The U.S. Consumer Product Safety Commission (CPSC) OIG retained Williams, Adley, & Co.-DC LLP (Williams Adley, we), an independent public accounting firm, to perform the independent assessment of the CPSC’s implementation of FISMA for FY 2025 and to determine the effectiveness of its information security program. This report documents the results of the OIG’s FISMA evaluation. Specifically, we assessed the CPSC’s compliance with the annual Inspector General (IG) FISMA reporting metrics set forth by the DHS and OMB.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 | Finalize and implement policies and procedures for creating and maintaining current and target cybersecurity profiles in alignment with National Institute of Standards and Technology Cybersecurity Framework guidance.
2 | Yes | $0 | $0 | Finalize and implement a comprehensive Risk Management Strategy that defines roles and responsibilities, enterprise risk priorities, objectives, and communication protocols, including third-party risk considerations.
3 | Yes | $0 | $0 | Continue to develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology and Enterprise Risk Management Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance.
4 | No | $0 | $0 | Develop and implement policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and corresponding metadata for the Consumer Product Safety Commission data types.
5 | No | $0 | $0 | Fully implement, assess, and maintain secure configuration settings in accordance with defined configuration management policy and security configuration baseline procedures.
6 | No | $0 | $0 | Update all relevant Information Security Continuous Monitoring policies, procedures, and supporting documentation based on the latest National Institute of Standards and Technology guidance.