Independent Auditors’ Performance Audit Report on the U.S. Department of the Interior Federal Information Security Modernization Act for Fiscal Year 2018

The Federal Information Security Modernization Act (FISMA) (Public Law 113-283) requires Federal agencies to have an annual independent evaluation of their information security programs and practices. This evaluation can be performed by either the agency’s Office of Inspector General (OIG) or by an independent external auditor, as determined by the OIG, to determine the effectiveness of such programs and practices. KPMG, an independent public accounting firm, performed the DOI fiscal year 2018 FISMA audit under a contract issued by the DOI and monitored by the OIG.KPMG reviewed information security practices, policies, and procedures at the DOI Office of the Chief Information Officer and 11 DOI bureaus and offices, and identified needed improvements in the areas of configuration management, identity and access management, data protection and privacy, contingency planning and incident response. KPMG made 18 recommendations related to these control weaknesses that were intended to strengthen the Department’s information security program, as well as those of the Bureaus and Offices. In its response to the draft report, the Office of the Chief Information Officer concurred with all recommendations and established a target completion date for each corrective action.