Audit Report 14-12: Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review
On April 30, 2014, the OIG issued Audit Report 14-12, Weaknesses Identified During the FY 2013 Federal Information Security Management Act (FISMA) Review. Under FISMA, agencies must report their compliance with information security requirements. The OIG reports on the effectiveness of the agency’s information security program in accordance with OMB criteria. For Fiscal Year (FY) 2013, the OIG was required to report on the agency’s compliance in the following 11 areas:
- configuration management
- identity and access management
- risk management
- continuous monitoring controls
- plan of actions and milestones
- remote access management
- security training
- computer security incidents
- contingency planning
- contractor systems
- security capital planning
In FY 2013, the OIG found that the SBA continued to show limited progress in meeting FISMA requirements. In the annual FISMA report, the OIG found the SBA needs to further establish its configuration management, identity and access management, risk management, and continuous monitoring controls. In addition to weaknesses identified in FY 2013, the SBA needs to continue to remediate outstanding and overdue recommendations specifically relating to FISMA compliance. The OIG made seven new recommendations relating to FISMA compliance.