Recommendation Dashboard

The Chief Information Officer update the USAID FISMA Cybersecurity Roadmap and Work Plan to address each activity and milestone clearly in the Federal Information Security Management Act action plan.

The Chief Information Officer fully implement a process to test FISMA Action Plan activities identified as complete before closing them in the USAID FISMA Cybersecurity Roadmap and Work Plan.

The Chief Information Officer test activities already identified as complete to verify they have been implemented fully and effectively.

The Chief Information Officer document and implement a formal process to centrally review all USAID security assessment packages for proper selection, documentation, and evaluation of security controls before the packages are sent to the Chief Information Officer for approval.

The Chief Information Officer document and fully implement a plan to ensure that security assessments and authorizations for all USAID major and minor applications are updated to address requirements in National Institute of Standards and Technology Special Publication 800-53, Revision 4.

The Chief Information Officer update the AIDNet contingency plan to include all information required by the National Institute of Standards and Technology, including contingency roles and responsibilities, and activities associated with restoring the system after a disruption or failure, concurrent processing, testing, cleanup, documentation, business impact analysis, and to fully address operations at the Miami Terremark data center.

The Chief Information Officer document and implement a process to periodically review and update the AIDNet contingency plan in accordance with USAID policy.

The Chief Information Officer develop and implement a policy to retain results of backup tests in a central location to allow Agency
managers to verify that the testing is being performed in accordance with USAID policy.

The Chief Information Officer document and fully implement a process to include all weaknesses identified through continuous monitoring in the respective system's plan of action and milestones.

The Chief Information Officer, pending implementation of an automated solution, document and implement a temporary process to identify deviations from baseline configurations, and track and remediate them
appropriately.

The Chief Information Officer document and implement procedures to manage USAID access to the server room at Two Potomac Yards. At a minimum, procedures should cover approving, periodically reviewing, and revoking access to the room.

The Chief Financial Officer update Phoenix security settings to comply with Agency policy, or obtain written authorization from the Chief Information Officer for deviations.

The Chief Financial Officer implement automated controls when possible to ensure that inactive Phoenix accounts are disabled when they reach the inactivity threshold. If management determines that using such controls is not feasible, they should document this decision formally and ensure that mitigating manual controls are in place.

The Chief Information Officer update the existing security assessment and authorization policy to require that the authorizing official and system owner be different individuals.

The Chief Information Officer review and update all system security assessment and authorization packages to ensure that the authorizing official and system owner are different individuals.

The Director for the Office of Acquisition and
Assistance document and implement procedures to ensure that accounts are reviewed and disabled or deleted in accordance with USAID policy.

The Director for the Office of Acquisition and
Assistance review all accounts in GLAAS to determine whether any users have conflicting roles based on updated separation-of-duties guidance, and take action to remove any conflicting roles. If management determines that certain individuals require access in violation of the policy, these exceptions should be documented formally and approved by management. In addition, compensating controls should be identified and put in place to mitigate risks related to these exceptions.

The Director, Office of Education, document and implement formal procedures to review Visa Compliance System accounts periodically for appropriateness.

The Director, Office of Education, document and implement procedures for reviewing Visa Compliance System logs. Procedures should include confirming that logs are reviewed by an individual who does not have high-level administrator access.

The Chief Financial Officer update appropriate Payment Management System agreements with the Department of Health and Human Services to require it to provide information about account management to USAID upon request.

The Director of Management Services update E2 Travel Management Service User Guide to address the following account management activities and implement them accordingly:
- Requiring appropriate approvals for requests to establish accounts
- Activating, modifying, disabling, and removing accounts
- Authorizing and monitoring the use of guest/anonymous and temporary accounts
- Notifying account managers when temporary accounts are no longer required
- Deactivating accounts when required
- Granting access
- Reviewing accounts quarterly

The Director, Office of Human Resources, document and implement a process for verifying that all employees complete the employee exit process before leaving the Agency.

USAID/Afghanistan implement procedures to evaluate whether the Afghan Government has met its commitments, including audit requirements, before the Agency disburses funds to government-to-government projects.

USAID/Afghanistan modify the audit requirements within its government-to-government project documents to describe the Agency-contracted audit process, and communicate to these recipients that additional funding may not be disbursed until audits are completed.

USAID/Afghanistan issue a notice to relevant staff to remind them that the Office of Inspector General's country office should be notified each time the mission awards an audit of a government-to-government project.

USAID/Afghanistan implement procedures that require procurement officials to be included in the team responsible for individual government-to-government projects, as applicable.

USAID/Afghanistan update its on-budget assistance mission order to reflect its current practices.

