Report File
Date Issued
Submitting OIG
U.S. AbilityOne Commission OIG
Other Participating OIGs
U.S. AbilityOne Commission OIG
Agencies Reviewed/Investigated
Committee for Purchase From People Who Are Blind or Severely Disabled (AbilityOne Program)
Report Description

The objective of the evaluation was to assess the effectiveness of the Commission’s security program and practices across key functional areas as of September 30, 2020. The Commission made progress through implementation of security policies, procedures, and strategies, but lacked quantitative and qualitative measures to assess them. During FY20, there were six findings and nine corresponding recommendations regarding the Commission’s information security program, including:

1. Vulnerabilities not being remediated in a timely manner;
2. Security assessment plan and security assessment report not documented during annual assessment exercises;
3. Back-up data not stored with encryption;
4. Inactive accounts not automatically disabled after 90 days of inactivity;
5. Mobile device usage policy in draft and not finalized, approved or distributed as of year-end; and
6. Enterprise Architecture Policy is currently in draft and not finalized, approved or disseminated.

The overall assessment of the Commission’s FY2020 information security program was deemed effective because the tested, calculated and assessed maturity levels across the functional and domain areas received an overall rating of effective. The Commission implemented the three open prior year recommendations and the report provides nine new recommendations corresponding to six new findings.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
9

U.S. AbilityOne Commission OIG

United States