FISMA requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.
We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to conduct an audit of USADF’s compliance with FISMA during fiscal year 2017. The audit objective was to determine whether USADF implemented certain security controls for selected information systems consistent with FISMA. The audit firm concluded that USADF implemented 71 of 91 selected security controls but did not completely implement the remaining 20 security controls. The audit firm made, and OIG agreed with, four recommendations to USADF’s management to address the identified weaknesses and tighten controls. USADF agreed with all four recommendations.