Fiscal Year 2016 Independent Evaluation of the Smithsonian Institution’s Information Security Program

OIG-A-18-02, November 21, 2017

What OIG Did

The Smithsonian’s Office of the Inspector General contracted with Williams Adley to conduct this audit. The objective of the audit was to evaluate the effectiveness of the Smithsonian’s information security program in fiscal year 2016 and to support the Office of the Inspector General’s annual report under FISMA.


FISMA was enacted in 2002 to strengthen the security of the federal government’s information systems. Although the Smithsonian is not subject to FISMA because it is not an executive branch agency, the Smithsonian applies FISMA standards as best practices to the extent practicable and consistent with its mission.

FISMA requires organizations to adopt a risk-based, life cycle approach to improving information security that includes annual security program reviews, independent Office of Inspector General evaluations, and reporting to the Department of Homeland Security and the Congress. 

What Was Found

For fiscal year 2016, the Office of the Chief Information Officer (OCIO) implemented key elements of the Smithsonian Institution’s (Smithsonian) information security program. For example, OCIO had policies for vulnerability management, incident response, configuration management, and security training. However, an independent public accounting firm, Williams, Adley & Company – DC, LLP (Williams Adley), found that OCIO did not have an effective risk-based process to target resources with the highest-risk vulnerabilities for the two information systems tested. One of the two systems provides the network infrastructure for most of the Smithsonian.

In addition, OCIO had neither established nor implemented an enterprise information security architecture to ensure that information technology security processes are effectively deployed to secure the Smithsonian’s operating environment. Furthermore, by the end of fiscal year 2016, OCIO had not resolved significant issues found in prior audits, such as the overdue implementation of an information security continuous monitoring program that helps assess the ongoing risks in the information security environment. OCIO had a target date of December 2016 to begin implementing such a program.

Based on the deficiencies found during this audit and the significant unresolved issues from prior audits, Williams Adley determined that the Smithsonian did not meet its information security program goals. In addition, the Smithsonian was operating at the lowest Federal Information Security Modernization Act (FISMA) metrics maturity level—Level 1: Ad hoc—for two of the five FISMA cybersecurity framework security functions, Detect and Respond. As a result, the Smithsonian’s information security program was not fully effective in reducing information security risks in fiscal year 2016.

What Was Recommended

Williams Adley made three recommendations to enhance information security at the Smithsonian. Management concurred with two of the three recommendations and partially concurred with the third recommendation. For the partially concurred recommendation, management agreed with the key aspects of the recommendation and provided an explanation for why it could not be applied in all cases.