The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.
We contracted with the independent certified public accounting firm Brown and Company CPAs and Management Consultants PLLC to conduct an audit of IAF’s compliance with FISMA during fiscal year 2018. The audit firm concluded that IAF generally complied with FISMA requirements by implementing 63 of 72 selected security controls for selected information systems. However, IAF did not implement nine controls that safeguard the confidentiality, integrity, and availability of its information and information systems. To address the weaknesses identified, OIG made four recommendations. The audit firm evaluated IAF’s responses to the recommendations. We reviewed that evaluation and consider all four recommendations resolved but open pending completion of planned activities.