Performance Audit of the National Science Foundation's Information Security Program for FY 2019

Published by the National Science Foundation, Office of Inspector General on 2019-11-22.

AT A GLANCE
Performance Audit of the National Science Foundation’s
Information Security Program for FY 2019
Report No. OIG 20-2-002
November 22, 2019

AUDIT OBJECTIVE
The National Science Foundation (NSF) Office of Inspector General engaged Kearney & Company,
P.C. (Kearney) to conduct a performance audit of NSF’s Information Security Program for fiscal year
(FY) 2019, as required by the Federal Information Security Modernization Act of 2014 (FISMA, Pub.
L. No. 113-283). The audit, which was conducted in accordance with the performance audit standards
established by Generally Accepted Government Auditing Standards (GAGAS), included an
assessment of the corrective actions taken by NSF in response to the prior-year FISMA audit.

AUDIT RESULTS
Kearney found that although NSF has an established Information Security Program, weaknesses in
four of the five National Institute of Standards and Technology (NIST) domains specified in the U.S.
Department of Homeland Security’s FY 2019 Inspector General FISMA Reporting Metrics resulted in
a conclusion that NSF’s Information Security Program was not effective. Kearney also determined
that NSF has implemented appropriate corrective actions in response to both findings reported in the
FY 2018 FISMA report. Kearney is responsible for the attached report and the conclusions expressed
in this report. NSF OIG does not express any opinion on the conclusions presented in Kearney’s audit
report.

RECOMMENDATIONS
The auditors included seven findings in the report with associated recommendations for NSF to
address shortfalls in information technology security controls.

AUDITEE RESPONSE
NSF agreed with all of the findings in the report and plans to incorporate information gained and
lessons learned from the review to continue making improvements in its information security
program.

FOR FURTHER INFORMATION, CONTACT US AT OIGPUBLICAFFAIRS@NSF.GOV.