EAC OIG, through the independent public accounting firm of CliftonLarsonAllen, conducted this audit to assess EAC's compliance with the Federal Information Security Management Act (FISMA) and related information security policies, procedures, standards, and guidelines for fiscal year 2017.
EAC's Fiscal Year 2017 Compliance with the Federal Information Security Modernization Act of 2014
Report Information
Status of Recommendations
We recommend that the Acting Chief Information Officer complete the formal timeline and implementation plan for enforcing the use of PIV cards for two-factor authentication at the local network layer through its partnership with GSA.
We recommend that EAC management refine their process to renew interconnection documentation and monitor renewal timeframes going forward.
We recommend that EAC management, in coordination with GSA, ensure that current and signed ATOs are issued for ENS in a manner that does not create any gaps in coverage.
We recommend that the Acting Chief Information Officer implement corrective actions to resolve critical and high-risk vulnerabilities identified related to patching, software upgrades and configuration weaknesses for those systems identified within the...
We recommend that the Acting Chief Information Officer implement a process to scan on a regular basis, built into the larger effort of implementing tools as part of DHS CDM, and remediate the weaknesses noted from those scans.
We recommend that the Acting Chief Information Officer document any deviations from the USGCB baseline to include business justifications for each deviation.
We recommend that the Acting Chief Information Officer revise and implement the EAC-CIO-2010-009 Auditing and Monitoring SOP to outline the frequency of audit log reviews and the responsibilities around all monitoring activities.
We recommend that EAC management document and implement a formal procedure for documenting the review of SOC reports for applicable third-party systems at a defined frequency.
We recommend that the Acting Chief Information Officer review and update the COOP at least annually. We also recommend that EAC management review the business impact analysis supporting the COOP for accuracy semi-annually in alignment with the existing IT...
We recommend that the Acting Chief Information Officer test the COOP annually using a rotating testing schedule that includes a review of the test results and a response to the corrective actions identified in the lessons-learned exercises that follow testing.
We recommend that the Acting Chief Information Officer update the POA&M report to cover all information from required fields and to benchmark the state of corrective action and identify next steps. We also recommend that the Acting Chief Information...