Evaluation of the U.S. AbilityOne Commission’s Compliance with FISMA for Fiscal Year 2021

The Office of the Inspector General is required by the Federal Information Security Modernization Act of 2014 (FISMA) to conduct an annual independent evaluation that determines the effectiveness of the information security program (ISP) and practices of its respective agency. To that end, the Office of Inspector General engaged the independent public accounting firm McConnell & Jones LLP (M&J) to conduct the annual evaluation and complete the FY 2021 IG FISMA Reporting Metrics. The objective of the evaluation was to assess the effectiveness of the Commission’s security program and practices across key functional areas, as of September 30, 2021. The evaluators determined that although the Commission took positive steps to implement policies, procedures and strategies, there are existing improvement opportunities. Specifically, the Commission remediated seven of the nine prior year recommendations leading to their closure at the end of FY 2021. Furthermore, the overall assessment of the Commission’s FY 2021 information security program was deemed effective because the tested, calculated, and assessed maturity levels across the functional and domain areas received an overall rating of effective. However, the evaluators identified two new findings with two corresponding recommendations.