National Transportation Safety Board:

Progress Made in Management Practices, Investigation Priorities, Training Center Use, and Information Security, But These Areas Continue to Need Improvement

GAO-08-652T: Published: Apr 23, 2008. Publicly Released: Apr 23, 2008.

Contact:

Gerald Dillingham, Ph.D.
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The National Transportation Safety Board (NTSB) plays a vital role in advancing transportation safety by investigating accidents, determining their causes, issuing safety recommendations, and conducting safety studies. To support its mission, NTSB's training center provides training to NTSB investigators and others. It is important that NTSB use its resources efficiently to carry out its mission. In 2006, GAO made recommendations to NTSB in most of these areas. In 2007, an independent auditor made information security recommendations. This testimony addresses NTSB's progress in following leading practices in selected management areas, increasing the efficiency of aspects of investigating accidents and conducting safety studies, increasing the utilization of its training center, and improving information security. This testimony is based on GAO's assessment of agency plans and procedures developed to address these recommendations.

NTSB has made progress in following leading management practices in the eight areas in which GAO made prior recommendations. For example, the agency has improved communication from staff to management by conducting periodic employee surveys, which should help build more constructive relationships within NTSB. Similarly, the agency has made significant progress in improving strategic planning, human capital management, and IT management. It has issued new strategic plans in each area. Although the plans still leave room for improvement, they establish a solid foundation for NTSB to move forward. However, until the agency has developed a full cost accounting system and a strategic training plan, it will miss other opportunities to strengthen the management of the agency.

NTSB has improved the efficiency of activities related to investigating accidents and tracking the status of recommendations. For example, it has developed transparent, risk-based criteria for selecting which rail, pipeline, hazardous materials, and aviation accidents to investigate at the scene. The completion of similar criteria for marine accidents will help provide assurance that NTSB is managing its resources in a manner to ensure a maximum safety benefit. Also, it is in the process of automating its lengthy, paper-based process for closing out recommendations.

Although NTSB has increased the utilization of its training center--from 10 percent in fiscal year 2006 to a projected 24 percent in fiscal year 2008--the classroom space remains significantly underutilized. The increased utilization has helped increase revenues and reduce the center's overall deficit, which declined from about $3.9 million in fiscal year 2005 to about $2.3 million in fiscal year 2007. For fiscal year 2008, NTSB expects the deficit to decline further to about $1.2 million due, in part, to increased revenues from subleasing some classrooms starting July 2008. However, the agency's business plan for the training center lacks specific strategies to achieve further increases in utilization and revenue.

NTSB has made progress toward correcting previously reported information security weaknesses. For example, in an effort to implement an effective information security program, the agency's Chief Information Officer is monitoring corrective actions and has procured and, in some cases, begun to implement automated processes and tools to help strengthen its information security controls. While improvements have been made, work remains before the agency is fully compliant with federal policies, requirements, and standards pertaining to information security, access controls, and data privacy. In addition, GAO identified new weaknesses related to unencrypted laptops and excessive user access privileges. Agency officials attributed these weaknesses to incompatible encryption software and a mission need for certain users. Until the agency addresses these weaknesses, the confidentiality, integrity, and availability of NTSB's information and information systems continue to be at risk.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: GAO found in 2008 that it was important that Congress have updated information on challenges that the agency faced in improving its management for its continuing oversight, but that there was no reporting requirement for its management challenges not related to information security. GAO recommended that NTSB report on the status of GAO recommendations concerning management practices in the agency's annual performance and accountability report or other congressionally approved reporting mechanism. In its 2009 Annual Report to Congress, issued in July 2010, NTSB reported on the status of GAO's recommendations concerning management practices. This ensures that Congress has updated information that it needs for oversight.

    Recommendation: To assist NTSB in continuing to strengthen its overall management of the agency as well as information security, and to ensure that Congress is kept informed of progress in improving the management of the agency, the Chairman of NTSB should report on the status of GAO recommendations concerning management practices in the agency's annual performance and accountability report or other congressionally approved reporting mechanism.

    Agency Affected: National Transportation Safety Board

  2. Status: Closed - Implemented

    Comments: In 2008, GAO found that NTSB information and information systems were at increased risk of unauthorized access and unauthorized disclosure. GAO recommended that NTSB encrypt information/data on all laptops unless the data were determined to be non-sensitive. GAO performed limited testing to verify that NTSB has implemented its recommendation to install encryption software. Agency officials confirmed, however, that while encryption software is operational on 410 of the agency's approximately 420 laptop computers, the remaining laptops do not have encryption software installed because they do not include sensitive information and are not removed from the headquarters building. With this action, NTSB has reduced the risk of unauthorized access or use of sensitive agency data/information.

    Recommendation: To assist NTSB in continuing to strengthen its overall management of the agency as well as information security, the Chairman should direct NTSB's Chief Information Officer to encrypt information/data on all laptops and mobile devices unless the data are determined to be non-sensitive by the agency's deputy director or his/her designate.

    Agency Affected: National Transportation Safety Board

  3. Status: Closed - Implemented

    Comments: In fiscal year 2008, we testified that the National Transportation Safety Board (NTSB) had inappropriately granted excessive access privileges to users. Users with local administrator privileges on their workstations had complete control over all local resources, including accounts and files, and had the ability to load software with known vulnerabilities, either unintentionally or intentionally, and to modify or reconfigure their computers in a manner that could negate network security policies as well as provide an attack vector into the internal network. As a result, increased risk existed that these users could compromise NTSB computers and the internal network. We recommended that NTSB remove users' local administrative privileges from all workstations except administrators' workstations, where applicable, and document any exceptions granted by the Chief Information Officer. In fiscal year 2011, we verified that NTSB, in response to our recommendation, has implemented a policy to ensure that administrator privileges are not available except on administrators' workstations, and has removed these privileges from workstations whose users do not require such access. In addition, we verified that NTSB is tracking exceptions to this policy. These steps increase assurance that NTSB computers and the internal network will be protected from compromise.

    Recommendation: To assist NTSB in continuing to strengthen its overall management of the agency as well as information security, the Chairman should remove users' local administrative privileges from all workstations except administrators' workstations, where applicable, and document any exceptions granted by the Chief Information Officer.

    Agency Affected: National Transportation Safety Board

 
