USADF Implemented Controls in Support of FISMA for Fiscal Year 2017 but Improvements Are Needed

Audit Report
Report Number
A-ADF-18-001-C

FISMA requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to conduct an audit of USADF’s compliance with FISMA during fiscal year 2017. The audit objective was to determine whether USADF implemented certain security controls for selected information systems consistent with FISMA. The audit firm concluded that USADF implemented 71 of 91 selected security controls but did not completely implement the remaining 20 security controls. The audit firm made, and OIG agreed with, four recommendations to USADF’s management to address the weaknesses identified to tighten controls. USADF agreed with all four recommendations.

Recommendations

Recommendation 1

USADF's chief information security officer strengthen the organization-wide information security program in accordance with National Institute of Standards and Technology standards by establishing and implementing documented processes to:

  • Establish, communicate, and implement an organization-wide risk management strategy for operation and use of the Foundation's information systems in accordance with National Institute of Standards and Technology standards.
  • Review and update the system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." At a minimum, this should include a determination whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.
  • Perform information system security assessments on an annual basis in accordance with USADF's policy.
  • Review and update the system
Questioned Cost:
$0
Recommendation 2

USADF's chief information security officer develop and implement a documented process to track and remediate vulnerabilities in accordance with USADF's policy. This includes confirming patches are applied in a timely manner and tested prior to implementation in accordance with USADF policy.

Questioned Cost:
$0
Recommendation 3

USADF's chief information security officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. That process must document the risks, required approvals, and adequate mitigating controls that will be used for unsupported software until it can be migrated to vendor-supported platforms.

Questioned Cost:
$0
Recommendation 4

USADF's chief information security officer develop and implement a written process to enforce the immediate disabling of employee user accounts upon separation from the organization and perform account recertification in accordance with USADF policy, including adhering to the required frequency for recertifying accounts and providing responses.

Questioned Cost:
$0