Report File
Date Issued
Submitting OIG
Election Assistance Commission OIG
Agencies Reviewed/Investigated
Election Assistance Commission
Report Number
P25HQ0063-25-07
Report Description

The independent public accounting firm of RMA Associates, LLC, under contract with the Office of Inspector General, audited EAC’s information security program for fiscal year 2025 in support of the Federal Information Security Modernization Act of 2014 (FISMA). The objective was to determine whether EAC implemented an effective information security program.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 7 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details

1 | No | $0 | $0

Develop and implement a contingency plan to address potential future staffing challenges that may arise, to mitigate delays in implementing necessary improvements across the applicable FISMA domains.

2 | No | $0 | $0

Establish and execute a monitoring plan to make sure that all information technology policies and procedures, including referenced standards and guidance, are reviewed and updated in accordance with the timeliness requirements defined by EAC policy.

3 | No | $0 | $0

Implement a continuous monitoring governance, risk, and compliance tool that enables the integration of cybersecurity risk management into the enterprise risk management reporting tool. Capture lessons learned to make any necessary adjustments to the process.

4 | No | $0 | $0

Implement a process to detect and prevent the use of untrusted removable media on the EAC’s network.

5 | No | $0 | $0

Fully document and implement a process that includes a clear business reason for risk acceptance in the event that untrusted removable media must be introduced on the EAC’s network.

6 | No | $0 | $0

Develop compensating controls to reduce the risk that vulnerabilities can be exploited that are caused by the use of untrusted removable media on the EAC’s network.

7 | No | $0 | $0

Schedule and complete annual contingency planning tests. Retain supporting documentation to demonstrate compliance during audits.
