DFC Implemented an Effective Information Security Program for FY 2021 in Support of FISMA

Our objective was to determine whether the U. S. International Development Finance Corporation (DFC) implemented and effective information security program for fiscal year (FY) 2021, in support of the Federal Information Security Modernization Act of 2014 (FISMA). The OIG contracted with the independent certified public accounting firm of CliftonLarsonAllen LLP (CLA) to conduct the audit. CLA evaluated the effectiveness of DFC’s implementation of CLA reviewed FISMA reporting metrics and also assessed DFC’s implementation of selected controls outlined in the National Institute of Standards and Technology’s Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations.” CLA reviewed three of the four internal and external systems in DFC’s inventory dated February 12, 2021.We found DFC implemented an effective information security program. For example, DFC established an effective security training program, maintained an effective information system continuous monitoring program, and implemented an effective incident handling and response program. However, we did make recommendations to address weaknesses in four of the nine FY 2021 IG FISMA metric domains.