OPIC Implemented Controls in Support of FISMA for Fiscal Year 2017 but Improvements Are Needed

Audit Report
Report Number

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires agencies to have an annual assessment of their information systems.

OIG contracted with Clifton Larson Allen LLP to conduct an audit to determine whether OPIC implemented certain security controls for selected information systems during fiscal year 2017.

Although OPIC implemented 98 of 104 selected security controls, the auditors found OPIC did not effectively implement the remaining six controls.

The auditors made three recommendations to help OPIC strengthen its information security programs. OPIC made management decisions on all of them.

Recommendation 1

OPIC's chief information officer remediate network vulnerabilities identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

Recommendation 2

OPIC's chief information officer prepare a written authorization to operate each application or service, or decommission them and document the results.

Recommendation 3

OPIC's chief information officer document and implement an automated process to track the annual reviews of the Information Security Program Plan and update it, if needed.
