IAF Has Generally Implemented Controls in Support of FISMA for Fiscal Year 2018

Audit Report
Report Number: A-IAF-19-003-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with the independent certified public accounting firm Brown and Company CPAs and Management Consultants PLLC to conduct an audit of IAF’s compliance with FISMA during fiscal year 2018. The audit firm concluded that IAF generally complied with FISMA requirements by implementing 63 of 72 selected security controls for selected information systems. However, IAF did not implement nine controls that safeguard the confidentiality, integrity, and availability of its information and information systems. To address the weaknesses identified, OIG made four recommendations. The audit firm evaluated IAF’s responses to the recommendations. We reviewed that evaluation and consider all four recommendations resolved but open pending completion of planned activities.

Recommendations

Recommendation 1

IAF develop and implement an enterprise risk management policy that fully defines the Foundation's risk management policies, procedures, and strategy, including (a) the organization's processes and methodologies for categorizing risk; (b) developing a risk profile; (c) assessing risk and risk appetite/tolerance levels and responding to risk; and (d) monitoring risk.

Questioned Cost: $0

Recommendation 2

IAF (a) create a change control board or related oversight body, composed of knowledgeable individuals from across functional departments that reviews, approves, and manages changes to configuration items; and (b) ensure that the oversight body formed in "a" above develops a configuration management plan that documents roles and responsibilities and configuration management processes, including identifying and managing configuration items at the appropriate point in an organization's software development life cycle; performing configuration monitoring; and applying configuration management requirements to contracted systems. The plan should also ensure that the originator and approver of changes are not the same person.

Questioned Cost: $0

Recommendation 3

IAF test and exercise the Foundation's continuity of operations plan and document the specific test and exercise activities conducted, along with their results.

Questioned Cost: $0

Recommendation 4

IAF remediate configuration-related vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

Questioned Cost: $0