Audit of the Millennium Challenge Corporation's Fiscal Year 2012 Compliance With the Federal Information Security Management Act of 2002

Recommendations

Recommendation 1

We recommend that the Millennium Challenge Corporation Chief Information Officer establish written time frames for implementing patches to ensure the remediation of known vulnerabilities.

Questioned Cost: $0
Close Date:

Recommendation 2

We recommend that the Millennium Challenge Corporation Chief Information Officer review the critical and high-risk vulnerabilities identified by the Office of Inspector General contractor and document why the Corporation's vulnerability management tool is not identifying these vulnerabilities.

Questioned Cost: $0
Close Date:

Recommendation 3

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process for documenting management review, acceptance, and implementation of corresponding compensating controls for known vulnerability scan exclusions.

Questioned Cost: $0
Close Date:

Recommendation 4

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to conduct periodic reviews, as defined by the Corporation, of MCCNet users' access privileges to verify that they are appropriate.

Questioned Cost: $0
Close Date:

Recommendation 5

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to review active accounts whose owners have never logged into the system to determine whether the accounts are necessary.

Questioned Cost: $0
Close Date:

Recommendation 6

We recommend that the Millennium Challenge Corporation Vice President of Administration and Finance document and implement a process to perform periodic reviews, at a frequency defined by the Corporation, of the exit clearance process to ensure its regular implementation.

Questioned Cost: $0
Close Date:

Recommendation 7

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct a full system reauthorization for MCCNet in accordance with the Corporation's policy.

Questioned Cost: $0
Close Date:

Recommendation 8

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented validation process to ensure that security impact assessments are conducted prior to significant system changes in accordance with the Corporation's policy.

Questioned Cost: $0
Close Date:

Recommendation 9

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented validation process to ensure that system risk assessments are reviewed and updated annually, as required by the Information Systems Security Policy.

Questioned Cost: $0
Close Date:

Recommendation 10

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a continuous monitoring plan to assess an appropriate number of controls for the agency's information systems on a Corporation-defined frequency.

Questioned Cost: $0
Close Date:

Recommendation 11

We recommend that the Millennium Challenge Corporation Chief Information Security Officer document and implement metrics for accepting Tip of the Day participation as annual security awareness training.

Questioned Cost: $0
Close Date:

Recommendation 12

We recommend that the Millennium Challenge Corporation Chief Information Security Officer document and implement a process to track and validate that all employees and contractors receive the annual security awareness training through either the Tips of the Day program or by taking another acceptable security awareness training.

Questioned Cost: $0
Close Date:

Recommendation 13

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement asset management procedures, including processes for ensuring that information system assets are tracked appropriately and that information system asset inventories are performed periodically, at a frequency defined by the Corporation.

Questioned Cost: $0
Close Date:

Recommendation 14

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open Recommendation 9 in Office of Inspector General Audit Report No. M-000-10-004-P.

Questioned Cost: $0
Close Date:

Recommendation 15

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented validation process to ensure the annual testing of contingency plans and timely reporting of lessons learned, as required by the Information System Security Policy.

Questioned Cost: $0
Close Date:

Recommendation 16

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open Recommendation 9 in Office of Inspector General Audit Report No. M-000-11-004-P.

Questioned Cost: $0
Close Date:

Recommendation 17

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open Recommendation 10 in Office of Inspector General Audit Report No. M-000-11-004-P.

Questioned Cost: $0
Close Date:

Recommendation 18

We recommend that the Millennium Challenge Corporation Chief Information Officer re-open Recommendation 13 in Office of Inspector General Audit Report No. M-000-11-001-0.

Questioned Cost: $0
Close Date: