Why We Did This Evaluation
· Implementing an effective information security program is crucial for protecting the confidentiality, integrity, and availability of Federal agencies’ systems and the information they contain. Such safeguards address threats, ultimately protecting Americans and government resources from bad actors. To that end, the Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems.
· The statute requires agency heads to implement policies and procedures to protect their information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. The act also directs the USAID Office of Inspector General to annually assess the effectiveness of the Agency’s information security programs and practices and report the results of the assessments to the Office of Management and Budget.
· We conducted this evaluation to determine whether USAID implemented an effective information security program. We focused on USAID’s information security program for fiscal year 2025 through April 14, 2025, the last day USAID staff provided information to us.
What We Found
· USAID implemented an effective information security program as of April 14, 2025. For example, USAID used secure configurations for its information systems, ensured that administrative accounts complied with Agency policies and procedures, implemented processes for responding to incidents and executing its contingency plans, and effectively mitigated software vulnerabilities on its network. Although we could not assess effectiveness for the full fiscal year, we identified certain required actions that USAID failed to take; we could not determine why, because the responsible Agency staff were unavailable.
· USAID did not perform risk assessments and security controls assessments for two of six selected systems as required. Inconsistent risk assessments can impair an agency's ability to effectively manage cybersecurity risks, respond to threats to its system security environment, and identify vulnerabilities and weaknesses in its security posture.
· USAID could not demonstrate that it had formalized cybersecurity duties, policies for maintaining data inventories, or mechanisms for network monitoring and enforcement. As a result, USAID faced the risk that sensitive data might be lost or misused, which could result in legal action and reputational harm. The Agency also increased the risk of miscommunication, unaddressed security gaps, and vulnerabilities across its information technology environment. Finally, without monitoring and enforcement mechanisms, the Agency may not have been able to quickly mitigate the risks from noncompliant devices.
· USAID did not implement four of eight prior OIG recommendations pertaining to disabling network accounts and maintaining records for offboarded staff.
What We Recommend
· We made five recommendations to USAID to perform risk and security control assessments for two systems, include cybersecurity duties in position descriptions and performance plans, develop and implement policies and procedures for maintaining data and metadata inventories, and implement network monitoring and enforcement mechanisms.
· We also referenced four prior recommendations the Agency has not implemented.
· USAID did not have any comments on the draft report.