| 1 |
Yes |
$0 |
$0 |
|
|
Implement registration and inventorying procedures for the CPSC’s information systems. (2022 Recommendation).
|
| 2 |
No |
$0 |
$0 |
|
|
Develop, document, and implement a process for determining and defining system boundaries in accordance with National Institute of Standards and Technology guidance (2020 Recommendation).
|
| 5 |
No |
$0 |
$0 |
|
|
Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: information technology system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media) (2020 Recommendation)
|
| 7 |
Yes |
$0 |
$0 |
|
|
Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (2020 Recommendation).
|
| 8 |
Yes |
$0 |
$0 |
|
|
Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (2020 Recommendation).
|
| 9 |
Yes |
$0 |
$0 |
|
|
Develop and implement an Enterprise Risk Management (ERM) program based on National Institute of Standards and Technology and ERM Playbook (OMB Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) lead by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (2020 Recommendation).
|
| 10 |
No |
$0 |
$0 |
|
|
Implement solutions to perform scenario analysis and model potential responses, including modeling the potential impact of a threat exploiting a vulnerability and the resulting impact to organizational systems and data (2022 Recommendation).
|
| 11 |
Yes |
$0 |
$0 |
|
|
Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements (2021 Recommendation).
|
| 12 |
No |
$0 |
$0 |
|
|
Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations (2020 Recommendation).
|
| 13 |
Yes |
$0 |
$0 |
|
|
Integrate the management of secure configurations into the organizational configuration management process (2020 Recommendation).
|
| 14 |
No |
$0 |
$0 |
|
|
Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploitable Vulnerabilities (2020 Recommendation - Modified).
|
| 15 |
Yes |
$0 |
$0 |
|
|
Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (2020 Recommendation).
|
| 16 |
No |
$0 |
$0 |
|
|
Define and implement processes for provisioning, managing, and reviewing privileged accounts (2021 Recommendation).
|
| 17 |
Yes |
$0 |
$0 |
|
|
Implement data encryption and sanitization of digital media policies and procedures (2020 Recommendation - Modified).
|
| 18 |
No |
$0 |
$0 |
|
|
Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities (2020 Recommendation).
|
| 19 |
No |
$0 |
$0 |
|
|
Integrate the established strategy for identifying organizational risk tolerance into the Information System Configuration Management plan (2020 recommendation).
|
| 20 |
No |
$0 |
$0 |
|
|
Update the System Security Plans to include the most up-to-date information and assess the relevant minor applications (2022 recommendation).
|
| 22 |
No |
$0 |
$0 |
|
|
Develop, document, and distribute all required Contingency Planning documents (ex. organization-wide Continuity of Operation Plan and Business Impact Assessment, Disaster Recovery Plan, Business Continuity Plans, in accordance with appropriate federal and best practice guidance (Contingency Planning 2020 Recommendation).
|
| 23 |
No |
$0 |
$0 |
|
|
Integrate documented contingency plans with the other relevant agency planning areas (2020 Recommendation).
|
| 24 |
No |
$0 |
$0 |
|
|
Test the set of documented contingency plans (2020 Recommendation - Modified).
|
