Federal Managers' Financial Integrity Act (FMFIA) of 1982
During FY 2006, the Department reviewed
its management control system in accordance with the requirements of FMFIA,
and Office of Management and Budget (OMB) and Departmental guidelines.
The objective of the Department’s management control system is to
provide reasonable assurance that:
- obligations and costs are in compliance with
applicable laws
- assets are safeguarded against waste, loss,
and unauthorized use of appropriations
- revenues and expenditures applicable to agency
operations are properly recorded and accounted for, permitting accurate
accounts, reliable financial reports, and full accountability for
assets
- programs are efficiently and effectively carried
out in accordance with applicable laws and management policy.
Section 2 of FMFIA – Internal Management Controls
Section 2 of the FMFIA requires that federal agencies report, on the
basis of annual assessments, any material weaknesses that have been identified
in connection with their internal and administrative controls. The efficiency
of the Department’s operations is continually evaluated using information
obtained from reviews conducted by the U.S. Government Accountability
Office (GAO) and the Office of the Inspector General (OIG), and specifically
requested studies. It is worth noting that GAO’s list of high-risk
programs, which was last issued in January 2005 at the beginning of the
new Congress, does not include any programs administered by the Department.
Also, on a yearly basis, operating units within the Department conduct
self-assessments of their compliance with FMFIA.
The diverse reviews that took place during FY 2006 relative to nonfinancial
controls provide assurance that Department systems and management controls
comply with standards established under FMFIA, with the exception of one
material weakness. As discussed in detail below, this material weakness
involves information technology (IT) security issues and the need to improve
the quality of certification and accreditation (C&A) processes and
documentation for all IT systems.
The following table reflects the number of material weaknesses reported
under Section 2 of FMFIA in recent years by the Department.
NUMBER OF MATERIAL WEAKNESSES
|
NUMBER
AT
BEGINNING
OF FISCAL YEAR |
NUMBER
CORRECTED |
NUMBER
ADDED |
NUMBER
REMAINING END OF
FISCAL YEAR |
FY 2003 |
1 |
0 |
0 |
1 |
FY 2004 |
1 |
0 |
0 |
1 |
FY 2005 |
1 |
0 |
0 |
1 |
FY 2006 |
1 |
0 |
0 |
1 |
IT Security Requires Further Improvement
As stated in the Secretary’s introductory letter, the Department
made significant strides again this year in addressing this concern while
acknowledging that further improvements are needed.
There are 229 moderate and high impact systems in the Department’s
information systems inventory. Twenty-two improved C&A packages for
high and moderate-impact systems were received by the Office of the Chief
Information Officer (OCIO) in time for review by OIG under the Federal
Information Security Management Act (FISMA). OCIO reviewed the 22 packages
and determined 12 to be of sufficient quality to forward to OIG. OIG evaluated
11 of these packages, which were for Department-owned systems, as well
as four additional packages for contractor systems. OIG found that the
quality of risk assessments and system security plans for Department-owned
systems overall had significantly improved, but that certification testing
and related documentation for many of the systems still needed improvement.
OIG concluded that five of the 11 Department-owned systems and none of
the four contractor systems met the C&A criteria established by the
Department’s IT security policy, OMB’s policy, and the National
Institute of Standards and Technology’s (NIST) standards and guidelines.
Further improvement of system testing is underway and improvement of all
C&A packages will be monitored throughout FY 2007.
During FY 2006, OIG’s independent audit of the Department’s
FY 2005 financial statements included security reviews of the Department’s
financial management systems. The audit concluded that seven operating
units had weaknesses in five out of six key IT security areas: entity-wide
security program planning and management, access controls, application
software development and change control, system software management, and
service continuity. The Department notes that the number of auditor findings
has been decreasing—from 46 in FY 2005 to 25 in FY 2006—and
that the severity of the findings has lessened, indicating significant
improvement.
In February 2005, OCIO issued a Plan for Eliminating the Basis for the
Commerce FMFIA IT Security Material Weakness, which set forth
a schedule and reporting plan developed collaboratively with Department
operating units to improve C&A documentation during FY 2005 and FY
2006. On a monthly basis, OCIO monitored the status of the operating units’
corrective actions in response to this plan and prior-year reviews, and
provided quarterly status updates of these and other planned corrective
actions, as well as the status of IT security performance metrics, to
OMB in accordance with FISMA requirements.
In its FY 2005 FMFIA report, the Department highlighted the following
planned actions for FY 2006:
- Complete the use of secure system configurations
to ensure that software parameters are set in a standard way to make
each system adequately secure, and review the extent to which such
secure system configurations have been implemented Department-wide.
- Confirm that C&A improvement efforts undertaken
in FY 2005 have resulted in establishing lasting, repeatable, quality
management practices for C&A documentation. In FY 2006, the focus
was on ensuring that IT security practices were integrated throughout
the Department, demonstrating further that sound, repeatable practices
are implemented in a compliant and consistent manner.
These actions were addressed in FY 2006 for selected high and moderate-impact
systems, yet work will continue into FY 2007 for all systems Department-wide.
The Department’s efforts and accomplishments during FY 2006 to strengthen
its Department-wide IT security program are summarized below.
- The Department’s IT security program
maturity, as measured using the federal CIO Council’s 5-level
IT security maturity scale, maintained 100 percent of the Department
operating units at level 3—implemented policies and procedures—or
higher. This level of accomplishment in improving the maturity of
IT security management reflects the hard work of many dedicated IT
security professionals within the Department to institutionalize IT
security practices and develop repeatable processes.
