA requirements with systems managers.
'Every security certification package in our agency has to be signed off on by the person who will operate it and by a person in my office,' said Dan Mehan, CIO of the Federal Aviation Administration, which accounts for 85 percent of Transportation's systems.
Transportation also had strong buy-in from the top. Secretary Norman Mineta drummed up support among department leadership to work together to make security a top priority through frequent FISMA discussions, Matthews said. 'His repeated reference to the subject kept everyone's attention clearly focused,' he said.
Mehan added, 'It was just a very concerted effort across the board to pull this off.'
Transportation did not rely heavily on contractors for the certification and accreditation process.
In the house
The department hired an expert from Titan Corp. of San Diego who worked with Transportation to establish the standard approach and assist in the execution of the department's plan. The department used resources from all of its agencies and supplemented the teams with contractor personnel.
FAA put a lot of emphasis on its enterprise architecture last year, which its IT managers consider key to guiding both investment and security. 'We also will continue to advocate that software developers check code for flaws and bake in security,' Mehan said.