Recommendation Dashboard

USAID/Uganda take appropriate action regarding the statement contained in the training material for the Inter-Religious Council of Uganda's district interfaith networks and document the results.

The Chief Information Officer review the controls documented within the USAID common controls system security plan and update the descriptions to specifically describe the control that is planned or in place.

The Chief Information Officer review agency
system security plans to determine whether they point to the USAID common control system security plan. If so, determine whether that plan adequately addresses the referenced control.

The Chief Information Officer implement documented procedures to be sure that scheduled completion dates identified in the plan of action and milestones are reasonable.

The Chief Information Officer implement documented procedures to be sure that scheduled completion dates are met when applicable.

USAID's Director, Office of Human Resources; Director, Management Policy, Budget, and Performance; Director, Office of Security; and Director, Office of Acquisition and Assistance, coordinate with each other to implement documented procedures to notify USAID system administrators when an employee or contractor leaves the agency or is transferred.

The Chief Information Officer implement a documented process to test the AIDNet contingency plan annually in compliance with USAID policy.

The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7260 and 7687 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7691, 7692, 7693, 7694, 7695, 7696, 7697, and 7698 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7657, 7658, 7659, 7660, 7661, 7662, 7330, and 7679 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7689 and 7690 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer implement documented procedures to make sure that Agency Secure Image and Storage Tracking system accounts are removed or disabled in a timely manner.

The Chief Information Officer review inactive Agency Secure Image and Storage Tracking system accounts, and disable or delete them in accordance with USAID policy.

The Chief Information Officer review all security controls identified as inherited in the Agency Secure Image and Storage Tracking system security plan to make sure each control is categorized appropriately. When a portion of a control is handled within the system, the control should be identified as hybrid or specific to the system.

The Chief Information Officer complete planned corrective actions for the Agency Secure Image and Storage Tracking system to be sure that plan of action and milestone item 7447 is remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone item 2013-7790 is remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are disabled or deleted immediately when an individual with OFDANet access leaves the agency or no longer needs such access.

The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are reviewed when inactive for 90 days and disabled or deleted if no longer required.

The Director, Office of Foreign Disaster
Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone items 2013-7782, 2013-7783, and 2013-7784 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Financial Officer comply with National Institute of Standards and Technology, Office of Management and Budget, and USAID risk management requirements by carrying out formal security assessment and authorization procedures over the Electronic Cash Reconciliation Tool.

The Chief Financial Officer update Electronic
Cash Reconciliation Tool account management procedures to be sure they are addressing all National Institute of Standards and Technology Special Publication 800-53 revision 3 AC-2 controls, including reviewing accounts for inactivity, disabling accounts in a timely manner, recertifying accounts, and logging the activities of the system administrator's account management activities.

The Chief Financial Officer complete a
recertification of all Electronic Cash Reconciliation Tool user accounts on a periodic
basis in accordance with National Institute of Standards and Technology and USAID requirements to make sure that continued access remains appropriate and the level of access granted is commensurate with the individual's responsibilities.

The Chief Financial Officer implement documented procedures to disable Electronic Cash Reconciliation Tool user accounts that have never logged on or have not logged on within the specified time frame in accordance with National Institute of Standards and Technology and USAID
requirements.

The Chief Financial Officer implement documented procedures to remove Electronic Cash Reconciliation Tool accounts associated with individuals no longer supporting USAID in a timely manner.

The Chief Financial Officer implement documented procedures to audit Electronic Cash Reconciliation Tool account creations and removals.

The Director, Office of Acquisition and
Assistance, update the Global Acquisition and Assistance System security plan to document all National Institute of Standards and Technology Special Publication 800-53 revision 3 control descriptions and their implementation statements.

The Director, Office of Acquisition and Assistance, implement documented procedures to make sure all inactive Global Acquisition and Assistance System user accounts are identified and disabled or deleted if determined not needed.

