The Smithsonian Institution (SI) made some progress in its Fiscal Year 2018 FISMA (Federal Information Security Modernization Act) audit, but still sat at around a Level 2 on the FISMA scale, according to a report released September 23 by the Smithsonian Office of Inspector General.
The audit found improvement for the institution in the Identify and Recover functions of the NIST Cybersecurity Framework, rising from Level 1 in FY2017 to Level 2 in FY2018. However, SI fell well short of the Level 4 needed to be considered an effective information security program.
On the positive side, the report says the Smithsonian was developing a new security architecture during the audit, implementing a continuous monitoring strategy, and updating policies to address gaps. SI also made progress in contingency planning, user training, and using cloud services for recovery. The audit made several mentions of SI’s improvements and ongoing efforts to improve information security. However, many of the improvements were not completed by the end of FY2018 and therefore fell outside the audit’s scope.
One of the main issues the audit found was a lack of system authorizations.
“[The auditor] found that the Smithsonian’s information security program was hampered because many of the information systems had not yet been reauthorized for use through a revised security review process,” the report states.
While the Smithsonian had implemented an automated Governance, Risk, and Compliance (GRC) tool, not all systems had been assessed and entered into the tool, including six of the seven sampled systems. The review also found gaps in multi-factor authentication, separation testing, privacy analyses, and the incident response program.
The audit made nine recommendations to SI’s CIO, five of which had already been completed, while the remaining four had plans and timelines in place.