Recommendation Dashboard

We recommend that the Vice President of the Millennium Challenge Corporation's Department of Compact Operations recover the ineligible cost of $84,362, as described on page 28, and provide our office with documentation to verify the amount recovered.

We recommend that the Vice President of the Millennium Challenge Corporation's Department of Compact Operations request MCA-Jordan to submit a corrective action plan to correct the significant internal control deficiencies and the material instances of noncompliance described on pages 42 to 60.

Develop and implement policy and operational guidance from the findings and recommendations made in its October 2012 Operations Review to improve sustainability planning.

Develop and implement policy and operational guidance that require countries in future compacts to develop and annually update sustainability plans that specifically identify the risks and challenges to sustainability and proposed options to manage and mitigate these risks, as recommended in the Operations Review. In addition, such plans should establish (1) a clear vision of goals to be achieved, (2) a mechanism to assess their effectiveness in terms of the completeness, robustness, and cohesiveness of sustainability measures and (3) a mechanism to monitor and report on progress of sustainability measures.

The Director of OAA implement policies and procedures for procurements related to transporting the Office of U.S. Foreign Disaster Assistance's emergency commodities. Policies and procedures should require the segregation of duties-so that Transportation contracting officers have clear lines of authority and adequate management oversight-and routine updates to the division's Web page so that it contains current, accurate information.

The Director of OAA update the Transportation Division's portion of USAID's Web site to reflect current information, and provide guidance to potential contractors on the procurement process for Office of U.S. Foreign Disaster Assistance emergency commodity transportation.

The Director of OAA initiate the closeout of award AID-OAA-O-15-00003.

The Director of OAA deobligate the reported unliquidated balance of $11,532,247 from award no. AID-OAA-O-15-00003, and put the funds to better use.

The Director of OAA review its Ebola portfolio, and verify that each applicable award file is entered completely into the Agency Secure Image and Storage Tracking database.

The Director of OAA review its current training program on the use of the Agency Secure Image and Storage Tracking database, and incorporate identified improvements to promote greater policy
compliance.

The Director of OAA review its Office of U.S. Foreign Disaster Assistance Ebola portfolio and confirm that each of the awards has an agreement officer's representative designated by the agreement officer and that the designation letter is in the official award file.

USAID/M/OAA/CAS/CAM determine the allowability of $28,739 in questioned costs ($16,270 ineligible and $12,469 unsupported) identified on page 9 of Akus Consult's audit report and recover from EQUIP Liberia the amounts determined to be unallowable.

USAID/M/OAA/CAS/CAM ensure that EQUIP Liberia corrects the four instances of material noncompliance detailed on pages 13 to 14 and 16 to 18 of Akus Consult's audit report.

We recommend that MCC's Department of Administration and Finance and the chief financial officer update its Expense Accruals Financial Management Procedure Manual to a) Require justification and analysis to be documented, supported, and approved by MCC's management when deviating from its accrual policy and procedures. This should include MCC verification of information provided by the Millennium Challenge Account to support the accrual. b) Include the guidance provided to the Millennium Challenge Accounts on how and what each Millennium Challenge Account will provide as support in addressing the reasonableness of their accrual.

We recommend that MCC's Department of Administration and Finance and the chief financial officer conduct a comprehensive review and formalize the Grant Accrual Validation Whitepaper as an official policy and procedures document that includes: a) Establishing a documented supervisory review of the grant accrual validation to ensure that the validation is performed correctly and is in accordance with MCC's validation methodology. b) Establishing procedures that clearly state how the accrual validation will be carried out when a Millennium Challenge Account is closed out and no longer exists.

We recommend that MCC's Department of Administration and Finance and the chief financial officer establish internal control procedures to properly review the accounting and reporting of funds returned by the Millennium Challenge Accounts and foreign governments, and other transactions that are not routinely prepared in its financial operations to ensure that these transactions are recorded correctly and in accordance with United States Standard General Ledger.

We recommend that MCC's Department of Administration and Finance and the chief financial officer establish an internal control process to ensure that financial statements are prepared in accordance with the most current version of Office of Management and Budget A-136.

We recommend that MCC's Department of Administration and Finance and the chief financial officer conduct a quarterly reconciliation between the status of budgetary resources and the Office of Management and Budget SF-132, Apportionment and Reapportionment Schedule.

We recommend that MCC's Department of Administration and Finance and the chief financial officer implement a management control to properly review and approve unapportioned funds by programs/projects at the fund level before entries are made.

We recommend that MCC's Department of Administration and Finance and the chief financial officer implement a management control to review the impact of funds unapportioned at the fund level before apportionment and recoveries adjustments are recorded.

We recommend that MCC's Department of Administration and Finance and the chief financial officer continue requiring all compact obligating documents be accompanied by an entry-into-force memo prior to recognizing obligation.

The Office of the Chief Financial Officer resolve all unexplained differences between USAID's Fund Balance With Treasury account and the Department of the Treasury by December 31, 2016, and institutionalize the monthly reconciliation of the Fund Balance With Treasury account.

