Why We Performed This Audit
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies, including the United States (U.S.) General Services Administration (GSA), to have an annual independent evaluation of their information security program and practices to determine the effectiveness of such program and practices. GSA contracted KPMG LLP (“KPMG” or “we”) to conduct this audit, and the GSA Office of Inspector General (OIG) monitored KPMG’s work to ensure it met professional standards and contractual requirements.
To support the overall performance audit objective, we also performed an external penetration test and internal vulnerability scanning activities over a selected set of GSA-owned information systems in order to identify potential system flaws, misconfigurations, or vulnerabilities that could increase the risk of unauthorized access or elevation of privileges to GSA systems and data.
We conducted a performance audit of GSA’s information security program in accordance with Generally Accepted Government Auditing Standards (GAGAS) and with the Office of Management and Budget’s (OMB’s) most recent FISMA reporting guidance to determine the effectiveness of GSA’s information security program and practices for its information systems for the period of October 1, 2022, through May 31, 2023. In addition to GAGAS, we conducted this performance audit in accordance with Consulting Services Standards established by the American Institute of Certified Public Accountants (AICPA). The technical security testing was completed as of June 21, 2023.
What We Found
Our testing for Fiscal Year (FY) 2023 included procedures at the entity and system levels for five GSA-owned information systems and five contractor-owned information systems. We also followed up on the status of 15 prior year findings. As a result of our procedures and based on the maturity levels calculated in CyberScope, we assessed GSA’s information security program as “Effective” according to OMB guidance. We made this determination based on assessing a majority of the FY 2023 Core and Supplemental Group 1 Inspector General (IG) Metrics (FY 2023 IG FISMA Reporting Metrics) as “Managed and Measurable” and “Optimized.” Specifically, the Identify, Respond, and Recover cybersecurity functions were assessed as “Managed and Measurable,” while the Protect and Detect cybersecurity functions were assessed as “Optimized.”
Based on our testing, we determined that GSA implemented corrective actions to remediate 13 of the 15 prior year findings and that these findings were closed (see Appendix I). However, we determined that the remaining two prior year findings remained open, and also reported two new findings (see Section IV) in the Identify and Protect cybersecurity functions in the following areas:
Cybersecurity Function – Identify
- Plans of Action and Milestones (POA&Ms) – Weaknesses in Timely Update of Entity-Wide and Certain System-Level POA&Ms (Risk Management)
- POA&Ms – Lack of POA&M Documentation for Identified Control Implementation Gap for one GSA-owned information system (Risk Management)
Cybersecurity Function – Protect
- Session Termination – Lack of POA&M Documentation for Identified Control Implementation Gap for one GSA-owned information system (Identity and Access Management)
The nature of these findings did not affect our overall assessment of the Identify or Protect functions after determining the calculated average rating of the 11 IG metrics within the Identify function and the 18 IG metrics within the Protect function.
What We Recommend
We made two recommendations related to the two new findings that should strengthen GSA’s information security program if effectively addressed by management. GSA management should also implement a process to determine if these recommendations apply to other information systems maintained within the organization’s FISMA system inventory.
We recommend that GSA management:
- Document updates in the entity-wide and system-level POA&M listing in a timely manner and include a rationale for delays, milestone changes, or new scheduled completion dates for delayed POA&Ms.
- Document POA&Ms for any required security controls that system security plans (SSPs) list as partially implemented or scheduled for implementation.
GSA management agreed with each of our findings and recommendations. The GSA Chief Information Officer’s (CIO’s) response is included in Section VI.