Why We Performed This Audit
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies, including the United States General Services Administration (GSA), to have an annual independent evaluation of their information security program and practices to determine the effectiveness of such program and practices. GSA contracted KPMG LLP (“KPMG” or “we”) to conduct this audit, and the GSA Office of Inspector General monitored KPMG’s work to ensure it met professional standards and contractual requirements.
We conducted a performance audit of GSA’s information security program in accordance with Generally Accepted Government Auditing Standards (GAGAS) and with the Office of Management and Budget’s (OMB’s) most recent FISMA reporting guidance to determine the effectiveness of GSA’s information security program and practices for its information systems for the period of October 1, 2024, through May 31, 2025. In addition to GAGAS, we conducted this performance audit in accordance with Consulting Services Standards established by the American Institute of Certified Public Accountants.
What We Found
Our testing for Fiscal Year (FY) 2025 included procedures at the entity and system levels for five GSA-owned information systems and five contractor-owned information systems. The FY 2025 Inspector General (IG) FISMA Reporting Metrics, established in the FY 2025 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics document dated April 3, 2025 (the FY 2025 IG FISMA Reporting Metrics), served as the basis for our test procedures.
To support the overall performance audit objective, we also performed external vulnerability scanning and penetration testing activities over a selected GSA-owned information system, and performed internal vulnerability scanning activities over three selected GSA-owned information systems in order to identify potential system flaws, misconfigurations, or vulnerabilities that could increase the risk of unauthorized access or elevation of privileges to GSA systems and data. This technical security testing was completed as of June 25, 2025.
Additionally, we followed up on the status of nine prior years’ findings. Based on our testing, we determined that GSA management implemented corrective actions to remediate seven of the nine prior years’ findings, and that these findings were closed (see Appendix I). However, we determined that two prior years’ findings remained open, and we also reported three new findings (see Section IV) in the Protect cybersecurity function within the following areas:
Configuration Management
- Flaw Remediation – Remediation and Tracking of Vulnerabilities Not in Adherence with GSA Policy for two GSA-owned information systems
Identity and Access Management
- Least Privilege and Separation of Duties – Initial Access Authorization Not Documented Prior to Access Provisioning for New Privileged User for one GSA-owned information system
- Least Privilege and Separation of Duties – Privileged User Self-Reviewed Access During Periodic User Access Review for one GSA-owned information system
The nature of these findings impacted our assessment of certain FY 2025 IG FISMA Reporting Metrics within the Protect function, which was then factored into the calculated average rating of the function.
As a result of our procedures and based on the maturity levels calculated in CyberScope, we assessed GSA’s information security program as “Effective” according to OMB guidance. We made this determination based on the calculated averages of the FY 2025 IG FISMA Reporting Metrics being assessed as “Managed and Measurable” or “Optimized.” Specifically, the calculated averages of metrics in the Govern, Identify, Protect, Respond, and Recover cybersecurity functions were assessed as “Managed and Measurable,” while the Detect cybersecurity function was assessed as “Optimized.”
What We Recommend
We made one recommendation related to one of the three new findings that should strengthen GSA’s information security program if effectively addressed by management. GSA management should also consider whether this recommendation applies to other information systems maintained in the organization’s FISMA system inventory and implement remedial action as needed.
We recommend that GSA management:
- Implement a secondary, independent review of access for the user(s) responsible for performing the periodic user access review for one GSA-owned information system, so that these users do not review their own access.
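The two Identity and Access Management findings above (a privileged user reviewing their own access during the periodic review, and privileged access provisioned before authorization was documented) are both separation-of-duties checks that can be enforced mechanically on the records an access-review process already produces. The following is an added illustration, not tooling from the audit or from GSA: it runs two such checks over constructed review and provisioning records (all names, dates and field layouts are assumptions made for the example) and reassigns any self-review to an independent reviewer, which is the substance of the recommendation.

```python
"""Separation-of-duties checks over periodic access-review and provisioning records.

Added example with constructed sample data; not GSA records and not the auditor's tooling.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class ReviewEntry:
    reviewee: str        # account whose access is being certified
    reviewer: str        # account that attested to it
    privileged: bool     # whether the reviewed account holds privileged access


@dataclass(frozen=True)
class ProvisioningEntry:
    user: str
    privileged: bool
    provisioned_on: date
    authorized_on: Optional[date]   # None when no approval record exists


def find_self_reviews(entries: List[ReviewEntry]) -> List[ReviewEntry]:
    """Entries where the reviewer certified their own access (a SoD violation)."""
    return [e for e in entries if e.reviewer == e.reviewee]


def assign_independent_reviewer(entries: List[ReviewEntry],
                                independent_reviewer: str) -> List[ReviewEntry]:
    """Reassign every self-review to an independent reviewer.

    Refuses if the designated independent reviewer is one of the self-reviewing
    accounts, since that would simply move the conflict rather than remove it.
    """
    fixed = []
    for e in entries:
        if e.reviewer != e.reviewee:
            fixed.append(e)
            continue
        if independent_reviewer == e.reviewee:
            raise ValueError(f"{independent_reviewer} cannot independently review their own access")
        fixed.append(ReviewEntry(e.reviewee, independent_reviewer, e.privileged))
    return fixed


def find_unauthorized_provisioning(entries: List[ProvisioningEntry]) -> List[ProvisioningEntry]:
    """Privileged accounts provisioned with no authorization record, or before it was documented."""
    return [
        e for e in entries
        if e.privileged and (e.authorized_on is None or e.authorized_on > e.provisioned_on)
    ]


# Constructed sample records (hypothetical accounts and dates).
SAMPLE_REVIEWS = [
    ReviewEntry("alice.admin", "alice.admin", True),   # self-review of a privileged account
    ReviewEntry("bob", "alice.admin", False),           # ordinary review by a different person
    ReviewEntry("carol.admin", "dave.iso", True),       # privileged account reviewed independently
]

SAMPLE_PROVISIONING = [
    ProvisioningEntry("alice.admin", True, date(2025, 1, 10), date(2025, 1, 8)),   # authorized first: fine
    ProvisioningEntry("erin.admin", True, date(2025, 2, 3), date(2025, 2, 5)),     # authorized after access
    ProvisioningEntry("frank.admin", True, date(2025, 3, 1), None),                # no authorization record
    ProvisioningEntry("gina", False, date(2025, 3, 1), None),                      # non-privileged: out of scope
]


if __name__ == "__main__":
    for e in find_self_reviews(SAMPLE_REVIEWS):
        print(f"self-review: {e.reviewee} (privileged={e.privileged})")
    for e in assign_independent_reviewer(SAMPLE_REVIEWS, "dave.iso"):
        print(f"review: {e.reviewee} certified by {e.reviewer}")
    for e in find_unauthorized_provisioning(SAMPLE_PROVISIONING):
        print(f"provisioned before authorization: {e.user} on {e.provisioned_on} "
              f"(authorized {e.authorized_on})")
```

Run against real review exports, the same two comparisons (reviewer equals reviewee; authorization date absent or later than provisioning date) give auditors and system owners a repeatable test rather than a manual reading of the review sheet, and the reassignment step fails closed when the only available reviewer is the conflicted account.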
GSA management agreed with each of our findings and recommendation. The GSA Chief Information Officer’s response is included in Section VI.
