MCC Implemented an Effective Information Security Program for Fiscal Year 2021 in Support of FISMA

Audit Report, Report Number A-MCC-22-004-C

We contracted with the independent certified public accounting firm RMA Associates LLC to conduct an audit of the Millennium Challenge Corporation’s (MCC’s) information security program for fiscal year 2021 in support of the Federal Information Security Modernization Act of 2014 (FISMA). The audit firm concluded that MCC implemented an effective information security program, which was defined as having an overall mature program based on the fiscal year 2021 inspector general FISMA reporting metrics, but also identified some weaknesses. We made seven recommendations to further strengthen MCC’s information security program.

Recommendations

Recommendation 1
We recommend that MCC's Chief Information Officer develop and implement processes to document and implement lessons learned related to risk management, configuration management, and identity and access management.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 2
We recommend that MCC's Chief Information Officer develop and document supply chain policies, procedures, and strategies.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 3
We recommend that MCC's Chief Information Officer revise and implement MCC's Vulnerability Patch Compliance Policy to align with the timeframes in the Department of Homeland Security's Fiscal Year 2021 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 4
We recommend that MCC's Chief Information Officer develop and implement a process to conduct an independent periodic review of MCC's privacy program.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 5
We recommend that MCC's Chief Information Officer fully develop and implement a security awareness training strategy.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 6
We recommend that MCC's Chief Information Officer document and implement a process to monitor and enforce MCC's procedures for security training.
Questioned Cost: 0
Funds for Better Use: 0

Recommendation 7
We recommend that MCC's Chief Information Officer document and implement a written process for obtaining and evaluating feedback on MCC's privacy and security training content, including role-based training.
Questioned Cost: 0
Funds for Better Use: 0