[Federal Register: July 2, 2010 (Volume 75, Number 127)]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
DEPARTMENT OF TRANSPORTATION
Federal Motor Carrier Safety Administration
Guidance to States Regarding Driver History Record Information
Security, Continuity of Operation Planning, and Disaster Recovery
AGENCY: Federal Motor Carrier Safety Administration (FMCSA), DOT.
SUMMARY: The Federal Motor Carrier Safety Administration (FMCSA)
announces guidance to State driver licensing agencies (SDLAs) to
support their efforts at maintaining the security of information
contained in the driver history record of commercial driver's license
(CDL) holders. Further, FMCSA provides States with recommendations
related to continuity of operation and disaster recovery planning to
ensure the permanence of information contained in the driver history
record of a CDL holder. This action is in response to the Department of
Transportation Office of the Inspector General's (OIG) 2009 report
Audit of the Data Integrity of the Commercial Driver's License
Information System (CDLIS).
FOR FURTHER INFORMATION CONTACT: Selden Fritschner, Chief, Commercial
Driver's License Division, E-mail: firstname.lastname@example.org,
Telephone: 202-366-0677, or Kelvin Taylor, Information Systems Security
Officer, E-mail: email@example.com, Telephone: 202-366-4028.
Federal Motor Carrier Safety Administration, 1200 New Jersey Ave., SE.,
Washington, DC 20590.
In July 2009, the Department of Transportation's Office of
Inspector General released the report Audit of the Data Integrity of
the Commercial Driver's License Information System as required by the
Safe, Accountable, Flexible, Efficient Transportation Equity Act: A
Legacy for Users (SAFETEA-LU) (Pub. L. 109-59). CDLIS consists of a
database, known as the Central Site, which maintains individual Master
Pointer Records (MPR) with identifying information for each CDL holder
in the United States. This database directs or points inquirers to the
database of each of the 51 CDL-issuing jurisdictions for more complete
driver history records. Connectivity for the system is provided through
an encrypted communications network. The FMCSA has designated the
American Association of Motor Vehicle Administrators (AAMVA) as the
operator of the Central Site and the communications network. States are
responsible for ensuring their systems comply with the CDLIS
specifications and procedures as published by AAMVA.
In preparing its report, OIG evaluated several factors related to
the information stored at the CDLIS Central Site and on State
databases. Specifically, OIG attempted to determine "whether CDLIS and
State department of motor vehicles (DMV) information systems were
adequately secured," and "the adequacy of contingency plans to ensure
continued CDLIS service to DMVs following a disaster or emergency."
(Note: The OIG report refers to DMVs. However, as States continue to
reorganize their organizations away from all-inclusive DMVs, FMCSA has
used the term "State Driver Licensing Agencies" in previous
rulemakings to refer to these same agencies responsible for issuing
The identifying information on the MPR at the CDLIS Central Site
includes the name, date of birth, social security number, State of
Record, and driver's license number. Because this information, both as
individual and cumulative data elements, is considered personally
identifiable information (PII), possessors of the information must take
specific steps to prevent unauthorized access and dissemination. At the
same time, because the information contained at the CDLIS Central Site
and on SDLA databases is crucial to highway safety during the CDL
issuance process and at roadside enforcement/inspection, it is
paramount that the data be available to all authorized users with
In its report, OIG noted that FMCSA had neither developed and
implemented sufficient comprehensive security policies and procedures
to protect the portal it uses to access CDLIS, nor had it developed
complete contingency and testing plans for this system to ensure
uninterrupted CDL information services in the event of a disaster or
system outage. The FMCSA is currently addressing these findings by
working directly with its service providers and is reporting its
progress to OIG through corrective action plan updates. As the operator
of CDLIS, AAMVA is also modernizing the system to adhere to standards
established by the Federal Information Security Management Act (FISMA).
Similar FISMA standards are being applied to the portal FMCSA owns and
uses to access CDLIS.
The OIG also noted similar deficiencies in some State systems and
programs. In five of nine States reviewed, the OIG found that
information security practices, including continuity of operation and
disaster recovery policies and plans, were either non-existent or
informal, and that State continuity of operations, disaster recovery,
and information system contingency planners had never engaged in
adequate testing exercises.
As a result of OIG's findings, FMCSA encourages States to evaluate
their information security programs and either establish or update
policies, plans, and procedures, to provide an adequate level of
protection to sustain their operational mission and responsibilities.
While States are not required to meet Federal information security
standards, each State should ensure that it has adequate and
comprehensive processes and procedures in place to protect PII and
sensitive information and to sustain its key operations during an
outage. The National Institute of Standards and Technology's (NIST)
Computer Security Division maintains a Computer Security Resource
Center (CSRC) that provides free information to government and
non-governmental entities in an effort to protect information systems
against threats and ensure availability of information and services.
FMCSA recommends that States consider NIST standards and review the
publications available at its Web site: http://csrc.nist.gov/index.html.
I. Information Security
The key deficiency in States that OIG noted was the lack of current
information security plans. Adequate planning is necessary to document
standards and provide for continuous review and improvement. FMCSA
strongly encourages States to develop an Information Security Strategic
Plan (ISSP) that addresses organizational structure and governance,
roles and responsibilities, and enterprise architecture. From this
ISSP, the State should develop specific policies and guidance to ensure
information security. Further, a coordinated plan allows for systematic
monitoring and improvement.
While obviously not intended to be comprehensive for large
organizations such as State driver licensing agencies, NIST Interagency
Report (IR) 7621, Small Business Information Security: The Fundamentals
provides basic information about information security issues. Topics in
this publication include: Protecting information systems from damage by
viruses, spyware, and malicious code; protecting internet connections;
using firewalls; updating operating systems and applications; securing
wireless access points and networks; controlling physical access to
network components; training employees about information security; and
limiting employee authority to install software, access certain
websites, and gain access to network controls. Though States are not
required to comply with FISMA, NIST Special Publication (SP) 800-53,
Recommended Security Controls for Federal Information Systems and
Organizations (Rev. 3, August 2009), provides a comprehensive guide to
information security standards. NIST SP 800-100, Information Security
Handbook: A Guide for Managers, also provides overview information for
developing a security plan. NIST currently makes available over 30
additional publications related specifically to information security on
topics ranging from wireless network access authentication to
enterprise password management.
II. System and Service Unavailability
To mitigate the risks associated with system and service
unavailability, FMCSA encourages States to establish and implement:
Continuity of Operations Plan (COOP)--A plan that focuses on
restoring an organization's essential functions at an alternate site
and performing those functions for up to 30 days before returning to

