The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. The Smithsonian voluntarily complies with FISMA requirements because it is consistent with its strategic goals. We hired an independent auditor to conduct this review on our behalf.
The goal of information security is to build a defensible enterprise that enables organizations to harness technological innovation, while protecting an organization’s information and information systems.
FISMA requires organizations to adopt a risk-based, life cycle approach to improving information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reporting to the Office of Management and Budget (OMB) and the Congress. FISMA, OMB, and the National Institute of Standards and Technology (NIST) also identify security requirements for federal information security programs.
We determined that during the past year, the Office of the Chief Information Officer (OCIO) made improvements to strengthen the information security program, including proactively reviewing security controls and identifying areas to enhance the program. As part of its ongoing security program, the Smithsonian periodically performs network and system scans and annually provides security assessments and/or authorizations for all major systems, consistent with NIST guidance.
However, additional work is still needed to ensure controls are in place and operating effectively.
We found weaknesses in four areas where OCIO did not do the following:
We also noted that OCIO has not completed addressing 12 information security recommendations from previous reports. By not implementing these recommendations, the Smithsonian’s IT infrastructure and systems may be more vulnerable to unauthorized modifications and access, as well as the unavailability of important resources.
We made nine recommendations to strengthen configuration change controls; improve user account management; enforce requirements for continuous monitoring reports; and strengthen patch management and flaw remediation.
Management concurred with our findings and recommendations and has proposed corrective actions that, if timely implemented, will resolve the recommendations.