The Federal Labor Relations Authority (FLRA) scored well on its fiscal year 2020 Federal Information Security Modernization Act (FISMA) audit, with only four areas noted as weaknesses and no carry-over weaknesses from prior year audits.
The audit, conducted on behalf of FLRA’s inspector general and released on October 30, notes that FLRA “has taken steps to improve the information security program,” and that the small agency “does take information security weaknesses seriously.” The audit tested the agency’s General Support System and the agency’s policies and inventories.
In the scoring of the agency’s posture against frameworks from the National Institute of Standards and Technology (NIST), FLRA received:
- Level 4 for risk management
- Level 1 for configuration management
- Level 1 for identity and access management
- Level 4 for data protection and privacy
- Level 4 for security training
- Level 3 for continuous monitoring
- Level 3 for incident response
- Level 4 for contingency planning
FLRA expressed its pride in the results of the FISMA audit in its response to the report.
“We are overjoyed that, out of the 900+ controls for which we are responsible, only four findings have been reported. A 99.6% success rate for any agency would be a crowning achievement, but for a small/micro agency, it is truly a proud reflection of FLRA’s commitment to the program,” wrote Michael Jeffries, executive director of the FLRA.
The audit’s recommendations centered on areas where FLRA diverged from NIST guidelines, such as outdated policies, little review of user privileges, and a lack of risk classification for employees. FLRA agreed to all recommendations included in the report.