FISMA requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.
We contracted with CliftonLarsonAllen LLP to conduct the annual assessment of IAF’s implementation of certain security controls for selected information systems in support of FISMA. The audit firm concluded that IAF implemented 86 of 94 selected security controls but did not implement 8 controls. To address the weaknesses identified in the report, OIG made three recommendations to IAF to fully implement the remaining security controls consistent with FISMA requirements. IAF agreed with all three.