The Office of Inspector General classifies certain recommendations for corrective action to the Agency as significant. The definition used for significant includes those recommendations that have wide programmatic impact or where the implementation would result in a significant financial impact.
Identify the participants of the CPSC Risk Executive Council and define specific tasks/milestones for implementing the proposed Risk Management Framework.
Develop an Enterprise Architecture that includes a comprehensive IT security architecture using the CIO Council's guidance and incorporate this into the Security Control Documents.
Management updates, develops, and publishes general access control and logical access control policies and procedures for all systems that permit access to PII.
Provide training or document training completion by individual system owners on establishing, implementing, and maintaining logical access policies and procedures for systems that contain PII.
Develop, document, and maintain a software inventory including license management policies and procedures.
Comply with and enforce HSPD-12 multifactor authentication supported by the Personal Identity Verification Card.
Develop and implement a telework policy that is compliant with current Federal laws, regulations, and OPM best practices where appropriate.
Align agency practice and telework policy regarding employee participation and position eligibility.
Develop and implement an effective OEP team training program with drills and exercises to include all team members at least annually.
Develop and implement procedures to address the needs of individuals requiring additional assistance. These procedures should include a process to routinely update the list of persons requiring assistance.
Develop and implement facility-specific policies and procedures.
Ensure directives are updated to align with the current directives system policies and procedures as well as reflect the current CPSC organizational structure and operations.
Upon a justifiable determination of the PMS system categorization, design, implement, and assess the PMS security controls and formally authorize PMS to operate in accordance with CPSC organizational security policies and procedures as well as other applicable government standards.
Upon a justifiable determination of PMS’s system categorization, design and implement standard procedures for requesting and approving user access to roles and resources in PMS.
Reconvene the BRT to assess the full extent of the breach, and base its response on the totality of the breach.
Develop and document a comprehensive crisis communication plan. This plan should include a process to ensure that there is an authoritative source for data related to any incident.
The CPSC should publish the resulting comprehensive crisis communication plan after any update.
Review all available data and establish an accurate identification of all data inadvertently released, internally and externally, from 2010 to 2019.
Obtain an independent review of a sample of Clearinghouse responses prior to 2010 to determine the need for an expanded scope of the review.
Establish policies and procedures to ensure that when the agency reports data related to a data breach or other violation of law or regulation, the reported data has been independently verified by a person outside of the responsible organization.
Establish a process for communicating and enforcing the implementation of recommendations previously agreed to by management, as required by law.
Implement a single data extraction tool to allow maximum functionality in searching multiple product codes while adequately blocking protected data from release. This tool should default to block ALL fields which may contain 6(b) information and PII data. This data tool must contain a standardized data dictionary to limit placement of restricted information to identified fields.
Limit access to the underlying database and the data extraction tool to those with a bona fide need for access.
Require additional training for Clearinghouse supervisory staff, up to and including the AED for EPHA, on effective review of Clearinghouse staff output.
Annually update and require refresher training for Clearinghouse supervisory staff, up to and including the AED for EPHA, on the effective review of Clearinghouse staff output.
Develop, implement, and require training for all Clearinghouse staff, up to and including the AED for EPHA, on a tracking system to monitor Clearinghouse receipt and fulfillment of all Clearinghouse data requests.
Use the data from the tracking system to develop and publish annual statistics related to the work of the Clearinghouse.
Require initial and annual refresher training for all staff on the importance of protecting 6(b) information and PII, including the rights of individuals and businesses, and how to recognize 6(b) information and PII in documents and how to securely handle this information.
Enforce Principle of Least Privilege and limit access to data on the P-drive to individuals with a bona fide “need to know.”
Determine, document, and implement a structure for the Clearinghouse.
Design, document, and implement control activities to respond to the results of the completed risk assessment process.
Develop and implement written guidance on the importance of the statements of assurance process and the related documentation requirements.
Consider disciplinary action for the supervisors who did not accurately report the status of internal controls in the statements of assurance they produced. Document the results of the disciplinary review, to include the analysis supporting any decision to not perform disciplinary action.
