Board Report: March 30, 2012
Consistent with the requirements of the Federal Information Security Management Act (FISMA), we conducted a security control review of the Federal Reserve System’s National Remote Access Services (NRAS). The Board and the 12 Federal Reserve Banks use NRAS to remotely access Board and Federal Reserve Bank information systems.
Our audit objective was to evaluate how effectively selected security controls and techniques ensure that the Board’s remote access program is generally compliant with FISMA requirements. To accomplish this objective, we used a control assessment review program based on the security controls defined in National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems. Special Publication 800-53 provides a baseline of managerial, operational, and technical security controls for organizations to use in protecting their information systems.
Overall, our review found that the Federal Reserve’s remote access system is technically and operationally sound, and the Board has developed an adequate process to administer the token keys for Board personnel. However, we identified opportunities to strengthen information security controls to help ensure that the Federal Reserve’s remote access system meets FISMA requirements. In comments on a draft of our report, the Director of the Division of Information Technology generally agreed with our recommendations and outlined corrective actions. We will follow up on the implementation of these recommendations as part of our future FISMA-related audit activities. Given the sensitivity of information security review work, our reports in this area are generally restricted.