
Improvements Are Needed to Ensure That New Information Systems Deploy With Compliant Audit Trails and That Identified Deficiencies Are Timely Corrected

Report Information

Date Issued:
Report Number: 2015-20-088
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Technology Officer should ensure that the ESAT checklist is amended to include an ESAT office signature block to indicate that the project was evaluated for audit trail requirements prior to exiting Milestone 2 and that the checklist is then provided to the Federal Information Security Management Act (FISMA) Certification Program Office as part of the Security Package. New projects related to legacy systems should not be exempt from this control.

The Chief Technology Officer should clarify guidance which specifies that preparing the interface control document is an integral task to sending audit trails to the SAAS. The guidance should include that the interface control document is the responsibility of the system owners and needs to be completed. In addition, the interface control document should be included as a Security Package artifact. If not completed prior to Milestone 4b exit, the interface control document and the SAAS testing/transmission tasks should be included in a system Plan of Action and Milestones as an open deficiency that needs to be addressed.

The Chief Technology Officer should ensure that the Associate Chief Information Officer, Cybersecurity, revises the program-level memorandum to clearly state that the responsibility for audit trail controls reverts to the system owner once the ESAT office has signed (approved) the audit plan.

The Chief Technology Officer should ensure that system owners timely create a Plan of Action and Milestones for all identified information technology security weaknesses, including audit trail deficiencies.

The Chief Technology Officer should ensure that the ESAT office issues an audit notification memorandum for deficiencies identified in previously completed audit plans if the system owner did not get one of the memorandums and there are no Plans of Action and Milestones for the deficiencies.