Audit of the U.S. African Development Foundation's Fiscal Year 2015 Compliance with the Federal Information Security Management Act of 2002, as Amended

The U.S. African Development Foundation's Chief Financial Officer develop and fully implement a documented process to confirm that the foundation's security assessment and authorization activities for systems transitioned to cloud service providers are compliant with National Institute of Standards
and Technology requirements. At a minimum, this should include a review of the security
authorization package for the cloud service provider and a determination of risk to the
foundation documented in an authorization-to-operate memo based on a completed security controls assessment and updated system security plan, risk assessment, and plan of action and milestones.

The U.S. African Development Foundation's Chief Financial Officer update the General Support System security plan to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

The U.S. African Development Foundation's
Chief Financial Officer develop and implement a documented process to review and update the General Support System's system security plan annually. At a minimum, this should include a determination whether the security requirements and controls for the system are documented adequately and reflect the current information system environment.

The U.S. African Development Foundation's Chief Financial Officer develop and implement a documented process to confirm that security assessment plans are documented for the General Support System that describe the scope of the assessment. At a minimum, this should include the security controls and control enhancements under assessment, and the assessment procedures to be used to determine security control effectiveness as required by the National Institute of Standards and Technology.

The U.S. African Development Foundation's Chief Financial Officer develop and fully implement a documented process to confirm that a security assessment is conducted annually for the General Support System, as required by foundation policy.

The U.S. African Development Foundation's Chief Financial Officer develop and fully implement a documented process to enforce the required review of user accounts by system owners to confirm that they are aligned with the individual's job function.

The U.S. African Development Foundation's President appoint a Senior Agency Official for Privacy/Chief Privacy Officer who has the authority within the foundation to consider information privacy policy issues at a national and agency-wide level.

The U.S. African Development Foundation's President develop and fully implement a documented process to confirm that the Senior Agency Official for Privacy/Chief Privacy Officer meets privacy reporting requirements as stipulated by National Institute of Standards and Technology and foundation policy.

The U.S. African Development Foundation's President develop and fully implement a documented process to confirm that privacy impact assessments are updated when a system change creates a new privacy risk, and the Senior Agency Official for Privacy/Chief Privacy Officer reviews and approves them.

The U.S. African Development Foundation's Chief Financial Officer update the contingency plan for the General Support System and Program Support System to reflect the transition to cloud-based service providers.

The U.S. African Development Foundation's Chief Financial Officer develop and fully implement a documented process to confirm that the contingency plan for the General Support System and Program Support System are tested to make sure foundation personnel are trained on how to respond in the event of a disruption of cloud-based services.

The U.S. African Development Foundation's Chief Financial Officer develop and fully implement a documented process to confirm that contracts for service providers include requirements for security and privacy controls in compliance with the foundation's information technology security policies, associated standards, and any applicable federal laws, directives, regulations, and guidance.