FISMA: Despite Challenges, MCC Generally Implemented an Effective Information Security Program for Fiscal Year 2024

Why We Did This Audit

• We contracted with the independent certified public accounting firm of RMA Associates LLC (RMA) to conduct an audit of the Millenium Challenge Corporation’s (MCC’s) information security program in support of the Federal Information Security Modernization Act of 2014 (FISMA) and in accordance with generally accepted government auditing standards.
• FISMA requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems. FISMA also requires the agency Inspectors General (IGs) to assess the effectiveness of agency information security programs and practices and report the results of the assessments to the Office of Management and Budget.
• The audit objective was to determine whether MCC implemented an effective information security program.

What We Found

• RMA concluded that MCC generally implemented an effective information security program. However, RMA found weaknesses in all nine IG FISMA metric domains.
• RMA also concluded that MCC did not take final corrective action on four open recommendations from the fiscal year 2021 and fiscal year 2023 FISMA audits.

Why It Matters

• FISMA provides a comprehensive framework for ensuring effective security controls over information resources supporting Federal operations and assets.
• We made one new recommendation in addition to the four prior FISMA audit recommendations that MCC has not yet implemented to address the weaknesses identified in the report.  MCC concurred with the recommendation.