Audit of the U.S. Election Assistance Commission's Compliance with the Federal Information Security Modernization Act for Fiscal Year 2023

Report Information

Date Issued
Report Number
O23HQ0029-23-07
Report Type
Audit
Subject
IT
Description

EAC OIG, through the independent public accounting firm of Brown & Company CPAs and Management Consultants, PLLC, audited EAC’s information security program for fiscal year 2023 in support of the Federal Information Security Modernization Act of 2014 (FISMA). The objective was to determine whether EAC implemented selected security controls for certain information systems in support of FISMA.

Questioned Costs
$0
Funds for Better Use
$0

Status of Recommendations

Open

We recommend EAC OCIO resolve conflicting baseline configuration settings for Windows 10 devices and ensure iPhones meet the agency’s configuration setting requirements.

Open

We recommend EAC OCIO ensure information systems meet STIGs secure configuration settings as required by the agency’s policy.

Open

We recommend EAC OCIO update its hardware inventory system to include the level of detail needed to manage devices according to Federal requirements and document management’s oversight and review.

Open

We recommend EAC OCIO update its POA&M procedures and, in coordination with management, develop and maintain POA&M reports based on Federal requirements.

Open

We recommend EAC OCIO update the agency’s SSP document to align with NIST requirements and include the network environment's current state.

Open

We recommend EAC OCIO fully implement its GRC solution to manage and monitor cybersecurity risk activities required by NIST SP 800-39 and provide a centralized enterprise-wide view of all risk across the agency.