Recommendation Dashboard

USAID/Indonesia direct RTI International to implement a strategy, including milestone dates, outlining the steps it plans to take to help district governments become more actively involved in facilitating and monitoring service delivery improvements in the program's health and education sectors.

USAID/Indonesia direct RTI International to implement a strategy outlining the steps it plans to take, including milestone dates, for providing additional technical support for Kinerja's service delivery units, particularly those in the program's health and education sectors, and multi-stakeholder forums to promote the sustainability of the program's activities to improve public service delivery.

USAID/Indonesia direct RTI International to implement a strategy to improve the quality of the results data reported under the program's performance indicators. At a minimum, this strategy should include a method for recognizing program achievements that requires that reported achievements are supported adequately, a data quality assurance review of the accumulated balance for each performance indicator to validate the balance based on the supporting records on file, and (3) measures to improve efforts to collect supporting records from Kinerja's field staff and partners in a timely manner.

USAID/Pakistan finalize its mission-wide strategic framework, including a mission-wide performance management plan.

USAID/Pakistan implement a mission-wide monitoring and evaluation plan to cover all aspects of mission programs.

USAID/Pakistan implement a structured system to manage documentation for all monitoring and evaluation assignments.

USAID/Pakistan implement a plan to allocate sufficient resources to manage the Independent Monitoring and Evaluation Program.

USAID/Pakistan immediately terminate the task order issued under the General Services Administration's Federal Supply Schedule contract awarded to Management Systems International and put any remaining funds to better use.

USAID/Pakistan determine the allowability of ineligible questioned costs billed by Management Systems International for technology services that are outside the scope of work listed on the authorized Federal Supply Schedule price list and recover from Management Systems International any amount determined to be unallowable. As of September 30, 2012, these billings totaled $1,303,533.

USAID/Pakistan determine the allowability of ineligible questioned labor costs billed by Management Systems International for cooperating-country nationals that are outside the scope of work authorized by the Federal Supply Schedule price list and recover from Management Systems International any amount determined to be unallowable. As of September 30, 2012, these billings totaled $3,590,098.

USAID/Pakistan determine the allowability of ineligible costs billed by Management Systems International for items outside the scope of work authorized by the Federal Supply Schedule price list - such as travel, other direct costs, subcontractors, general services and administration fees, and subcontract handling fees - and recover from Management Systems International any amount determined to be unallowable. As of September 30, 2012, these billings totaled $2,143,628.

USAID/Pakistan train its contracting staff in the proper use of the General Services Administration's Federal Supply Schedule.

USAID/Pakistan determine the allowability of $28,000 in ineligible questioned costs billed to USAID/Pakistan between June and September 2011 for the salary expenses of Management Systems International's chief of party's spouse and recover from Management Systems International any amount determined to be unallowable.

USAID/Pakistan implement a plan to incorporate existing geographic information systems into a consolidated database.

USAID/Kenya direct the Center for Health Solutions, Kenya, to include in its work plan technical assistance to the Division of Leprosy, Tuberculosis, and Lung Disease to develop a financial sustainability plan that includes improved cost efficiency for tuberculosis programs.

USAID/Kenya implement a plan to improve coordination between the Division of Leprosy, Tuberculosis, and Lung Disease and implementing partners reporting indicator results pertaining to patients infected with tuberculosis and HIV.

USAID/Kenya implement a plan to commission a new data quality assessment of tuberculosis performance indicators that complies with USAID's requirements. The assessment should contain overall conclusions on the data management system, including systemic problems, if applicable, and mission officials should review the final assessment report to verify that it complies with USAID requirements.

USAID/Uganda take appropriate action regarding the statement contained in the training material for the Inter-Religious Council of Uganda's district interfaith networks and document the results.

The Chief Information Officer review the controls documented within the USAID common controls system security plan and update the descriptions to specifically describe the control that is planned or in place.

The Chief Information Officer review agency
system security plans to determine whether they point to the USAID common control system security plan. If so, determine whether that plan adequately addresses the referenced control.

The Chief Information Officer implement documented procedures to be sure that scheduled completion dates identified in the plan of action and milestones are reasonable.

