Audit Report
Report Number: A-ADF-26-001-M
Why We Did This Audit
- Implementing an effective information security program is crucial for protecting the confidentiality, integrity, and availability of Federal agencies’ systems and the information they contain. Such safeguards address threats, ultimately protecting Americans and government resources from bad actors. To that end, the Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems.
- The statute requires agency heads to implement policies and procedures to protect their information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. The act also directs the USAID Office of Inspector General to annually assess the effectiveness of the U.S. African Development Foundation’s (USADF) information security programs and practices and report the results of the assessments to the Office of Management and Budget.
- We conducted this evaluation to determine whether USADF implemented an effective information security program. We focused on USADF’s information security program for fiscal year (FY) 2025 as of April 14, 2025, the last day Agency staff provided information for our evaluation. Following the February 19, 2025, executive order, “Commencing the Reduction of the Federal Bureaucracy,” USADF’s staffing was significantly reduced, and nearly all Agency personnel were placed on administrative leave.
What We Found
- OIG could not determine the overall effectiveness of USADF’s information security program. This was because nearly all of USADF’s staff were placed on administrative leave during our fieldwork and thus could not provide the documentation we needed for our evaluation. Still, we identified the following four areas of concern.
- USADF did not patch vulnerabilities in a timely manner. Specifically, 23 critical and 122 high-risk vulnerabilities remained unpatched beyond the 180-day remediation deadline mandated in Agency policy. This increases the risk that malicious actors will cause data breaches, system compromise, and operational disruption in USADF systems.
- USADF did not finalize its enterprise risk management plan. This plan would define roles, responsibilities, and authorities for responding to cybersecurity risks. As a result, USADF officials may not know who is responsible for managing cybersecurity risk, which could lead to unaddressed security gaps and vulnerabilities to cyber threats.
- USADF’s efforts to align cybersecurity training with workforce needs are unclear. The Agency did not provide documentation to show how it evaluated and aligned its annual security training with its workforce’s knowledge, skills, and ability to respond to current risks and needs. Thus, the Agency may be unable to fully prepare staff for emerging cybersecurity threats.
- Finally, USADF has not implemented two of the seven recommendations from OIG’s FY 2024 FISMA audit. One recommendation pertains to conducting reinvestigations of staff, and the other focuses on improving information security training.
What We Recommend
- We are making five recommendations to strengthen the effectiveness of USADF’s information security program. In addition, we reference two recommendations from our 2024 FISMA audit that the Agency has not yet implemented.