oversight

AT A GLANCE
Performance Audit of the National Science Foundation’s
Information Security Program for FY 2020
Report No. 21-2-002
November 20, 2020

AUDIT OBJECTIVE
The National Science Foundation Office of Inspector General engaged Kearney & Company, P.C.
(Kearney) to conduct a performance audit of NSF’s Information Security Program for fiscal year (FY)
2020, as required by the Federal Information Security Modernization Act of 2014 (FISMA, Pub. L. No.
113-283). The audit, which was conducted in accordance with the performance audit standards
established by Generally Accepted Government Auditing Standards (GAGAS), included an assessment
of the corrective actions taken by NSF in response to the prior-year FISMA audit.

AUDIT RESULTS
Kearney found that NSF’s Information Security Program was effective for FY 2020 and that NSF
complied with the five National Institute of Standards and Technology (NIST) domains as specified in
the U.S. Department of Homeland Security’s FY 2020 Inspector General FISMA Reporting Metrics.
Kearney also determined NSF has implemented corrective actions to fully or partially address the
seven findings identified in the FY 2019 FISMA independent evaluation. Kearney is responsible for
the Performance Audit and the conclusions expressed in the report. NSF OIG does not express any
opinion on the conclusions presented in Kearney’s audit report.

RECOMMENDATIONS
The auditors included five new and three modified repeat findings in the report with associated
recommendations for NSF to address weaknesses in information technology security controls.

AGENCY RESPONSE
NSF agreed with all of the findings in the report and plans to incorporate information gained and
lessons learned from the review to continue making improvements in its information security program.

FOR FURTHER INFORMATION, CONTACT US AT OIGPUBLICAFFAIRS@NSF.GOV.