Top-to-bottom effort lifts DOT's IT security grade from D+ to A-

The Transportation Department's security success last year would be the envy of many a struggling student.

The department improved its IT security grade on the congressional scorecard to an A- from a D+. DOT was one of only two agencies to receive an A.

DOT's jump was one of the biggest among the 24 agencies that received grades last month from House Government Reform Committee, which rated agencies' efforts to secure their systems under the Federal Information Security Management Act.

To earn its top grade, the department certified and accredited the security for 96 percent of its major systems. 'During the last year, a concerted, standardized approach to the FISMA security process led to significant departmental improvements,' Transportation CIO Dan Matthews said.

Transportation began strengthening its IT security program nearly three years ago and in the last year incorporated a methodology that is now in use departmentwide. The standard process called for teams to work specifically on FISMA requirements with systems managers.

'Every security certification package in our agency has to be signed off on by the person who will operate it and by a person in my office,' said Dan Mehan, CIO of the Federal Aviation Administration, which accounts for 85 percent of Transportation's systems.

Transportation also had strong buy-in from the top. Secretary Norman Mineta drummed up support among department leadership to work together to make security a top priority through frequent FISMA discussions, Matthews said. 'His repeated reference to the subject kept everyone's attention clearly focused,' he said.

Mehan added, 'It was just a very concerted effort across the board to pull this off.'

Transportation did not rely heavily on contractors for the certification and accreditation process.

In the house

The department hired an expert from Titan Corp. of San Diego who worked with Transportation to establish the standard approach and assist in the execution of the department's plan. The department used resources from all of its agencies and supplemented the teams with contractor personnel.

FAA put a lot of emphasis on its enterprise architecture last year, which its IT managers consider key to guiding both investment and security. 'We also will continue to advocate that software developers check code for flaws and bake in security,' Mehan said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

inside gcn

  • security in the cloud (ShutterStock image)

    Cloud security is the agency’s responsibility

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group