The Federal Information Security Modernization Act (FISMA) requires Offices of Inspector General (OIGs) to assess annually the effectiveness of their agency’s information security program. Each independent evaluation must include a test of the effectiveness of the information security policies, procedures, and practices of a representative subset of the agency’s information systems, together with an assessment of the effectiveness of the agency’s information security policies, procedures, and practices as a whole.

The FY 2023 FISMA review focused on 20 core and 20 supplemental reporting metrics identified by the Office of Management and Budget (OMB), using criteria developed by the Council of the Inspectors General on Integrity and Efficiency (CIGIE) and issued by OMB. Using this framework, the effectiveness of each security function was assessed on a five-level maturity scale: (1) Ad-hoc, (2) Defined, (3) Consistently Implemented, (4) Managed and Measurable, and (5) Optimized. Level 1, Ad-hoc, is the lowest maturity level and Level 5, Optimized, is the highest. For a security function to be considered effective, an agency’s security program must score at or above Level 4, Managed and Measurable.

The auditors determined that the Department’s overall IT security program and practices are effective. In addition, the auditors identified potential areas of improvement involving (1) managing information security risks; (2) enforcing two-factor authentication; (3) implementing access provisioning controls for privileged users; and (4) implementing event logging requirements at the enterprise level.
Wednesday, September 13, 2023