Audit of the Millennium Challenge Corporation's Fiscal Year 2013 Compliance with the Federal Information Security Management Act of 2002

Recommendations

Recommendation 1

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 1 in Office of Inspector General Audit Report No. M-000-13-001-P.

Questioned Cost: $0
Close Date:

Recommendation 2

We recommend that the Millennium Challenge Corporation Chief Information Officer determine and document why the Corporation's vulnerability management tool is not identifying vulnerabilities identified by the Office of Inspector General's contractor.

Questioned Cost: $0
Close Date:

Recommendation 3

After taking final action on Recommendation 2, we recommend that the Millennium Challenge Corporation Chief Information Officer remediate, as appropriate, the vulnerabilities on the network identified by the Office of Inspector General's contractor, or document acceptance of the risks posed by those vulnerabilities.

Questioned Cost: $0
Close Date:

Recommendation 4

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 3 in Office of Inspector General Audit Report No. M-000-13-001-P.

Questioned Cost: $0
Close Date:

Recommendation 5

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a written process to review active service accounts that have not logged in over a specified period of time, as defined by the Corporation, or that have never logged into the system to determine whether accounts are necessary.

Questioned Cost: $0
Close Date:

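The review process Recommendation 5 describes can be partly automated. The following is an added example, not from the report or the Corporation's own tooling; it flags active service accounts that are dormant beyond a chosen threshold or that have no logon on record. It assumes Active Directory style lastLogonTimestamp values (Windows FILETIME ticks, with 0 meaning no logon recorded) and uses a constructed sample inventory.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD lastLogonTimestamp counts 100 ns ticks from here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime | None:
    """Convert FILETIME ticks to a UTC datetime. AD stores 0 when the account has never logged in."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample data."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon_ft: int  # raw lastLogonTimestamp value


@dataclass
class Finding:
    name: str
    reason: str             # "never-logged-in" or "dormant"
    idle_days: int | None   # None when there is no logon to measure from


def review_service_accounts(accounts: list[Account], as_of: datetime, max_idle_days: int) -> list[Finding]:
    """Return active accounts that never logged in or whose last logon is older than max_idle_days."""
    findings: list[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # the recommendation scopes the review to active accounts
        last = filetime_to_datetime(acct.last_logon_ft)
        if last is None:
            findings.append(Finding(acct.name, "never-logged-in", None))
        elif (idle := (as_of - last).days) > max_idle_days:
            findings.append(Finding(acct.name, "dormant", idle))
    return findings


# Constructed sample inventory (hypothetical account names), reviewed as of FY2013 year end.
AS_OF = datetime(2013, 9, 30, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", True, datetime_to_filetime(datetime(2013, 9, 25, tzinfo=timezone.utc))),
    Account("svc-legacy-etl", True, datetime_to_filetime(datetime(2013, 1, 15, tzinfo=timezone.utc))),
    Account("svc-new-app", True, 0),          # created but never used
    Account("svc-old-disabled", False, 0),    # already disabled, out of scope
]


def run_review(max_idle_days: int = 90) -> list[Finding]:
    return review_service_accounts(SAMPLE_ACCOUNTS, AS_OF, max_idle_days)
```

In Active Directory the lastLogonTimestamp attribute is only replicated when the stored value is older than the domain's sync interval (14 days by default), so the chosen idle threshold should be comfortably larger than that interval to avoid false positives.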
Recommendation 6

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a full system authorization for the Millennium Challenge Corporation Management Information System in accordance with the Corporation's policy.

Questioned Cost: $0
Close Date:

Recommendation 7

We recommend that the Millennium Challenge Corporation Chief Information Officer conduct and document a system reauthorization for the MCC Integrated Data Analysis System in accordance with the Corporation's policy.

Questioned Cost: $0
Close Date:

Recommendation 8

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-13-001-P.

Questioned Cost: $0
Close Date:

Recommendation 9

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs for indications of inappropriate or unusual activity.

Questioned Cost: $0
Close Date:

Recommendation 10

We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement a process to make sure that, where appropriate, changes are tested and the test results are reviewed before the changes are implemented.

Questioned Cost: $0
Close Date:

Recommendation 11

We recommend that the Millennium Challenge Corporation Chief Information Officer reopen Recommendation 9 in Office of Inspector General Audit Report No. M-000-11-004-P.

Questioned Cost: $0
Close Date:

Recommendation 12

We recommend that the Millennium Challenge Corporation Vice President of Administration and Finance document the Corporation's relationships with its third-party service providers, then take action to put appropriate agreements in place with them.

Questioned Cost: $0
Close Date:

Recommendation 13

We recommend that the Millennium Challenge Corporation Chief Information Officer implement a documented process to make sure the disaster recovery plan is updated annually to reflect lessons learned from the disaster recovery testing.

Questioned Cost: $0
Close Date:

Recommendation 14

We recommend that the Millennium Challenge Corporation's Chief Information Officer ask that two-factor authentication, as required by Office of Management and Budget Memorandum M-06-16, be implemented for the Corporation's travel system. If it is not, document the Corporation's acceptance of the risk of not implementing the control as part of the security review of the system and obtain a written waiver from the Office of Management and Budget to exempt the Corporation from implementing two-factor authentication for its travel system.

Questioned Cost: $0
Close Date:

Recommendation 15

We recommend that the Millennium Challenge Corporation's Chief Information Officer ask the senior advisory board to make a written determination whether the Corporation should report, track, and monitor its information security program as a material weakness or reportable condition pursuant to the Federal Managers' Financial Integrity Act of 1982.

Questioned Cost: $0
Close Date: