Why We Performed This Audit
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies, including the United States (U.S.) General Services Administration (GSA), to have an annual independent evaluation of their information security program and practices to determine the effectiveness of such program and practices. GSA contracted KPMG LLP (“KPMG” or “we”) to conduct this audit, and the GSA Office of Inspector General (OIG) monitored KPMG’s work to ensure it met professional standards and contractual requirements.
We conducted a performance audit of GSA’s information security program in accordance with Generally Accepted Government Auditing Standards (GAGAS) and with the Office of Management and Budget’s (OMB’s) most recent FISMA reporting guidance to determine the effectiveness of GSA’s information security program and practices for its information systems for the period of October 1, 2023, through May 31, 2024. In addition to GAGAS, we conducted this performance audit in accordance with Consulting Services Standards established by the American Institute of Certified Public Accountants.
What We Found
Our testing for Fiscal Year (FY) 2024 included procedures at the entity and system levels for five GSA-owned information systems and five contractor-owned information systems. The FY 2024 Core and Supplemental Group 2 Inspector General (IG) Metrics (FY 2024 IG FISMA Reporting Metrics) established in the FY 2023 – 2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics dated February 10, 2023, served as the basis for our test procedures.
Additionally, to support the overall performance audit objective, we also assessed management’s actions for a selection of penetration test results and findings and performed internal vulnerability scanning activities over a select set of GSA-owned information systems in order to identify potential system flaws, misconfigurations, or vulnerabilities that could increase the risk of unauthorized access or elevation of privileges to GSA systems and data. This technical security testing was completed as of June 27, 2024.
Finally, we followed up on the status of four prior year findings. As a result of our procedures and based on the maturity levels calculated in CyberScope, we assessed GSA’s information security program as “Effective” according to OMB guidance. We made this determination based on assessing a majority of the FY 2024 IG FISMA Reporting Metrics as “Managed and Measurable” and “Optimized.” Specifically, the Identify, Protect, Respond, and Recover cybersecurity functions were assessed as “Managed and Measurable,” while the Detect cybersecurity function was assessed as “Optimized.”
Based on our testing, we determined that GSA implemented corrective actions to remediate two of the four prior year findings and that these findings were closed (see Appendix I). However, we determined that the other two prior year findings remained open. We also reported seven new findings (see Section IV) in the Protect cybersecurity function within the following areas:
Configuration Management
- Configuration Change Control – Lack of Approval for Operating System (OS) Patches Prior to Implementation to the Production Environment
- Flaw Remediation – Configuration, Patch, and Vulnerability Management Programs for Three GSA-owned Information Systems Need Improvement
Identity and Access Management
- Session Termination – Noncompliant Session Termination Period Configuration Setting
- Separation of Duties – Self Approval during Application Account Reauthorization Process for one GSA-owned information system
- Account Management – Access Authorizations for New Database (DB) and OS User Access Not Documented for one GSA-owned information system
Security Training
- Specialized Training – Evidence for Specialized Training for GSA Personnel Not Consistently Completed and Tracked
- Security Training and Awareness – Weakness in Removal of Network Access for Users Not Completing Security Awareness Training
The nature of these findings impacted our assessment of certain FY 2024 IG FISMA Reporting Metrics within the Protect function, which subsequently impacted the calculated average rating of the function.
What We Recommend
We made eight recommendations related to five of the seven new findings that should strengthen GSA’s information security program if effectively addressed by management. GSA management should also consider whether these recommendations apply to other information systems maintained in the organization’s FISMA system inventory and implement remedial action as needed.
We recommend that GSA management:
- Enforce its defined procedures to obtain formal approval of all OS patches to three GSA-owned information systems prior to their implementation in the production environment and to retain associated supporting documentation.
- Establish procedures and processes to enforce compliance with GSA’s configuration and patching requirements on the websites for three GSA-owned information systems.
- Properly update and remediate vulnerabilities and configuration weaknesses throughout the environments for three GSA-owned information systems in accordance with GSA and National Institute of Standards and Technology requirements.
- Establish milestones to perform root cause analysis and remediation of reported vulnerabilities for three GSA-owned information systems, including the creation of Plans of Action and Milestones.
- Enforce proper completion of DB and OS request forms for one GSA-owned information system to include obtaining authorizations from designated management prior to provisioning administrator access to its DB and OS, respectively.
- Validate that access is appropriate for all DB and OS accounts on one GSA-owned information system.
- Commit resources and implement a process to provide and formally track the completion of specialized training for GSA IT security personnel.
- Implement an oversight process to disable access for all new users who do not complete their required Security Awareness training within an agency-defined timeframe that is commensurate with GSA’s risk appetite.
GSA management agreed with each of our findings and recommendations. The GSA Chief Information Officer’s response is included in Section VI.