Cyber Security Investment at the Department of Transportation

Published: July 28, 2021


The DOT requested $39.4M for its department-wide Cybersecurity Initiative in FY 2022, but this isn’t the only effort underway.

Key Takeaways

  • The DOT requested extra funding for FY 2022 to address SolarWinds vulnerabilities.
  • Cyber security investment should provide opportunities for industry partners of all sizes.
  • More than 10,000 identified vulnerabilities in DOT systems remain to be addressed.

Just as several other federal agencies fell victim to the SolarWinds breach, the Department of Transportation (DOT) also saw its systems penetrated. The exposure of this vulnerability is spurring the department to invest in its cyber security posture. The sense of urgency at the DOT about securing its systems makes even more sense following a Federal Information Security Modernization Act (FISMA) audit by the Office of the Inspector General (OIG) in fiscal 2020 that identified 10,385 security weaknesses the department still needs to address.

Here are some of the steps being taken.

More Funding: After receiving $22M for its Cybersecurity Initiative in fiscal year (FY) 2021, the DOT asked for $39.4M in FY 2022. This request includes $38M to address SolarWinds vulnerabilities at the Federal Aviation Administration (FAA). It does not include funding for cyber investments related to National Airspace Systems (NAS) or NextGen Airspace Transportation Systems.

Planned Investments: DOT will address the vulnerabilities identified during the FISMA audit of FY 2020, in addition to the infrastructure weaknesses revealed by the SolarWinds hack. DOT leadership plans equipment upgrades for its wide area network and IT infrastructure, as well as support for key program enhancements. The Chief Information Officer plans to compete contracts for cyber support. 

Addressing Vulnerabilities: The DOT’s efforts to implement a Risk Management Framework developed by the National Institute of Standards and Technology have advanced very slowly. Part of that framework entails converting 50% of the department’s information and data management systems to a Security Assessment and Authorization Process that accredits systems on an ongoing basis. DOT reached 22% of its assessment goal in FY 2020 and has set 50% as the goal for FY 2022. 

Cloud Security: Cloud adoption is outpacing DOT security policy development. The department is therefore developing a policy to validate the proper adoption and security of cloud-based computing services. Related investments planned for FY 2022 include $24.1M for Microsoft 365 license upgrades from G3 to G5 for additional protection features, upgraded email security and a new Cloud Access Security Broker capability.

FAA Challenges: In addition to requesting $38M to replace compromised SolarWinds hardware, the FAA requested an additional $3.9M to address vulnerabilities in air traffic control systems. Enhancements planned by the FAA include Security Operations Center (SOC) encryption, Multi-Factor Authentication, increased threat logging functions and advanced monitoring tools.

The identification of significant cyber vulnerabilities by the DOT is generating investment that provides potential business opportunities for industry partners of all sizes. Replacing compromised computing equipment will require upgraded hardware, while the pivot toward a Cloud Access Security Broker and advanced security analytics may offer some openings for software providers. Finally, the DOT is likely to call on service providers to support cyber security assessments and address other vulnerabilities.