IAF Generally Implemented an Effective Information Security Program for Fiscal Year 2020 in Support of FISMA

Audit Report
Report Number: A-IAF-21-002-C
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement an information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires each agency to obtain an annual independent evaluation of its information security program and practices. We contracted with the independent certified public accounting firm RMA Associates LLC to audit IAF's compliance with FISMA during fiscal year 2020.

The audit firm concluded that IAF generally complied with FISMA requirements: of 100 instances of selected security controls tested on selected information systems, IAF had implemented 87. Because of the 13 instances it had not implemented, IAF's controls did not fully safeguard the confidentiality, integrity, and availability of its information and information systems across the eight FISMA metric domains. In addition, IAF had not taken final corrective action on two recommendations from our 2016 and 2019 FISMA audit reports.

To address the weaknesses identified, OIG made two new recommendations. The audit firm evaluated IAF's responses to the recommendations; we reviewed that evaluation and consider both recommendations resolved but open pending completion of planned activities.

Recommendations

Recommendation 1

We recommend that IAF's Chief Information Officer develop and implement policies and procedures for Plans of Action and Milestones (POA&Ms) so that all identified security weaknesses are tracked, prioritized, and remediated in a timely manner. These procedures should include a process to evaluate the adequacy of justifications for extending estimated completion dates and to identify the dependencies and milestone completions that affect those dates, so that the dates are met.

Questioned Cost: $0
Funds for Better Use: $0
Recommendation 2

We recommend that IAF's Chief Information Officer create a monitoring plan to review and update policies and procedures in accordance with the timeliness requirements established in agency policies.

Questioned Cost: $0
Funds for Better Use: $0