The Federal Information Security Modernization Act (FISMA) for fiscal year (FY) 2017. FISMA (Public Law 113-283) requires Federal agencies to have an annual independent evaluation of their information security programs and practices. This evaluation can be performed by either the agency’s Office of Inspector General (OIG) or by an independent external auditor, as determined by the OIG, to determine the effectiveness of such programs and practices. KPMG, an independent public accounting firm, performed the DOI FY 2017 FISMA audit under a contract issued by the DOI and monitored by the OIG.

KPMG reviewed information security practices, policies, and procedures at the DOI Office of the Chief Information Officer and 15 DOI bureaus and offices, and identified needed improvements in the areas of risk management, configuration management, identity and access management, and information system continuous monitoring. KPMG made 20 recommendations intended to strengthen the Department’s information security program, as well as those of the Bureaus and Offices. In its response to the draft report, the Office of the Chief Information Officer concurred with all recommendations and established a target completion date for each corrective action.
Report File
Date Issued
Submitting OIG: Department of the Interior OIG
Other Participating OIGs: Department of the Interior OIG
Agencies Reviewed/Investigated: Department of the Interior
Components: Departmentwide
Report Number: 2017-ITA-052
Report Description
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 20
Questioned Costs: $0
Funds for Better Use: $0