Cookie control weak at DOT

The Transportation Department's inspector general blames weak technology implementation controls for the use of banned "cookies" on DOT bureau Web sites.

The Transportation IG's audit, performed between August and October, is the third in a series of audits on telecommunications network security at DOT headquarters. This audit focused on cookies, code placed on a Web site visitor's hard drive that identifies visitors when they return to the site.

The IG found that many DOT bureaus incorrectly reported their use of cookies and that thousands of the more than 200,000 DOT Web pages had not been checked to see if cookies were being used correctly.

The Office of Management and Budget issued a revised administration policy in June that prohibits the use of "persistent" cookies without an agency demonstrating a clear need for the technology, clear notification of its use and the approval of the agency's top official. Persistent cookies stay on a user's hard drive for a predetermined amount of time even after the user shuts down the Web browser.

Deputy Secretary Mortimer Downey issued a directive Oct. 25 requiring all DOT bureaus to certify that they are complying with OMB and departmental policy by Nov. 7. But the IG's report found that "while DOT is now making a concerted effort to correct the inappropriate use of cookies, much remains to be done."

The weak security controls, noted in a September IG report, have led to a lack of awareness of whether cookies are being used on DOT pages. At least two Transportation bureaus said cookies were inadvertently created on their sites because of improper configuration of the Web server software.

Following the September report, DOT chief information officer George Molaski said his office would develop a self-certification checklist for Web sites by January 2001.

According to the new IG report, "to ensure that new Web sites are not placed in service without proper review and approval for the use of cookies, the DOT chief information officer needs to accelerate the development and release of the checklist concerning use of cookies."

Also, to enforce compliance with this policy, the IG's office will perform spot checks of all DOT sites.
