Independent Evaluation of DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 For Fiscal Year 2019
Define an ISA in accordance with the Federal Enterprise Architecture Framework.
Use the fully defined ISA to:
a. Assess enterprise, business process, and information system level risk.
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
c. Conduct an organization-wide security and privacy risk assessment.
d. Conduct a supply chain risk assessment.
Using the results of recommendations one (1) and two (2):
a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components. The Cybersecurity Team exports metrics and vulnerability reports and sends them to the CISO and the CIO's Office monthly for review. Develop a centralized dashboard that the Cybersecurity Team and the CISO can populate for real-time assessments of compliance with security policies.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.
Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.
Management should reinforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.