Audit of USAID's Fiscal Year 2014 Compliance With the Federal Information Security Management Act of 2002

Recommendations

Recommendation 1

The Chief Information Officer document and fully implement a plan to ensure that security assessments and authorizations for all USAID major and minor applications are updated to address requirements in National Institute of Standards and Technology Special Publication 800-53, Revision 4.

Questioned Cost: 0
Close Date:

Recommendation 2

The Chief Information Officer update the AIDNet contingency plan to include all information required by the National Institute of Standards and Technology, including contingency roles and responsibilities, and activities associated with restoring the system after a disruption or failure, concurrent processing, testing, cleanup, documentation, business impact analysis, and to fully address operations at the Miami Terremark data center.

Questioned Cost: 0
Close Date:

Recommendation 3

The Chief Information Officer document and implement a process to periodically review and update the AIDNet contingency plan in accordance with USAID policy.

Questioned Cost: 0
Close Date:

Recommendation 4

The Chief Information Officer develop and implement a policy to retain results of backup tests in a central location to allow Agency managers to verify that the testing is being performed in accordance with USAID policy.

Questioned Cost: 0
Close Date:

Recommendation 5

The Chief Information Officer document and fully implement a process to include all weaknesses identified through continuous monitoring in the respective system's plan of action and milestones.

Questioned Cost: 0
Close Date:

Recommendation 6

The Chief Information Officer, pending implementation of an automated solution, document and implement a temporary process to identify deviations from baseline configurations, and track and remediate them appropriately.

Questioned Cost: 0
Close Date:

Recommendation 7

The Chief Information Officer document and implement procedures to manage USAID access to the server room at Two Potomac Yards. At a minimum, procedures should cover approving, periodically reviewing, and revoking access to the room.

Questioned Cost: 0
Close Date:

Recommendation 8

The Chief Financial Officer update Phoenix security settings to comply with Agency policy, or obtain written authorization from the Chief Information Officer for deviations.

Questioned Cost: 0
Close Date:

Recommendation 9

The Chief Financial Officer implement automated controls when possible to ensure that inactive Phoenix accounts are disabled when they reach the inactivity threshold. If management determines that using such controls is not feasible, they should document this decision formally and ensure that mitigating manual controls are in place.

Questioned Cost: 0
Close Date:

Recommendation 10

The Chief Information Officer update the existing security assessment and authorization policy to require that the authorizing official and system owner be different individuals.

Questioned Cost: 0
Close Date:

Recommendation 11

The Chief Information Officer review and update all system security assessment and authorization packages to ensure that the authorizing official and system owner are different individuals.

Questioned Cost: 0
Close Date:

Recommendation 12

The Director for the Office of Acquisition and Assistance document and implement procedures to ensure that accounts are reviewed and disabled or deleted in accordance with USAID policy.

Questioned Cost: 0
Close Date:

Recommendation 13

The Director for the Office of Acquisition and Assistance review all accounts in GLAAS to determine whether any users have conflicting roles based on updated separation-of-duties guidance, and take action to remove any conflicting roles. If management determines that certain individuals require access in violation of the policy, these exceptions should be documented formally and approved by management. In addition, compensating controls should be identified and put in place to mitigate risks related to these exceptions.

Questioned Cost: 0
Close Date:

Recommendation 14

The Director, Office of Education, document and implement formal procedures to review Visa Compliance System accounts periodically for appropriateness.

Questioned Cost: 0
Close Date:

Recommendation 15

The Director, Office of Education, document and implement procedures for reviewing Visa Compliance System logs. Procedures should include confirming that logs are reviewed by an individual who does not have high-level administrator access.

Questioned Cost: 0
Close Date:

Recommendation 16

The Chief Financial Officer update appropriate Payment Management System agreements with the Department of Health and Human Services to require it to provide information about account management to USAID upon request.

Questioned Cost: 0
Close Date:

Recommendation 17

The Director of Management Services update the E2 Travel Management Service User Guide to address the following account management activities and implement them accordingly:
- Requiring appropriate approvals for requests to establish accounts
- Activating, modifying, disabling, and removing accounts
- Authorizing and monitoring the use of guest/anonymous and temporary accounts
- Notifying account managers when temporary accounts are no longer required
- Deactivating accounts when required
- Granting access
- Reviewing accounts quarterly

Questioned Cost: 0
Close Date:

Recommendation 18

The Director, Office of Human Resources, document and implement a process for verifying that all employees complete the employee exit process before leaving the Agency.

Questioned Cost: 0
Close Date: