
Independent Evaluation of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued:
Report Number: DNFSB-22-A-04
Report Type: Inspection / Evaluation
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Integrate the Configuration management plan with risk management and continuous monitoring programs and utilize lessons learned to make improvements to this plan.

Implement automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Status: Open: Resolved. This recommendation is a duplicate of 2020-9. DNFSB has determined that automated management of privileged accounts presents a higher risk than the current manual process of account review. DNFSB has implemented a manual review of account activity based on automated reports sent from the Varonis tool weekly. Administrators review this data and act in accordance with DNFSB policies and procedures. DNFSB will request a risk acceptance for this recommendation by Q4 FY 2023.

Continue efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.

Status: Open: Resolved. DNFSB requests OIG to define the exact milestone required to meet closure of this recommendation. Otherwise, DNFSB will always be making efforts to improve data loss prevention functionality for the Microsoft 365 environment.

Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal ICAM architecture and OMB M-19-17, and phase 2 of DHS's Continuous Diagnostics and Mitigation (CDM) program.

Agency Response Dated June 2, 2025: The DNFSB has updated its Enterprise Architect and Identity and Authentication Operating procedure to reflect implementation requirements for the recommendation. DNFSB identified completion and approval of its Enterprise Architect and Identity and Authentication Operating Procedure, on December 17, 2024, and September 17, 2024, respectively. Key supporting documentation was provided to the Auditor. DNFSB requests closure of this recommendation, based on the status update and documentation provided.

OIG Analysis: During the fieldwork phase of the Audit of the DNFSB's Implementation of FISMA for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years' outstanding FISMA recommendations. The DNFSB has updated its Enterprise Architect and Identity and Authentication Operating procedure to reflect implementation requirements for the recommendation. The agency has tracked the implementation and completion of the requirement with the help of the Plan of Action and Milestones. The agency's corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.

Agency Response Dated February 27, 2025: DNFSB published its Enterprise Architecture that includes the agency's "to-be" ICAM architecture in December 2024 and published OP 411.1-7, Identification and Authentication Operating Procedures in September 2024.

OIG Analysis: The OIG reviewed the evidence and concluded that it is not sufficient to show corrective actions have been taken to address this recommendation. The OIG will close this recommendation when the DNFSB provides evidence demonstrating the clear milestones for implementing strong authentication, Federal ICAM, OMB M-19-17, and CDM Phase 2, and actions taken by the agency to support the achievement of these requirements and CDM Phase 2.

Status: Open: Resolved. DNFSB has defined clear milestones for implementing strong authentication in "Pillar I – Identity" of its Zero Trust Architecture Implementation Plan. DNFSB currently participates in DHS/CISA's CDM Shared Service offering (DEFEND F) and has already implemented all of the available capabilities (hardware asset management, software asset management, configuration settings management, vulnerability management, enterprise mobility management, and endpoint detection & response) and is participating with CDM IDAM capabilities as they are being developed and plans to implement them when they become available. DNFSB requests clarification from the OIG regarding what additional actions need to be taken to close this recommendation.

Conduct the agency’s annual breach response plan exercise for FY 2021.

Status: Open: Resolved. DNFSB conducted incident response/contingency plan exercises on September 26 & 27, 2022 and May 24, 2023, that included testing the agency's breach response plan. DNFSB requests confirmation from the OIG if the exercises performed above resolve this recommendation, and if so, then this recommendation needs to be closed. Based on actions already taken, DNFSB's position is that this recommendation needs to be closed.