U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Breadcrumb

  1. Home
  2. Reports

Evaluation of the CPSC's FISMA Implementation for FY 2021

Date Issued
Report Number
22-A-01
Report Type
Inspection / Evaluation
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

Develop and implement a process to maintain an up-to-date and complete information system inventory (Risk Management i).

Develop, document, and implement a process for determining and defining system boundaries in accordance with the National Institute of Standards and Technology guidance (Risk Management ii/iii).

Establish and implement policies and procedures to manage software licenses using automated monitoring and expiration notifications (Risk Management ii/iii).

Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network (Risk Management ii/iii).

Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: IT system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media) (Risk Management ii/iii).

Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network (Risk Management ii/iii).

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (Risk Management iv/v/vi).

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (Risk Management iv/v/vi).

Develop and implement an Enterprise Risk Management (ERM) program based on the National Institute of Standards and Technology and ERM Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) lead by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (Risk Management iv/v/vi).

Develop and implement a supply chain risk management plan (Supply Chain Risk Management i).

Develop and implement an information security architecture that supports the Enterprise Architecture. (Risk Management vii).

Develop an Enterprise Architecture to be integrated into the risk management process (Risk Management vii).

Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).

Further define the resource designations for a Change Control Board (Configuration Management i).

Develop and implement a Configuration Management plan to ensure it includes all requisite information (Configuration Management ii/iii).

Develop, implement, and disseminate a set of Configuration Management procedures in accordance with the inherited Configuration Management Policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations (Configuration Management iv/v).

Integrate the management of secure configurations into the organizational Configuration Management process (Configuration Management v).

Consistently implement flaw remediation processes, including the remediation of critical vulnerabilities (Configuration Management vi).

Identify and document the characteristics of items that are to be placed under Configuration Management control (Configuration Management vii).

Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).

Define and document a strategy (including specific milestones) to implement the Federal Identity, Credential, and Access Management architecture (Identity and Access Management i/ii/iii).

Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).

Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).

Define and implement a process to ensure the completion of access agreements for all CPSC users. (Identity and Access Management v).

Enforce Personnel Identity Verification card usage for authenticating to all CPSC systems (Identity and Access Management vi).

Identify and document potentially incompatible duties permitted by privileged accounts (Identity and Access Management vii).

Document and implement a process to restrict the use of privileged accounts and services when performing non-privileged activities (Identity and Access Management vii).

Fully deploy the CPSC’s privileged access management solution (Identity and Access Management vii).

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (Identity and Access Management vii).

Define and implement the identification and authentication policies and procedures (Identity and Access Management ii).

Define and implement processes for provisioning, managing, and reviewing privileged accounts (Identity and Access Management vii) (2021 recommendation).

Document and implement a process for inventorying and securing systems that contain Personally Identifiable Information or other sensitive agency data (e.g., proprietary information) (Data Protection and Privacy i).

Document and implement a process for periodically reviewing for and removing unnecessary Personally Identifiable Information from agency systems (Data Protection and Privacy i).

Develop and implement data encryption policies and procedures (Data Protection and Privacy ii).

Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training (Data Protection and Privacy iii).

Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities (Security Training i).

Document and implement a process for ensuring that all personnel with significant security roles and responsibilities are provided specialized security training to perform assigned duties (Security Training ii/iii) (2021 recommendation).

Develop and tailor security training content for all CPSC personnel with significant security responsibilities and provide this training to the appropriate individuals (Security Training iv/v).

Integrate the established strategy for identifying organizational risk tolerance into the Information Security Continuous Monitoring plan (Information Security Continuous Monitoring i).

Implement Information Security Continuous Monitoring procedures, including those procedures related to the monitoring of performance measures and metrics , that support the Information Security Continuous Monitoring program (Information Security Continuous Monitoring ii) (2021 recommendation).

Implement Information Security Continuous Monitoring procedures for conducting ongoing authorizations and provide authorizations to operate to all major information systems (Information Security Continuous Monitoring iii) (2021 recommendation).

Update and implement the CPSC policy and plan with the latest practices, including Incident Response performance measures and implemented profiling techniques (Incident Response i/ii).

Define and implement a process to ensure the timely resolution of incidents. For example, establish routine status reviews for tracking incident response activities to completeness (Incident Response iii).

Develop and document a robust and formal approach to contingency planning for agency systems and processes using the appropriate guidance (e.g., National Institute of Standards and Technology (NIST) Special Publications 800-34/53, Federal Continuity Directive 1, NIST Cybersecurity Framework, and National Archive and Records Administration guidance) (Contingency Planning i).

Develop, document, and distribute all required Contingency Planning documents (e.g.. organization-wide Continuity of Operation Plan and Business Impact Assessment, Disaster Recovery Plan, Business Continuity Plans, and Information System Contingency Plans) in accordance with appropriate federal and best practice guidance (Contingency Planning ii/iv).

Integrate documented contingency plans with the other relevant agency planning areas (Contingency Planning iii).

Test the set of documented contingency plans (Contingency Planning iv).