The Chief Information Officer review the controls documented within the USAID common controls system security plan and update the descriptions to specifically describe the control that is planned or in place.
The Chief Information Officer review agency system security plans to determine whether they point to the USAID common control system security plan. If so, determine whether that plan adequately addresses the referenced control.
The Chief Information Officer implement documented procedures to be sure that scheduled completion dates identified in the plan of action and milestones are reasonable.
The Chief Information Officer implement documented procedures to be sure that scheduled completion dates are met when applicable.
USAID's Director, Office of Human Resources; Director, Management Policy, Budget, and Performance; Director, Office of Security; and Director, Office of Acquisition and Assistance, coordinate with each other to implement documented procedures to notify USAID system administrators when an employee or contractor leaves the agency or is transferred.
The Chief Information Officer implement a documented process to test the AIDNet contingency plan annually in compliance with USAID policy.
The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7260 and 7687 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7691, 7692, 7693, 7694, 7695, 7696, 7697, and 7698 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7657, 7658, 7659, 7660, 7661, 7662, 7330, and 7679 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7689 and 7690 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Information Officer implement documented procedures to make sure that Agency Secure Image and Storage Tracking system accounts are removed or disabled in a timely manner.
The Chief Information Officer review inactive Agency Secure Image and Storage Tracking system accounts, and disable or delete them in accordance with USAID policy.
The Chief Information Officer review all security controls identified as inherited in the Agency Secure Image and Storage Tracking system security plan to make sure each control is categorized appropriately. When a portion of a control is handled within the system, the control should be identified as hybrid or specific to the system.
The Chief Information Officer complete planned corrective actions for the Agency Secure Image and Storage Tracking system to be sure that plan of action and milestone item 7447 is remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone item 2013-7790 is remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are disabled or deleted immediately when an individual with OFDANet access leaves the agency or no longer needs such access.
The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are reviewed when inactive for 90 days and disabled or deleted if no longer required.
The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone items 2013-7782, 2013-7783, and 2013-7784 are remediated in a timely manner or an appropriate acceptance of risk has been performed.
The Chief Financial Officer comply with National Institute of Standards and Technology, Office of Management and Budget, and USAID risk management requirements by carrying out formal security assessment and authorization procedures over the Electronic Cash Reconciliation Tool.
The Chief Financial Officer update Electronic Cash Reconciliation Tool account management procedures to be sure they address all National Institute of Standards and Technology Special Publication 800-53 revision 3 AC-2 controls, including reviewing accounts for inactivity, disabling accounts in a timely manner, recertifying accounts, and logging the system administrator's account management activities.
The Chief Financial Officer complete a recertification of all Electronic Cash Reconciliation Tool user accounts on a periodic basis in accordance with National Institute of Standards and Technology and USAID requirements to make sure that continued access remains appropriate and the level of access granted is commensurate with the individual's responsibilities.
The Chief Financial Officer implement documented procedures to disable Electronic Cash Reconciliation Tool user accounts that have never logged on or have not logged on within the specified time frame in accordance with National Institute of Standards and Technology and USAID requirements.
The Chief Financial Officer implement documented procedures to remove Electronic Cash Reconciliation Tool accounts associated with individuals no longer supporting USAID in a timely manner.
The Chief Financial Officer implement documented procedures to audit Electronic Cash Reconciliation Tool account creations and removals.
The Director, Office of Acquisition and Assistance, update the Global Acquisition and Assistance System security plan to document all National Institute of Standards and Technology Special Publication 800-53 revision 3 control descriptions and their implementation statements.
The Director, Office of Acquisition and Assistance, implement documented procedures to make sure all inactive Global Acquisition and Assistance System user accounts are identified and disabled or deleted if determined not needed.
The Director, Office of Acquisition and Assistance, implement documented procedures for reviewing all Global Acquisition and Assistance System audit logs in accordance with USAID policy.
The Director, Office of Acquisition and Assistance, implement documented procedures to test the Global Acquisition and Assistance System contingency plan annually in compliance with USAID policy.
The Chief Financial Officer document memorandums of understanding and/or service-level agreements with all agencies and organizations storing or processing Phoenix data, including but not limited to: a. Department of Health and Human Services; b. Carlson Wagonlit Travel; c. Department of Treasury; d. Department of State.