USAID Has Implemented Controls in Support of FISMA, but Improvements Are Needed

The Deputy Administrator develop and implement a plan to ensure the chief information officer position reports directly to the Administrator or Deputy Administrator as required by the Federal Information Technology Acquisition Reform Act of 2014 and the Clinger-Cohen Act of 1996.

The Deputy Administrator develop a written plan to ensure the chief information officer has a significant role in the management, governance, and oversight of information technology as required by the Federal Information Technology Acquisition Reform Act of 2014.

The chief information officer implement a plan to segregate the deputy chief information officer and chief information security officer positions and appoint in writing a senior-level chief information security officer in accordance with the Federal Information Security Modernization Act.

The chief information officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

The chief information officer document and
implement a process to track and remediate persistent vulnerabilities promptly, or document acceptance of the risk of those vulnerabilities.

The chief information officer document and implement a process to ensure vulnerability assessment tools are configured to detect vulnerabilities previously not detected by internal scans.

The chief information officer document and implement a process to centrally manage printers and apply hardened security configurations prior to placing printers into the production environment.

The chief information officer document and implement a plan to make sure all internal and external systems have a current authority to operate.

The chief information officer, in coordination with the chief financial officer, document and implement a procedure to minimize exposure of personally identifiable information in webTA.

The chief information officer, in coordination with the chief financial officer, document and implement a procedure to complete, approve, and maintain access request forms for webTA users in accordance with policies, or document acceptance of the risk of not having such controls.

The chief information officer, in coordination with the chief financial officer, document and implement a procedure to review webTA accounts periodically for appropriateness in accordance with policies or document acceptance of the risk of not having such controls.

The chief information officer develop and implement a written process to validate that the AIDnet plan of action and milestones is completed and updated promptly.

The director of the Office of Management Policy, Budget, and Performance, in coordination with the chief information officer and the chief human capital officer, document and implement a procedure to promptly remove system accounts associated with people no longer at the Agency.

The chief information officer, in coordination with the chief human capital officer, document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.

The chief information officer document and implement a procedure to complete, approve, and maintain access request forms for individuals requiring access to the information technology rooms in the Ronald Reagan Building and Two Potomac Yard locations.

The chief information officer document and implement a procedure to review individual access periodically and ensure only authorized personnel have access to information technology rooms in the Ronald Reagan Building and Two Potomac Yard locations.

The chief information officer document and implement a validation process to confirm that all memorandums of understanding and interconnection security agreements are current and approved.

The chief financial officer document and implement a procedure to review third-party assessment reports to ensure complementary user entity controls have been implemented for the Enterprise Loan Management System.

The chief financial officer document and implement a procedure to review active Enterprise Loan Management System accounts that have not been used for a specified period and disable them as necessary in accordance with agency policy.

The chief financial officer document and implement a procedure to periodically review the Department of State vulnerability scan results and remediation actions supporting the Phoenix application.