Information Security: Review of GAO's Program and Practices for Fiscal Years 2016 and 2017

OIG-18-4: Jul 17, 2018

Office of Inspector General
Tonya R. Ford
(202) 512-5748


This is a publication by GAO's Office of Inspector General (OIG) that concerns internal GAO operations. This report addresses GAO's fiscal year 2016 and 2017 compliance with Federal Information Security Modernization Act of 2014 (FISMA) requirements.

What OIG Found

During the period reviewed, GAO continued efforts to improve upon existing capabilities and strengthen its information security controls, particularly in the areas of identity and access management, security training, and continuous monitoring. Our report identifies specific areas, such as configuration management and contingency planning, where additional efforts are needed to further strengthen GAO's information security consistent with FISMA requirements. The issues we identified in this report also highlight how gaps in GAO's implementation of an enterprise-wide risk management program may have contributed to the challenges and heightened risks identified during our audit.

Due to the sensitive nature of our findings, a full report on the results of our audit was prepared for internal GAO use only.

What OIG Recommends

The OIG is making three recommendations to the Comptroller General intended to help the GAO more fully implement federal information security requirements. Specifically, we recommend that GAO document (1) a process to evaluate current and future enterprise IT investment portfolio assets, including risks, and ensure alignment with GAO's IT Strategy for fiscal years 2017-2019 and (2) its plans, policies, and procedures for identifying, prioritizing, and mitigating operational risk related to establishing full failover capabilities at the agency's alternate computing facility in the event of a disaster and preparing for end-of-support upgrades for Windows 7. In addition, we recommend that GAO document and implement a process to identify and track hardware and software interdependencies for GAO's system inventory including vendor support data.

GAO agreed with our recommendations and described actions planned to mitigate the control risks identified in our work. The agency also provided technical comments that we incorporated, as appropriate. 

For more information, contact Adam R. Trzeciak at (202) 512-5748 or
