We recommend that the Deputy Secretary of Commerce ensure that the Chief Information Officer immediately develop detailed policies and procedures that will do the following: (a) ensure the authorization process for Departmental NSS is clearly defined and executed according to the risk management framework; (b) require that Department NSS receive regular, independent assessments according to the risk management framework. These policies and procedures must include consideration of security clearance adjudication timeframes for future assessments; and (c) address the creation and maintenance of an NSS inventory. This should include a requirement for all Department bureaus to provide an update when changes occur.