Skip navigation
Share this page

Fiscal Year 2017 Independent Evaluation of the Smithsonian Institution’s Information Security Program (OIG-A-18-10, September 21, 2018)

What OIG Did

The Office of the Inspector General contracted with Williams Adley to conduct this audit. The objective of the audit was to evaluate the effectiveness of the Smithsonian’s information security program in fiscal year 2017.


The Department of Homeland Security and the Office of Management and Budget publish metrics each year to assist inspectors general in their annual information security program assessments under the Federal Information Security Modernization Act. The metrics rank the maturity level of five cybersecurity functions on a scale of 1 to 5.

As an entity progresses in maturity, it moves from an informal ad-hoc (level 1) state to formally documented policies and procedures (level 2) that are consistently implemented (level 3), managed through quantitative or qualitative measurement (level 4), and finally optimized based on mission needs (level 5). When an entity achieves level 4 in the majority of the five cybersecurity functions, its information security program is considered effective overall.

What Was Found

For fiscal year 2017, Williams, Adley & Company - DC, LLP (Williams Adley) found that the Smithsonian Institution (Smithsonian) made improvements to its information security program. Significant improvements included updating the specialized security training program; adopting and beginning to implement a security information and event management tool; and adopting a governance, risk, and compliance tool to assist in security assessment and authorization.

However, the Smithsonian did not achieve the minimum maturity level defined by the Department of Homeland Security to be considered fully effective in fiscal year 2017. Williams Adley determined that the Smithsonian made progress in maturing its cybersecurity functions. For example, the Detect and Respond functions progressed from level 1: ad-hoc in fiscal year 2016 to level 2: defined in fiscal year 2017. While the Smithsonian has made considerable efforts to define policies and procedures for its program, additional work is needed to consistently implement them.

Williams Adley found that the maturity of the Smithsonian’s information security program was hampered by an incomplete inventory of information systems, including related hardware and software components, and an information security architecture that was only partially defined. In addition, the Office of the Chief Information Officer had not yet defined an entity-wide disaster recovery plan based on a business impact analysis and had outdated guidance for configuration management and contingency planning. Further, Williams Adley found that, for the two information systems reviewed, there was minimal documentation in place to formalize their security practices.

What Was Recommended

Williams Adley made nine recommendations to enhance information security at the Smithsonian; management concurred with seven and partially concurred with two. For the partially concurred recommendations, management agreed with the key aspects of the recommendation and provided an explanation for an alternative implementation.

Download Adobe Reader for PDF files at