IAF Has Generally Implemented Controls in Support of FISMA for Fiscal Year 2018

Recommendations

Recommendation 1

IAF develop and implement an enterprise risk management policy that fully defines the Foundation's risk management policies, procedures, and strategy, including the organization's processes and methodologies for (a) categorizing risk; (b) developing a risk profile; (c) assessing risk and risk appetite/tolerance levels and responding to risk; and (d) monitoring risk.

Questioned Cost: $0

Recommendation 2

IAF (a) create a change control board or related oversight body, composed of knowledgeable individuals from across functional departments, that reviews, approves, and manages changes to configuration items; and (b) ensure that the oversight body formed in "a" above develops a configuration management plan that documents roles and responsibilities and configuration management processes, including identifying and managing configuration items at the appropriate point in an organization's software development life cycle; performing configuration monitoring; and applying configuration management requirements to contracted systems. The plan should also ensure that the originator and approver of a change are not the same person.

Questioned Cost: $0

Recommendation 3

IAF test and exercise the Foundation's continuity of operations plan and document the specific test and exercise activities conducted, along with their results.

Questioned Cost: $0

Recommendation 4

IAF remediate configuration-related vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

Questioned Cost: $0