Audit of USAID's Fiscal Year 2015 Compliance with the Federal Information Security Management Act of 2002, as Amended

Recommendations

Recommendation 1

The Chief Information Officer document and implement procedures to review active network accounts that have not logged in for a specified period of time, as defined by Automated Directives System Chapter 545, "Systems Security Policy," or that have never logged into the system, to determine whether the accounts are necessary, and disable or delete accounts that are unnecessary.

Questioned Cost: 0
Close Date:
Recommendation 2

The Director of the Office of Management Policy, Budget, and Performance, in coordination with the Chief Information Officer, the Chief Human Capital Officer, and the Director of the Office of Acquisition and Assistance, document and implement procedures to promptly remove system accounts associated with people no longer at USAID.

Questioned Cost: 0
Close Date:
Recommendation 3

The Chief Information Officer implement improved procedures to make sure approved access request forms are maintained for anyone with access to the network.

Questioned Cost: 0
Close Date:
Recommendation 4

The Chief Information Officer work with the AIDtracker system owner to update AIDtracker security settings for user inactivity to comply with policy, or issue a written authorization for deviations.

Questioned Cost: 0
Close Date:
Recommendation 5

The Chief Information Officer work with the AIDtracker system owner to document and implement procedures to make sure approved access request forms are maintained for anyone with access to the system.

Questioned Cost: 0
Close Date:
Recommendation 6

The Director for the Office of Security document and implement procedures to review Partner Vetting System accounts that have not logged in over a specified period of time, as defined by USAID, or that have never logged into the system to determine whether accounts are necessary.

Questioned Cost: 0
Close Date:
Recommendation 7

The Chief Information Officer work with the State Department's Director for the Office of U.S. Foreign Assistance Resources to implement procedures to complete, approve, and maintain access request forms for privileged users with access to the Foreign Assistance Coordination and Tracking System Info, as required by policy.

Questioned Cost: 0
Close Date:
Recommendation 8

The Chief Information Officer work with the State Department's Director for the Office of U.S. Foreign Assistance Resources to document and implement procedures to review active Foreign Assistance Coordination and Tracking System Info accounts that have not logged in over a specified period of time or that have never logged into the system to determine whether accounts are necessary.

Questioned Cost: 0
Close Date:
Recommendation 9

The Chief Information Officer work with the State Department's Director for the Office of U.S. Foreign Assistance Resources to document and implement procedures to review Foreign Assistance Coordination and Tracking System Info accounts periodically for appropriateness.

Questioned Cost: 0
Close Date:
Recommendation 10

The Chief Information Officer conduct a full system reauthorization for the AIDtracker system in accordance with USAID's policy.

Questioned Cost: 0
Close Date:
Recommendation 11

The Chief Information Officer conduct a full system reauthorization for the Partner Vetting System in accordance with USAID's policy.

Questioned Cost: 0
Close Date:
Recommendation 12

The Chief Information Officer implement a documented validation process to confirm that continuous monitoring activities, such as updating system security plans, risk assessments, security assessments, and plans of action and milestones, are occurring for all USAID systems on a periodic basis, as defined by USAID, and as significant system changes occur.

Questioned Cost: 0
Close Date:
Recommendation 13

The Chief Information Officer document and implement a process to confirm that the role-based training program is implemented as applicable for all employees and contractors requiring role-based training, and ensure that the training is tracked and documented.

Questioned Cost: 0
Close Date:
Recommendation 14

The Chief Information Officer update the AIDNet system security plan to fully document the system's security controls.

Questioned Cost: 0
Close Date:
Recommendation 15

The Director for the Office of Security implement a documented validation process to confirm that the Partner Vetting System contingency plan is reviewed, updated, and tested annually.

Questioned Cost: 0
Close Date:
Recommendation 16

The Chief Information Officer document a formal memorandum of understanding with the alternate processing vendor.

Questioned Cost: 0
Close Date:
Recommendation 17

The Director for the Office of Security document, implement, test, and maintain a current, accurate baseline configuration for the Partner Vetting System.

Questioned Cost: 0
Close Date: