USAID Generally Implemented an Effective Information Security Program for Fiscal Year 2020 in Support of FISMA

Audit Report
Report Number
A-000-21-004-C
We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP (CLA) to conduct an audit of USAID’s information security program for fiscal year 2020 as required by the Federal Information Security Modernization Act of 2014 (FISMA). The audit firm concluded that USAID generally implemented an effective information security program by implementing 123 of 135 instances of selected security controls for selected information systems, but it also identified some weaknesses. We made seven recommendations to further strengthen USAID’s information security program.

Recommendations

Recommendation 1

USAID's Chief Information Officer should implement a process to document and implement mitigating controls for vulnerabilities that cannot be remediated in accordance with the timeframes defined by Agency policy.

Questioned Cost:
$0
Funds For Better Use:
$0
Recommendation 2

USAID's Chief Information Officer should collaborate with the Office of Human Capital and Talent Management to document and implement a process to verify that separated employees' accounts are disabled in a timely manner in accordance with Agency policy.

Questioned Cost:
$0
Funds For Better Use:
$0
Recommendation 3

USAID's Chief Human Capital Officer should implement a process to maintain records electronically for onboarding and off boarding staff.

Questioned Cost:
$0
Funds For Better Use:
$0
Recommendation 4

USAID's Chief Information Officer should implement a process to validate that all privileged personnel receive the required specialized training prior to gaining system access.

Questioned Cost:
$0
Funds For Better Use:
$0
Recommendation 5

USAID's Chief Information Officer should update the mobile device policy to specify the time period users must apply security and operating system updates on Agency mobile devices, and implement a process to deny access to Agency enterprise services for mobile devices that have not been updated within the prescribed period.

Questioned Cost:
$0
Funds For Better Use:
$0
Recommendation 6

USAID's Chief Information Officer should develop and implement a process to block unauthorized applications from installing on Agency mobile devices.

Questioned Cost:
$0
Funds For Better Use:
$0
Recommendation 7

USAID's Chief Information Officer should enhance the Agency's tracking process to include early warning indicators when testing of information system contingency plans will not be completed in the timeframes defined by USAID policy, and take corrective action.

Questioned Cost:
$0
Funds For Better Use:
$0