Publicly Released: October 13, 2022
The purpose of this management advisory is to provide Air Force leadership with DoD Office of Inspector General (OIG) findings and recommendations specific to the Air Force’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA). We identified these findings during our FY 2021 review of the DoD’s compliance with FISMA, which was announced on November 18, 2020 (Project No. D2021‑D000CP‑0034.000).
FISMA requires Federal agencies to develop, document, and implement an agencywide program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources. FISMA also requires Federal agency Inspectors General (IGs), or an independent external auditor designated by that IG, to conduct an annual independent review on the effectiveness of the agency’s information security program and practices. IGs must submit their annual results to the Office of Management and Budget and Department of Homeland Security.
For FY 2021, we assessed selected portions of the Air Force’s information security program and practices as part of our annual independent review. We submitted the results of the overall effectiveness of DoD’s information security program and practices to the Office of Management and Budget and Department of Homeland Security on October 28, 2021. We are issuing this management advisory to report the results specific to the Air Force and to issue recommendations for corrective action.
We provided a draft copy of this management advisory to DoD management and requested written comments on the findings and recommendations. We considered management’s comments on the draft when preparing the final management advisory.
This management advisory contains six recommendations that we consider resolved. Therefore, as discussed in the Recommendations, Management Comments, and Our Response section of this advisory, the six recommendations will remain open until documentation is submitted showing that the agreed‑upon actions are complete. Once we verify that the actions are complete, the recommendations will be closed.
This management advisory contains one recommendation that is considered closed, as discussed in the Recommendations, Management Comments, and Our Response section of this advisory. The recommendation does not require further action.