We contracted with the independent certified public accounting firm of CliftonLarsonAllen LLP (CLA) to conduct an audit of the U.S. International Development Finance Corporation’s (DFC’s) information security program for fiscal year 2021 in support of the Federal Information Security Modernization Act of 2014 (FISMA). The audit firm concluded that DFC implemented an effective information security program, which was defined as having an overall mature program based on the fiscal year 2021 inspector general FISMA reporting metrics. Nevertheless, CLA identified weaknesses in four of nine FISMA reporting metric domains. We made three recommendations to address these weaknesses and further strengthen DFC’s information security program.
DFC Implemented an Effective Information Security Program for Fiscal Year 2021 in Support of FISMA
Develop and implement a process to include compensating controls to mitigate risk when accepting the risk of known vulnerabilities.
Document and implement a process to verify that laptops are encrypted and remediate instances of nonencrypted laptops.
Document and implement a strategy, policy, and procedures to manage supply chain risks with suppliers, contractors, and systems.