The Director, Office of Acquisition and
Assistance, implement documented procedures for reviewing all Global Acquisition and Assistance System audit logs in accordance with USAID policy.

The Director, Office of Acquisition and
Assistance, implement documented procedures to test the Global Acquisition and Assistance System contingency plan annually in compliance with USAID policy.

The Chief Financial Officer document memorandums of understanding and/or service-level agreements with all agencies and organizations storing or processing Phoenix data, including but not limited to: a. Department of Health and Human Services; b. Carlson Wagonlit Travel; c. Department of Treasury; d. Department of State.

USAID/Dominican Republic work with its implementing partner to revise the program's performance management plan to include definitions for each indicator including the data source and collection methodology, results disaggregated by gender, and updated targets and actual results.

USAID/Dominican Republic update the education team's performance management plan, and confirm that it agrees with indicators being reported in the program performance management plan and the
performance plan and report.

USAID/Dominican Republic work with its implementing partner to implement an improved record-keeping system that supports each reported result.

USAID/Dominican Republic implement a site visit plan that includes frequent visits and data verification.

USAID/Dominican Republic, in conjunction with its implementing partner, verify in writing that all necessary training information is entered into USAID's Training Results and Information Network.

USAID/Dominican Republic provide and document training to its staff on how to report results in USAID's Training Results and Information Network.

USAID/Dominican Republic work with its implementing partner to implement a sustainability plan, and document the experiences
and lessons learned during the program as required by the agreement.

USAID/Dominican Republic work with its implementing partner to update its branding and marking plan, including the use of banners or posters with the USAID logo during training sessions.

USAID/Dominican Republic modify its agreement to include changes to the program's activity description and add required standard provisions.

USAID/Dominican Republic work with its implementing partner to document success stories in its partner's fiscal year 2013 annual report.

USAID/Yemen finalize its approach for the remainder of the Community Livelihoods Project by formally modifying the cooperative agreement.

USAID/Yemen require Creative Associates International Inc. to update its project and performance management plans to reflect the changes in the modification.

USAID/Yemen perform a documented review of its standard operating procedures with the Yemen Monitoring and Evaluation Project and, if necessary, amend the procedures to improve the communication of key findings.

USAID/Yemen require Creative Associates
International Inc. to implement a performance management plan that includes the Yemen Monitoring and Evaluation Project's role, authorities, and responsibilities as thirdparty
monitors for the Community Livelihoods Project, as outlined in the mission's procedures.

USAID/Yemen require Creative Associates
International Inc. to update its performance management plan to include a control system to validate the delivery of goods.

USAID/Yemen require Creative Associates
International Inc. to update its performance management plan to clearly delineate its
responsibility for monitoring project activities and reporting findings in an accurate, timely
fashion.

USAID/Yemen require Creative Associates
International Inc. to improve its data reporting by consolidating the data system, implementing a procedure manual to formalize data collection, and implementing a data validation system.

USAID/Yemen deobligate funds associated with activities eliminated from the project.

USAID/Yemen conduct a written analysis to
determine whether the project would benefit from creating a new funds control system. If so, it should implement the system to track funds for the remainder of the project.

The Inter-American Foundation Chief Information Officer remediate vulnerabilities in the network identified by the Office of Inspector General's contractor, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

The Inter-American Foundation Chief Information Officer establish in writing patch time frame requirements to make sure known vulnerabilities are remediated.

The Inter-American Foundation Chief Information Officer implement a written process to review the virtual private network device configuration and to either disable nonessential and insecure services or document acceptance of the risks.

The Inter-American Foundation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs on a schedule defined by the organization for indications of inappropriate or unusual activity.

The Inter-American Foundation Chief Information Officer document and implement a baseline configuration for the Enterprise Network.

The Inter-American Foundation Chief Information Officer either update the foundation's policies, procedures, and network password settings to ensure compliance with the U. S. Government Configuration Baseline standards or document deviations from those standards in the foundation's Information System Security Program and System Security Plan and document acceptance of the risk.

