U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Independent Evaluation of the DNFSB’S Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued
Report Number
Report Type
Inspection / Evaluation
Joint Report
Agency Wide
No (location specific)
Questioned Costs
Funds for Better Use


Update the ISA and use the updated ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Using the results of recommendations one above:
a. Utilizing guidance from the National Institute of Standards in Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security to establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization;
c. Implement formal procedures for prioritizing and tracking POA&Ms to remediate vulnerabilities.

Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:
a. Defining a frequency for conducting Risk Assessments to periodically assess agency risks to integrate results of the assessment to improve upon mission and business processes.

Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:
a. How supply chain risks are to be managed across the agency;
b. How monitoring of external providers compliance with defined cybersecurity and supply chain requirements;
c. How counterfeit components are prevented from entering the DNFSB supply chain.

Conduct remedial training to re-enforce requirements for documenting security impact assessments for changes to the DNFSB’s system in accordance with the agency’s Configuration Management Plan.