The independent public accounting firm of RMA Associates, LLC, under contract with the Office of Inspector General, audited EAC’s information security program for fiscal year 2024 in support of the Federal Information Security Modernization Act of 2014 (FISMA). The objective was to determine whether EAC implemented an effective information security program.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
1 | No | $0 | $0 | ||
We recommend that the Chief Information Security Officer identify qualitative and quantitative metrics on service level agreements held with third parties, then perform an analysis with monthly reporting received from those third parties to identify metrics that can be measured and documented, on either a monthly or quarterly basis, to ensure that EAC is receiving all contracted services. | |||||
2 | No | $0 | $0 | ||
We recommend that the Chief Information Security Officer develop and implement procedures to leverage the Repository for Software Attestation and Artifacts to obtain sufficient assurance that the security and supply chain controls of systems or services provided by contractors or other entities on behalf of the organization meet FISMA requirements. | |||||
3 | No | $0 | $0 | ||
We recommend that the Chief Information Security Officer provide annual Anti-Counterfeit Training for IT staff with SCRM responsibilities. | |||||
4 | No | $0 | $0 | ||
We recommend that the Election Assistance Commission's Chief Information Officer implement EL3 logging requirements in accordance with Office of Management and Budget memorandum M-21-31. | |||||
6 | No | $0 | $0 | ||
We recommend that the Election Assistance Commission's Chief Information Officer establish and implement a formal Information Security Continuous Monitoring Strategy and an effective monitoring mechanism to track the progress of ongoing lessons learned. | |||||
7 | No | $0 | $0 | ||
We recommend that the Election Assistance Commission's Chief Information Officer identify and employ an automated notification mechanism to test its system level contingency plans thoroughly and effectively. |