
In Brief: Smithsonian Institution Information Security Program, No. A-12-08
Issued June 3, 2013

Why We Did This Audit

The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. The Smithsonian voluntarily complies with FISMA requirements because they are consistent with the Smithsonian’s strategic goals. We contracted with an independent auditor to conduct this review on our behalf.


The goal of information security is to build a defensible enterprise that enables organizations to harness technological innovation, while protecting an organization’s information and information systems.

FISMA requires organizations to adopt a risk-based, life cycle approach to improving information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reporting to the Office of Management and Budget (OMB) and the Congress. FISMA, DHS and the National Institute of Standards and Technology (NIST) also identify security requirements for federal information security programs.

What We Found

We determined that during the past year, the Office of the Chief Information Officer (OCIO) made improvements in the Smithsonian’s information security program, including proactively reviewing security controls and identifying areas to enhance the program. While the Smithsonian has made progress, it needs to continue to make improvements to ensure controls are in place and operating effectively.

We found weaknesses in the following areas:

    The Smithsonian needs to make the following two improvements to the information security program:

        • Test and install security patches and updates in a more timely manner

        • Strengthen desktop workstation configuration baselines

    At the system level, managers of four major applications need to improve continuous monitoring or Plan of Actions and Milestones (POA&M) reporting.

We also noted that OCIO has not completed implementing 11 information security recommendations from previous reports. By not implementing these recommendations, the Smithsonian’s IT infrastructure and systems may be more vulnerable to unauthorized modifications and access, as well as the unavailability of important resources.

What We Recommended

We made six recommendations to more quickly remediate identified security vulnerabilities; strengthen controls over installed applications; improve workstation configurations; better document deviations from established baselines; and improve continuous monitoring and POA&M reporting.

Management concurred with our findings and recommendations and has proposed corrective actions.
