Audit of USAID's Fiscal Year 2013 Compliance With the Federal Information Security Management Act of 2002

Recommendation 1

The Chief Information Officer review the controls documented within the USAID common controls system security plan and update the descriptions to specifically describe the control that is planned or in place.

Questioned Cost
0
Close Date
Recommendation 2

The Chief Information Officer review agency system security plans to determine whether they point to the USAID common control system security plan. If so, determine whether that plan adequately addresses the referenced control.

Questioned Cost
0
Close Date
Recommendation 3

The Chief Information Officer implement documented procedures to be sure that scheduled completion dates identified in the plan of action and milestones are reasonable.

Questioned Cost
0
Close Date
Recommendation 4

The Chief Information Officer implement documented procedures to be sure that scheduled completion dates are met when applicable.

Questioned Cost
0
Close Date
Recommendation 5

USAID's Director, Office of Human Resources; Director, Management Policy, Budget, and Performance; Director, Office of Security; and Director, Office of Acquisition and Assistance, coordinate with each other to implement documented procedures to notify USAID system administrators when an employee or contractor leaves the agency or is transferred.

Questioned Cost
0
Close Date
Recommendation 6

The Chief Information Officer implement a documented process to test the AIDNet contingency plan annually in compliance with USAID policy.

Questioned Cost
0
Close Date
Recommendation 7

The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7260 and 7687 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 8

The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7691, 7692, 7693, 7694, 7695, 7696, 7697, and 7698 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 9

The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7657, 7658, 7659, 7660, 7661, 7662, 7330, and 7679 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 10

The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7689 and 7690 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 11

The Chief Information Officer implement documented procedures to make sure that Agency Secure Image and Storage Tracking system accounts are removed or disabled in a timely manner.

Questioned Cost
0
Close Date
Recommendation 12

The Chief Information Officer review inactive Agency Secure Image and Storage Tracking system accounts, and disable or delete them in accordance with USAID policy.

Questioned Cost
0
Close Date
Recommendation 13

The Chief Information Officer review all security controls identified as inherited in the Agency Secure Image and Storage Tracking system security plan to make sure each control is categorized appropriately. When a portion of a control is handled within the system, the control should be identified as hybrid or specific to the system.

Questioned Cost
0
Close Date
Recommendation 14

The Chief Information Officer complete planned corrective actions for the Agency Secure Image and Storage Tracking system to be sure that plan of action and milestone item 7447 is remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 15

The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone item 2013-7790 is remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 16

The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are disabled or deleted immediately when an individual with OFDANet access leaves the agency or no longer needs such access.

Questioned Cost
0
Close Date
Recommendation 17

The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are reviewed when inactive for 90 days and disabled or deleted if no longer required.

Questioned Cost
0
Close Date
Recommendation 18

The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone items 2013-7782, 2013-7783, and 2013-7784 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

Questioned Cost
0
Close Date
Recommendation 19

The Chief Financial Officer comply with National Institute of Standards and Technology, Office of Management and Budget, and USAID risk management requirements by carrying out formal security assessment and authorization procedures over the Electronic Cash Reconciliation Tool.

Questioned Cost
0
Close Date
Recommendation 20

The Chief Financial Officer update Electronic Cash Reconciliation Tool account management procedures to be sure they address all National Institute of Standards and Technology Special Publication 800-53 revision 3 AC-2 controls, including reviewing accounts for inactivity, disabling accounts in a timely manner, recertifying accounts, and logging the system administrator's account management activities.

Questioned Cost
0
Close Date
Recommendation 21

The Chief Financial Officer complete a recertification of all Electronic Cash Reconciliation Tool user accounts on a periodic basis in accordance with National Institute of Standards and Technology and USAID requirements to make sure that continued access remains appropriate and the level of access granted is commensurate with the individual's responsibilities.

Questioned Cost
0
Close Date
Recommendation 22

The Chief Financial Officer implement documented procedures to disable Electronic Cash Reconciliation Tool user accounts that have never logged on or have not logged on within the specified time frame in accordance with National Institute of Standards and Technology and USAID requirements.

Questioned Cost
0
Close Date
Recommendation 23

The Chief Financial Officer implement documented procedures to remove Electronic Cash Reconciliation Tool accounts associated with individuals no longer supporting USAID in a timely manner.

Questioned Cost
0
Close Date
Recommendation 24

The Chief Financial Officer implement documented procedures to audit Electronic Cash Reconciliation Tool account creations and removals.

Questioned Cost
0
Close Date
Recommendation 25

The Director, Office of Acquisition and Assistance, update the Global Acquisition and Assistance System security plan to document all National Institute of Standards and Technology Special Publication 800-53 revision 3 control descriptions and their implementation statements.

Questioned Cost
0
Close Date
Recommendation 26

The Director, Office of Acquisition and Assistance, implement documented procedures to make sure all inactive Global Acquisition and Assistance System user accounts are identified and disabled or deleted if determined not needed.

Questioned Cost
0
Close Date
Recommendation 27

The Director, Office of Acquisition and Assistance, implement documented procedures for reviewing all Global Acquisition and Assistance System audit logs in accordance with USAID policy.

Questioned Cost
0
Close Date
Recommendation 28

The Director, Office of Acquisition and Assistance, implement documented procedures to test the Global Acquisition and Assistance System contingency plan annually in compliance with USAID policy.

Questioned Cost
0
Close Date
Recommendation 29

The Chief Financial Officer document memorandums of understanding and/or service-level agreements with all agencies and organizations storing or processing Phoenix data, including but not limited to: a. Department of Health and Human Services; b. Carlson Wagonlit Travel; c. Department of Treasury; d. Department of State.

Questioned Cost
0
Close Date