U.S. Department of Education Federal Information Security Modernization Act of 2014 Report

Report Information

Date Issued
Report Number
A24IT0153

What We Did

The objective of the FY 2024 Federal Information Security Modernization Act (FISMA) audit was to determine whether the Department’s overall information technology (IT) security program and practices are effective as they relate to Federal information security requirements. To determine the effectiveness of the Department’s information security program, the audit team utilized the FY 2023-2024 Inspector General FISMA reporting metrics, issued on February 10, 2023, which required that an independent assessor evaluate core and supplemental reporting metrics identified by the Office of Management and Budget. To properly conclude on the effectiveness of the Department’s information security program and practices, a rotational strategy was used to select six in-scope systems not evaluated in the previous year’s audit. 

What We Found

For FY 2024, the audit team determined that the Department’s overall IT security program and practices are effective, as eight out of the nine FISMA domains met the requirements needed to operate at a Level 4 maturity rating (Managed and Measurable) or higher. The auditors also identified a total of six conditions across the nine FISMA domains indicating potential areas of improvement. The identified conditions were evaluated from a risk-based standpoint and within the context of the overall information security program to determine their root cause and associated level of risk.

What We Recommend

The audit team made 10 recommendations to assist the Department with increasing the effectiveness of its information security programs. 

Management Challenge Area

Information Technology Security

Related Work Products

See previous work involving this subject: Federal Information Security Modernization Act.