Audit of the CPSC’s FISMA Implementation for FY 2025

View Report

Date Issued

Thursday, August 7, 2025

Submitting OIG

Consumer Product Safety Commission OIG

Agencies Reviewed/Investigated

Consumer Product Safety Commission

Report Number

25-A-04

Report Description

The U.S. Consumer Product Safety Commission (CPSC) OIG retained Williams, Adley, & Co.-DC LLP (Williams Adley, we), an independent public accounting firm, to perform the independent assessment of the CPSC’s implementation of FISMA for FY 2025 and to determine the effectiveness of its information security program. This report documents the results of the OIG’s FISMA evaluation. Specifically, we assessed the CPSC’s compliance with the annual Inspector General (IG) FISMA reporting metrics set forth by the DHS and OMB.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
Finalize and implement policies and procedures for creating and maintaining current and target cybersecurity profiles in alignment with National Institute of Standards and Technology Cybersecurity Framework Guidance.
2	Yes	$0	$0
Finalize and implement a comprehensive Risk Management Strategy that defines roles and responsibilities, enterprise risk priorities, objectives, and communication protocols, including third-party risk considerations.
3	Yes	$0	$0
Continue to develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology and Enterprise Risk Management Playbook (Office of Management and Budget Circular A- 123, Section II requirement) guidance.
4	No	$0	$0
Develop and implement policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and corresponding metadata for the Consumer Product Safety Commission data types.
5	No	$0	$0
Fully implement, assess, and maintain secure configuration settings in accordance with defined configuration management policy and security configuration baseline procedures.
6	No	$0	$0
Update all relevant Information Security Continuous Monitoring policies, procedures, and supporting documentation based on latest National Institute of Standard and Technology guidance.