Audit of the Millennium Challenge Corporation's Fiscal Year 2013 Compliance with the Federal Information Security Management Act of 2002
Recommendations
1. We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 1 in Office of Inspector General Audit Report No. M-000-13-001-P.
2. We recommend that the Millennium Challenge Corporation Chief Information Officer determine and document why the Corporation's vulnerability management tool is not identifying vulnerabilities identified by the Office of Inspector General's contractor.
3. After taking final action for Recommendation 2, we recommend that the Millennium Challenge Corporation Chief Information Officer remediate vulnerabilities on the network identified by the Office of Inspector General's contractor as appropriate, or document acceptance of the risks of those vulnerabilities.
4. We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 3 in Office of Inspector General Audit Report No. M-000-13-001-P.
5. We recommend that the Millennium Challenge Corporation Chief Information Officer implement a written process to review active service accounts that have not logged in over a specified period of time, as defined by the Corporation, or that have never logged into the system, to determine whether those accounts are necessary.
6. We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a full system authorization for the Millennium Challenge Corporation Management Information System in accordance with the Corporation's policy.
7. We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a system reauthorization for the MCC Integrated Data Analysis System in accordance with the Corporation's policy.
8. We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-13-001-P.
9. We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs for indications of inappropriate or unusual activity.
10. We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to make sure that, where appropriate, changes are tested and test results are reviewed before the changes are implemented.
11. We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-11-004-P.
12. We recommend that the Millennium Challenge Corporation Vice President of Administration and Finance document the Corporation's relationships with its third-party service providers, then take actions to get appropriate agreements in place with them.
13. We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented process to make sure the disaster recovery plan is updated annually to reflect lessons learned from disaster recovery testing.
14. We recommend that the Millennium Challenge Corporation's Chief Information Officer ask that two-factor authentication, as required by Office of Management and Budget Memorandum M-06-16, be implemented for the Corporation's travel system. If it is not implemented, document the Corporation's acceptance of the risk of not implementing the control as part of the security review of the system, and obtain a written waiver from the Office of Management and Budget to exempt the Corporation from implementing two-factor authentication for its travel system.
15. We recommend that the Millennium Challenge Corporation's Chief Information Officer ask the senior advisory board to make a written determination of whether the Corporation should report, track, and monitor its information security program as a material weakness or reportable condition pursuant to the Federal Managers' Financial Integrity Act of 1982.