MCC Implemented Controls in Support of FISMA for Fiscal Year 2017 but Improvements Are Needed

Audit Report
Report Number
A-MCC-17-006-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires agencies to have an annual assessment of their information systems.

OIG contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to audit the Millennium Challenge Corporation's (MCC) implementation of certain security controls for selected information systems in support of FISMA during fiscal year 2017.

The auditors found that MCC implemented 97 of the 108 selected security controls. However, MCC did not fully implement the remaining 11 selected security controls.

OIG made five recommendations to MCC to help address the weaknesses identified. MCC made management decisions on all of them.

Recommendations

Recommendation 1

Document and implement written procedures for account management that include:
- Completing, approving, and maintaining access request forms.
- Periodically recertifying users' access rights.

Questioned Cost: 0
Close Date:

Recommendation 2

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement procedures for approving access for global administrator accounts.

Questioned Cost: 0
Close Date:

Recommendation 3

We recommend that the Millennium Challenge Corporation's Chief Information Officer perform a documented review of current procedures to identify any missing controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Based on that review, update the documented procedures to address any missing controls.

Questioned Cost: 0
Close Date:

Recommendation 4

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement mobile device policies and procedures that address all applicable mobile device controls as required by the MCC Information System Security Policy.

Questioned Cost: 0
Close Date:

Recommendation 5

We recommend that the Millennium Challenge Corporation's Chief Information Officer implement written procedures to conduct and maintain security impact analyses before approving change requests.

Questioned Cost: 0
Close Date: