Audit of the Millennium Challenge Corporation's Fiscal Year 2012 Compliance With the Federal Information Security Management Act of 2002

We recommend that the Millennium Challenge Corporation Chief Information Officer establish written time frames for implementing patches to ensure the remediation of known vulnerabilities.

We recommend that the Millennium Challenge Corporation Chief Information Officer review the critical and high-risk vulnerabilities identified by the Office of Inspector General contractor and document why the Corporation's vulnerability management tool is not identifying these vulnerabilities

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process for documenting management review, acceptance, and implementation of corresponding compensating controls for known vulnerability scan exclusions.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to conduct periodic reviews, as defined by the Corporation, of MCCNet users' access privileges to verify that they are appropriate.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to review active accounts whose owners have never logged into the system to determine whether the accounts are necessary.

We recommend that the Millennium Challenge Corporation Vice President of Administration and Finance document and implement a process to perform periodic, as defined by the Corporation, reviews of the exit clearance process to ensure its regular implementation.

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct a full system reauthorization for MCCNet in accordance with the Corporation's policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented validation process to ensure that security impact assessments are conducted prior to significant system changes in accordance with the Corporation's policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented validation process to ensure that system risk assessments are reviewed and updated annually, as required by the Information Systems Security Policy.

We recommend that Millennium Challenge Corporation Chief Information Officer document and implement a continuous monitoring plan to assess an appropriate number of controls for the agency's information systems on a Corporation-defined frequency.

We recommend that the Millennium Challenge Corporation Chief Information Security Officer document and implement metrics for accepting Tip of the Day participation as annual security awareness training.

We recommend that the Millennium Challenge Corporation Chief Information Security Officer document and implement a process to track and validate that all employees and contractors receive the annual security awareness training through either the Tips of the Day program or by taking another acceptable security awareness training.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement asset management procedures to include processes for ensuring information system assets are tracked appropriately, and that periodic, as defined by the Corporation, information system asset inventories are performed.

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open Recommendation 9 in Office of Inspector General Audit Report No. M-000-10-004-P.

We recommend that Millennium Challenge Corporation Chief Information Officer implement a documented validation process to ensure the annual testing of contingency plans and timely reporting of lessons learned, as required by the Information System Security Policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open recommendation 9 in Office of Inspector General Audit Report No. M-000-11-004-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open recommendation 10 in Office of Inspector General Audit Report No. M-OOO-11-004-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open recommendation 13 in Office of Inspector General Audit Report No. M-000-11-001-0.