The Millennium Challenge Corporation Has Implemented Many Controls In Support Of FISMA, But Improvements Are Needed

Recommendations

Recommendation 1

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement a process to update baseline configurations for workstations periodically or document acceptance of the risk.

Questioned Cost: $0
Close Date:

Recommendation 2

We recommend that Millennium Challenge Corporation's Chief Information Officer implement written procedures to complete, approve, and maintain users' access request forms for the Contract Management System Audit Tracking and Reporting System in accordance with "MCC Access Control Procedures."

Questioned Cost: $0
Close Date:

Recommendation 3

We recommend that Millennium Challenge Corporation's Chief Information Officer either implement environmental controls for the secondary data center and document results or document acceptance of the risk.

Questioned Cost: $0
Close Date:

Recommendation 4

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement a written physical and environmental protection policy that includes all security controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations," and reflects the current operating environment.

Questioned Cost: $0
Close Date:

Recommendation 5

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement written procedures to manage access to the secondary data center. At a minimum, the procedures should include periodically reviewing logs of personnel entering the data center, and implementing a visitor access log for the data center.

Questioned Cost: $0
Close Date:

Recommendation 6

We recommend that the Millennium Challenge Corporation's Chief Information Officer activate the alarm in the secondary data center and document the results.

Questioned Cost: $0
Close Date:

Recommendation 7

We recommend that Millennium Challenge Corporation's Chief Information Officer update the "Configuration Management Policies and Procedures" to include testing and approval requirements by the type of system changes.

Questioned Cost: $0
Close Date:

Recommendation 8

We recommend that Millennium Challenge Corporation's Chief Information Officer document and implement policy and procedures that include all personnel security controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations."

Questioned Cost: $0
Close Date:

Recommendation 9

We recommend that the Millennium Challenge Corporation obtain a written, fully executed Interconnection Security Agreement with the Department of Interior's Interior Business Center.

Questioned Cost: $0
Close Date: