Finding 49860 (2022-003)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2022-12-15

AI Summary

  • Core Issue: The Institute has not completed a required risk assessment under the Gramm-Leach-Bliley Act, leading to noncompliance with federal regulations.
  • Impacted Requirements: The lack of a risk assessment affects the security, confidentiality, and integrity of customer information, as outlined in 16 CFR 314.4.
  • Recommended Follow-up: Management should finalize the ongoing risk assessment by December 2022 and implement necessary safeguards to address identified risks.

Finding Text

2022-003 - Special Tests and Provisions - Gramm-Leach-Bliley Act, Significant Deficiency and Instance of Noncompliance

Federal Assistance Listing Number(s): Multiple
Federal Agency/Pass-through Entity - Program Name: Student Financial Assistance Cluster
Award Number: Multiple
Award Year: Multiple
Questioned Costs: Multiple

Criteria: Per 16 CFR 314.4, the Institute shall base an information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. The risk assessment shall be written and shall include:
(i) Criteria for the evaluation and categorization of identified security risks or threats faced;
(ii) Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and
(iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

Condition/Context: Per the Gramm-Leach-Bliley Act, the Institute has not completed a risk assessment as required.

Cause: The Institute has not completed a risk assessment as required.

Effect: Noncompliance with federal regulations.

Questioned Costs: Unknown

Repeat Finding: This is not a repeat finding.

Recommendation: Management should complete a risk assessment to determine the organizational risks and design and implement safeguards to control identified risks.

Views of Responsible Officials and Planned Corrective Actions: A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the fiscal year 2021 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps.

Responsible Person: Director of Information Technology and Communications

Corrective Action Plan

A risk assessment is currently in process, which will provide a holistic plan that includes Gramm-Leach-Bliley Act requirements. This assessment is scheduled for completion by December 2022, as committed in the FY21 audit response. It is currently on track for that completion date. Once the assessment is completed, a technical suitability evaluation will be conducted to provide the most appropriate technical solutions to meet the overall needs based on the assessment findings/determinations. This will address the current deficiencies and control gaps.

Categories

Subrecipient Monitoring Special Tests & Provisions Significant Deficiency

Other Findings in this Audit

  • 49861 2022-003
    Significant Deficiency
  • 49862 2022-003
    Significant Deficiency
  • 49863 2022-003
    Significant Deficiency
  • 49864 2022-003
    Significant Deficiency
  • 49865 2022-003
    Significant Deficiency
  • 49866 2022-003
    Significant Deficiency
  • 626302 2022-003
    Significant Deficiency
  • 626303 2022-003
    Significant Deficiency
  • 626304 2022-003
    Significant Deficiency
  • 626305 2022-003
    Significant Deficiency
  • 626306 2022-003
    Significant Deficiency
  • 626307 2022-003
    Significant Deficiency
  • 626308 2022-003
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.063 Federal Pell Grant Program $2.01M
84.425E Covid-19 - Education Stabilization Fund $1.87M
12.910 Research and Technology Development $1.39M
12.800 Air Force Defense Research Sciences Program $1.19M
12.615 Research and Technical Assistance $1.10M
84.038 Perkins Loan $944,321
15.945 Cooperative Research and Training Programs - Resources of the National Park System $664,153
84.425F Covid-19 - Education Stabilization Fund $606,386
84.031 Higher Education_Institutional Aid $549,788
15.944 Natural Resource Stewardship $498,777
93.262 Occupational Safety and Health Program $441,067
84.425L Covid-19 - Education Stabilization Fund $359,602
81.123 National Nuclear Security Administration (NNSA) Minority Serving Institutions (MSI) Program $352,913
15.810 National Cooperative Geologic Mapping Program $343,484
81.049 Office of Science Financial Assistance Program $317,335
84.047 TRIO_Upward Bound $313,668
12.617 Economic Adjustment Assistance for State Governments $301,370
84.007 Federal Supplemental Educational Opportunity Grants $288,971
12.300 Basic and Applied Scientific Research $154,304
81.089 Fossil Energy Research and Development $154,114
84.268 Federal Direct Student Loans $143,924
15.808 U.S. Geological Survey_ Research and Data Collection $143,262
47.074 Biological Sciences $136,921
84.033 Federal Work-Study Program $114,832
17.600 Mine Health and Safety Grants $101,562
10.310 Agriculture and Food Research Initiative (AFRI) $96,687
15.560 Secure Water Act - Research Agreements $86,940
47.070 Computer and Information Science and Engineering $70,185
97.036 Disaster Grants - Public Assistance (Presidentially Declared Disasters) $69,385
15.814 National Geological and Geophysical Data Preservation Program $62,794
47.076 Education and Human Resources $44,997
15.237 Rangeland Resource Management $44,730
81.RD Unknown $38,504
17.502 Occupational Safety and Health_Susan Harwood Training Grants $35,084
47.049 Mathematical and Physical Sciences $32,737
47.050 Geosciences $28,200
47.078 Polar Programs $23,368
15.225 Recreation Resource Management $23,075
43.001 Science $20,112
43.012 Space Technology $19,783
12.630 Basic, Applied, and Advanced Research in Science and Engineering $18,008
43.RD Unknown $17,716
47.083 Integrative Activities $16,622
15.980 National Ground-Water Monitoring Network $15,762
12.351 Basic Scientific Research - Combating Weapons of Mass Destruction $13,799
15.805 Assistance to State Water Resources Research Institutes $13,552
47.041 Engineering $13,221
43.008 Education $8,661
15.506 Water Desalination Research and Development Program $8,065
12.431 Basic Scientific Research $7,928
59.075 Covid-19 - Shuttered Venue Operators Grant Program $7,691
93.859 Biomedical Research and Research Training $6,662
16.560 National Institute of Justice Research, Evaluation, and Development Project Grants $5,008
97.042 Emergency Management Performance Grants $4,612
97.005 State and Local Homeland Security National Training Program $1,252
20.109 Air Transportation Centers of Excellence $-595