USAID/Afghanistan schedule and document periodic training courses for officials designated to monitor on-budget assistance.

USAID/Afghanistan develop or update templates for its government-to-government implementation letters to include more clearly defined expectations based on the revised Automated Directives System 220 and lessons learned.

USAID/Afghanistan implement a procedure to confirm that Afghan Government officials responsible for implementing government-to-government projects understand the expectations described within project documents.

USAID/Afghanistan perform an evaluation of its newly implemented process to verify that government-to-government transactions are recorded correctly and promptly, make necessary adjustments, and document the final results.

USAID/South Africa determine the allowability of the $153,656 in questioned costs ($9,524 ineligible and $144,132 unsupported) identified on page 17 of Henk Prinsloo & Partners' audit report and recover from the siyaJabula siyaKhula the amounts determined to be unallowable.

USAID/South Africa ensures that siyaJabula
siyaKhula corrects the five material weaknesses and five significant deficiencies in internal control detailed on pages 26 to 39 of Henk Prinsloo & Partners' audit report.

USAID/South Africa ensures that siyaJabula siyaKhula corrects the eleven instances of material noncompliance detailed on pages 41 to 55 of Henk Prinsloo & Partners' audit report.

The Chief Information Officer place a protective
cover over the emergency power switch to prevent someone from accidentally cutting off the power to the data center.

The Chief Information Officer implement a process to document approvals to changes in the general support system by requiring signatures from the change control board members, in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3, and for audit verification purposes.

The Chief Information Officer update the foundation's continuity of operations plan to reflect its May 2014 Security Categorization of USADF Information Types and Information Systems.

The Chief Information Officer update the foundation's information technology security implementation plan to reflect its May 2014
Security Categorization of USADF Information Types and Information Systems.

USAID/Senegal develop and implement internal procedures to ensure that any deviations from Automated Directive System 591 and the Office of Inspector General's Guidelines for Financial Audits Contracted by Foreign Recipients auditing requirements are documented, justified, and approved.

USAID/Senegal develop and implement internal procedures that require the mission to review and approve recipients' audit contracts for compliance with USAID's policies and applicable regulations, and that performance of these procedures be documented and maintained.

USAID/Senegal develop and implement a formal timeline with its recipients to ensure that the full audit process from hiring an audit firm to submitting the audit report to the Regional Inspector General's office in Dakar is done within the time frame established in USAID policy.

USAID's Assistant Administrator for Management send a written request to the Administrator that he designate a senior-level agency official for privacy with Agency-wide responsibility for information privacy issues, as required by Office of Management and Budget M-05-08.

After final action is taken on Recommendation 1, USAID's Director, Human Resources, modify the written position description of the senior agency official for privacy to fully incorporate responsibility for privacy across the Agency.

After final action is taken on Recommendation 1, the supervisor for the senior agency official for privacy modify the written work objectives for the senior agency official for privacy to fully incorporate accountability for privacy across the Agency.

USAID's Chief Privacy Officer perform a written privacy threshold analysis for the Agency's Wellness Staff Care Web site, https://wellnessstaffcare.usaid.gov, and, based on the results of the analysis, prepare a written privacy impact assessment and written system of record notice, if required.

USAID's Chief Information Security Officer prepare the following for the Agency's Wellness Staff Care Web site, https://wellnessstaffcare.usaid.gov:
-A documented review of the security package for the system.
-A documented review of the security risks if the Agency uses the system.
-A written authorization for the system to operate if the system meets security requirements, or if not, take action to discontinue use of the Web site and document its discontinuation.

USAID's Chief Privacy Officer update the Privacy Office's Training Plan for Basic Privacy Training (September 1, 2013) to:
-Explain what action will be taken when individuals do not meet privacy training requirements.
-Require annual privacy refresher training.

USAID's Chief Privacy Officer develop and implement written annual basic privacy training that covers the following privacy topics:
-The definition of personally identifiable information (PII).
-Applicable privacy laws, regulations, and policies.
-Restrictions on data collection, storage, and use of PII.
-Roles and responsibilities for using and protecting PII.
-Appropriate disposal of PII.
-Sanctions of a security or privacy incident involving PII.
-Roles and responsibilities in responding to PII-related incidents and reporting.
-How to respond to an incident, should one occur.
-Rules for teleworking.

USAID's Chief Privacy Officer develop and implement documented role-based privacy training for the following employees: security staff, human resources staff, contracting officers' staff, financial officers' staff, chief information security office staff, and travel staff.

