Recommendation Dashboard

We recommend that USAID's Office of Acquisition and Assistance, Cost. Audit and Support determine the allowability of $2,400 in ineligible direct questioned costs, and $2,597 in unsupported direct questioned costs and collect as appropriate any disallowed amounts from The Mentor Initiative (see page 15 and 23 through 26 of the report).

USAID's Office of Acquisition and Assistance, Cost, Audit and Support ensure that The Mentor Initiative has implemented the auditor's recommendation for the significant deficiency in the report on internal control and the material instance of noncompliance in the report on compliance (see pages 23 through 26 of the report).

We recommend that USAID's Office of Acquisition and Assistance, Cost, Audit and Support, determine the allowabiltiy of $78,896 in unsupported direct questioned costs and collect as appropriate any disallowed amounts from Catholic Relief Services - United States Conference of Catholic Bishops and Affiliates (see page 22 of the report).

We recommend that USAID's Office of Acquisition and Assistance, Cost, Audit and Support, ensure that Catholic Relief Services - United States Conference of Catholic Bishops and Affiliates has implemented the auditor's recommendation for Findings 2016-001 through 2016-004 (see pages 20 through 22 of the report).

USAID/Philippines determine the allowability of and recover, as appropriate, ineligible questioned costs of $8,610 identified in the Fund Accountability Statement on page 10 and further detailed in Exhibit I on pages 22-23 of the report.

USAID/Philippines ensure that Campaigns & Grey Philippines corrects the one material instance of noncompliance identified in the report on compliance on page 20 and further detailed in Exhibit I (Details of Findings) on pages 22-23 of the report and the two issues which we considered as significant deficiencies in internal control as discussed on page 2 of this memorandum and further detailed in Exhibit II (Management Letter and Response) on page 24 of the report.

We recommend that the chief information officer document and implement a process to track and remediate persistent vulnerabilities, or document acceptance of the associated risks.

We recommend that the chief information officer document and implement a process to verify that vulnerability assessment tools are configured to detect vulnerabilities previously undiscovered by internal scans.

We recommend that the chief information officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. The risk and approval, including adequate compensating controls, should be documented if an exception must be made until the unsupported software is migrated to vendor-supported platforms.

We recommend that the chief information officer document and implement a process to verify that Microsoft Windows systems comply with the U.S. Government Configuration Baseline, and to grant and disseminate approved deviations from the baseline configuration settings.

We recommend that the chief information officer document and implement a plan to confirm all internal and external systems are currently authorized to operate.

We recommend that the chief information officer document and implement a plan to annually assess risks for all internal and external systems in accordance with agency policy.

We recommend that the chief information officer establish a process to monitor the operation of the automated script that disables accounts after 90 days of inactivity.

We recommend that the chief information officer (a) identify system owners; (b) require them to verify their procedures for revoking system access accounts for separated and transferred employees and contractors are enforced; and (c) document their responses.

We recommend that the chief information officer document and implement a procedure to check for unauthorized software at established intervals.

We recommend that the chief human capital officer document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.

We recommend that the chief information officer document and implement a
procedure to review and analyze remote access connections.

Determine the allowability of $75,728 in questioned costs, document the determination and recover any amount that is unallowable.

Request MCA-Indonesia submit a corrective action plan to correct the material instances of noncompliance described on pages 21 to 23 of the report

USADF's chief information security officer strengthen the organization-wide information security program in accordance with National Institute of Standards and Technology standards by establishing and implementing documented processes to:
-Establish, communicate, and implement an organization-wide risk management strategy for operation and use of the Foundation's information systems in accordance with National Institute of Standards and Technology standards.
-Review and update the system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." At a minimum, this should include a determination whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.
-Perform information system security assessments on an annual basis in accordance with USADF's policy.
-Review and update the system risk

USADF's chief information security officer develop and implement a documented process to track and remediate vulnerabilities in accordance with USADF's policy. This includes confirming patches are applied in a timely manner and tested prior to implementation in accordance with USADF policy.

USADF's chief information security officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. That process must document the risks, required approvals, and adequate mitigating controls that will be used for unsupported software until it can be migrated to vendor-supported platforms.

USADF's chief information security officer develop and implement a written process to enforce the immediate disabling of employee user accounts upon separation from the organization and perform account recertification in accordance with USADF policy, including adhering to the required frequency for recertifying accounts and providing responses.

We recommend that the Inter-American Foundation's chief information officer remediate unsupported software and configuration related vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

We recommend that the Inter-American Foundation's Chief Information Officer document and implement a process to test system changes and document the results of testing.

We recommend that the Inter-American Foundation's Chief Information Officer document and implement a process to test the Foundation's incident response capabilities.

Document and implement written procedures for account management that include: Completing, approving, and maintaining access request forms. Periodically recertifying users' access rights.

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement procedures for approving access for global administrator accounts.

We recommend that the Millennium Challenge Corporation's Chief Information Officer perform a documented review of current procedures to identify any missing controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal
Information Systems and Organizations. Based on that review, update the documented
procedures to address any missing controls.

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement mobile device policies and procedures that address all applicable mobile device controls as required by the MCC Information System Security Policy.

We recommend that the Millennium Challenge Corporation's Chief Information Officer implement written procedures to conduct and maintain security impact analyses before approving change requests.

OPIC's chief information officer remediate network vulnerabilities identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

OPIC's chief information officer prepare a written authorization to operate each application or service, or decommission them and document the results.

OPIC's chief information officer document and implement an automated process to track the annual reviews of the Information Security Program Plan and update it, if needed.

To help maximize the program's potential to achieve results, we recommend that USAID/Pakistan conduct an assessment of progress made on achieving the Strengthening Citizen Voice and Accountability Program's goals; determine if adjustments to program activities, work plans, or the contract are necessary; and if so implement any actions that can be done before the program ends.

To help maximize the program's potential to achieve results, we recommend that USAID/Pakistan implement a final review process by technical offices before awards are made to verify that they agree with the program's design.

To implement key components, we recommend that USAID/Pakistan implement a plan to increase its monitoring of the Strengthening Citizen Voice and Accountability Program, including making visits to grantee activities as security conditions permit and using the mission's monitoring contractor.

To implement key components, we recommend that USAID/Pakistan require the Trust for Democratic Education and Accountability to implement a plan to add more training in how to be effective civil society organizations, as well as a process to evaluate the impact of the training for ongoing and future grant cycles.

To implement key components, we recommend that USAID/Pakistan review the budget for the Strengthening Citizen Voice and Accountability Program to determine if the award should be amended to reflect a reduction in scope for the public accountability component of the program (component 3), and if so, make the amendment accordingly.