The Chief Information Officer implement documented procedures to be sure that scheduled completion dates are met when applicable.

USAID's Director, Office of Human Resources; Director, Management Policy, Budget, and Performance; Director, Office of Security; and Director, Office of Acquisition and Assistance, coordinate with each other to implement documented procedures to notify USAID system administrators when an employee or contractor leaves the agency or is transferred.

The Chief Information Officer implement a documented process to test the AIDNet contingency plan annually in compliance with USAID policy.

The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7260 and 7687 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer complete planned corrective actions for AIDNet to be sure that plan of action and milestone items 7691, 7692, 7693, 7694, 7695, 7696, 7697, and 7698 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7657, 7658, 7659, 7660, 7661, 7662, 7330, and 7679 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer complete planned corrective actions for AIDNet to make sure that plan of action and milestone items 7689 and 7690 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Information Officer implement documented procedures to make sure that Agency Secure Image and Storage Tracking system accounts are removed or disabled in a timely manner.

The Chief Information Officer review inactive Agency Secure Image and Storage Tracking system accounts, and disable or delete them in accordance with USAID policy.

The Chief Information Officer review all security controls identified as inherited in the Agency Secure Image and Storage Tracking system security plan to make sure each control is categorized appropriately. When a portion of a control is handled within the system, the control should be identified as hybrid or specific to the system.

The Chief Information Officer complete planned corrective actions for the Agency Secure Image and Storage Tracking system to be sure that plan of action and milestone item 7447 is remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Director, Office of Foreign Disaster Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone item 2013-7790 is remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are disabled or deleted immediately when an individual with OFDANet access leaves the agency or no longer needs such access.

The Director, Office of Foreign Disaster Assistance, implement documented account management procedures that confirm that accounts are reviewed when inactive for 90 days and disabled or deleted if no longer required.

The Director, Office of Foreign Disaster
Assistance, complete planned corrective actions for OFDANet to make sure that plan of action and milestone items 2013-7782, 2013-7783, and 2013-7784 are remediated in a timely manner or an appropriate acceptance of risk has been performed.

The Chief Financial Officer comply with National Institute of Standards and Technology, Office of Management and Budget, and USAID risk management requirements by carrying out formal security assessment and authorization procedures over the Electronic Cash Reconciliation Tool.

The Chief Financial Officer update Electronic
Cash Reconciliation Tool account management procedures to be sure they are addressing all National Institute of Standards and Technology Special Publication 800-53 revision 3 AC-2 controls, including reviewing accounts for inactivity, disabling accounts in a timely manner, recertifying accounts, and logging the activities of the system administrator's account management activities.

The Chief Financial Officer complete a
recertification of all Electronic Cash Reconciliation Tool user accounts on a periodic
basis in accordance with National Institute of Standards and Technology and USAID requirements to make sure that continued access remains appropriate and the level of access granted is commensurate with the individual's responsibilities.

The Chief Financial Officer implement documented procedures to disable Electronic Cash Reconciliation Tool user accounts that have never logged on or have not logged on within the specified time frame in accordance with National Institute of Standards and Technology and USAID
requirements.

The Chief Financial Officer implement documented procedures to remove Electronic Cash Reconciliation Tool accounts associated with individuals no longer supporting USAID in a timely manner.

The Chief Financial Officer implement documented procedures to audit Electronic Cash Reconciliation Tool account creations and removals.

The Director, Office of Acquisition and
Assistance, update the Global Acquisition and Assistance System security plan to document all National Institute of Standards and Technology Special Publication 800-53 revision 3 control descriptions and their implementation statements.

The Director, Office of Acquisition and Assistance, implement documented procedures to make sure all inactive Global Acquisition and Assistance System user accounts are identified and disabled or deleted if determined not needed.

The Director, Office of Acquisition and
Assistance, implement documented procedures for reviewing all Global Acquisition and Assistance System audit logs in accordance with USAID policy.

The Director, Office of Acquisition and
Assistance, implement documented procedures to test the Global Acquisition and Assistance System contingency plan annually in compliance with USAID policy.

