Date Issued
Submitting OIG
Department of Education OIG
Agencies Reviewed/Investigated
Department of Education
Components
Federal Student Aid
Report Number
A24FS0167
Report Description

The Chief Financial Officers Act of 1990 requires the Inspector General to audit the agency’s financial statements each year, which is intended to help improve an agency’s financial management and controls over financial reporting. The auditors issued a disclaimer of opinion, as they were not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion because of errors identified in the underlying data used to calculate the subsidy re-estimates for the direct loan and loan guaranty programs. In the Report on Internal Control over Financial Reporting, the auditors identified one material weakness and two significant deficiencies in internal control over financial reporting. In the Report on Compliance and Other Matters, the auditors’ testing did not identify instances of noncompliance or other matters to be reported. Seventeen recommendations were made to FSA to address the internal control findings. (See page 184 for the audit.)

Report Type
Audit
Location

United States

Number of Recommendations
17
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 17 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
1.1 Yes $0 $0

We recommend that management design and implement additional controls that respond to the risks associated with the relevance and reliability of underlying data used in developing the assumptions related to the subsidy re-estimates. Such review should be documented and maintained.

2.1 Yes $0 $0

We recommend that FSA work with the Department to evaluate, design, and implement controls to track and report all new and separated contractors to allow for timely onboarding or off-boarding, respectively.

2.2 Yes $0 $0

We recommend that FSA work with the Department to provide training and oversight to the Department's personnel with access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system and network service directory access.

2.3 Yes $0 $0

We recommend that FSA work with the Department to update access review procedures to require the reviewers to verify that the access lists received to be used in the performance and operation of the access reviews are complete and accurate and not modified prior to commencing the access reviews.

2.4 Yes $0 $0

We recommend that FSA work with the Department to ensure the database, server layer, and network service directory controls comply and operate with the disabling of inactive accounts, PIV authentication, account lockout duration password setting requirements, as required by Department policy.

2.5 Yes $0 $0

We recommend that FSA work with the Department to follow established user access provisioning procedures detailed in the Federal and Department guidance to authorize access and assign roles that are commensurate with job functions and do not violate the least privilege principle.

2.6 Yes $0 $0

We recommend that FSA work with the Department to oversee the Department's systems change management process to enforce adherence to the change management plan to ensure relevant documentation and approvals are properly completed prior to closing the change ticket.

2.7 Yes $0 $0

We recommend that FSA work with the Department to update the Department's systems' change management plan to require program change supporting documentation, such as approvals, be retained.

2.8 Yes $0 $0

We recommend that FSA work with the Department to develop and implement formal procedures addressing controls over the Department's systems': (a) changes to production jobs and schedules; and (b) monitoring of actions taken by the generic job processing account in the job scheduling tool, including management of the password for the generic account.

2.9 Yes $0 $0

We recommend that FSA design and implement controls to evaluate the magnitude of impact, likelihood of occurrence, and nature of the deficiency in order to tailor the corrective actions to remediate the risk and address the root cause. Further, update guidance to ensure that quality reviews over the POA&M closure documentation are conducted to confirm the noted deficiencies are fully addressed to help prevent future reoccurrences.

2.10 Yes $0 $0

We recommend that FSA formally develop and implement a quality control review process to ensure that logical access control processes are followed completely and accurately to validate logical access requests, reviews, and recertifications.

2.11 Yes $0 $0

We recommend that FSA enforce established access authorization and provisioning controls and ensure all requirements are met and documented prior to granting system access. Follow established user access provisioning procedures detailed in the Federal, Department, and FSA guidance to authorize system access and assign roles that are commensurate with job functions and do not violate the least privilege principle.

2.12 Yes $0 $0

We recommend that FSA update access review procedures to require the reviewers to verify that the access lists received to be used in the performance and operation of the access reviews are complete and accurate and not modified prior to commencing the access reviews.

2.13 Yes $0 $0

We recommend that FSA perform and formally document the periodic reviews of all application user accounts in accordance with Department policy to confirm access is current, authorized, commensurate with job responsibilities, and follows the concept of least privilege.

2.14 Yes $0 $0

We recommend that FSA ensure the application access controls comply and operate with the PIV authentication requirements, as required by Department policy.

3.1 Yes $0 $0

We recommend that management improve the risk assessment process at the financial statement assertion level and at the process level to ensure FSA is appropriately defining objectives to enable the identification of risks and define risk tolerances.

3.2 Yes $0 $0

We recommend that management implement key monitoring controls to ensure that corrective action plans are implemented to timely remediate control deficiencies identified. In addition, increase oversight, review, and accountability over the process among various offices and directorates within FSA.
