OPIC Has Generally Implemented Controls in Support of FISMA for Fiscal Year 2018

Audit Report Number: A-OPC-19-006-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with the independent certified public accounting firm Brown & Company CPAs and Management Consultants PLLC to conduct an audit of OPIC’s compliance with FISMA during fiscal year 2018. The audit firm concluded that OPIC generally complied with FISMA requirements by implementing 65 of 72 selected security controls for selected information systems. However, OPIC did not implement seven controls that safeguard the confidentiality, integrity, and availability of its information and information systems. To address the weaknesses identified, OIG made seven recommendations. The audit firm evaluated OPIC’s responses to the recommendations. We reviewed that evaluation and consider one recommendation closed and the others resolved but open pending completion of planned activities.

Recommendations

Recommendation 1
OPIC's chief information officer document and implement a process to update its Privacy Impact Assessments for the Corporation's information systems.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 2
OPIC's chief information officer remediate patch and configuration vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 4
OPIC's chief information officer document and implement a process to verify (1) the account management system is updated promptly to support the management of information system accounts and (2) inactive accounts are promptly disabled after 30 days in accordance with the Corporation's access control procedures.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 5
OPIC's chief information officer document and implement procedures to record the date that system user accounts are disabled or deleted.
Questioned Cost: 0
Close Date:

Recommendation 6
OPIC's chief information officer document and implement a process to verify that interconnection security agreements and memorandums of understanding are annually reviewed and, if needed, updated.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 7
OPIC's chief information officer conduct (1) contingency training and (2) a test of the information system contingency plan in accordance with OPIC's policy.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 3
OPIC's chief information officer document and implement a process to verify that patches are applied in a timely manner.
Questioned Cost: 0
Funds for Better Use: 0
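A verification check of the kind Recommendations 4 and 5 call for, added here as an illustration and not taken from the audit report or from OPIC: given account records carrying a last-login date, a disabled flag and a recorded disable date (constructed sample data with assumed field names), it lists accounts still enabled past the 30-day inactivity limit and disabled accounts whose disable date was never recorded.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT_DAYS = 30  # the 30-day limit named in Recommendation 4

# Constructed sample account records (illustrative only, not OPIC data).
# Field names are assumptions; a real export would use the directory's own schema.
ACCOUNTS = [
    {"user": "alice", "last_login": "2018-09-20", "disabled": False, "disabled_on": None},
    {"user": "bob",   "last_login": "2018-07-01", "disabled": False, "disabled_on": None},
    {"user": "carol", "last_login": "2018-06-15", "disabled": True,  "disabled_on": None},
    {"user": "dave",  "last_login": "2018-05-02", "disabled": True,  "disabled_on": "2018-06-03"},
]


def audit_accounts(accounts, as_of_iso):
    """Return (user, finding, days_inactive) tuples for accounts that fail the checks.

    - "inactive_not_disabled": still enabled with no login in the last 30 days (Rec. 4)
    - "missing_disable_date": disabled, but no disable date was recorded (Rec. 5)
    """
    as_of = date.fromisoformat(as_of_iso)
    cutoff = as_of - timedelta(days=INACTIVITY_LIMIT_DAYS)
    findings = []
    for acct in accounts:
        last_login = date.fromisoformat(acct["last_login"])
        if not acct["disabled"] and last_login < cutoff:
            findings.append((acct["user"], "inactive_not_disabled", (as_of - last_login).days))
        if acct["disabled"] and acct["disabled_on"] is None:
            findings.append((acct["user"], "missing_disable_date", None))
    return findings


if __name__ == "__main__":
    # Review as of the end of fiscal year 2018.
    for user, finding, days in audit_accounts(ACCOUNTS, "2018-09-30"):
        detail = f" ({days} days since last login)" if days is not None else ""
        print(f"{user}: {finding}{detail}")
```

Running the audit on a real account export and keeping its output is the documented evidence that the verification process exists and is being followed.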