FISMA: USAID Implemented an Effective Information Security Program Through April 14, 2025, Despite Some Concerns

Date Issued

Wednesday, March 4, 2026

Submitting OIG

U.S. Agency for International Development OIG

Agencies Reviewed/Investigated

U.S. Agency for International Development

Report Number

A-000-26-004-M

Report Type

Audit

Location

United States

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
USAID's Chief Information Officer conduct updated risk assessments for the two systems we identified
2	No	$0	$0
USAID's Chief Information Officer perform security controls assessments for the two systems we identified.
3	No	$0	$0
USAID's Chief Information Officer determine whether the Agency included cybersecurity duties in position descriptions and performance plans. If not, take corrective action, including addressing the causes for not doing so.
4	No	$0	$0
USAID's Chief Information Officer determine whether the Agency developed and implemented policies and procedures for maintaining data and metadata inventories for its various data types, including data from third-party providers. If not, take corrective action, including addressing the causes for not doing so.
5	No	$0	$0
USAID's Chief Information Officer determine whether the Agency implemented network monitoring and enforcement mechanisms to identify and disconnect or isolate noncompliant devices. If not, take corrective action, including addressing the causes for not doing so.