Effective April 2020, the office of primary responsibility for the remediation and auditability of Information Technology General Controls (ITGC) for financially relevant information systems transitioned from the Assistant Secretary of the Navy Financial Management and Comptroller (ASN FM&C), Office of Financial Management Systems (FMS), to the Department of the Navy, Office of the Chief Information Officer (DON CIO), under the leadership of Mr. Chris Cleary, Chief Information Security Officer (CISO). Throughout the transition, DON CIO continued to drive ITGC remediation while maintaining continuity of support across the Functional Area Managers (FAMs), Senior Accountable Officials (SAOs), system stakeholders, and executive oversight bodies, implementing both system-specific and enterprise-wide solutions, policies and guidance across the DON community.
Strengthening the cybersecurity posture of the DON enterprise remains a focal point. DON CIO is pursuing it by aligning IT audit readiness and remediation with the broader DON Risk Management Framework (RMF), digital transformation, and enterprise-wide modernization efforts and policies. Ongoing efforts to drive short-term risk reduction and build sustainable long-term solutions include the following:
Accelerating IT NFR Remediation Efforts
DON CIO is supporting the remediation of issues identified by the Independent Public Accountant (IPA) and the Managers’ Internal Control Program (MICP) in a manner that aligns with the DON Audit Priorities and the Office of Financial Operations’ (FMO’s) Multi-Year Strategy. DON CIO is assuming both remediation and quality assurance (formerly validation) responsibilities. As part of the transition, direct access to and engagement with the IPA and the Department of Defense Office of the Inspector General (DoDIG) will promote additional efficiencies, streamline Corrective Action Plan (CAP) review procedures, and enable the implementation of accelerators and guidance to expedite closure of Notifications of Findings and Recommendations (NFRs).
Implementing Sustainable Solutions Addressing Enterprise-Wide Material Weaknesses
The overall DON IT environment has grown substantially in scale and complexity, which has contributed to challenges surrounding the DON’s financial, logistics, acquisition and personnel information systems. DON CIO is continuing to enhance current capabilities to address enterprise-wide risks associated with Material Weakness areas and is aligning prioritized support to focus on higher-risk control areas. Leveraging innovative technologies and automated solutions in areas such as Identity, Credential, and Access Management (ICAM), Segregation of Duties (SOD) monitoring, Governance, Risk and Compliance (GRC), configuration management, interface reconciliation, and RMF compliance will help improve the reliability of financial information systems across the enterprise.
Employing Robotic Process Automation (RPA)
In collaboration with the FMS Center of Excellence, DON CIO is supporting future-state process design and the development of prioritized automations as program offices transition from manual activities to automated solutions. This will reduce processing time for each process and free manual hours for other high-value tasks.
Strategic Way Forward
Building on the momentum established through the activities above, DON CIO is continuing to enable the closure of all targeted NFRs and MICP-identified issues, prioritizing those that carry the highest risk, are aligned to enduring systems, and directly support the FM&C audit priorities.
DON CIO understands that audit-focused governance, accountability, and proactive collaboration across the enterprise are essential to improving the department’s cybersecurity and audit readiness posture. A strong system of entity-level controls, founded on the principles of the GAO Green Book, is needed to manage the control environment, risk assessment, control activities, information and communication, and monitoring activities. DON CIO can play a critical role, but this will require DON-wide coordination and execution.
Additionally, the DON must not only address its existing IT auditability challenges, but also be positioned for the future. Enterprise-wide capabilities must be designed and implemented to prevent many of the recently remediated issues from recurring. Those capabilities must be in place not only for existing enduring financial information systems, but also be developed in time to overlay or integrate with newly developed systems.
Neil McNulty is the DON CIO ITGC Audit Lead.
Sajin Mathew is a contractor serving as ITGC Project Lead supporting the DON CIO.