The Chief Financial Officer document memorandums of understanding and/or service-level agreements with all agencies and organizations storing or processing Phoenix data, including but not limited to: a. Department of Health and Human Services; b. Carlson Wagonlit Travel; c. Department of Treasury; d. Department of State.

USAID/Dominican Republic work with its implementing partner to revise the program's performance management plan to include definitions for each indicator including the data source and collection methodology, results disaggregated by gender, and updated targets and actual results.

USAID/Dominican Republic update the education team's performance management plan, and confirm that it agrees with indicators being reported in the program performance management plan and the
performance plan and report.

USAID/Dominican Republic work with its implementing partner to implement an improved record-keeping system that supports each reported result.

USAID/Dominican Republic implement a site visit plan that includes frequent visits and data verification.

USAID/Dominican Republic, in conjunction with its implementing partner, verify in writing that all necessary training information is entered into USAID's Training Results and Information Network.

USAID/Dominican Republic provide and document training to its staff on how to report results in USAID's Training Results and Information Network.

USAID/Dominican Republic work with its implementing partner to implement a sustainability plan, and document the experiences
and lessons learned during the program as required by the agreement.

USAID/Dominican Republic work with its implementing partner to update its branding and marking plan, including the use of banners or posters with the USAID logo during training sessions.

USAID/Dominican Republic modify its agreement to include changes to the program's activity description and add required standard provisions.

USAID/Dominican Republic work with its implementing partner to document success stories in its partner's fiscal year 2013 annual report.

USAID/Yemen finalize its approach for the remainder of the Community Livelihoods Project by formally modifying the cooperative agreement.

USAID/Yemen require Creative Associates International Inc. to update its project and performance management plans to reflect the changes in the modification.

USAID/Yemen perform a documented review of its standard operating procedures with the Yemen Monitoring and Evaluation Project and, if necessary, amend the procedures to improve the communication of key findings.

USAID/Yemen require Creative Associates
International Inc. to implement a performance management plan that includes the Yemen Monitoring and Evaluation Project's role, authorities, and responsibilities as thirdparty
monitors for the Community Livelihoods Project, as outlined in the mission's procedures.

USAID/Yemen require Creative Associates
International Inc. to update its performance management plan to include a control system to validate the delivery of goods.

USAID/Yemen require Creative Associates
International Inc. to update its performance management plan to clearly delineate its
responsibility for monitoring project activities and reporting findings in an accurate, timely
fashion.

USAID/Yemen require Creative Associates
International Inc. to improve its data reporting by consolidating the data system, implementing a procedure manual to formalize data collection, and implementing a data validation system.

USAID/Yemen deobligate funds associated with activities eliminated from the project.

USAID/Yemen conduct a written analysis to
determine whether the project would benefit from creating a new funds control system. If so, it should implement the system to track funds for the remainder of the project.

The Inter-American Foundation Chief Information Officer remediate vulnerabilities in the network identified by the Office of Inspector General's contractor, as appropriate, and document the results or document acceptance of the risks of those vulnerabilities.

The Inter-American Foundation Chief Information Officer establish in writing patch time frame requirements to make sure known vulnerabilities are remediated.

The Inter-American Foundation Chief Information Officer implement a written process to review the virtual private network device configuration and to either disable nonessential and insecure services or document acceptance of the risks.

The Inter-American Foundation Chief Information Officer document and implement audit and accountability procedures to include monitoring, reviewing, and analyzing event logs on a schedule defined by the organization for indications of inappropriate or unusual activity.

The Inter-American Foundation Chief Information Officer document and implement a baseline configuration for the Enterprise Network.

The Inter-American Foundation Chief Information Officer either update the foundation's policies, procedures, and network password settings to ensure compliance with the U. S. Government Configuration Baseline standards or document deviations from those standards in the foundation's Information System Security Program and System Security Plan and document acceptance of the risk.

The Inter-American Foundation Chief Information Officer document and implement a process to maintain an up-to-date plan of action and milestones and to implement corrective actions in a timely manner.

