U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Independent Evaluation of DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 For Fiscal Year 2019

Report Information

Date Issued
Report Number
DNFSB-20-A-05
Report Type
Inspection / Evaluation
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

Define an ISA in accordance with the Federal Enterprise Architecture Framework.

Use the fully defined ISA to:
a. Assess enterprise, business process, and information system level risk.
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decision.
c. Conduct an organization wide security and privacy risk assessment.
d. Conduct a supply chain risk assessment.

Using the results of recommendations one (1) and two (2) :
a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components; Cybersecurity Team exports metrics and vulnerability reports and sends them to the CISO and CIO’s Office monthly for review. Develop a centralized dashboard that Cybersecurity Team and the CISO can populate for real-time assessments of compliance and security policies.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.

Finalize the implementation of a centralized automated
solution for monitoring authorized and unauthorized software
and hardware connected to the agency’s network in near
real time. Continue ongoing efforts to apply the Track-It!
ForeScout and KACE solutions.

Management should re-enforce requirements for performing DNFSBs change control procedures in accordance with the agency’s Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.