Information Security: Review of GAO's Program and Practices for Fiscal Years 2016 and 2017
OIG-18-4: Jul 17, 2018
Objectives
This is a publication by GAO's Office of Inspector General (OIG) that concerns internal GAO operations. This report addresses GAO's fiscal year 2016 and 2017 compliance with the Federal Information Security Modernization Act of 2014 (FISMA) requirements.
What OIG Found
During the period reviewed, GAO continued efforts to improve upon existing capabilities and strengthen its information security controls, particularly in the areas of identity and access management, security training, and continuous monitoring. Our report identifies specific areas, such as configuration management and contingency planning, where additional efforts are needed to further strengthen GAO's information security consistent with FISMA requirements. The issues we identified in this report also highlight how gaps in GAO's implementation of an enterprise-wide risk management program may have contributed to the challenges and heightened risks identified during our audit.
Due to the sensitive nature of our findings, a full report on the results of our audit was prepared for internal GAO use only.
What OIG Recommends
The OIG is making three recommendations to the Comptroller General intended to help the GAO more fully implement federal information security requirements. Specifically, we recommend that GAO document (1) a process to evaluate current and future enterprise IT investment portfolio assets, including risks, and ensure alignment with GAO's IT Strategy for fiscal years 2017-2019 and (2) its plans, policies, and procedures for identifying, prioritizing, and mitigating operational risk related to establishing full failover capabilities at the agency's alternate computing facility in the event of a disaster and preparing for end-of-support upgrades for Windows 7. In addition, we recommend that GAO document and implement a process to identify and track hardware and software interdependencies for GAO's system inventory including vendor support data.
GAO agreed with our recommendations and described actions planned to mitigate the control risks identified in our work. The agency also provided technical comments that we incorporated, as appropriate.
For more information, contact Adam R. Trzeciak at (202) 512-5748 or trzeciaka@gao.gov.