Concurrent with audit work performed pursuant to the requirements of the Federal Information Security Act, we conducted an evaluation that focused on the Board’s C&A reviews of the National Examination Database (NED) to help us gain a perspective on the evolving C&A process.  Our objective was to assess the Board’s progress as it conducted C&A reviews in accordance with guidance issued by the National Institute of Standards and Technology and the Board.  The evaluation focused on the depth, scope, and completeness of the C&A reviews performed and the sufficiency of information that the NED system owner and authorizing official had available to make their accreditation decision.

As noted in a management letter to the Director of Information Technology, our NED evaluation observations were consistent with our 2008 information security program audit report’s conclusion that security assessments, performed as part of the C&A process, need to be strengthened to include sufficient independent testing to provide system owners with assurance that information security controls are effectively implemented and operating as intended.