The Federal Information Security Modernization Act (FISMA) requires OIGs to annually assess the effectiveness of the agency’s information security program. Each independent evaluation must include a test of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems and an assessment of the effectiveness of the information security policies, procedures, and practices of the agency. For FY 2024, the auditors determined that the Department’s overall IT security program and practices are effective as eight out of the nine FISMA domains met the requirements needed to operate at a Level 4 maturity rating (Managed and Measurable) or higher. The auditors also identified a total of six conditions across the nine FISMA domains indicating potential areas of improvement for the Department.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1.1 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to capture the missinghardware data elements for each identified system and assess whether other information systems may be missing similaror related data elements. | |||||
| 1.2 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to further define the oversightcontrols that are in the current policy to ensure all Departmental systems consistently utilize the inventory template whencompleting/updating the hardware inventory. | |||||
| 1.3 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to capture the missingsoftware data elements for each identified system and assess whether other information systems may be missing similaror related data elements. | |||||
| 1.4 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to further define the oversightcontrols that are in the current policy to ensure all Departmental systems consistently utilize the inventory template whencompleting/updating the software inventory. | |||||
| 3.1 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to review and approve theUSDS-MaxED/AidVntge and EDAWSEW MOU. Furthermore, the Department and FSA should update existingprocedures and ensure all MOUs reflect the appropriate two-year review cycle. | |||||
| 2.1 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to implement a process tomonitor that PRDs are reviewed and signed prior to the security investigation. | |||||
| 2.2 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to implement an automationprocess to centrally document, track, and share risk designation and screening information. | |||||
| 2.3 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to reinforce their process fordocumenting the authorization, review, and approval of PUAs. | |||||
| 2.4 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require the Department and FSA to develop enhanced monitoring controls to ensure proper internal controls mechanisms and processes are strictly enforced. | |||||
| 2.5 | Yes | $0 | $0 | ||
| The auditors recommend that the Chief Information Officer require Departmental Principal Offices re-evaluate the use ofPIV alternates/exemptions across the organization, and modify onboarding procedures, as needed, to support a newstrategic direction which aligns with HSPD-12. | |||||
