FISMA: Despite Weaknesses, USADF Generally Implemented an Effective Information Security Program for Fiscal Year 2024

Audit Report
Report Number: A-ADF-24-003-C

Why We Did This Audit

  • We contracted with the independent certified public accounting firm of RMA Associates LLC (RMA) to conduct an audit of the U.S. African Development Foundation’s (USADF’s) information security program in support of the Federal Information Security Modernization Act of 2014 (FISMA) and in accordance with generally accepted government auditing standards.
  • FISMA requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems. FISMA also requires the agency Inspectors General (IGs) to assess the effectiveness of agency information security programs and practices and report the results of the assessments to the Office of Management and Budget.
  • The audit objective was to determine whether USADF implemented an effective information security program.

What We Found

  • RMA concluded that USADF generally implemented an effective information security program. However, RMA found weaknesses in five of nine IG FISMA metric domains.
  • RMA also determined that USADF took final corrective action on one open recommendation from the FY2021 FISMA audit, but Agency management had not submitted a request to close it.

Why It Matters

  • FISMA provides a comprehensive framework for ensuring effective security controls over information resources supporting Federal operations and assets.
  • We made seven new recommendations to address the weaknesses identified in the report. USADF concurred with the recommendations.

Recommendations

  • Recommendation 1: Chief Information Officer develop and implement procedures to assess whether position risk designations are reviewed for all personnel. (Questioned Cost: 0; Funds for Better Use: 0)
  • Recommendation 2: Chief Information Officer develop and implement procedures to assess whether reinvestigations are performed timely for individuals who possess critical-sensitive/high-risk roles that require system access. (Questioned Cost: 0; Funds for Better Use: 0)
  • Recommendation 3: Chief Information Officer develop and implement policies and procedures to periodically assess its cybersecurity workforce's knowledge, skills, and abilities to confirm that security training and development activities align with agency needs. (Questioned Cost: 0; Funds for Better Use: 0)
  • Recommendation 4: Chief Information Officer develop and implement policies and procedures for agency personnel to monitor performance metrics for information technology services provided by third parties. (Questioned Cost: 0; Funds for Better Use: 0)
  • Recommendation 5: Chief Information Officer update the change management charter to designate in writing the responsibilities for monitoring performance metrics, conducting lessons-learned activities, and documenting routine updates and minor changes. (Questioned Cost: 0; Funds for Better Use: 0)
  • Recommendation 6: Chief Information Officer update the system security plan to include the frequency for reviewing and updating the contingency plan. (Questioned Cost: 0; Funds for Better Use: 0)
  • Recommendation 7: Chief Information Officer develop and implement policies and procedures to obtain feedback on the agency's specialized security training, update the training program, and request that third-party providers update their training content, as appropriate, to keep current with security practices. (Questioned Cost: 0; Funds for Better Use: 0)