USAID's Chief Privacy Officer update the Privacy Office's Role-Based Personally Identifiable Information (PII) Training Plan (November 1, 2013) to:
-Require role-based privacy training at least annually for employees in the identified roles who handle personally identifiable information.
-List the privacy topics that will be addressed for travel staff.

USAID's Chief Privacy Officer document and implement a process to maintain records of employees who attend role-based privacy training, to include comparing those records to a list of employees that should receive the training.

USAID's Chief Privacy Officer complete written system of record notices for the Web Time and Attendance System and End-to-End Travel System, and publish them in the Federal Register.

USAID's Chief Privacy Officer develop and implement written procedures to review and update system of records notices on at least a biennial basis.

USAID's Chief Privacy Officer finalize the written privacy impact assessments for Facebook (https://www.facebook.com/USAID), Twitter (https://twitter.com/#!/usaid), and Youtube (http://www.youtube.com/usaidvideo).

USAID's Chief Privacy Officer update and finalize the written privacy impact assessment for Making All Voices Count, (http://www.makingallvoicescount.org) to explain the specific purpose of the Agency's use of the third-party Web site or application, whether and how the Agency will maintain personally identifiable information, and for how long, and what other privacy risks exist and how the Agency will mitigate those risks.

USAID's Bureau for Legislative and Public Affairs, Strategic Adviser for Strategic Communications, post final privacy impact assessments on USAID's official external Web site for the following third-party Web sites and document the results:
-Facebook, https://ww.facebook.com/USAID
-GitHub, https://github.com/USAID
-Linkedin, http://www.linkedin.com/groups?gid=118430
-Making All Voices Count, http://www.makingallvoicescount.org/
-Twitter, https://twitter.com/#!/usaid
-Youtube, http://www.youtube.com/usaidvideo

USAID's Chief Privacy Officer review the FLIKR Web site, http://www.flickr.com/people/usaid-indonesia, and make a written determination whether it may provide personally identifiable information to the Agency, and, based on that determination, prepare a privacy impact assessment, as appropriate.

USAID's Bureau for Legislative and Public Affairs, Strategic Adviser for Strategic Communications, implement a written process to maintain an Agency-wide inventory of third-party Web sites that make personally identifiable information available to the Agency.

USAID's Chief Privacy Officer make a written risk-based determination of the frequency that the data loss prevention tool and Pretty Good Privacy should be monitored, and based on that, implement appropriate corrective actions and document the results.

USAID's Chief Privacy Officer revise its written plan to eliminate the unnecessary collection and use of Social Security numbers, to include time frames for reviewing and eliminating the unnecessary collection and use of partial and full Social Security numbers in Agency forms and systems

After taking final action on Recommendation 19, USAID's Chief Privacy Officer implement its plan to eliminate the unnecessary collection and use of Social Security numbers and document the results.

USAID's Chief Privacy Officer develop and implement documented procedures for reviewing the Agency's personally identifiable information holdings. At a minimum, those procedures must include who is responsible for conducting those reviews, the schedule for conducting them, and how they will be conducted.

USAID's Chief Privacy Officer make the Agency's written schedule for reviewing its personally identifiable information holdings publicly available.

USAID's Chief Privacy Officer prepare written privacy notices and post them on the following Web sites at all locations where the public might make personally identifiable information available to the Agency, as required:
-Facebook, https://www.facebook.com/USAID
-GitHub, https://github.com/USAID
-Linkedin, http://www.linkedin.com/groups?gid=118430
-Making All Voices Count, http://www.makingallvoicescount.org
-Twitter, https://twitter.com/#!/usaid
-YouTube, http://www.youtube.com/usaidvideo

USAID's Chief Privacy Officer develop and implement a written process to periodically review the Agency's inventory of third-party Web sites for completeness, and prepare privacy notices and post them on the Web sites at all locations where the public might make personally identifiable information available to the Agency.

USAID's Chief, Systems Development Branch, either configure the server that hosts http://www.usaid.gov/comment to require the use of Transport Layer Security 1.0 or higher, or if not needed, discontinue collecting "names" on http://www.usaid.gov/comment, and document the results.

USAID's Chief Privacy Officer revise the Privacy Office's Guidance for USAID Breach Response Team (August 2007) to include:
-Instructions on how to handle a delay to send notifications of a privacy breach, including who should make this decision and what they are required to do once the decision is made.
-A statement on whether breached information was encrypted or protected by other means, when appropriate.
-A reassessment of the impact level as defined by the National Institute of Standards and Technology following an information breach.

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken links to the system of record notices on the Agency's external Web site, http://www.usaid.gov/privacy-program, and document the results.

