The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires agencies to have an annual assessment of their information systems.
OIG contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to audit the Millennium Challenge Corporation’s (MCC) implementation of selected security controls for selected information systems in support of FISMA during fiscal year 2017.
The auditors found that MCC fully implemented 97 of the 108 selected security controls; the remaining 11 were not fully implemented.
OIG made five recommendations to MCC to help address the weaknesses identified. MCC made management decisions on all of them.