AT A GLANCE

Performance Audit of the National Science Foundation's Information Security Program for FY 2017
Report No. OIG 18-2-004
November 30, 2017

AUDIT OBJECTIVE

The NSF Office of Inspector General (OIG) engaged Kearney & Company, P.C. (Kearney) to conduct a performance audit of NSF's Information Security Program for FY 2017, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The audit, which was conducted in accordance with the performance audit standards established by Generally Accepted Government Auditing Standards (GAGAS), included an assessment of the corrective actions taken by NSF in response to prior-year FISMA audits. Kearney is responsible for the attached auditor's report and the conclusions expressed therein. NSF OIG does not express any opinion on the conclusions presented in Kearney's audit report.

AUDIT RESULTS

Kearney found that NSF has an established Information Security Program and has implemented appropriate corrective actions in response to four of the five findings reported in the FY 2016 FISMA report; however, additional work is needed to address shortfalls in select information technology (IT) security controls. Kearney issued two new findings and one modified-repeat finding in the areas of configuration management, U.S. Antarctic Program (USAP) contingency planning, and USAP accreditation packages.

RECOMMENDATIONS

Kearney made five recommendations, which, if implemented, will improve NSF's IT Security Program.

AGENCY RESPONSE

NSF generally agreed with the findings and recommendations, and plans to incorporate the results of the audit as it continues to make improvements in the IT Security Program. NSF's response is included in its entirety at Appendix A.

FOR FURTHER INFORMATION, CONTACT US AT (703) 292-7100 OR OIG@NSF.GOV.
NSF.GOV/OIG | OIG 18-2-004
Performance Audit of the National Science Foundation's Information Security Program for FY 2017
Published by the National Science Foundation, Office of Inspector General on 2017-11-30.