The U.S. Election Assistance Commission (EAC) Office of Inspector General (OIG), through the independent public accounting firm Brown & Company CPAs and Management Consultants, PLLC, audited EAC's information security program for fiscal year 2023 in support of the Federal Information Security Modernization Act of 2014 (FISMA). The objective was to determine whether EAC had implemented selected security controls for certain information systems as FISMA requires.
Audit of the U.S. Election Assistance Commission's Compliance with the Federal Information Security Modernization Act for Fiscal Year 2023
Status of Recommendations
We recommend EAC OCIO (Office of the Chief Information Officer) resolve the conflicting baseline configuration settings for Windows 10 devices and ensure iPhones meet the agency's configuration requirements.
We recommend EAC OCIO ensure information systems meet the Security Technical Implementation Guide (STIG) secure configuration settings required by agency policy.
We recommend EAC OCIO update its hardware inventory system to include the level of detail needed to manage devices according to Federal requirements and document management’s oversight and review.
We recommend EAC OCIO update its Plan of Action and Milestones (POA&M) procedures and, in coordination with management, develop and maintain POA&M reports that meet Federal requirements.
We recommend EAC OCIO update the agency's System Security Plan (SSP) to align with NIST requirements and to reflect the current state of the network environment.
We recommend EAC OCIO fully implement its governance, risk, and compliance (GRC) solution to manage and monitor the cybersecurity risk activities required by NIST SP 800-39 and to provide a centralized, enterprise-wide view of all risk across the agency.