USAID Generally Implemented an Effective Information Security Program for Fiscal Year 2018 in Support of FISMA

Audit Report
Report Number
A-000-19-005-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.
We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to conduct an audit of USAID’s compliance with FISMA during fiscal year (FY) 2018. The audit firm concluded that USAID generally complied with FISMA requirements by implementing 120 of 135 selected security controls for selected information systems. However, USAID did not implement 15 controls, which fall into 6 of the 8 FISMA domains that Federal inspectors general used in FY 2018 to assess the maturity of their agencies’ information security programs. To address the weaknesses identified in the report, OIG made nine recommendations. After reviewing the accounting firm’s evaluation of USAID’s management comments, we consider all the recommendations resolved but open pending completion and verification.

Recommendations

Recommendation 1

USAID's chief information officer update the Agency's Vulnerability Management Standard Operating Procedure to (1) define the timeframe for applying system patches and (2) document and implement a process to validate that system patches are applied according to the timeframe specified in the procedure.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 2

USAID's chief information officer document and implement a process to validate that unsupported software is either upgraded or removed within 48 hours of identification, as specified in the Agency's Unauthorized/Unsupported Software Standard Operating Procedures, or document acceptance of the risk for allowing the unsupported software on the network.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 3

USAID's chief information officer document and implement a process to fully automate the disabling of accounts after 90 days of inactivity and document the results.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 4

USAID's chief information officer document and implement a process to validate that Agency account management policies are enforced for all USAID information systems, or formally document acceptance of the risk when implementing the account management policies is not feasible.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 5

USAID's chief information officer document and implement a process to validate that USAID procedures are followed for testing, conducting security impact analysis of, and approving system changes.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 6

USAID's chief information officer document and implement a process to validate that security assessment plans are documented and uploaded into the Cyber Security Assessment and Management tool.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 7

USAID's chief information officer document and implement a process for reviewing plans of action and milestones on a regular basis to validate that scheduled completion dates, milestone updates, and quarterly updates are documented.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)
Recommendation 8

USAID's chief information officer document and implement a process to validate that USAID's privacy plan, policies, and procedures define personally identifiable information in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-122, and are reviewed and kept up-to-date at least on a biannual basis as recommended by NIST Special Publication 800-53 (revision 4).

Questioned Cost: 0
Close Date: (none)
Recommendation 9

USAID's chief information officer document and implement a process to complete the rollout of the role-based security training to all required individuals.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: (none)