The Office of the Chief Financial Officer implement a quality assurance program to validate the quarterly information that missions submit.

The Office of the Chief Financial Officer implement a plan to immediately investigate all potential funds control violations reported as of September 30, 2016, and resolve them by June 30, 2017.

The Office of the Chief Financial Officer enhance its policies and procedures to evaluate potential funds control violations so that they are investigated and resolved promptly.

The Overseas Private Investment Corporation's chief information officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

(SBU) The Overseas Private Investment Corporation's chief information officer document a separation-of-duties matrix for Oracle E-Business Suite user roles and responsibilities.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to recertify Oracle EBusiness Suite accounts annually, including evaluating the separation of duties.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a written process to disable inactive Oracle E=Business Suite accounts.

(SBU) The Overseas Private Investment Corporation's chief information officer implement Homeland Security Presidential Directive 12 personal identity verification for authentication of network user accounts as required by Office of Management and Budget M-16-04, "Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government," (October 30, 2015)
and document the results.

(SBU) The Overseas Private Investment Corporation's chief information officer either disable Citrix local drive mapping where non-Corporation equipment is used, and document the results, or document acceptance of the risk of allowing Citrix local drive mapping where non-Corporation equipment is used.

The Overseas Private Investment Corporation's chief information officer document and implement asset management procedures, including inventorying information system assets on an organization-defined frequency.

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement a separation-of-duties matrix for OPIC Insight user roles and responsibilities.

The Overseas Private Investment Corporation's chief information security officer, in coordination with the security officer, document and implement physical and environmental security policies and procedures including reviews of physical access as defined by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

The Overseas Private Investment Corporation's chief information officer document and implement an enterprise architecture methodology in line with the Federal enterprise architecture and risk
management framework.

The Overseas Private Investment Corporation's chief information officer update the Corporation's incident response plan to include the time frames for reporting incidents as specified in the "United States Computer Emergency Readiness Team Federal Incident Notification Guidelines."

The Overseas Private Investment Corporation's chief information officer complete the implementation of the Training Management System and verify in writing that records are retained for the Corporation-specified period.

(SBU) The Overseas Private Investment Corporation's chief information officer implement a documented process to validate whether the annual testing of the Corporation's information system contingency plan is completed.

(SBU) The Overseas Private Investment Corporation's chief information officer document and implement processes to achieve acceptable compliance with configuration baseline settings for Windows 2003, Windows 2008, and CentOS servers.

The Overseas Private Investment Corporation's chief information officer implement the process to validate whether plans of action and milestones are completed and updated on time and document the results.

(SBU) The Overseas Private Investment Corporation's chief information security officer review the accreditation boundaries of the OPIC External Services system, align external services with related mission functions, and document the results.

(SBU) The Overseas Private Investment Corporation's chief information security officer implement a written process to assess external services before their authorizations to operate expire.

The United States African Development Foundation's president appoint in writing a senior-level chief information security officer in accordance with the Federal Information Security Modernization Act and the National Institute of Standards and Technology.

The United States African Development Foundation's chief information security officer document and implement a process to review and update system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for
Federal Information Systems and Organizations." At a minimum, this process should include determining whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.

The United States African Development Foundation's chief information security officer document and implement a process to perform security assessments in accordance with National Institute of Standards and Technology standards. This process should include documenting assessment
procedures to be used to determine security control effectiveness and testing the operating effectiveness of security controls.

The United States African Development Foundation's chief information security officer document and implement a process for assessing risk in internal and cloud service provider's systems-taking into account all known vulnerabilities and threat sources, security controls planned or in place, and
residual risk-to make the authorizing official for each system aware of its security state.

The United States African Development Foundation's chief information security officer document and implement a process to update all known security weaknesses and associated corrective plans quarterly as required by the foundation's policy and include them in the plan of action and
milestones.

The United States African Development Foundation's chief information security officer document and implement a process to develop, communicate, and implement an organization-wide risk management strategy associated with the operation and use of the foundation's information systems in accordance with National Institute of Standards and Technology standards.

The United States African Development Foundation's chief information security officer document and implement a process to review and maintain an up-to-date information system inventory.

The United States African Development Foundation's chief information security officer document and implement a process to develop, document, and implement an enterprise architecture in accordance with National Institute of Standards and Technology standards.

The United States African Development Foundation's chief information security officer document and implement a process to perform quarterly scans of all Internet protocol ranges in the network.

The United States African Development Foundation's chief information security officer document and implement a process to track and remediate vulnerabilities timely in accordance with the foundation's policy. This process should include ascertaining that patches are tested before being put into production and applied promptly in accordance with policy.

The United States African Development Foundation's chief information security officer document and implement a process to migrate unsupported applications to platforms supported by vendors. For unsupported applications that cannot be migrated immediately, this process must include
documenting the risk of leaving them on their current platforms, acceptance of that risk, and compensating controls that will be used until migration is possible.

