Audit 42061

FY End: 2022-06-30
Total Expended: $60.37M
Findings: 14
Programs: 56
Year: 2022 Accepted: 2022-12-15
Auditor: Moss Adams LLP

Findings

ID Ref Severity Repeat Requirement
49860 2022-003 Significant Deficiency - N
49861 2022-003 Significant Deficiency - N
49862 2022-003 Significant Deficiency - N
49863 2022-003 Significant Deficiency - N
49864 2022-003 Significant Deficiency - N
49865 2022-003 Significant Deficiency - N
49866 2022-003 Significant Deficiency - N
626302 2022-003 Significant Deficiency - N
626303 2022-003 Significant Deficiency - N
626304 2022-003 Significant Deficiency - N
626305 2022-003 Significant Deficiency - N
626306 2022-003 Significant Deficiency - N
626307 2022-003 Significant Deficiency - N
626308 2022-003 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.063 Federal Pell Grant Program $2.01M Yes 1
84.425E Covid-19 - Education Stabilization Fund $1.87M Yes 0
12.910 Research and Technology Development $1.39M - 0
12.800 Air Force Defense Research Sciences Program $1.19M Yes 0
12.615 Research and Technical Assistance $1.10M Yes 0
84.038 Perkins Loan $944,321 Yes 1
15.945 Cooperative Research and Training Programs - Resources of the National Park System $664,153 - 0
84.425F Covid-19 - Education Stabilization Fund $606,386 Yes 0
84.031 Higher Education_Institutional Aid $549,788 - 0
15.944 Natural Resource Stewardship $498,777 - 0
93.262 Occupational Safety and Health Program $441,067 - 0
84.425L Covid-19 - Education Stabilization Fund $359,602 Yes 0
81.123 National Nuclear Security Administration (NNSA) Minority Serving Institutions (MSI) Program $352,913 - 0
15.810 National Cooperative Geologic Mapping Program $343,484 - 0
81.049 Office of Science Financial Assistance Program $317,335 - 0
84.047 TRIO_Upward Bound $313,668 - 0
12.617 Economic Adjustment Assistance for State Governments $301,370 - 0
84.007 Federal Supplemental Educational Opportunity Grants $288,971 Yes 1
12.300 Basic and Applied Scientific Research $154,304 - 0
81.089 Fossil Energy Research and Development $154,114 - 0
84.268 Federal Direct Student Loans $143,924 Yes 1
15.808 U.S. Geological Survey_ Research and Data Collection $143,262 - 0
47.074 Biological Sciences $136,921 - 0
84.033 Federal Work-Study Program $114,832 Yes 1
17.600 Mine Health and Safety Grants $101,562 - 0
10.310 Agriculture and Food Research Initiative (AFRI) $96,687 - 0
15.560 Secure Water Act - Research Agreements $86,940 - 0
47.070 Computer and Information Science and Engineering $70,185 - 0
97.036 Disaster Grants - Public Assistance (Presidentially Declared Disasters) $69,385 - 0
15.814 National Geological and Geophysical Data Preservation Program $62,794 - 0
47.076 Education and Human Resources $44,997 - 0
15.237 Rangeland Resource Management $44,730 - 0
81.RD Unknown $38,504 - 0
17.502 Occupational Safety and Health_Susan Harwood Training Grants $35,084 - 0
47.049 Mathematical and Physical Sciences $32,737 - 0
47.050 Geosciences $28,200 - 0
47.078 Polar Programs $23,368 - 0
15.225 Recreation Resource Management $23,075 - 0
43.001 Science $20,112 - 0
43.012 Space Technology $19,783 - 0
12.630 Basic, Applied, and Advanced Research in Science and Engineering $18,008 - 0
43.RD Unknown $17,716 - 0
47.083 Integrative Activities $16,622 - 0
15.980 National Ground-Water Monitoring Network $15,762 - 0
12.351 Basic Scientific Research - Combating Weapons of Mass Destruction $13,799 - 0
15.805 Assistance to State Water Resources Research Institutes $13,552 - 0
47.041 Engineering $13,221 - 0
43.008 Education $8,661 - 0
15.506 Water Desalination Research and Development Program $8,065 - 0
12.431 Basic Scientific Research $7,928 - 0
59.075 Covid-19 - Shuttered Venue Operators Grant Program $7,691 - 0
93.859 Biomedical Research and Research Training $6,662 - 0
16.560 National Institute of Justice Research, Evaluation, and Development Project Grants $5,008 - 0
97.042 Emergency Management Performance Grants $4,612 - 0
97.005 State and Local Homeland Security National Training Program $1,252 - 0
20.109 Air Transportation Centers of Excellence $-595 - 0

Contacts

Name Title Type
HZJ2JZUALWN4 Jenny Ma Auditee
5758355958 Lisa Todd Auditor
No contacts on file

Notes to SEFA

Title: Loan/loan guarantee outstanding balances
Accounting Policies: Note 2 - Summary of significant accounting policies: The accompanying Schedule of Expenditures of Federal Awards has been prepared on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles in Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. Amounts related to pass-through grants are classified as private grants and contracts in the accompanying statement of revenues, expenses, and changes in net position.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.
PERKINS LOAN (84.038) - Balances outstanding at the end of the audit period were 721750.

Title: Note 1 - General
Accounting Policies: Note 2 - Summary of significant accounting policies: The accompanying Schedule of Expenditures of Federal Awards has been prepared on the accrual basis of accounting. Such expenditures are recognized following, as applicable, the cost principles in Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. Amounts related to pass-through grants are classified as private grants and contracts in the accompanying statement of revenues, expenses, and changes in net position.
De Minimis Rate Used: N
Rate Explanation: The auditee did not use the de minimis cost rate.
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal grant activity of the Institute under programs of the federal government for the year ended June 30, 2022. The information in this schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the schedule presents only a selected portion of the operations of the Institute, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the Institute. The Institute receives annual Facilities and Administrative Forward Indirect Cost Rates approved by the Office of Naval Research before the beginning of each year.

Finding Details

2022-003 - Special Tests and Provisions - Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance
Federal Assistance Listing Number(s): Multiple
Federal Agency/Pass-through Entity - Program Name: Student Financial Assistance Cluster
Award Number: Multiple
Award Year: Multiple
Questioned Costs: Multiple
Criteria: Per 16 CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required.
Cause: The Institute has not completed a risk assessment as required.
Effect: Noncompliance with federal regulations.
Questioned Costs: Unknown
Repeat Finding: This is not a repeat finding.
Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks.
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps.
Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications
2022-003 ? Special Tests and Provisions ? Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance Federal Assistance Listing Number(s): Multiple Federal Agency/Pass-through Entity ? Program Name: Student Financial Assistance Cluster Award Number: Multiple Award Year: Multiple Questioned Costs: Multiple Criteria: Per 16CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats faced; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required. Cause: The Institute has not completed a risk assessment as required. Effect: Noncompliance with federal regulations. Questioned Costs: Unknown Repeat Finding: This is not a repeat finding. Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks. 
Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps. Responsible Person: Director of Information Technology and Communications