The Inter-American Foundation Chief Information Officer document and implement a process to maintain an up-to-date plan of action and milestones and to implement corrective actions in a timely manner.

The Inter-American Foundation Chief Information Officer implement a documented process to review and update the Enterprise Network System Security Plan annually or as significant system changes
occur to make sure the security requirements and controls for the system are documented adequately and reflect the current operating environment of the information system.

USAID/Morocco revise the memorandum of understanding with the Direction Generale des Collectivites Locales to reactivate and formalize the existence of the steering committee, and define its role and agenda.

USAID/Morocco perform a data quality assessment for activities under the Democracy and Governance Program in accordance with USAID requirements and document the results.

USAID/Morocco review its active awards portfolio to identify awards missing the required antitrafficking and environmental language, and implement a plan to include the missing language in future amendments to these awards.

USAID/Morocco require RTI International to include the required antitrafficking and environmental language in all active subawards.

The Overseas Private Investment Corporation Chief Information Officer develop, document, and implement National Institute of Standards and Technology-approved configuration baselines for the following software platforms utilized by OPICNet: Windows Server (all versions, Microsoft SQL Server (all versions), Oracle 9, Microsoft Internet Information Server.

The Overseas Private Investment Corporation Chief Information Officer conduct configuration baseline monitoring of the following software platforms in accordance with organizational policies and procedures and document the results: Windows Server (all versions), Microsoft SQL Server (all versions, Oracle 9, Microsoft Internet Information Server.

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that: Guest accounts are used as specified in organizational policies and procedures. Accounts inactive for more than 30 days are disabled. Temporary accounts are disabled or removed after 48 hours unless otherwise noted. Terminated individuals' accounts are removed or disabled within a Corporation-specified time frame upon departure. User accounts are disabled properly or removed upon the account expiration date. Account recertifications are conducted at least annually.

The Overseas Private Investment Corporation Chief Information Officer implement audit tools that effectively capture and report all auditable events as required by the Corporation's policies and procedures, and document the results, including: Successful and unsuccessful account logon events, Account management events, Object access, Policy change, Privilege functions, Process tracking, System events, Remote access sessions.

The Overseas Private Investment Corporation Chief Information Officer create a written plan of action and milestones item to track the remediation and establishment of an alternate processing site.

The Overseas Private Investment Corporation Chief Information Officer establish and approve an appropriate written agreement with an alternate processing site to permit the resumption of information system operations for critical mission/business functions when the primary processing capabilities are unavailable in accordance with National Institute of Standards and Technology requirements.

The Overseas Private Investment Corporation Chief Information Officer complete planned corrective actions for OPIC Network to confirm that the plan of action and milestones items for the following are remediated in a timely manner, or perform an appropriate acceptance of risk, and document the results: External access permitted to internal hosts; Insecure Outlook Web access; Unenforced policy (firewalls, demilitarized zone, Internet access content filtering); Unpatchable systems (APPX); Several vulnerabilities and misconfigurations were identified on publicly facing devices.

The Overseas Private Investment Corporation Chief Information Officer implement a written process to confirm that users complete initial security awareness training before they are granted access to the Corporation's network in accordance with OPIC Information System Security Policy, Version 1.0 (ISSP-2013-v1), section 7.3, Awareness and Training.

The Overseas Private Investment Corporation Chief Information Officer revise its OPIC Information System Security Policy to require annual role-based security training in accordance with National Institute of Standards and Technology requirements.

The Overseas Private Investment Corporation Chief Information Officer implement a written role-based security training course for users with significant security responsibilities.

The Overseas Private Investment Corporation Chief Information Officer fully implement procedures to confirm that the System for Awards Management and E2 Solutions system interconnections have been reviewed for appropriate implementation of external agencies' security controls and document the results.

