The General Services Administration’s information security practices contain deficiencies in five of eight FISMA program areas, according to an independent evaluation done by KPMG, a professional auditing company.
The practices are based on FISMA requirements, Office of Management and Budget policy, and National Institute of Standards and Technology guidelines.
“While the security program has been implemented across the GSA, we identified 16 deficiencies that we reported to GSA management in five of eight FISMA metric domains,” the report said. “We have made 26 recommendations related to these deficiencies that, if effectively addressed by management, should strengthen the respective information systems and the GSA’s information security program.”
The Federal Information Security Management Act establishes requirements for federal agency information security practices and mandates that agencies undergo an annual, independent evaluation of those practices, performed by the agency inspector general or an independent auditor. The report, published in December 2016 and released to the public on Thursday, evaluated GSA security practices for fiscal year 2016 and offered recommendations for improvement.
The KPMG report found deficiencies in the areas of risk management, contractor systems, configuration management, identity and access management, and contingency planning.
“The overall objectives for this FISMA evaluation were to conduct an independent evaluation of the information security program and practices of GSA to assess the effectiveness of such programs and practices for the year ending September 30, 2016,” the report said.
The report also found that GSA had closed or partially closed all of the findings from the 2014 and 2015 evaluations.
In a written response to the report, the GSA CIO agreed with the findings and presented corrective action plans that KPMG deemed responsive to its recommendations.