AT A GLANCE

Performance Audit of the National Science Foundation’s Information Security Program for FY 2019
Report No. OIG 20-2-002
November 22, 2019

AUDIT OBJECTIVE

The National Science Foundation (NSF) Office of Inspector General engaged Kearney & Company, P.C. (Kearney) to conduct a performance audit of NSF’s Information Security Program for fiscal year (FY) 2019, as required by the Federal Information Security Modernization Act of 2014 (FISMA, Pub. L. No. 113-283). The audit, which was conducted in accordance with the performance audit standards established by Generally Accepted Government Auditing Standards (GAGAS), included an assessment of the corrective actions taken by NSF in response to the prior-year FISMA audit.

AUDIT RESULTS

Kearney found that although NSF has an established Information Security Program, weaknesses in four of the five National Institute of Standards and Technology (NIST) domains specified in the U.S. Department of Homeland Security’s FY 2019 Inspector General FISMA Reporting Metrics resulted in a conclusion that NSF’s Information Security Program was not effective. Kearney also determined that NSF has implemented appropriate corrective actions in response to both findings reported in the FY 2018 FISMA report. Kearney is responsible for the attached report and the conclusions expressed in this report. NSF OIG does not express any opinion on the conclusions presented in Kearney’s audit report.

RECOMMENDATIONS

The auditors included seven findings in the report with associated recommendations for NSF to address shortfalls in information technology security controls.

AUDITEE RESPONSE

NSF agreed with all of the findings in the report and plans to incorporate information gained and lessons learned from the review to continue making improvements in its information security program.

FOR FURTHER INFORMATION, CONTACT US AT OIGPUBLICAFFAIRS@NSF.GOV.
Performance Audit of the National Science Foundation's Information Security Program for FY 2019
Published by the National Science Foundation, Office of Inspector General on 2019-11-22.