Overseas Private Investment Corporation Chief Information Officer: Define and document information security risk tolerance consistent with the organizational risk tolerance. Implement written procedures to ensure future riskbased decisions are made taking into account the Corporation's defined information security risk tolerance.

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that all users sign the Corporation's rules of behavior prior to being granted access to OPIC Network.

The Overseas Private Investment Corporation Chief Information Officer include in the written plan of action and milestones an estimate of funding resources required to resolve weaknesses, as required by Office of Management and Budget Memorandum 02-01.

USAID/Afghanistan complete and implement a plan for sustaining the benefits derived from the Kandahar Helmand Power Project.

USAID/Afghanistan ascertain and document Black & Veatch's compliance with the Kandahar Helmand Power Project's final amended initial environmental examination.

USAID/Afghanistan determine the allowability
and recover, as appropriate, questioned costs of $164,157 in first- and business-class travel that were identified in Black & Veatch's invoices for the Kandahar Helmand Power Project.

USAID/El Salvador review the Regional Program for the Management of Aquatic Resources and Economic Alternatives contract and implement a plan for the completion of the program's objectives and targets, or terminate activities that cannot be completed and adjust the payment of the fixed fee to reflect actual accomplishments and document their decision.

USAID/El Salvador establish and implement, in conjunction with Chemonics, data collection and review procedures to correct errors identified in this report and to confirm that the data used in reporting progress are accurate.

USAID/El Salvador prepare a written site visit schedule for the remaining contract period.

USAID/El Salvador review the Regional Program for the Management of Aquatic Resources and Economic Alternatives contract, and develop performance indicators and targets for all of the program's expected results.

USAID/El Salvador revise the performance indicators identified in the audit as vague so they represent the intended results clearly and adequately.

USAID/El Salvador require in writing that the contractor provide an annual budget by activity and report on actual expenses compared with that budget.

USAID/El Salvador develop a list and submit all required documents in English to the Development Experience Clearinghouse.

USAID/El Salvador require Chemonics to conduct and document gender case studies as required by the contract.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 1 in Office of Inspector General Audit Report No. M-000-13-001-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer determine and document why the Corporation's vulnerability management tool is not identifying vulnerabilities identified by the Office of Inspector General's contractor.

After taking final action for Recommendation 2, we recommend that the Millennium Challenge Corporation Chief Information Officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor as appropriate, or document acceptance of the risks of those vulnerabilities.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 3 in Office of Inspector General Audit Report No. M-000-13-001-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a written process to review active service accounts that have not logged in over a specified period of time, as defined by the Corporation, or that have never logged into the system to determine whether accounts are necessary.

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a full system authorization for the Millennium Challenge Corporation Management Information System in accordance with the Corporation's policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a system reauthorization for MCC Integrated Data Analysis System in accordance with the Corporation's policy.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-13-001-P.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs for indications of inappropriate or unusual activity.

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to make sure changes are tested and test results are reviewed before the changes are implemented when appropriate.

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-11-004-P.

We recommend that the Millennium Challenge Corporation Vice President of Administration and Finance document its relationships with its third-party service providers, then take actions to get appropriate agreements in place with them.

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented process to make sure the disaster recovery plan is updated annually to reflect lessons learned from the disaster recovery testing.

We recommend that the Millennium Challenge Corporation's Chief Information Officer ask that two-factor authentication, as required by Office of Management and Budget Memorandum M-06-16, be implemented for the Corporation's travel system. If it is not, document the Corporation's acceptance of the risk of not implementing the control as part of the security review of the system and obtain a written waiver from the Office of Management and Budget to exempt the Corporation from implementing two-factor authentication for its travel system.

We recommend that the Millennium Challenge Corporation's Chief Information Officer ask the senior advisory board to make a written determination whether the Corporation should report, track, and monitor its information security program as a material weakness or reportable condition pursuant to the Federal Managers' Financial Integrity Act of 1982.