MCC Generally Implemented an Effective Information Security Program for Fiscal Year 2018 in Support of FISMA

Audit Report
Report Number

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to conduct an audit of MCC’s compliance with FISMA during fiscal year (FY) 2018. The audit firm concluded that MCC generally complied with FISMA requirements by implementing 66 of 74 selected security controls for selected information systems. However, MCC did not implement eight controls, which fall into five of the eight FISMA domains that Federal inspectors general used in FY 2018 to assess their agencies’ information security programs. To address the weaknesses identified in the report, OIG made five recommendations. After reviewing the accounting firm’s evaluation of MCC’s management comments, we consider all five recommendations resolved but open pending completion of planned activities.


Recommendation 1

MCC's chief risk officer develop and implement its enterprise risk management program to include a strategy to manage risks associated with the operations and use of information systems.

Questioned Cost:
Recommendation 2

MCC's chief information officer update the privacy threshold analysis for the MCC management information system with the revised template to determine whether a privacy impact assessment is required.

Questioned Cost:
Recommendation 3

MCC's Domestic and International Security Office update MCC's "Background Investigation and Clearances for Federal
Employment, Contract Service and/or Volunteer Service at the Millennium Challenge Corporation" policy to reflect the current personnel security controls.

Questioned Cost:
Recommendation 4

MCC's Domestic and International Security Office document and implement a process to review the data within the Background Investigation Access Database to validate whether the data are complete, accurate, and kept up-to-date.

Recommendation 5

MCC's Domestic and International Security Office document and implement a process to track reinvestigations of employees and contractors and initiate reinvestigations in a timely manner.