Why We Did This Evaluation
Implementing an effective information security program is crucial for protecting the confidentiality, integrity, and availability of Federal agency systems and the information they contain. Such safeguards address threats, ultimately protecting Americans and government resources from bad actors. To that end, the Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems. The statute requires agency heads to implement policies and procedures to protect their information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. The act also directs the USAID Office of Inspector General to conduct an annual independent assessment of the Inter-American Foundation’s (IAF) information security programs and practices and report the results of the assessments to the Office of Management and Budget.
We conducted this evaluation to determine whether IAF implemented an effective information security program. We focused on IAF’s information security program for fiscal year (FY) 2025 as of June 20, 2025, to ensure that we met the deadline to provide the results of our assessment to the Agency. Following the February 19, 2025, executive order, “Commencing the Reduction of the Federal Bureaucracy,” IAF’s staffing was significantly reduced, and many Agency personnel were placed on administrative leave.
What We Found
OIG could not determine the overall effectiveness of IAF’s information security program in FY 2025. However, the Agency met requirements for certain areas. For example, the Agency adhered to supply chain policies and procedures, established requirements for monitoring security incidents, and tested contingency plans. IAF also implemented two of our four prior recommendations. Nevertheless, we identified multiple weaknesses.
IAF continues to face challenges in remediating critical vulnerabilities in a timely manner. In addition, the Agency has not implemented a related prior recommendation. This makes it easier for attackers to exploit weaknesses by executing malicious code, stealing data, or compromising staff’s access to systems.
IAF has not fully implemented security logging requirements. The Agency logged only basic information about potential security breaches and not advanced information as required, such as user behavior monitoring to detect improper access and compromised systems. The Agency also has not implemented a related prior recommendation.
IAF lacked complete information for its software and hardware inventory. This increases the risk that it will misallocate resources for unneeded software and hardware and reduces its ability to implement effective security controls.
IAF did not conduct annual security control assessments or identify required controls for selected systems. This increases the Agency’s risk of exposure to cybersecurity threats and means that leadership cannot have assurance that all controls are operating as intended.
IAF did not consistently develop and maintain security plans for selected systems. Incomplete plans may lead to misinformed decisions on mitigating risk and increase risks of unauthorized access, disruption, and modification of systems.
What We Recommend
We made six recommendations to strengthen the effectiveness of IAF’s information security program. In addition, we referenced two recommendations from our 2024 FISMA audit that the Agency has not yet implemented.