
EAC's Fiscal Year 2017 Compliance with the Federal Information Security Modernization Act of 2014

Report Information

Date Issued:
Report Number: I-PA-EAC-02-17
Report Type: Audit
Subject: IT
Description

EAC OIG, through the independent public accounting firm of CliftonLarsonAllen, conducted this audit to assess EAC's compliance with the Federal Information Security Management Act (FISMA) and related information security policies, procedures, standards, and guidelines for fiscal year 2017.

Questioned Costs: $0
Funds for Better Use: $0

Status of Recommendations

Closed

We recommend that the Acting Chief Information Officer complete the formal timeline and implementation plan for enforcement of the use of PIV cards for two-factor authentication at the local network layer through its partnership with GSA.

Closed

We recommend that EAC management refine its process to renew interconnection documentation and monitor renewal timeframes going forward.

Closed

We recommend that EAC management, in coordination with GSA, ensure current and signed ATOs are issued for ENS that do not create any gaps in coverage.

Closed

We recommend that the Acting Chief Information Officer implement corrective actions to resolve critical and high-risk vulnerabilities identified related to patching, software upgrades and configuration weaknesses for those systems identified within the...

Closed

We recommend that the Acting Chief Information Officer implement a process to scan on a regular basis and remediate weaknesses noted from those scans that is built into the larger effort of implementing tools as part of DHS CDM.

Closed

We recommend that the Acting Chief Information Officer document any deviations from the USGCB baseline to include business justifications for each deviation.

Closed

We recommend that the Acting Chief Information Officer revise and implement the EAC-CIO-2010-009 Auditing and Monitoring SOP to outline the frequency of audit log reviews and responsibilities around all monitoring activities.

Closed

We recommend that EAC management document and implement a formal procedure for documenting the review of SOC reports for applicable third-party systems at a defined frequency.

Closed

We recommend that the Acting Chief Information Officer review and update the COOP at least annually. We also recommend that EAC management review the business impact analysis supporting the COOP for accuracy semi-annually in alignment with the existing IT...

Closed

We recommend that the Acting Chief Information Officer test the COOP annually using a rotating testing schedule that includes review of the test results and response to corrective actions identified as part of lessons-learned exercises subsequent to testing.

Closed

We recommend that the Acting Chief Information Officer update the POA&M report to cover all information from required fields and to benchmark the state of corrective action and identify next steps. We also recommend that the Acting Chief Information...