The Federal Information Security Modernization Act (FISMA) requires OIGs to annually assess the effectiveness of the agency’s information security program. It specifically mandates that each independent evaluation include a test of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems and an assessment of the effectiveness of the information security policies, procedures, and practices of the agency. The FY 2023 FISMA review focused on 20 core and 20 supplemental reporting metrics identified by OMB across 9 domains, using criteria developed by the CIGIE and issued by OMB. Using this framework, we assessed the effectiveness of each security function using maturity level scoring as follows: (1) Ad-hoc, (2) Defined, (3) Consistently Implemented, (4) Managed and Measurable, and (5) Optimized. Level 1, Ad-hoc, is the lowest maturity level and Level 5, Optimized, is the highest maturity level. For a security function to be considered effective, an agency’s security programs must score at or above Level 4, Managed and Measurable.
The auditors determined that the Department’s overall IT security program and practices are effective, as eight of the nine FISMA domains met the requirements needed to operate at a Level 4 maturity rating, indicating that systems security is Managed and Measurable. In addition, the auditors identified potential areas of improvement involving (1) managing information security risks; (2) enforcing two-factor authentication; (3) implementing access provisioning controls for privileged users; and (4) implementing event logging requirements at the enterprise level.
The auditors made 6 recommendations to assist the Department with increasing the effectiveness of its information security programs. In addition, the auditors reviewed previously issued FISMA reports to determine the status of prior recommendations. The auditors found that: (1) one recommendation from FY 2019 remains open; (2) eight of nine FY 2020 prior-year recommendations were closed; (3) all ten FY 2021 prior-year recommendations were closed; and (4) eight of ten FY 2022 prior-year recommendations were closed.