MCC Generally Implemented an Effective Information Security Program for Fiscal Year 2020 in Support of FISMA

Audit Report
Report Number: A-MCC-21-001-C

The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or source. FISMA also requires agencies to have an annual assessment of their information systems. We contracted with the independent certified public accounting firm RMA Associates LLC to conduct an audit of MCC’s compliance with FISMA during fiscal year (FY) 2020. The audit firm concluded that MCC generally implemented an effective information security program by implementing 115 of 120 instances of selected security controls for selected information systems. However, MCC did not implement 5 control instances, which fall into 3 of the 8 FISMA domains that Federal inspectors general used in FY2020 to assess the maturity of their agencies’ information security programs. To address the weaknesses identified in the report, OIG made two recommendations.

Recommendations

Recommendation 1

MCC's chief information officer update the information system security policy and privacy policy to align with agency practices.

Questioned Cost: 0
Funds for Better Use: 0
Close Date

Recommendation 2

MCC's chief information officer develop and administer role-based privacy training for personnel responsible for handling personally identifiable information.

Questioned Cost: 0
Funds for Better Use: 0
Close Date