Independent Auditors’ Performance Audit Report on the U.S. Department of the Interior Federal Information Security Modernization Act for Fiscal Year 2020

The Federal Information Security Modernization Act (FISMA) requires Federal agencies to have an annual independent evaluation of their information security programs and practices. This evaluation is to be performed by the agency’s Office of Inspector General or by an independent external auditor to determine the effectiveness of such programs and practices. The U.S. Department of the Interior (DOI) contracted with KPMG, an independent public accounting firm, to complete a FISMA audit for fiscal year 2020.KPMG reviewed information security practices, policies, and procedures at the DOI Office of the Chief Information Officer and 11 DOI bureaus and offices. The audit revealed that improvements were needed in the areas of risk management, configuration management, identity and access management, the data protection and privacy program, the security training program, and contingency planning. Based on these findings, KPMG made 32 recommendations intended to strengthen the DOI’s information security program as well as those of the bureaus and offices.The DOI’s Office of the Chief Information Officer has concurred with all 32 recommendations and established a target completion date for each corrective action.