Independent Evaluation of the DNFSB’S Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021
Report Information
Recommendations
Update the ISA and use the updated ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
Using the results of recommendations one above:
a. Utilizing guidance from the National Institute of Standards in Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security to establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization;
c. Implement formal procedures for prioritizing and tracking POA&Ms to remediate vulnerabilities.
Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:
a. Defining a frequency for conducting Risk Assessments to periodically assess agency risks to integrate results of the assessment to improve upon mission and business processes.
Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:
a. How supply chain risks are to be managed across the agency;
b. How monitoring of external providers compliance with defined cybersecurity and supply chain requirements;
c. How counterfeit components are prevented from entering the DNFSB supply chain.
Conduct remedial training to re-enforce requirements for documenting security impact assessments for changes to the DNFSB’s system in accordance with the agency’s Configuration Management Plan.