The Federal Information Security Modernization Act (FISMA) (Public Law 113-283) requires Federal agencies to have an annual independent evaluation of their information security programs and practices. This evaluation is to be performed by the agency’s Office of Inspector General (OIG) or by an independent external auditor, at the OIG’s discretion, to determine the effectiveness of such programs and practices.
KPMG, an independent public accounting firm, performed the U.S. Department of the Interior (DOI) fiscal year 2019 FISMA audit under a contract issued by the DOI and monitored by the OIG. KPMG reviewed information security practices, policies, and procedures at the DOI Office of the Chief Information Officer and at 11 DOI bureaus and offices. KPMG identified needed improvements in the areas of risk management, configuration management, identity and access management, and contingency planning.
KPMG made 27 recommendations related to these control weaknesses intended to strengthen the DOI’s information security program, as well as those of the bureaus and offices. In its response to the draft report, the Office of the Chief Information Officer concurred with all recommendations and established a target completion date for each corrective action.