USAID Generally Implemented an Effective Information Security Program for Fiscal Year 2019 in Support of FISMA

Audit Report
Report Number: A-000-20-005-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems.

We contracted with the independent certified public accounting firm CliftonLarsonAllen LLP to conduct an audit of USAID’s compliance with FISMA during fiscal year (FY) 2019. The audit firm concluded that USAID generally implemented an effective information security program by implementing 144 of 157 instances of selected security controls for selected information systems. However, USAID did not implement 13 control instances, which fall into 5 of the 8 FISMA domains that Federal inspectors general used in FY 2019 to assess the maturity of their agencies’ information security programs. To address the weaknesses identified in the report, OIG made seven recommendations.

Recommendations

Recommendation 1
USAID's senior Agency official should document and implement a process to confirm that approval of user access is documented prior to granting access to the system for which verbal approvals had been allowed.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 2
USAID's chief information officer should update its hardware inventory policies to reflect the current operating environment.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 3
USAID's senior Agency official for privacy should document and implement a process to continuously monitor and review privacy controls in accordance with the Privacy Continuous Monitoring Strategy.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 4
USAID's chief information officer should update the system security plan to document the frequency with which position risk designations are to be reviewed and updated.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 5
USAID's chief information officer should document backup procedures for the current operating environment.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 6
USAID's chief information officer should update acquisition policies and procedures to include security requirements outlined in National Institute of Standards and Technology Special Publication 800-53, Revision 4, control SA-4 (Acquisition Process), for all information technology acquisitions.
Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 7
USAID's chief information officer should conduct a documented review of National Institute of Standards and Technology Special Publication 800-160, Volume 1, to identify security engineering principles that are applicable to the Agency and update the Agency's "SDLC Process Description Document" accordingly.
Questioned Cost: 0
Funds for Better Use: 0
Close Date: