Evaluation of the CPSC's FISMA Implementation for FY 2023

View Report

Date Issued

Friday, July 28, 2023

Submitting OIG

Consumer Product Safety Commission OIG

Other Participating OIGs

Consumer Product Safety Commission OIG

Agencies Reviewed/Investigated

Consumer Product Safety Commission

Report Number

23-A-05

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 7 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
3	No	$0	$0
Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.
5	No	$0	$0
Develop, implement, and disseminate processes to implement Trusted Internet Connection 3.0, including updating its network and system boundary policies, in accordance with Office of Management and Budget Memorandum 19-26, Update to the Trusted Internet Connections (TIC) Initiative. This includes, as appropriate, the incorporation of Trusted Internet Connection security capabilities catalog, Trusted Internet Connection use cases, and Trusted Internet Connection overlays.
7	No	$0	$0
Develop, implement, and disseminate an Identity and Access Management policy and procedures which are in accordance with the most recent National Institute of Standards and Technology guidance.
9	No	$0	$0
Finalize and implement the Awareness and Training policy which is currently in draft.
11	No	$0	$0
Implement Information Security Continuous Monitoring roles and responsibilities.
12	No	$0	$0
Develop mechanisms to ensure Information Security Continuous Monitoring stakeholder accountability.
14	No	$0	$0
Develop and implement policies and procedures for maintaining a Continuity of Operations Plan and conducting organizational and system level Business Impact Analyses in accordance with current federal guidance. (e.g., National Institute of Standards and Technology Special Publication 800- 34/53, Federal Continuity Directive 1, National Institute of Standards and Technology Cybersecurity Framework, and National Archive and Records Administration guidance).