upgrade and enhancement costs across Legislative Branch agencies. LOC currently hosts the financial systems of several other Legislative Branch agencies including the Congressional Budget Office, U.S. Capitol Police and the Office of Compliance. It is tentatively expected that FMS and ICS will be fully migrated to the LBSSC environment by early FY 2016.

Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) requires each Executive Branch agency to develop, document and implement an agency-wide program to provide information security for the information and information systems that support the agency’s operations and assets. AOC, as a Legislative Branch agency, is not required to comply with FISMA but, nonetheless, strives to comply with FISMA principles. AOC references sources such as the U.S. Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) and the National Institute of Standards and Technology (NIST) Special Publications for guidance on its Information System Security program. AOC uses this guidance to create and maintain a risk-based Information Security program.

In FY 2014, AOC with support from an independent third party, started the reaccreditation of all AOC information systems, previously completed in FY 2013. This effort evaluates the information security controls for AOC systems consistent with AOC policies. Improvements to AOC’s continuous monitoring strategy, started in 2013, is based on NIST Special Publication (SP) 800-53.

In FY 2014, AOC improved its information systems security posture by placing a strong emphasis on computer security awareness and training, enforcing procedures and processes for detecting, reporting and responding to security incidents, vulnerability scanning and remediation, patch compliance and continuous monitoring. In particular, AOC achieved 99 percent compliance with security aware- ness training. Also, AOC monitored the incident response program utilizing internal procedures in conjunction with managed security monitoring and management of its enterprise infrastructure provided by the Managed Security Event and Information Management (SEIM) enterprise security services. The Managed SEIM helps protect AOC against external and internal threats, provides immediate assessment and response to security incidents and adheres to regulatory requirements for log auditing, security and compliance reporting.

AOC’s Information Systems and AOC Information System Security programs are evaluated each year through independent assessments and multiple audits. Through these activities AOC improves information system documentation, policies and procedures and mitigates information security risks and weaknesses.

Improper Payments Information Act

Please refer to Section IV: Other Information of this report for a brief summary of the Improper Payments Information Act and its applicability to AOC.

SERVE • PRESERVE • INSPIRE

Jenna Lemons 

Scheduler, Visitor Services Division, U.S. Capitol Visitor Center

Jenna Lemons joined the Capitol Visitor Center (CVC) in January 2014 and has consistently provided “Extraordinary Services” for her colleagues to ensure that the daily schedules of more than 100 frontline employees, including all Visitor Guides and Visitor Assistants, are completed in a timely manner. Ms. Lemons produces schedules that incorporate the myriad demands on the Visitor Services staff, including staffing for special events and special tours. Ms. Lemons accommodates approved employee requests for leave, training, participation in special programs, service on committees or goal teams, and other scheduling requests while never compromising CVC operational efficiency.