National Science Foundation • 4201 Wilson Boulevard • Arlington, Virginia 22230
Office of Inspector General

MEMORANDUM

DATE: January 12, 2013
TO: Dr. Subra Suresh, Director, National Science Foundation
FROM: Allison C. Lerner /s/ Inspector General
SUBJECT: Federal Information Security Management Act FY 2012 Independent Evaluation Report – OIG Report Number 13-2-003

Attached is the Federal Information Security Management Act of 2002 (FISMA) FY 2012 Independent Evaluation Report. In accordance with Office of Management and Budget (OMB) Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, we previously provided the Inspector General Section of NSF’s FY 2012 FISMA Report, which was submitted through the OMB automated reporting tool on November 15, 2012.

CliftonLarsonAllen’s Independent Evaluation Report includes four new findings, as follows:

• NSF needs to improve its patch management process for the timely resolution and mitigation of logical security vulnerabilities.
• NSF needs to correct the United States Antarctic Program’s (USAP) Certification and Accreditation documentation process to include required elements.
• USAP needs to review its System Security Plan for consistency with NIST requirements.
• USAP needs to enforce NSF’s password and account management policies at USAP.

The report also includes four previous findings, as follows:

• The USAP “Advanced Revelation” suite of applications needs to be replaced.
• USAP needs to develop, document, and implement a disaster recovery plan for its Antarctica Operations at its Denver data center.
• NSF needs to remove, in a timely manner, the information technology accounts of separated employees and contractors.
• NSF needs to improve the security of its network topology, as the present design poses a potential security weakness.

The Independent Evaluation was performed in conjunction with the annual financial statement audit.
A draft of the Independent Evaluation Report was previously submitted to your staff and their comments are included as an attachment to the report. In accordance with OMB Circular A-50, on Audit Follow-Up, we request that NSF submit a written corrective action plan to our office within 60 days of the date of this memorandum to address the recommendations in the Independent Evaluation. This corrective action plan should identify specific actions your office has taken or plans to take to address each recommendation, along with the associated milestone date. We are available to work with your staff to ensure the submission of a mutually agreeable corrective action plan.

We appreciate the courtesies and cooperation extended to CliftonLarsonAllen LLP during the evaluation. If you or your staff has any questions, please contact Brett M. Baker, Assistant Inspector General for Audit, or me at (703) 292-7100.

Attachment

cc: Cora B. Marrett, Deputy Director, Acting, OD
    G.P. Peterson, Chair, Audit and Oversight Committee
    Kathryn Sullivan, Senior Advisor, OD
    Eugene Hubbard, Director, OIRM
    Amy Northcutt, Chief Information Officer
    Kelly K. Falkner, Acting Director, OD/OPP
    Martha Rubenstein, Director and CFO, BFA
    Susanne LaFratta, Senior Advisor, OD/OPP
Federal Information Security Management Act FY 2012 Independent Evaluation Report
Published by the National Science Foundation, Office of Inspector General on 2013-01-12.