FISMA Quarterly Reporting Update - FY 2020 Quarter 3

Speeches Shim


In Quarter 3 (Q3), the Agency successfully executed Phase 1 of the Centers for Disease Control and Prevention (CDC) Coronavirus Disease 2019 (COVID-19) guidelines for the USAID workforce. M/CIO proactively addressed these teleworking challenges while continuing to meet its programming mission. In addition to these activities, USAID’s Office of the Inspector General (OIG), Information Technology (IT) Audit Division is conducting two simultaneous audits on (a) the Federal Information Security Modernization Act (FISMA) Information Security Program and (b) the IT Privacy Program. At the same time, USAID is undergoing a U.S. Government Accountability Office (GAO) audit on the Cybersecurity Risk Management Program.

In Q3, M/CIO made progress toward achieving its FISMA goals, as follows:

  • Achieved 10/10 Cross-Agency Priority (CAP) Goals and highest possible rating of “Managing Risk” from the Office of Management and Budget (OMB) for the Agency’s effective use of cybersecurity tools and technologies across the enterprise.
  • Responded to more than 300 requests for FISMA audit information by OIG Field Auditors.
    • Participated actively with OIG auditors to remediate potential findings.
  • Increased Agency-wide education outreach to all workforce members about cybersecurity issues and concerns via weekly Agency Notices, Cyber Awareness Notices, and CyberSecurity Alerts.
    • Since the beginning of the Agency-wide telework period starting March 16, 2020, M/CIO sent out 35 Agency communication notices related to cybersecurity, awareness and training, equipping our workforce with key information to combat cyber attacks.
  • Launched, tracked, and enforced compliance with Annual Cybersecurity and Privacy Training requirements for the workforce.
    • Coordinated with USAID University team to issue annual online training to all USAID workforce members, due June 15, 2020.
    • Tracked training completion.
    • Disabled network access for all non-compliant accounts.

Also in Q3, the Agency received an overall “A” grade on the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 10.0. USAID was one of only two CFO Act Federal agencies out of 24 to achieve this score. This significant milestone highlights the way the Agency manages Information Technology (IT) investment portfolios by reducing duplication and waste and increasing cost savings.


Leading into Quarter 4 (Q4), M/CIO plans to focus on the following task areas:

  • Prepare for the upcoming FISMA Annual Report to Congress in accordance with OMB Memorandum M-20-04.*
    1. M/CIO Quantitative Metrics: Respond to the President's Management Agenda (PMA) through the advanced collection and analysis of Agency FISMA metrics to demonstrate progress toward meeting or surpassing OMB and Department of Homeland Security (DHS) cybersecurity standards.
    2. OIG Quantitative and Qualitative Metrics: Apply the Cyber Security Framework (CSF) to the enterprise environment by conducting ongoing self-assessment against the FISMA maturity levels standards to identify deficiencies and strengths for continuous improvement.
    3. FISMA OIG Audit and Reports:
      • Security: Evaluate implementation and effectiveness of the information security program against the deployed NIST security controls.
      • Privacy: Evaluate current state of the IT Privacy Program against applicable laws, regulations, and USAID policies.
    4. Senior Agency Official for Privacy (SAOP) Quantitative and Qualitative Metrics: Respond to the Agency’s Privacy Program and compliance data to report Agency compliance efforts.
  • Develop M/CIO’s proposed response to the FY19 National Defense Authorization Act (NDAA), Section 889, waiver request process to address the use of prohibited telecommunications and video surveillance equipment.
  • Continue role as key stakeholder, along with the Office of the Chief Financial Officer (M/CFO) and others, in support of the Enterprise Risk Management (ERM) program.
    • The development of the pilot plan is underway and expected to complete final procurement of the Governance, Risk, and Compliance (GRC) tool in Q4.


Friday, August 14, 2020 - 4:30pm