We recommend that USAID's Chief Information Officer update the
event logging checklist to include details of event logging level 3 (advanced) applicability and implement requirements as specified by Office of Management and Budget Memorandum M-21-31.
We recommend that USAID's Chief Information Officer implement accurate automated dashboards to provide enterprise-wide metrics to inform top management of its information technology risks.
We recommend that USAID's Chief Information Officer establish and implement a process to track the progress of conducting annual reviews and related lessons learned from the implementation of its Information Security Continuous Monitoring Strategy.
We recommend that USAID's Chief Information Officer develop and
implement procedures to document deviations from Agency policy on security control assessments, including acceptance of the risk of such deviations.
We recommend that USAID's Chief Information Officer establish a
formal training program in counterfeit component detection to educate responsible personnel. The training should cover identifying counterfeit hardware, software, and firmware components and should be updated regularly.
We recommend that USAID's Chief Human Capital Officer request its
cognizant Management Council on Risk and Internal Control to report and track as a significant deficiency to the Agency the risk of not maintaining records evidencing that staff have been offboarded in accordance with Agency policy, as identified in Office of Inspector General Report
No. A-000-21-004-C, Recommendation 3.
We recommend that USAID's Chief Information Officer request its
cognizant Management Council on Risk and Internal Control to report and track as a significant deficiency to the Agency the risk of not timely disabling network accounts for separated employees and contractors, as identified in Office of Inspector General Report No. A-000-21-004-C, Recommendation 2.