FY26 FISMA Audit
- Est. solicitation
- —
- Date posted
- —
- Source
- Open forecast
Description
The Federal Information Security Management Act of 2002 (FISMA), as amended in 2014, requires agencies to develop, implement, and document department-wide information security programs. FISMA requires each federal agency to perform an annual independent evaluation of the information security program and practices of the agency to determine the effectiveness of such programs and practices and report the results to the Office of Management and Budget (OMB). For each agency with an Inspector General (IG) appointed under the Inspector General Act of 1978, the annual evaluation must be performed by the IG or by an independent external auditor, as determined by the IG of the agency. GSA OIG has elected to have the annual evaluation performed by an independent external auditor. OMB requires inspectors general to assess metrics in 6 security function areas: Govern, Identify, Protect, Detect, Respond, and Recover to determine the effectiveness of their agencies’ information security programs and the maturity level of each function area. OMB has five defined maturity levels from lowest to highest: Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, and Optimized. Consistent with FISMA and OMB requirements, the objective of the audit is to determine the effectiveness of GSA’s information security program and practices for a specified period each year. Specifically, the Contractor will assess GSA’s performance in the six security function areas. Under the general direction of the U.S. General Services Administration (GSA) Office of Inspector General (OIG), Office of Audits, the Contractor will perform an audit of GSA’s information security program and practices to determine the effectiveness of such program and practices pursuant to the Federal Information Security Modernization Act of 2014 (FISMA). The audit must be conducted in accordance with the Government Accountability Office Government Auditing Standards (GAGAS), the OMB Guidance on Federal Information Security and Privacy Management Requirements, and the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).
Planning details
- Estimated value
- $1M - $1.9M
- Contract type
- Firm Fixed Price
Classifications
- NAICS541211
- PSC541211