FISMA: USAID Implemented an Effective Information Security Program for Fiscal Year 2024 but Longstanding Weaknesses Persist

Date Issued

Thursday, September 19, 2024

Submitting OIG

U.S. Agency for International Development OIG

Agencies Reviewed/Investigated

U.S. Agency for International Development

Report Number

A-000-24-005-C

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
We recommend that USAID's Chief Information Officer request its cognizant Management Council on Risk and Internal Control to report and track as a significant deficiency to the Agency the risk of not timely disabling network accounts for separated employees and contractors, as identified in Office of Inspector General Report No. A-000-21-004-C, Recommendation 2.
2	No	$0	$0
We recommend that USAID's Chief Human Capital Officer request its cognizant Management Council on Risk and Internal Control to report and track as a significant deficiency to the Agency the risk of not maintaining records evidencing that staff have been offboarded in accordance with Agency policy, as identified in Office of Inspector General Report No. A-000-21-004-C, Recommendation 3.
3	No	$0	$0
We recommend that USAID's Chief Information Officer develop and implement procedures to document deviations from Agency policy on security control assessments, including acceptance of the risk of such deviations.
4	No	$0	$0
We recommend that USAID's Chief Information Officer implement accurate automated dashboards to provide enterprise-wide metrics to inform top management of its information technology risks.
5	No	$0	$0
We recommend that USAID's Chief Information Officer establish and implement a process to track the progress of conducting annual reviews and related lessons learned from the implementation of its Information Security Continuous Monitoring Strategy.
7	No	$0	$0
We recommend that USAID's Chief Information Officer update the event logging checklist to include details of event logging level 3 (advanced) applicability and implement requirements as specified by Office of Management and Budget Memorandum M-21-31.