Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020
Report Information
Recommendations
Define an ISA in accordance with the Federal Enterprise Architecture Framework.
OIG Analysis: The OIG confirmed that the agency has defined an ISA in accordance with the Federal Enterprise Architecture Framework. Hence, this recommendation is now closed.<br />
<br />
Status: Open: Resolved. DNFSB has completed development of our Zero Trust Implementation Plan and is actively working towards its implementation. This plan is the equivalent of an Information Security Architecture. Based on actions already taken, DNFSB’s position is that this Recommendation needs to be closed
Use the fully defined ISA to: a. Assess enterprise, business process, and information system level risks;b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;c. Conduct an organization wide security and privacy risk assessment; and,d. Conduct a supply chain risk assessment.
On September 20, 2023, the agency provided the following response:<br />
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.<br />
b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.<br />
The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for Recommendation 2c <br />
and 2d. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address<br />
Recommendation 2 during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.<br />
<br />
Status: Open: Resolved. 2.a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.<br />
2.b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management make more informed risk management decisions. No target date for all four parts.<br />
2.c. DNFSB will conduct an organization wide security and privacy risk assessment once the ERM program has been established.<br />
2.d. DNFSB will conduct a supply chain risk assessment in Q2 FY2024.<br />
Using the results of recommendations one (1) and two (2)above:a. Collaborate with the DNFSB’s Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;b. Utilize guidance from the National Institute of Standards in Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;c. Implement a centralized view of risk across the organization; and,d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and a process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.<br />
b. DNFSB will review existing policies & procedures against the recommendation in NIST SP-800 55 Rev.2 and make any updates by Q2 FY 2024.<br />
d. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies &<br />
Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024. The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for Recommendation 3a and 3c. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address Recommendation 3a through 3d during its FY25 FISMA audit.<br />
<br />
Status: Open: Resolved. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.<br />
3.a. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.<br />
3.b. DNFSB will review existing policies & procedures against the recommendations in NIST SP-800 55 Rev.2 and make any updates by Q2 FY2024.<br />
3.c. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.<br />
3.d. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies & Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY2024.<br />
Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency’s network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.
Based on actions already taken, DNFSB’s position is that this Recommendation needs to be closed.<br />
Conduct remedial training to re-enforce requirements for documenting CCB’s approvals and security impact assessments for changes to the DNFSB’s system in accordance with the agency’s Configuration Management Plan.