Our FY 2012 Federal Information Security Management Act of 2002 (FISMA) review found that the Department had made progress in addressing issues identified in previous FISMA reviews. Specifically, it was compliant in 3 of the 11 reporting metrics: continuous monitoring, contractor systems, and security capital planning. However, we found that 6 of the 11 security control areas we reviewed—risk management, configuration management, remote access management, identity and access management, security training, and contingency planning—contained repeat or modified findings from OIG and contractor reports issued during the prior 3 years. The remaining two metric areas—incident response and reporting, and plan of action and milestones—contained new findings. Without adequate management, operational, and technical security controls in place, the Department’s systems and information are vulnerable to attacks that could lead to a loss of confidentiality and to a loss of integrity resulting from data modification or limited availability of systems. In addition to recommendations we made in the FY 2011 FISMA report, we made 22 new recommendations to assist the Department in establishing and sustaining an effective information security program.
Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
---|---|---|---|---|---|
Department of Education | The U.S. Department of Education’s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012 | Audit | Agency-Wide | View Report | |
Department of the Treasury | The Department of the Treasury Federal Information Security Management Act Fiscal Year 2012 Performance Audit for Collateral National Security Systems | Audit | Agency-Wide | View Report | |
Department of the Treasury | Audit of the United States Mint’s Schedule of Custodial Deep Storage Gold and Silver Reserves as of September 30, 2012 and 2011 | Audit | Agency-Wide | View Report | |
Department of Agriculture | Federal Crop Insurance Corporation/Risk Management Agency's Financial Statements for Fiscal Years 2012 and 2011 | Audit | Agency-Wide | View Report | |
Millennium Challenge Corporation | Audit of the Millennium Challenge Corporation's Fiscal Year 2012 Compliance With the Federal Information Security Management Act of 2002 | Audit | | View Report | |
Office of Personnel Management | Audit of the Federal Employees Health Benefits Program Operations at HealthAmerica Pennsylvania, Inc. | Audit | Agency-Wide | View Report | |
Office of Personnel Management | Audit of Aging Health Benefit Refunds Sample of BlueCross and BlueShield Plans | Audit | Agency-Wide | View Report | |
Department of the Treasury | Report on the Bureau of the Public Debt Trust Fund Management Branch Schedules for Selected Trust Funds as of and for the Year Ended September 30, 2012 | Audit | Agency-Wide | View Report | |
U.S. Agency for International Development | Audit of USAID/Southern Africa's Tuberculosis Activities | Audit | | View Report | |
Federal Deposit Insurance Corporation | Independent Evaluation of the FDIC's Information Security Program-2012 | Audit | Agency-Wide | View Report | |