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken link to the privacy impact assessment for AIDNet on the Agency's external Web site, http://www.usaid.gov/privacy-policy//ia-summaries, and document the results.

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following third-party Web sites that make personally identifiable information available to the Agency: Facebook, GitHub, LinkedIn, Making All Voices Count, Twitter, and YouTube.

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following Agency systems that contain personally identifiable information: Agency Correspondence Tracking System, ePerformance, End to End Travel, Partner Vetting System, and Web Time and Attendance System.

USAID's Senior Agency Official for Privacy formally establish in writing the Agency's Privacy Office within the organizational structure.

USAID's Chief Privacy Officer conduct a written comprehensive review of the Agency's privacy program and report any weaknesses identified during that review in the Agency's written plan of action and milestones required by the Federal Information Security Management Act of 2002.

After final action is taken on Recommendation 32, we recommend that USAID's Senior Agency Official for Privacy perform a written comprehensive analysis to determine the resources (including staff, budget, and tools) needed to correct the weaknesses in the Agency's privacy program, and based on that analysis, allocate the resources.

USAID's Chief Information Officer request in writing that the Agency's Management Control Review Committee make a written determination whether the weaknesses in the Agency's privacy program should be reported, tracked, and monitored as a material weakness pursuant to the Federal Managers' Financial Integrity Act of 1982.

USAID/Barbados update its completed Stage 2 risk assessment by conducting a financial review that tests the effectiveness of operational controls of all public financial management systems critical to program implementation and identifies both risks and appropriate risk mitigation actions.

USAID/Barbados assess the potential risk of all the issues noted in work papers but not disclosed or evaluated in the assessment report, and determine what mitigation measures are necessary.

USAID/Honduras implement a risk mitigation plan to address the lack of documentation for the Millennium Challenge Account financial system.

The Office of the Chief Financial Officer update and reissue Stage 2 guidance to clarify the requirement for a completed questionnaire on any future risk assessments, and other requirements.

The Office of Acquisition and Assistance implement a plan to address the limitations identified by survey respondents and other challenges known to hinder the collection, use, and quality of performance information and provide the Office of Management and Budget nd the Naval Sea Logistics Center with a list of systemic challenges and recommendations to improve the Contractor Performance Assessment Reporting System.

The Office of Acquisition and Assistance issue or
revise policies to provide more detailed procedures for writing consistent evaluations, for
documenting past performance and responsibility considerations, for helping contracting officers
communicate and enforce consistent performance evaluations, and for measuring and assessing evaluation quality.

The Office of Acquisition and Assistance develop
methods to improve consistency among its contracting officers, including their timely review of contractor performance evaluations and their documented use of past performance and integrity information when selecting contractors.

The Office of Acquisition and Assistance test
alternative and innovative methods to more effectively organize and communicate the office's
policy, guidance, and resources and to better support contracting and noncontracting staff at the missions and in Washington.

The Office of Acquisition and Assistance implement a plan to widely distribute and monitor the training of both contracting and noncontracting staff at the missions and in Washington on past performance issues identified in this review.

The Office of Acquisition and Assistance implement a
strategy with the Administrator's assistance to increase the accountability of noncontracting staff
for completing quality performance evaluations.

The Office of Acquisition and Assistance issue or
revise policy to provide clear, detailed procedures for obtaining and using reliable past
performance information that helps make positive determinations of applicant responsibility
when awarding assistance instruments; and ensure consistency among its agreement officers, including their use and documentation of past performance information, when awarding assistance instruments.

USAID/South Sudan address the significant control deficiency with the mission's personal property management and document actions taken.

USAID/South Sudan prepare a written list of the minimum replacement standards for nonexpendable property that it manages.

USAID/South Sudan implement procedures to document the reason for disposing of property before the end of its useful life.

USAID/South Sudan prepare a schedule of property in its inventory organized by expected disposal date.

USAID/South Sudan implement written procedures governing the disposal of assets, including adequate records to determine which items were sold, at what price, and to whom, and the timely reconciliation of any differences.

USAID/South Sudan implement written procedures to comply with State Department and USAID requirements to review the number and type of vehicles required for operations in South Sudan.

USAID/South Sudan provide and document training to the motor pool supervisor on the vehicle management information system.

USAID/South Sudan make a written determination of which officials were responsible for noncompliance with regulations regarding the vehicle procurement and document any appropriate remedial actions taken.

USAID/South Sudan implement procedures to identify and document the brand and types of vehicles that need to be procured before asking for quotations, including why these specific vehicles are required.

USAID/South Sudan implement policies and procedures to comply with maintenance requirements.