Federal Reports

This report presents the OIG’s assessment of GAO’s compliance with Federal Information Security Modernization Act of 2014 (FISMA) requirements.FISMA requires federal agencies to develop, document, and implement an agency-wide information security program for the information and systems that support their operations and assets, including those provided or managed by another agency or contractor. Although GAO, as a legislative branch agency, is not subject to FISMA, its management has chosen to use FISMA as a set of best practices for its information security program. While GAO has defined an information security program that is generally aligned with FISMA the OIG identified several opportunities for GAO to improve the implementation of its information security program and to ensure alignment with federal best practices.The OIG identified opportunities for GAO to strengthen its risk management program. Specifically, GAO needs to better document a key element of its risk management program, complete impact assessments for all systems, and update it procedures to ensure that standard contract language aligns with NIST guidelines as appropriate.In addition to improvements in risk management, there are also opportunities for GAO to better protect its systems. Information system vulnerabilities, especially those designated as high and critical, need to be remediated in a timely manner. Further, baseline configurations, which help ensure consistent secure deployment of hardware and software, had not been documented for all existing environments.GAO also has opportunities to improve its disaster recovery program. Contingency plan testing did not occur in fiscal year 2018 and one high-impact system did not have a contingency plan defined. Finally, GAO did not complete a business impact analysis which helps to inform contingency planning decisions.The OIG made eight recommendation to strengthen GAO's information security program and practices.

U.S. Customs and Border Protection’s (CBP) Office of Field Operations (OFO) has spent nearly $25.6 million on 279 small scale chemical screening devices that do not identify fentanyl and other illicit narcotics at lower purity levels (10 percent or less). We also found CBP OFO does not have adequate policies for deploying, using, and updating the chemical screening devices. We made four recommendations that will help OFO officers better identify fentanyl and other illicit narcotics at ports of entry. Specifically, we recommended that OFO Executive Assistant Commissioner develop and implement a strategy to ensure all deployed devices are able to identify narcotics at purity levels less than or equal to 10 percent, or provide ports of entry with an alternative method. Further, the Executive Assistant Commissioner should develop a formal strategy to deploy, use, and keep the chemical screening devices updated. CBP concurred with all of the recommendations.