Fiscal Year 2023 Independent Evaluation of SEC’s Implementation of the Federal Information Security Modernization Act of 2014 Evaluation Report

Date Issued

Wednesday, December 20, 2023

Submitting OIG

Securities and Exchange Commission OIG

Agencies Reviewed/Investigated

Securities and Exchange Commission

Report Number

580

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

External Link

Hide this report from display

Yes

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2	Yes	$0	$0
Update the Vulnerability Disclosure Policy (VDP) to include all internet-accessible systems. Once OIT has updated the VDP, the SEC should immediately report to the Cybersecurity and Infrastructure Security Agency (CISA) regarding:a. Any valid or credible reports of newly discovered or not publicly known vulnerabilities (including misconfigurations) on SEC systems that use commercial software or services that affect or are likely to affect other parties in government or industry.b. Vulnerability disclosure, coordination, or remediation activities that the SEC believes CISA can assist with or should be aware of, particularly as they relate to outside organizations.c. Any other situation in which the SEC deems it helpful or necessary
3	Yes	$0	$0
Develop and implement vulnerability disclosure-handling procedures that describe the SEC’s process for implementing its VDP, in accordance with Department of Homeland Security Binding Operational Directive 20-01.
4	Yes	$0	$0
[REDACTED]
5	Yes	$0	$0
Update the SEC’s system security plans with the latest baseline controls for all FISMA-reportable systems to ensure the SEC is assessing and monitoring the controls in accordance with the level of risk associated with each information security system.
6	Yes	$0	$0
[REDACTED]