Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021
Report Information
Recommendations
Update the ISA and use the updated ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
1.b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.
Using the results of recommendation one above:
a. Utilizing guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security, establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization;
c. Implement formal procedures for prioritizing and tracking POA&Ms to remediate vulnerabilities.
2.b. A centralized view of risk across the organization will be possible once the agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant.
2.c. DNFSB will update its Risk Management Framework Handbook and its Continuous Monitoring Policies & Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024.
Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:
a. Defining a frequency for conducting Risk Assessments to periodically assess agency risks and integrate the results of the assessment to improve upon mission and business processes.
Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:
a. How supply chain risks are to be managed across the agency;
b. How external providers’ compliance with defined cybersecurity and supply chain requirements is monitored;
c. How counterfeit components are prevented from entering the DNFSB supply chain.
OIG Analysis: During the fieldwork phase of the Audit of the DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years’ outstanding FISMA recommendations. The OIG inspected the SCRM Plan and SCRM Operating Procedures, identifying that the DNFSB has developed policies and procedures that demonstrate supply chain risks are managed across the agency, the compliance of external providers with defined cybersecurity and supply chain requirements is monitored, and counterfeit components are prevented from entering the agency’s supply chain. The agency’s corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.
March 31, 2025: OIG Analysis: The DNFSB did not provide an updated response for this recommendation.
On September 20, 2023, the agency provided the following response:
Supply Chain Risk will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023.
The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit. Status: Open: Resolved.
Conduct remedial training to reinforce requirements for documenting security impact assessments for changes to the DNFSB’s system in accordance with the agency’s Configuration Management Plan.