The United States African Development Foundation's chief information security officer document and implement a process to scan each workstation for compliance with the United States Government
Configuration Baseline settings, including remediating any noncompliant settings.

The United States African Development Foundation's chief information security officer document and implement a process to remove users' administrator access to foundation workstations and prevent
granting that access in the future. This process must include documenting the risk of such access and documenting the approval of any exceptions, along with adequate compensating controls.

The United States African Development Foundation's chief information security officer document and implement a process to document, approve, and disseminate approved deviations from the United States Government Configuration Baseline settings.

The United States African Development Foundation's chief information security officer document and implement a process to configure and regularly monitor password settings in accordance with the foundation's policy and encrypt passwords during authentication.

The United States African Development Foundation's chief information security officer document and implement a process to specify an organization-defined frequency for reviewing and updating the inventory of information system components.

The United States African Development Foundation's chief information security officer document and implement a process to maintain the inventory according to policy.

The United States African Development Foundation's chief information security officer document and implement a process to remove and decommission unused systems promptly.

The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce multifactor authentication for network access to privileged accounts.

The United States African Development Foundation's chief information security officer document and implement a process to implement and enforce the use of personal identity verification credentials for access to the foundation's facilities, computers, and network.

The United States African Development Foundation's chief information security officer document and implement a process to change default usernames and passwords before system installation.

The United States African Development Foundation's chief information security officer document and implement a process to review and analyze all required audit logs in accordance with National Institute of Standards and Technology standards and the foundation's policy.

The United States African Development Foundation's chief information security officer document and implement a process to reevaluate the security categorization of the general support, travel, and
human resources systems in accordance with the Office of Management and Budget and National Institute of Standards and Technology guidance given that the systems contain personally identifiable information.

The United States African Development Foundation's chief information security officer document and implement a process to maintain a current interconnection security agreement and memorandum of understanding between the foundation and the U.S. Department of Interior's Interior Business Center.

The United States African Development Foundation's chief information security officer document and implement a process to provide annual security awareness training to overseas partners.

The United States African Development Foundation's chief information security officer document and implement a process to provide annual role-based training to all personnel with significant information security responsibilities.

The Inter-American Foundation's chief information officer remediate vulnerabilities in the network identified by the Office of Inspector General's contractor and document the results or document acceptance of the risks of those vulnerabilities.

The Inter-American Foundation's chief information officer develop and implement a continuous monitoring plan and program.

The Inter-American Foundation's chief information officer develop and implement monitoring controls of baseline configurations for the Enterprise Network and document the results.

The Inter-American Foundation's chief information officer complete a system risk assessment for the Enterprise Network that takes into account all known vulnerabilities, threat sources, and security controls planned or in place, determine the residual risk, and inform the authorizing official of the security state of the information system.

The Inter-American Foundation's chief information officer obtain a current authorization to operate the Enterprise Network that results from a completed security controls assessment and updated system security plan, risk assessment, and plan of action and milestones.

The Inter-American Foundation's chief information officer document and implement a process to review and analyze auditable events.

The Inter-American Foundation's chief information officer implement multifactor authentication for all network accounts and document the results.

The Inter-American Foundation's chief information officer update the continuity of operations plan to include a business impact analysis.

The Inter-American Foundation's chief information officer document and implement a process to validate annual testing of the continuity of operations plan.

The Inter-American Foundation's chief information officer develop and implement a written process to validate whether the plan of action and milestones is completed and updated promptly and includes all applicable control weaknesses.

The Inter-American Foundation's chief information officer update and implement the Information System Security Program Standard Operating Procedures to include the privacy controls identified in National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

The Inter-American Foundation's chief information officer update the organization's Enterprise Network and Software Applications System Security Plan to reflect the current operating environment.

The Inter-American Foundation chief information officer obtain a written, fully executed Interconnection Security Agreement with the Department of Interior Business Center.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement a process to update baseline configurations for workstations periodically or document acceptance of the risk.

We recommend that Millennium Challenge Corporation's Chief Information Officer implement written procedures to complete, approve, and maintain users' access request forms for the Contract Management System Audit Tracking and Reporting System in accordance with "MCC Access Control Procedures."

We recommend that Millennium Challenge Corporation's Chief Information Officer either implement environmental controls for the secondary data center and document results or document acceptance of the risk.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement a written physical and environmental protection policy that includes all security controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," and reflects the current operating environment.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement written procedures to manage access to the secondary data center. At a minimum, the procedures should include periodically reviewing logs of personnel entering the data center, and implementing a visitor access log for the data center.

We recommend that the Millennium Challenge Corporation's Chief Information Officer activate the alarm in the secondary data center and document the results.

We recommend that Millennium Challenge Corporation's Chief Information Officer update the "Configuration Management Policies and Procedures" to include testing and approval requirements by the type of system changes.

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement policy and procedures that include all personnel security controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

We recommend that the Millennium Challenge Corporation obtain a written, fully executed Interconnection Security Agreement with the Department of Interior's Interior Business Center.