FISMA: MCC Implemented an Effective Information Security Program for FY 2025 Despite Some Concerns

Evaluation
Report Number
A-MCC-26-002-M

Why We Did This Audit

· Implementing an effective information security program is crucial for protecting the confidentiality, integrity, and availability of Federal agencies’ systems and the information they contain. Such safeguards address threats, ultimately protecting Americans and government resources from bad actors. To that end, the Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems.

· The statute requires agency heads to implement policies and procedures to protect their information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. The act also directs the USAID Office of Inspector General (OIG) to annually assess the effectiveness of the Millennium Challenge Corporation’s (MCC) information security programs and practices and report the results of the assessments to the Office of Management and Budget (OMB).

· We conducted this evaluation to determine whether MCC implemented an effective information security program. We focused on MCC’s information security program for fiscal year (FY) 2025 through July 24, 2025, the date we reported the FISMA assessment results to OMB.

What We Found

· OIG determined that MCC implemented an effective information security program in FY 2025. Still, we identified the following three areas of concern.

· MCC did not fully implement supply chain procedures. The Agency issued supply chain procedures in response to a prior OIG recommendation but canceled or put on hold necessary procurement actions due to the administration’s review of foreign assistance. An MCC official said the Agency expects to fully implement the procedures by December 2025. Doing so will better position MCC to mitigate the risk of threats from actors who can compromise the integrity of its information systems.

· MCC did not ensure security assessments were performed for two significant systems. Agency officials said they intentionally delayed the security assessment for an internal system because they planned to make major changes to it and move it to a data center. MCC contracts with an external provider to host and operate an external system, but the contract did not require the provider to perform security assessments or state how often they should be performed. Thus, in addition to noncompliance with Federal requirements, MCC may be susceptible to cybersecurity threats and data breaches, putting sensitive Agency data at risk.

· MCC did not implement two prior OIG FISMA recommendations. Specifically, the Agency did not implement a recommendation to update its policies and procedures to comply with National Institute of Standards and Technology requirements for security controls. MCC also did not implement certain event logging requirements established by OMB.

What We Recommend

· We made two recommendations to improve MCC’s security assessments of its internal and external information systems. In addition, we identified two recommendations from our prior FISMA audits that the Agency has not yet addressed.

Recommendations