Independent Evaluation of the DNFSB’S Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Status: Open: Resolved. 1.a. A centralized view of risk across the organization will be possible once the agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant. <br />
1.b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.<br />

Status: Open: Resolved. 2.a. DNFSB will review existing policies &amp; procedures against the recommendations in NIST SP-800 55 Rev.2 and make any updates by Q2 FY 2024. <br />
2.b. A centralized view of risk across the organization will be possible once the agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant. 2.c. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies &amp; Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024.<br />

Status: Open: Resolved. DNFSB published the Risk Assessment Policy in January 2023, which included defined frequencies for risk assessments and integrating those results into mission and business processes. As part of the external security assessment of the GSS, a risk assessment and control assessment were performed by an external auditor. DNFSB completed an external security assessment in June of 2023 and issued an updated ATO for the DNFSB GSS in July 2023. Based on actions already taken, DNFSB’s position is that this recommendation needs to be closed.

Agency Response Dated June 2, 2025: DNFSB has developed policies and procedures that demonstrate supply chain risks are managed across the agency, monitoring the compliance of external providers with defined cybersecurity and supply chain requirements, and counterfeit components are prevented from entering the agency’s supply chain. DNFSB identified completion and approval of its SCRM Plan and SCRM Operating Procedure, on March 21, 2025, and May 1, 2025, respectively. Key supporting documentation was provided to the Auditor. DNFSB request closure of this recommendation, based on the status update and documentation provided.<br />
OIG Analysis: During the fieldwork phase of the Audit of the DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years’ outstanding FISMA recommendations. The OIG inspected the SCRM Plan and SCRM Operating procedures identifying that the DNFSB has developed policies and procedures that demonstrate supply chain risks are managed across the agency, monitoring the compliance of external providers with defined cybersecurity and supply chain requirements, and counterfeit components are prevented from entering the agency’s supply chain. The agency’s corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.<br />
<br />
March 31, 2025: OIG Analysis: The DNFSB did not provide an updated response for this recommendation.<br />
On September 20, 2023, the agency provided the following response:<br />
Supply Chain Risk will be addressed in an upcoming<br />
Supply Chain Risk Management Program Operating<br />
Procedure. The estimated completion is Q4 FY 2023.<br />
The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit. Status: Open: Resolved. <br />
<br />
Supply Chain Risk will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023.