Recommendation Dashboard

We recommend that the chief information officer document and implement a process to track and remediate persistent vulnerabilities, or document acceptance of the associated risks.

We recommend that the chief information officer document and implement a process to verify that vulnerability assessment tools are configured to detect vulnerabilities previously undiscovered by internal scans.

We recommend that the chief information officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. The risk and approval, including adequate compensating controls, should be documented if an exception must be made until the unsupported software is migrated to vendor-supported platforms.

We recommend that the chief information officer document and implement a process to verify that Microsoft Windows systems comply with the U.S. Government Configuration Baseline, and to grant and disseminate approved deviations from the baseline configuration settings.

We recommend that the chief information officer document and implement a plan to confirm all internal and external systems are currently authorized to operate.

We recommend that the chief information officer document and implement a plan to annually assess risks for all internal and external systems in accordance with agency policy.

We recommend that the chief information officer establish a process to monitor the operation of the automated script that disables accounts after 90 days of inactivity.

We recommend that the chief information officer (a) identify system owners; (b) require them to verify their procedures for revoking system access accounts for separated and transferred employees and contractors are enforced; and (c) document their responses.

We recommend that the chief information officer document and implement a procedure to check for unauthorized software at established intervals.

We recommend that the chief human capital officer document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.

We recommend that the chief information officer document and implement a
procedure to review and analyze remote access connections.

Determine the allowability of $75,728 in questioned costs, document the determination and recover any amount that is unallowable.

Request MCA-Indonesia submit a corrective action plan to correct the material instances of noncompliance described on pages 21 to 23 of the report

USADF's chief information security officer strengthen the organization-wide information security program in accordance with National Institute of Standards and Technology standards by establishing and implementing documented processes to:
-Establish, communicate, and implement an organization-wide risk management strategy for operation and use of the Foundation's information systems in accordance with National Institute of Standards and Technology standards.
-Review and update the system security plans to reflect National Institute of Standards and Technology Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations." At a minimum, this should include a determination whether the security requirements and controls for the system are adequately documented and reflect the current information system environment.
-Perform information system security assessments on an annual basis in accordance with USADF's policy.
-Review and update the system risk

USADF's chief information security officer develop and implement a documented process to track and remediate vulnerabilities in accordance with USADF's policy. This includes confirming patches are applied in a timely manner and tested prior to implementation in accordance with USADF policy.

USADF's chief information security officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. That process must document the risks, required approvals, and adequate mitigating controls that will be used for unsupported software until it can be migrated to vendor-supported platforms.

USADF's chief information security officer develop and implement a written process to enforce the immediate disabling of employee user accounts upon separation from the organization and perform account recertification in accordance with USADF policy, including adhering to the required frequency for recertifying accounts and providing responses.

We recommend that the Inter-American Foundation's chief information officer remediate unsupported software and configuration related vulnerabilities in the network identified by the Office of Inspector General, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

We recommend that the Inter-American Foundation's Chief Information Officer document and implement a process to test system changes and document the results of testing.

We recommend that the Inter-American Foundation's Chief Information Officer document and implement a process to test the Foundation's incident response capabilities.

Document and implement written procedures for account management that include: Completing, approving, and maintaining access request forms. Periodically recertifying users' access rights.

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement procedures for approving access for global administrator accounts.

We recommend that the Millennium Challenge Corporation's Chief Information Officer perform a documented review of current procedures to identify any missing controls required by National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal
Information Systems and Organizations. Based on that review, update the documented
procedures to address any missing controls.

We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement mobile device policies and procedures that address all applicable mobile device controls as required by the MCC Information System Security Policy.

We recommend that the Millennium Challenge Corporation's Chief Information Officer implement written procedures to conduct and maintain security impact analyses before approving change requests.

OPIC's chief information officer remediate network vulnerabilities identified by the Office of Inspector General's contractor, as appropriate, or document acceptance of the risks of those vulnerabilities.

OPIC's chief information officer prepare a written authorization to operate each application or service, or decommission them and document the results.

OPIC's chief information officer document and implement an automated process to track the annual reviews of the Information Security Program Plan and update it, if needed.

To help maximize the program's potential to achieve results, we recommend that USAID/Pakistan conduct an assessment of progress made on achieving the Strengthening Citizen Voice and Accountability Program's goals; determine if adjustments to program activities, work plans, or the contract are necessary; and if so implement any actions that can be done before the program ends.

To help maximize the program's potential to achieve results, we recommend that USAID/Pakistan implement a final review process by technical offices before awards are made to verify that they agree with the program's design.

To implement key components, we recommend that USAID/Pakistan implement a plan to increase its monitoring of the Strengthening Citizen Voice and Accountability Program, including making visits to grantee activities as security conditions permit and using the mission's monitoring contractor.

To implement key components, we recommend that USAID/Pakistan require the Trust for Democratic Education and Accountability to implement a plan to add more training in how to be effective civil society organizations, as well as a process to evaluate the impact of the training for ongoing and future grant cycles.

To implement key components, we recommend that USAID/Pakistan review the budget for the Strengthening Citizen Voice and Accountability Program to determine if the award should be amended to reflect a reduction in scope for the public accountability component of the program (component 3), and if so, make the amendment accordingly.

USAID/Zambia determine the allowability of the $463,327 in unsupported questioned costs identified on pages 14 to 15 of Deloitte & Touche's audit report and recover from Agribusiness in Sustainable Natural African Plant Product the amounts determined to be unallowable.

USAID/Zambia verify that Agribusiness in Sustainable Natural African Plant Product corrects the one material weakness in internal control detailed on page 20 of Deloitte & Touche's audit report.

USAID/Zambia verify that Agribusiness in Sustainable Natural African Plant Product corrects the two instances of material noncompliance detailed on pages 23 to 24 of Deloitte & Touche's audit report.

USAID/Zambia verify that all closeout requirements with Agribusiness in Sustainable Natural African Plant Product are finalized - that there are no outstanding advances or reimbursements and that a disposition plan is in place.

USAID/Zambia determine the allowability of the $156,500 in questioned costs ($1,697 ineligible and $154,803 unsupported) identified on pages 14 and 17 of Deloitte & Touche's audit report and recover from Agribusiness in Sustainable Natural African Plant Product the amounts determined to be unallowable.

USAID/Zambia verify that Agribusiness in Sustainable Natural African Plant Product corrects the three material weaknesses in internal control detailed on pages 21 to 24 of Deloitte & Touche's audit report.

USAID/Zambia verify that Agribusiness in Sustainable Natural African Plant Product corrects the eight instances of material noncompliance detailed on pages 27 to 35 of Deloitte & Touche's audit report.

USAID/Zambia determine the allowability of the $8,522 in questioned costs ($3,275 ineligible and $5,247 unsupported) identified on pages 14 to 15 of Deloitte & Touche's audit report and recover from Agribusiness in Sustainable Natural African Plant Product the amounts determined to be unallowable.

USAID/Zambia verify that Agribusiness in Sustainable Natural African Plant Product corrects the one material weakness and two significant deficiencies in internal control detailed on pages 21 to 24 of Deloitte & Touche's audit report.

USAID/Zambia verify that Agribusiness in Sustainable Natural African Plant Product corrects the six instances of material noncompliance detailed on pages 27 to 34 of Deloitte & Touche's audit report.