Federal Managers' Financial Integrity Act (FMFIA) of 1982
During FY 2005, the Department reviewed its management control system in accordance with the requirements of FMFIA, and Office of Management and Budget (OMB) and Departmental guidelines. The objective of our management control system is to provide reasonable assurance that:
The efficiency of the Department’s operations is continually evaluated using information obtained from reviews conducted by the Government Accountability Office (GAO), Office of Inspector General (OIG), and specifically requested studies. It is worth noting that the list of high-risk programs issued by GAO in January 2005 does not include any programs administered by the Department of Commerce. Also, on a yearly basis, operating units within the Department conduct self-assessments of their compliance with FMFIA.
Section 2 of the FMFIA, which deals with nonfinancial controls, requires that federal agencies report, on the basis of annual assessments, any material weaknesses that have been identified in connection with their internal and administrative controls. The diverse reviews that took place during FY 2005 provide a high level of assurance that Commerce systems and management controls comply with standards established under FMFIA, with the exception of one material weakness. This weakness involves the need to validate that information technology (IT) security certification and accreditation (C&A) documentation and processes for the Department’s national critical and mission critical systems are of adequate quality. As stated in the Secretary’s introductory letter, the Department of Commerce has made important progress in resolving this material weakness by working closely with its operating units to address concerns and to improve the overall performance of the Department’s IT security program.
The following table reflects the number of material weaknesses reported under Section 2 of the FMFIA in recent years by the Department of Commerce.
Section 2 of FMFIA
Strengthening Information Technology Security
During the year, the Department of Commerce significantly improved its IT security posture, focusing on completing corrective actions to address prior-year IT security concerns and improving the quality of C&A processes and documentation for national critical and mission critical systems. Improved C&A packages for all national critical systems and most mission critical systems have been completed. However, only a small number of improved C&A packages were available by the Inspector General’s (IG) August 31 deadline for independent evaluation under the Federal Information Security Management Act (FISMA). The OIG’s review of the available packages found that the risk assessments and security plans were much improved, but three of the five improved packages reviewed had not undergone adequate certification testing. In light of the limited number of packages available for review and the testing deficiencies found, OIG concluded that the C&A process had not yet improved to the point where authorizing officials throughout the Department have sufficient information about the vulnerabilities remaining in their systems when it is time to make the accreditation decision. Corrective action related to system testing is underway and all C&A packages are scheduled to have been improved by the end of FY 2006.
Additionally, in FY 2005, the IG’s independent audit of the Department’s FY 2004 financial statements included security reviews of the Department’s financial management systems. The audit concluded that seven operating units had weaknesses in six key IT security areas—entity-wide security program planning and management, access controls, application software development and change control, system software management, segregation of duties, and service continuity.
The Office of the Chief Information Officer (OCIO) issued a Plan for Eliminating the Basis for the Commerce FMFIA IT Security Material Weakness, which contains a schedule and reporting plan developed collaboratively with Commerce operating units to improve C&A documentation and processes during FY 2005 and FY 2006. OCIO closely monitored efforts in FY 2005 by operating units to improve the quality of C&A documentation and processes. OCIO completed IT security compliance reviews that included inspecting improved system C&A packages for five of the Department’s national critical and 21 of its mission critical systems. It also reviewed 50 IT contracts for inclusion of IT security clauses, and reviewed secure configuration management implementation status and procedures for compliance with federal guidance and Departmental policy. It monitored on a monthly basis the status of corrective actions taken by operating units in response to these and prior-year reviews, and provided quarterly status updates to OMB on planned corrective actions and IT security performance metrics as required by FISMA.
Additionally, at the end of FY 2004, OCIO identified the following planned actions for FY 2005:
All of these actions were completed in FY 2005, and the accomplishments and efforts taken by Commerce to strengthen its Department-wide IT Security Program are summarized below:
In addition, the following activities were continued in order to maintain effective oversight of Department-wide IT security program implementation:
Ongoing Effort to Strengthen IT Security Will Continue in FY 2006
Notwithstanding these achievements during FY 2005 to resolve prior IT security issues and to maintain a strong IT security program, work still remains to ensure the implementation and management of secure system configurations and to sustain efforts to improve C&A practices and adequate quality of work products for managing system security. Specifically, actions planned for FY 2006 include:
As the Department works to fully resolve this material weakness during FY 2006, the focus will be on ensuring that IT security practices are integrated throughout the Department, demonstrating further that sound, repeatable practices are implemented in a compliant and consistent manner.
Section 4 of FMFIA
The Department has no material weaknesses relating to Section 4 of FMFIA.