In response to the Federal Information Security Management Act of 2002 (FISMA), OIG performed an independent review and evaluation of the information security program of BBG. Replacing the Government Information Security Reform Act, FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of controls over IT resources that support federal operations and assets and a mechanism for improved oversight of federal agency information security programs. Also, OMB implementation guidance for FISMA requires OIGs to assess development, implementation, and management of the agency-wide plan of action and milestones process and to focus on performance measures. The specific objectives of OIG’s review were to assess BBG’s progress in developing its computer security program and implementing the requirements of the law.

To fulfill the review objectives, OIG met with BBG officials from IBB, Voice of America (VOA), Office of Cuba Broadcasting, and four overseas transmitting stations in Germany. OIG did not conduct a detailed review of BBG’s grantee organizations, RFE/RL and RFA, but did hold meetings and gathered relevant documentation to assess each organization’s strategic approach to handling IT information security. Both grantees are private, nonprofit organizations that own and operate their own IT systems.

OIG’s evaluation of BBG’s information security program concluded that BBG has made limited progress in the past year and much more needs to be done to comply with FISMA. BBG has developed a comprehensive system security plan for the IBB Office of Computing Services; performed program-level self-assessments; and documented the results of the self-assessments in quarterly reporting to OMB of the agency’s plan of action and milestones process. The first three FY 2003 quarterly reports to OMB identified 220 information security weaknesses, of which 136 had been corrected. In addition, BBG hired a contractor to assist BBG’s Office of Computing Services to meet FISMA requirements. However, despite this progress, several key areas of information security still require management attention. BBG concurred with the five recommendations included in OIG’s FISMA evaluation report and will be taking actions to ensure their implementation.