Independent Evaluation of the Board’s Implementation of the Federal Information Security Management Act for Fiscal Year 2014
Perform an annual security control assessment of the General Support System (GSS). Because the Board has not defined a process for selecting which subset of controls is tested each year, OIG recommends that, at a minimum, the following controls be tested for FY 2015:
• Any controls that are new or changed in NIST SP 800-53 Revision 4.
• Any security control enhancements not tested during the 2012 security assessment.
• Any controls impacted by changes to the GSS environment since the security assessment conducted in 2012.
• Any controls associated with the closed Plan of Action and Milestones (POA&M) items.
Update the GSS security authorization documentation (e.g., the System Security Plan, Risk Assessment, and Security Assessment Report) as required.
Reevaluate the risk assigned to the controls impacted by the error in the 2012 GSS risk assessment and update the POA&M as needed.
Update the GSS System Security Plan to document risk.
Develop, document, and implement POA&M management procedures.