
Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Report Information

Date Issued
Report Number: DNFSB-21-A-04
Report Type: Inspection / Evaluation
Joint Report: No
Agency Wide: No (location specific)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

1. Define an ISA in accordance with the Federal Enterprise Architecture Framework.

2. Use the fully defined ISA to:

a. Assess enterprise, business process, and information system level risks;

b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;

c. Conduct an organization-wide security and privacy risk assessment; and,

d. Conduct a supply chain risk assessment.

3. Using the results of recommendations one (1) and two (2) above:

a. Collaborate with the DNFSB’s Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;

b. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;

c. Implement a centralized view of risk across the organization; and,

d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.