Federal Information Security Management Act FY 2012 Independent Evaluation Report

Published by the National Science Foundation, Office of Inspector General on 2013-01-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

          National Science Foundation    •   4201 Wilson Boulevard     •   Arlington, Virginia 22230
                                         Office of Inspector General


DATE:            January 12, 2013

TO:              Dr. Subra Suresh, Director, National Science Foundation

FROM:            Allison C. Lerner /s/
                 Inspector General

SUBJECT:         Federal Information Security Management Act FY 2012 Independent Evaluation
                 Report – OIG Report Number 13-2-003

Attached is the Federal Information Security Management Act of 2002 (FISMA) FY 2012
Independent Evaluation Report. In accordance with Office of Management and Budget (OMB)
Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management, we previously provided the Inspector
General Section of NSF’s FY 2012 FISMA Report, which was submitted through the OMB
automated reporting tool on November 15, 2012.

CliftonLarsonAllen’s Independent Evaluation Report includes four new findings as follows:

      •   NSF needs to improve its patch management process for the timely resolution and
          mitigation of logical security vulnerabilities.
      •   NSF needs to correct the United States Antarctic Program’s (USAP) Certification and
          Accreditation documentation process to include required elements.
      •   USAP needs to review its System Security Plan for consistency with NIST requirements.
      •   USAP needs to enforce NSF’s password and account management policies at USAP.

The report also includes four previous findings, as follows:

   •      The USAP “Advanced Revelation” suite of applications needs to be replaced.
   •      USAP needs to develop, document, and implement a disaster recovery plan for its
          Antarctica Operations at its Denver data center.
   •      NSF needs to remove timely the information technology accounts for separated
          employees and contractors.
   •      NSF needs to improve the security of its network topology as the present design poses a
          potential security weakness.
The Independent Evaluation was performed in conjunction with the annual financial statement
audit. A draft of the Independent Evaluation Report was previously submitted to your staff and
their comments are included as an attachment to the report.

In accordance with OMB Circular A-50, on Audit Follow-Up, we request that NSF submit a
written corrective action plan to our office within 60 days of the date of this memorandum to
address the recommendations in the Independent Evaluation. This corrective action plan should
identify specific actions your office has taken or plans to take to address each recommendation
along with the associated milestone date. We are available to work with your staff to ensure the
submission of a mutually agreeable corrective action plan.

We appreciate the courtesies and cooperation extended to CliftonLarsonAllen LLP during the

If you or your staff has any questions, please contact Brett M. Baker, Assistant Inspector General
for Audit, or me at (703) 292-7100.


cc:    Cora B. Marrett, Deputy Director, Acting, OD
       G.P. Peterson, Chair, Audit and Oversight Committee
       Kathryn Sullivan, Senior Advisor, OD
       Eugene Hubbard, Director, OIRM
       Amy Northcutt, Chief Information Officer
       Kelly K. Falkner, Acting Director, OD/OPP
       Martha Rubenstein, Director and CFO, BFA
       Susanne LaFratta, Senior Advisor, OD/OPP