The General Services Administration (GSA) Office of Inspector General (OIG) reported three weaknesses in GSA’s Federal Information Security Management Act (FISMA) compliance for Fiscal Year 2019 in a report dated Dec. 5, 2019, but released on Jan. 30.
The audit, conducted from September 2019 through December 2019, resulted in four new recommendations to GSA.
Auditors concluded that GSA did not have a formal review and acceptance process for third-party security systems, a GSA network user was not removed from the system in a timely manner after their departure, and two security incidents at GSA were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner.
OIG recommends GSA:
- Implement a formal review and acceptance process for contractors that includes a review by the information system security officer;
- Establish a monitoring control to review any rejected ServiceNow tickets;
- Monitor to ensure all incidents are reported to US-CERT in a timely manner; and
- Train new analysts on the GSA incident reporting process.
Despite those shortcomings, auditors concluded that GSA still met general compliance with FISMA standards. GSA met “managed and measurable” standards for a majority of its FISMA metric questions and cybersecurity functions, the OIG report says. The agency fell short on its ability to recover from cyber incidents, with auditors saying it was only “consistently implemented.”
GSA agreed with all findings and recommendations.