Information Security: Review of GAO's Program and Practices for Fiscal Years 2016 and 2017

U.S. Government Accountability Office

Information Security: Review of GAO's Program and Practices for Fiscal Years 2016 and 2017

OIG-18-4: Jul 17, 2018

Highlights

View Report (PDF, 1 page)

Share This:

Additional Materials:

Full Report:
- View Report (PDF, 1 page)
Accessible Version:
- (PDF, 1 page)

Contact:

Office of Inspector General
Tonya R. Ford
(202) 512-5748
oig@gao.gov

Objectives

This is a publication by GAO's Office of Inspector General (OIG) that concerns internal GAO operations. This report addresses GAO's fiscal year 2016 and 2017 compliance with Federal Information Security Modernization Act of 2014 (FISMA) requirements.

What OIG Found

During the period reviewed, GAO continued efforts to improve upon existing capabilities and strengthen its information security controls, particularly in the areas of identity and access management, security training, and continuous monitoring. Our report identifies specific areas, such as configuration management and contingency planning, where additional efforts are needed to further strengthen GAO's information security consistent with FISMA requirements. The issues we identified in this report also highlight how gaps in GAO's implementation of an enterprise-wide risk management program may have contributed to the challenges and heightened risks identified during our audit.

Due to the sensitive nature of our findings, a full report on the results of our audit was prepared for internal GAO use only.

What OIG Recommends

The OIG is making three recommendations to the Comptroller General intended to help the GAO more fully implement federal information security requirements. Specifically, we recommend that GAO document (1) a process to evaluate current and future enterprise IT investment portfolio assets, including risks, and ensure alignment with GAO's IT Strategy for fiscal years 2017-2019 and (2) its plans, policies, and procedures for identifying, prioritizing, and mitigating operational risk related to establishing full failover capabilities at the agency's alternate computing facility in the event of a disaster and preparing for end-of-support upgrades for Windows 7. In addition, we recommend that GAO document and implement a process to identify and track hardware and software interdependencies for GAO's system inventory including vendor support data.

GAO agreed with our recommendations and described actions planned to mitigate the control risks identified in our work. The agency also provided technical comments that we incorporated, as appropriate.

For more information, contact Adam R. Trzeciak at (202) 512-5748 or trzeciaka@gao.gov.

View Report (PDF)

Find Recent OIG Work »

Explore Other OIG Information »

Nov 25, 2019

Semiannual Report to Congress, April 1, 2019, through September 30, 2019

OIG-20-1SP:Published: Oct 23, 2019. Publicly Released: Nov 25, 2019.

Sep 30, 2019

Information Security:
Review of GAO's Program and Practices for Fiscal Year 2018

OIG-19-3:Published: Sep 30, 2019. Publicly Released: Sep 30, 2019.

Sep 27, 2019

DATA Act:
Audit of GAO's Fiscal Year 2019, First Quarter, DATA Act Submission

OIG-19-2:Published: Sep 27, 2019. Publicly Released: Sep 27, 2019.

Jul 17, 2018

Information Security:
Review of GAO's Program and Practices for Fiscal Years 2016 and 2017

OIG-18-4:Published: Jul 17, 2018. Publicly Released: Jul 17, 2018.

May 22, 2018

Semiannual Report to Congress, October 1, 2017, through March 31, 2018

OIG-18-2SP:Published: Apr 20, 2018. Publicly Released: May 22, 2018.

May 21, 2018

Debt and Interest Waivers:
Procedures are Needed to Ensure Decisions are Consistent with Federal Requirements

OIG-18-3:Published: May 21, 2018. Publicly Released: May 21, 2018.

Looking for more? Browse all our products here

The Office of Inspector General (OIG) independently conducts audits, evaluations, and other reviews of GAO programs and operations and makes recommendations to promote the agency's economy, efficiency, and effectiveness. The OIG also investigates allegations of potential fraud, waste, mismanagement, and violations of rules and laws related to GAO employees.