Obtain a written opinion from Office of General Counsel staff on the appropriateness of using VGB Act grant funds to pay for swimming lessons, whether such use violated the Purpose Act and, if a violation of the Purpose Act occurred, whether or not this violation constitutes an Anti-Deficiency Act violation.
Report to the OIG as to whether an Anti-Deficiency Act violation occurred.
Stop incurring costs on behalf of other Federal agencies in support of the NEISS program based upon a legal determination as recommended in Finding 1, if applicable.
Develop and implement an effective process to ensure that estimated costs identified in Interagency Agreements are properly supported and representative of “the actual costs of goods or services provided.”
Develop a data governance framework to ensure that data is managed appropriately and in accordance with programmatic and regulatory requirements.
Strengthen their quality control review over the Excel-based leasehold improvements and ADP software schedules.
Consider transitioning from an Excel-based schedule to another software/platform, or enhance Excel capabilities, such as adding formulas to calculate the number of months in service, locking formulas to avoid overriding them with incorrect data input, and restricting cells to limit data input as required to help prevent errors.
Update and implement EXRM directives, policies, and procedures regarding position designation to reflect current EXRM operations and address current OPM policies and guidelines.
Develop and maintain an accessible database with all information required to effectively manage the position designation and suitability program. At a minimum, this system should contain the name of the employee or contractor, position number and title, position designation, tier of background investigation completed, entry-on-duty date, date the background investigation was requested, date the background investigation was completed, whether it was an initial investigation or reinvestigation, whether reciprocity was applied, and reinvestigation due date.
Establish a process to include Office of Human Resources Management during the drafting of the statement of work to determine the appropriate investigative tier for contractors prior to when the request for quotes is released to potential vendors.
Develop a formal documented process (directive or standard operating procedure) for onboarding contractors.
Provide guidance identifying programs and/or activities as a part of its internal guidance and in accordance with achieving its mission requirements.
Align programs and/or activities with applicable reporting requirements.
Report programs and/or activities in accordance with applicable Federal criteria.
Provide training to CPSC program managers on how to develop and implement a formal internal controls program in accordance with Standards for Internal Control in the Federal Government, OMB Circular A-123, and CPSC policies and procedures.
Develop a formal internal controls program over operations for CPSC programs.
Evaluate staffing needs within the Office of Financial Management, Planning and Evaluation to support internal controls and FMFIA reporting requirements.
Establish formal lines of communication between the Office of Financial Management, Planning and Evaluation and CPSC program management for the purpose of assessing and monitoring internal control programs and compliance with FMFIA requirements.
Develop and implement a process to maintain an up-to-date and complete information system inventory (Risk Management i).
Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network (Risk Management ii/iii).
Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network (Risk Management ii/iii).
Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (Risk Management iv/v/vi).
Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (Risk Management iv/v/vi).
Develop and implement an Enterprise Risk Management (ERM) program based on the National Institute of Standards and Technology and ERM Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (Risk Management iv/v/vi).
Develop and implement an information security architecture that supports the Enterprise Architecture (Risk Management vii).
Develop an Enterprise Architecture to be integrated into the risk management process (Risk Management vii).
Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).
Integrate the management of secure configurations into the organizational Configuration Management process (Configuration Management v).
Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).
Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).
Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).
Enforce Personnel Identity Verification card usage for authenticating to all CPSC systems (Identity and Access Management vi).
Identify and document potentially incompatible duties permitted by privileged accounts (Identity and Access Management vii).
Document and implement a process to restrict the use of privileged accounts and services when performing non-privileged activities (Identity and Access Management vii).
Fully deploy the CPSC’s privileged access management solution (Identity and Access Management vii).
Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (Identity and Access Management vii).
Develop and implement data encryption policies and procedures (Data Protection and Privacy ii).
Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training (Data Protection and Privacy iii).
Implement Information Security Continuous Monitoring procedures, including those procedures related to the monitoring of performance measures and metrics, that support the Information Security Continuous Monitoring program (Information Security Continuous Monitoring ii) (2021 recommendation).
Update and implement the CPSC Framework Implementation Action Plan.