USAID's senior Agency official should document and implement a process to confirm that approval of user access is documented prior to granting access to the system for which verbal approvals had been allowed.
USAID's chief information officer should update its hardware inventory policies to reflect the current operating environment.
USAID's senior Agency official for privacy should document and implement a process to continuously monitor and review privacy controls in accordance with the Privacy Continuous Monitoring Strategy.
USAID's chief information officer should update the system security plan to document the frequency with which position risk designations are to be reviewed and updated.
USAID's chief information officer should document backup procedures for the current operating environment.
USAID's chief information officer should update acquisition policies and procedures to include security requirements outlined in National Institute of Standards and Technology Special Publication 800-53, Revision 4, control SA-4 - Acquisition Process, for all information technology acquisitions.
USAID's chief information officer should conduct a documented review of National Institute of Standards and Technology Special Publication 800-160, Volume 1, to identify security engineering principles that are applicable to the Agency and update the Agency's "SDLC Process Description Document" accordingly.