Audit of the Millennium Challenge Corporation's Fiscal Year 2014 Compliance with the Federal Information Security Management Act of 2002
Recommendations
We recommend that the Millennium Challenge Corporation's Chief Information Officer remediate, as appropriate, vulnerabilities on the network identified by the Office of Inspector General's contractor and document the results or document acceptance of the risks of those vulnerabilities.
We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a process to conduct periodic reviews, at a frequency defined by the Corporation, of MCCNet users to verify that appropriate access privileges have been assigned.
We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement an updated service account review process that includes follow-up and verification of actions taken after the reviews.
We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement a process for confirming that contractor systems are continuously monitored and assessed in accordance with the Corporation's policies.
We recommend that the Millennium Challenge Corporation's Chief Information Officer update the Corporation's Information Systems Security Policy to include requirements in National Institute of Standards and Technology Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
We recommend that the Millennium Challenge Corporation's Chief Information Officer complete and implement Post Phase 2 (enterprise architecture use and maintenance) of the Corporation's plan to establish its enterprise architecture program.
We recommend that the Millennium Challenge Corporation's Chief Information Officer update the MCCNet System Security Plan to document the system's security controls.