- The Department continued its IT security compliance
review program, in which OCIO has arranged for a contractor to assess
the extent to which IT security policy and guidance are implemented
within the operating units and to assess the adequacy of agency-level
IT security programs. The FY 2006 compliance review included looking
at C&A packages for compliance with government-wide and Department
requirements, and to ensure that the quality of the documentation
reflects sound security planning. This year’s compliance monitoring
effort concluded that while all C&A packages inspected were complete,
and FY 2006 efforts have resulted in raising the quality of C&A
packages, additional work needs to be done.
- The Department enhanced its role-based IT security
training program by procuring formal, instructor-led education seminars.
The seminars include education in general IT security concepts as
well as the C&A methodology recommended by NIST. This education
will improve the skills of personnel involved in the C&A process,
including senior managers serving as system Authorizing Officials
and personnel participating on certification teams.
In order to maintain effective oversight of Department-wide IT security
program implementation, the following activities continued.
- The Department’s CIO provided input to
rating officials, i.e., either the head of the operating unit or their
deputy, on the performance of each operating unit CIO, a significant
portion of which relates to IT security.
- The Department’s CIO and OCIO IT security
staff have been actively involved in the review of proposed IT budget
initiatives, to ensure that IT security is adequately addressed and
funded and to assure sufficient planning for continuity of operations.
- The Department IT Review Board, chaired by
the Department’s CIO, considers and evaluates the proposed IT
security approach for every IT project it reviews, including new initiatives
as well as continuing IT projects. This review includes examination
of the adequacy of the IT security management and funding, as well
as the involvement of IT project managers in leading IT security for
their project as a key part of their work. Corrective actions are
identified and required of program and project officials, as appropriate.
Additionally, efforts to fully resolve this material weakness are being
monitored by the Department’s senior management. The Deputy Secretary
is routinely kept apprised of progress that is being made, and the status
of activities being undertaken at the Departmental and operating unit
levels is formally discussed as part of the quarterly performance reviews.
Further, the Deputy Secretary has requested that the IG and CIO regularly
brief the Secretary and the heads of the operating units during Executive
Management Team meetings.
Notwithstanding these achievements, work still remains to ensure the
implementation and management of secure system configurations and to improve
the C&A process as needed to guarantee the necessary quality of work
products for managing system security. Specifically, actions planned for
FY 2007 include:
- Enhanced training of personnel with significant
IT security roles and responsibilities. The Department will focus
efforts on educating Authorizing Officials and System Owners regarding
their roles and responsibilities for IT security, especially for their
role in the C&A process.
- Increased monitoring to validate that secure
system configurations have been implemented, thereby ensuring that
software parameters are set in a standard way to make each system
adequately secure. The extent to which such secure system configurations
have been implemented for selected systems and operating system platforms
Department-wide will be validated.
- Continue efforts to confirm that C&A improvement
efforts undertaken in FY 2006 have resulted in establishing lasting,
repeatable, quality management practices for C&A documentation.
In FY 2007, the focus will be on ensuring that secure system configurations
are being implemented for all operating system platforms throughout the
Department, that personnel with significant IT security roles are properly
trained, and that a sound, repeatable C&A process has been implemented
in a compliant and consistent manner. Involved Departmental officials
will continue to work closely with operating unit personnel to address
these issues, and progress will continue to be monitored through quarterly
performance reviews with the Deputy Secretary.
Strengthening Internal Controls over Financial Reporting
In December 2004, OMB issued a complete revision to Circular A-123, Management’s
Responsibility for Internal Control, which focused on strengthening requirements
for assessing internal controls over financial reporting. In FY 2006,
the first year for which the revised circular was effective, the Department
and its operating units undertook a comprehensive and coordinated approach
to conducting an assessment of the effectiveness of internal control over
financial reporting in accordance with the new requirements of Circular
A-123.
- A Senior Management Council was established
to implement, direct, and oversee the assessment process, and a Senior
Assessment Team was established to develop and conduct the assessment.
- The scope of the assessment was determined
by identifying financial and budgetary reports that have significant
effects on spending, budgetary, and other financial decisions.
- The overall control environment was evaluated,
and 12 key process cycles and approximately 630 key controls were
identified for evaluation across the Department. The 12 key processes
included Budget Execution; Inventory; Purchasing; Revenues; Payroll
and Employee Benefits; Property, Plant and Equipment Spending, and
Maintenance; Financial Reporting; Treasury Management; Risk Management;
Information Systems; Grants Management; and Loans.
- A Department-wide testing approach and plan
were developed.
- The Senior Management Council and Senior Assessment
Team reviewed testing results and determined the significance of any
deficiencies, i.e., whether they constituted an internal control deficiency,
reportable condition, or material weakness.
- A communication plan was developed for use
in raising the awareness of Department employees to the importance
of internal controls in carrying out their responsibilities.
The Department’s assessment reflects a system of financial controls
that is operating effectively. No material weaknesses were identified
for the period October 1, 2005 through June 30, 2006, the reporting period
specified by OMB Circular A-123. Further, no material weaknesses related
to internal control over financial reporting were identified between July
1, 2006 and September 30, 2006.
Section 4 of the FMFIA – Internal Controls over Financial Management
Systems
NUMBER OF MATERIAL WEAKNESSES
|
NUMBER
AT
BEGINNING
OF FISCAL YEAR |
NUMBER
CORRECTED |
NUMBER
ADDED |
NUMBER
REMAINING END OF
FISCAL YEAR |
FY 2003 |
1 |
1 |
0 |
1 |
FY 2004 |
0 |
0 |
0 |
0 |
FY 2005 |
0 |
0 |
0 |
0 |
FY 2006 |
0 |
0 |
0 |
0 |
Based on reviews conducted by the Department and its operating units
for FY 2006, the financial systems in the Department are compliant with
GAO principles and standards, the requirements of the Chief Financial
Officers (CFO) Act, and OMB requirements. The Department had no material
weaknesses under Section 4 of FMFIA.
|