Inspector General Open Recommendations
10/29/2021 - Consumer Product Safety Commission Evaluation of the CPSC's FISMA Implementation for FY 2021 Inspection / Evaluation - Open Recommendations
Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).
Develop, implement, and disseminate a set of Configuration Management procedures in accordance with the inherited Configuration Management Policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations (Configuration Management iv/v).
Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).