Submitting OIG:
Report Description:
This report presents the OIG’s assessment of GAO’s compliance with Federal Information Security Modernization Act of 2014 (FISMA) requirements.
FISMA requires federal agencies to develop, document, and implement an agency-wide information security program for the information and systems that support their operations and assets, including those provided or managed by another agency or contractor. Although GAO, as a legislative branch agency, is not subject to FISMA, its management has chosen to use FISMA as a set of best practices for its information security program. While GAO has defined an information security program that is generally aligned with FISMA, the OIG identified several opportunities for GAO to improve the implementation of its information security program and to ensure alignment with federal best practices.
The OIG identified opportunities for GAO to strengthen its risk management program. Specifically, GAO needs to better document a key element of its risk management program, complete impact assessments for all systems, and update its procedures to ensure that standard contract language aligns with NIST guidelines as appropriate.
In addition to improvements in risk management, there are also opportunities for GAO to better protect its systems. Information system vulnerabilities, especially those designated as high and critical, need to be remediated in a timely manner. Further, baseline configurations, which help ensure consistent secure deployment of hardware and software, had not been documented for all existing environments.
GAO also has opportunities to improve its disaster recovery program. Contingency plan testing did not occur in fiscal year 2018, and one high-impact system did not have a contingency plan defined. Finally, GAO did not complete a business impact analysis, which helps to inform contingency planning decisions.
The OIG made eight recommendations to strengthen GAO's information security program and practices.
Short / Alternative Report Title:
GAO's Fiscal Year 2018 FISMA Assessment
Date Issued:
Monday, September 30, 2019
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
OIG-19-3
Location(s):
Agency-Wide
Type of Report:
Audit
View Document:
| Attachment | Size |
|---|---|
| GAO OIG-19-3.pdf | 137.66 KB |