Federal agencies are required to meet a common set of federal information security standards. A recent audit found that the Thrift Savings Plan (TSP), the federal government's 401(k)-style retirement program, recorded the lowest possible score for compliance with those standards.
The TSP is administered by the Federal Retirement Thrift Investment Board (FRTIB), whose information security program was examined by auditors from Williams Adley. The Federal Information Security Modernization Act (FISMA) requires every federal agency to maintain an information security program that meets the standards in full, and it is for this reason that each agency's program is subject to an independent audit.
In 2017, the TSP scored Level 1 on the five-level scale used in the inspector general (IG) reporting metrics. The FRTIB had drafted a large number of policies and measures intended to strengthen cybersecurity and upgrade its IT infrastructure, but the auditors found that most of those policies had not yet been implemented.
For a federal information security program to be considered effective, it must reach at least Level 4. An agency reaches Level 4 only once it collects qualitative and quantitative measures of how well its strategy, procedures, and policies are working, uses those measures to assess the program, and makes whatever changes the results show to be necessary.
In their final report, the auditors stated that the FRTIB did not have an organization-wide information security program that met the standards for implementation and effectiveness. The program was assessed against all seven IG FISMA metric domains, and the auditors found control deficiencies across people, process, and technology.
Defending the poor result, FRTIB officials argued that a policy must be in operation for at least one full fiscal year before it can raise the organization's FISMA score. They maintained that the 2017 audit should not have taken into account policies introduced after September 30, 2016.
In other words, the officials claimed that the score could not reflect the changes they had made because those changes had not been in effect for the entire fiscal year. The auditors, for their part, concluded that the TSP's policies were "ad hoc," inadequately defined, and reactive.