IAF Has Implemented Controls in Support of FISMA for Fiscal Year 2017 but Improvements Are Needed

Audit Report
Report Number: A-IAF-18-002-C

FISMA requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with CliftonLarsonAllen LLP to conduct the annual assessment of IAF’s implementation of certain security controls for selected information systems in support of FISMA. The audit firm concluded that IAF implemented 86 of 94 selected security controls but did not implement 8 controls. To address the weaknesses identified in the report, OIG made three recommendations to IAF to fully implement the remaining security controls consistent with FISMA requirements. IAF agreed with all three.

Recommendations

Recommendation 1

We recommend that the Inter-American Foundation's Chief Information Officer remediate unsupported software and configuration-related vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

Questioned Cost: 0
Close Date

Recommendation 2

We recommend that the Inter-American Foundation's Chief Information Officer document and implement a process to test system changes and document the results of testing.

Questioned Cost: 0
Close Date

Recommendation 3

We recommend that the Inter-American Foundation's Chief Information Officer document and implement a process to test the Foundation's incident response capabilities.

Questioned Cost: 0
Close Date