The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems. We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to conduct an audit of USAID’s compliance with FISMA during fiscal year 2017. The audit firm concluded that USAID generally complied with FISMA requirements by implementing 150 of 162 selected security controls for selected information systems. However, USAID did not implement 12 controls designed to preserve the confidentiality, integrity, and availability of its information and information systems. To address the weaknesses identified in the report, the audit firm made 11 recommendations, with which OIG agreed. USAID management agreed with all the recommendations, and one is closed.
USAID Has Implemented Controls in Support of FISMA, but Improvements Are Needed
Recommendations
We recommend that the chief information officer document and implement a process to track and remediate persistent vulnerabilities, or document acceptance of the associated risks.
We recommend that the chief information officer document and implement a process to verify that vulnerability assessment tools are configured to detect vulnerabilities previously undiscovered by internal scans.
We recommend that the chief information officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. The risk and approval, including adequate compensating controls, should be documented if an exception must be made until the unsupported software is migrated to vendor-supported platforms.
We recommend that the chief information officer document and implement a process to verify that Microsoft Windows systems comply with the U.S. Government Configuration Baseline, and to grant and disseminate approved deviations from the baseline configuration settings.
We recommend that the chief information officer document and implement a plan to confirm all internal and external systems are currently authorized to operate.
We recommend that the chief information officer document and implement a plan to annually assess risks for all internal and external systems in accordance with agency policy.
We recommend that the chief information officer establish a process to monitor the operation of the automated script that disables accounts after 90 days of inactivity.
We recommend that the chief information officer (a) identify system owners; (b) require them to verify their procedures for revoking system access accounts for separated and transferred employees and contractors are enforced; and (c) document their responses.
We recommend that the chief information officer document and implement a procedure to check for unauthorized software at established intervals.
We recommend that the chief human capital officer document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.
We recommend that the chief information officer document and implement a procedure to review and analyze remote access connections.
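The recommendation to monitor the operation of the automated script that disables accounts after 90 days of inactivity can be met with an independent check: rather than trusting the script's own logs, periodically export the directory and confirm that no enabled account has been idle past the limit. The following is an added illustration and not code from the audit report or from USAID; the account records, the 90-day threshold taken from the recommendation, the point in time the check runs, and the use of the creation date for accounts that have never logged on are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Threshold from the recommendation: accounts idle longer than this must be disabled.
INACTIVITY_LIMIT = timedelta(days=90)

# Hypothetical moment at which the monitoring check runs (end of fiscal year 2017).
AS_OF = datetime(2017, 9, 30, tzinfo=timezone.utc)

# Constructed directory export (not real accounts). Timestamps are ISO 8601 in UTC.
# "last_logon" is None for accounts that have never signed in.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "enabled": True,  "created": "2016-01-10T00:00:00Z", "last_logon": "2017-09-20T08:00:00Z"},
    {"name": "bob",   "enabled": True,  "created": "2016-01-10T00:00:00Z", "last_logon": "2017-05-01T08:00:00Z"},
    {"name": "carol", "enabled": False, "created": "2016-01-10T00:00:00Z", "last_logon": "2017-04-11T08:00:00Z"},
    {"name": "dave",  "enabled": True,  "created": "2017-08-15T00:00:00Z", "last_logon": None},
    {"name": "eve",   "enabled": True,  "created": "2017-01-01T00:00:00Z", "last_logon": None},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_activity(account):
    """Assumption: an account that has never logged on counts as idle since creation,
    so never-used accounts are not exempt from the inactivity rule."""
    return parse_ts(account["last_logon"] or account["created"])


def stale_enabled_accounts(accounts, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Return enabled accounts whose idle time exceeds the limit.

    Each finding is an enabled account the disable script should already have
    acted on; a non-empty result means the script did not run or did not work.
    Disabled accounts are skipped: the control has done its job for them.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        idle = as_of - last_activity(acct)
        if idle > limit:
            findings.append({"name": acct["name"], "days_inactive": idle.days})
    return findings


def disable_script_healthy(accounts, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """True when no enabled account has exceeded the inactivity limit."""
    return not stale_enabled_accounts(accounts, as_of, limit)


if __name__ == "__main__":
    for finding in stale_enabled_accounts(SAMPLE_ACCOUNTS):
        print(f"ALERT: {finding['name']} enabled but idle {finding['days_inactive']} days")
    print("disable script healthy:", disable_script_healthy(SAMPLE_ACCOUNTS))
```

Run against the sample export, the check flags bob (a normal account the script missed) and eve (an account never used since it was created in January), while dave is within the window and carol is already disabled. Because the check reads directory state rather than the script's own success messages, it also catches the failure mode where the script silently stops being scheduled.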