The Inter-American Foundation Chief Information Officer implement a documented process to review and update the Enterprise Network System Security Plan annually or as significant system changes
occur to make sure the security requirements and controls for the system are documented adequately and reflect the current operating environment of the information system.

USAID/Morocco revise the memorandum of understanding with the Direction Generale des Collectivites Locales to reactivate and formalize the existence of the steering committee, and define its role and agenda.

USAID/Morocco perform a data quality assessment for activities under the Democracy and Governance Program in accordance with USAID requirements and document the results.

USAID/Morocco review its active awards portfolio to identify awards missing the required antitrafficking and environmental language, and implement a plan to include the missing language in future amendments to these awards.

USAID/Morocco require RTI International to include the required antitrafficking and environmental language in all active subawards.

The Overseas Private Investment Corporation Chief Information Officer develop, document, and implement National Institute of Standards and Technology-approved configuration baselines for the following software platforms utilized by OPICNet: Windows Server (all versions, Microsoft SQL Server (all versions), Oracle 9, Microsoft Internet Information Server.

The Overseas Private Investment Corporation Chief Information Officer conduct configuration baseline monitoring of the following software platforms in accordance with organizational policies and procedures and document the results: Windows Server (all versions), Microsoft SQL Server (all versions, Oracle 9, Microsoft Internet Information Server.

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that: Guest accounts are used as specified in organizational policies and procedures. Accounts inactive for more than 30 days are disabled. Temporary accounts are disabled or removed after 48 hours unless otherwise noted. Terminated individuals' accounts are removed or disabled within a Corporation-specified time frame upon departure. User accounts are disabled properly or removed upon the account expiration date. Account recertifications are conducted at least annually.

The Overseas Private Investment Corporation Chief Information Officer implement audit tools that effectively capture and report all auditable events as required by the Corporation's policies and procedures, and document the results, including: Successful and unsuccessful account logon events, Account management events, Object access, Policy change, Privilege functions, Process tracking, System events, Remote access sessions.

The Overseas Private Investment Corporation Chief Information Officer create a written plan of action and milestones item to track the remediation and establishment of an alternate processing site.

The Overseas Private Investment Corporation Chief Information Officer establish and approve an appropriate written agreement with an alternate processing site to permit the resumption of information system operations for critical mission/business functions when the primary processing capabilities are unavailable in accordance with National Institute of Standards and Technology requirements.

The Overseas Private Investment Corporation Chief Information Officer complete planned corrective actions for OPIC Network to confirm that the plan of action and milestones items for the following are remediated in a timely manner, or perform an appropriate acceptance of risk, and document the results: External access permitted to internal hosts; Insecure Outlook Web access; Unenforced policy (firewalls, demilitarized zone, Internet access content filtering); Unpatchable systems (APPX); Several vulnerabilities and misconfigurations were identified on publicly facing devices.

The Overseas Private Investment Corporation Chief Information Officer implement a written process to confirm that users complete initial security awareness training before they are granted access to the Corporation's network in accordance with OPIC Information System Security Policy, Version 1.0 (ISSP-2013-v1), section 7.3, Awareness and Training.

The Overseas Private Investment Corporation Chief Information Officer revise its OPIC Information System Security Policy to require annual role-based security training in accordance with National Institute of Standards and Technology requirements.

The Overseas Private Investment Corporation Chief Information Officer implement a written role-based security training course for users with significant security responsibilities.

The Overseas Private Investment Corporation Chief Information Officer fully implement procedures to confirm that the System for Awards Management and E2 Solutions system interconnections have been reviewed for appropriate implementation of external agencies' security controls and document the results.

Overseas Private Investment Corporation Chief Information Officer: Define and document information security risk tolerance consistent with the organizational risk tolerance. Implement written procedures to ensure future riskbased decisions are made taking into account the Corporation's defined information security risk tolerance.

The Overseas Private Investment Corporation Chief Information Officer document and implement procedures to confirm that all users sign the Corporation's rules of behavior prior to being granted access to OPIC Network.

The Overseas Private Investment Corporation Chief Information Officer include in the written plan of action and milestones an estimate of funding resources required to resolve weaknesses, as required by Office of Management and Budget Memorandum 02-01.