Disaster Recovery Plan (DRP)--An information technology plan
designed to restore operability of a system, application, or computer
facility after an emergency.

Information Technology Contingency Plan (ITCP)--A plan focused on
ensuring continuity-of-support for major applications in the event of a
disruption in normal operations due to an emergency.

These plans should include a business impact analysis (BIA) to
determine: the interdependence of systems and work priorities in the
event of a disruption; actions necessary to restore system operations
on a short term basis after a disruption until a more permanent
solution can be implemented; and actions necessary to reconstitute a
disrupted facility or lost data to its previous level of capability.
The BIA should also include an analysis of the organization's reliance
upon contracted support and connectivity, a prioritization list of the
systems necessary for the organization's mission-critical functions,
maximum allowable outages for system components (measured in hours or
days), and responsibilities associated with restoring critical
functions (including a line of succession in cases of staff
unavailability). For further information on contingency planning,
consult NIST's Special Publication 800-34: Contingency Planning Guide
for Information Technology Systems.
In addition to establishing plans for service disruption and
disaster recovery, it is critical to perform tests that assure the
plans will work. These tests should be designed as cost-effective ways
of determining if contingency systems and personnel perform as
expected. The tests also provide the organization and its personnel
with the confidence and experience necessary to respond to a real
event. Tests can range from classroom exercises to full system testing
that simulates a real event. Tests should be documented and the results
examined for lessons learned and improvements necessary to the
contingency plans. For further information on contingency testing,
consult NIST's Special Publication 800-84: Guide to Test, Training, and
Exercise Programs for IT Plans and Capabilities.
Issued on: June 23, 2010.
Anne S. Ferro,
[FR Doc. 2010-16226 Filed 7-1-10; 8:45 am]
BILLING CODE 4910-EX-P