Independent Evaluation of the Board’s Implementation of the Federal Information Security Management Act for fiscal Year 2014
Report Information
Recommendations
Update the POA&M to include all known vulnerabilities and actual completion dates for the completed POA&M activities.
Develop, document, and implement procedures for performing oversight of systems operated by contractors and other Federal agencies.
As a best practice, for federally operated systems, in addition to obtaining ATOs for those systems, also request confirmation of annual contingency plan testing and annual security control testing for those systems.
Develop a plan and schedule for authorizing contractor-operated systems, including cloud-based systems, in accordance with FISMA, the NIST RMF, and FedRAMP.