EAC OIG, through the independent public accounting firm of Brown & Company CPAs, conducted this audit to assess EAC's compliance with the Federal Information Security Management Act (FISMA) and related information security policies, procedures, standards, and guidelines for fiscal year 2018.
U.S. Election Assistance Commission’s Fiscal Year 2018 Compliance with the Federal Information Security Modernization Act
Report Information
Status of Recommendations
We recommend that the EAC Chief Information Officer develop and implement an Enterprise Risk Management Strategy that will include a risk profile, risk management committee, risk appetite/tolerance levels, risk register, responding to risk, monitoring risk and...
We recommend that the EAC Chief Information Officer document an information security architecture to provide a disciplined and structured methodology for managing risk.
EAC management should remediate the configuration-related vulnerabilities identified in the network, and document the results or document acceptance of the risks of those vulnerabilities.
We recommend that the EAC define and implement a process for conducting assessments of the knowledge, skills and abilities of EAC's cybersecurity workforce.
We recommend that the EAC conduct a baseline assessment of the Agency's cybersecurity workforce that includes (1) the percentage of personnel with IT, cybersecurity, or other cyber-related job functions who hold certifications; (2) the level of...
EAC management should review and approve EAC's information security policies and procedures on an annual basis.
EAC management should implement a remediation plan to commit resources to update all EAC-wide information security policies and procedures on the frequency required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53...
We recommend that EAC OIT develop a Business Impact Analysis.
We recommend that the EAC incorporate the results of the Business Impact Analysis into the analysis and strategy development efforts for the Agency's COOP.