USADF Has Generally Implemented Controls in Support of FISMA for Fiscal Year 2018

Audit Report
Report Number: A-ADF-19-002-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with the independent certified public accounting firm Brown and Company CPAs and Management Consultants PLLC to conduct an audit of USADF’s compliance with FISMA during fiscal year (FY) 2018. The audit firm concluded that USADF generally complied with FISMA requirements by implementing 46 of 59 selected security controls for selected information systems. However, the 13 controls USADF did not implement expose it to risks and constitute weaknesses. To address them, OIG made three recommendations; at the time of report issuance, they were resolved but open pending completion of planned activities.

Recommendations

Recommendation 1

United States African Development Foundation's chief information security officer fully develop and document a risk management strategy for information technology operations that requires the Foundation to identify: (i) risk assumptions; (ii) risk constraints; (iii) risk tolerance; and (iv) priorities and trade-offs.

Questioned Cost: $0
Recommendation 2

United States African Development Foundation's chief information security officer update the Foundation's access control policies and procedures to include the use of personal identity verification credentials and how the credentials are enforced for logical access to USADF's information technology resources.

Questioned Cost: $0
Recommendation 3

United States African Development Foundation's chief information security officer update the Foundation's continuous monitoring policies and procedures to include how its chief information officer, information technology systems administrator, and security analyst gather, document, assess, and remediate information system vulnerabilities, threats, and risks in a timely manner, and then implement the procedures.

Questioned Cost: $0