The National Security Agency (NSA) may have deep knowledge of signals intelligence and cyber, but the agency still faces challenges in implementing a strong cybersecurity posture under FISMA (the Federal Information Security Modernization Act), according to the agency’s inspector general.
The inspector general’s Semiannual Report noted that NSA has “room for improvement in all areas” of the FISMA audit. Specifically, the FY 2018 audit found that no area reached above Level 3 (out of a total of 5) on the FISMA maturity model, and contingency planning was evaluated to be at Level 1 – leaving the agency with an ad hoc approach.
The bright spots of the audit were Identity and Access Management and Security Training, both of which reached Level 3 on the maturity model for NSA.
Ongoing audits for NSA also include an examination of the authorities of the agency’s CIO. The summary in the Semiannual Report notes that the audit will examine if NSA is in compliance with the Clinger-Cohen Act and OMB’s 2011 memo on CIO authorities.
The inspector general will also examine in a separate audit whether the agency is decommissioning legacy systems effectively. The Semiannual Report notes that the audit will examine “whether the agency is effectively decommissioning information systems, including doing so consistently, securely, and efficiently.”