Report File
Date Issued
Submitting OIG
National Archives and Records Administration OIG
Other Participating OIGs
National Archives and Records Administration OIG
Agencies Reviewed/Investigated
National Archives and Records Administration
Report Number
24-AUD-01
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
17
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 12 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
3 No $0 $0

Ensure the Information System Security Officers are reviewing system configuration compliance scans monthly as required within NARA’s Configuration Compliance Management Standard Operating Procedure. (New Recommendation)

5 No $0 $0

Implement improved processes to remediate security deficiencies on NARA’s network infrastructure, to include enhancing its patch and vulnerability management program to address security deficiencies identified during our assessments of NARA’s applications and network infrastructure. (Recommendation #13 from the FY 2022 FISMA audit, report #22-AUD-09)

7 No $0 $0

Document and implement a process to track and remediate persistent configuration vulnerabilities or document acceptance of the associated risks. (Recommendation #15 from the FY 2021 FISMA audit, report #22-AUD-04)

8 No $0 $0

Ensure all information systems are migrated away from unsupported operating systems to operating systems that are vendor-supported. (Recommendation #18 from the FY 2021 FISMA audit, report #22-AUD-04)

9 No $0 $0

Finalize and implement system configuration baseline management procedures, which encompass at a minimum, the request, documentation, and approval of deviations from baseline settings for all NARA systems. (Recommendation #22 from the FY 2021 FISMA audit, report #22-AUD-04)

11 No $0 $0

Enhance current procedures to ensure that new NARA users who do not complete their initial security awareness training, have their accounts automatically disabled in accordance with timeframes promulgated within the Privacy and Awareness Handbook. (New Recommendation)

12 No $0 $0

Continue and complete efforts to require PIV authentication for all privileged users, servers and applications, through NARA’s Privileged Access Management authentication project and other efforts. (Recommendation #26 from the FY 2021 FISMA audit, report #22-AUD-04)

13 No $0 $0

Enforce mandatory PIV card authentication for all NARANet users, in accordance with OMB requirements. (Recommendation #27 from the FY 2021 FISMA audit, report #22-AUD-04)

14 No $0 $0

Ensure NARANet user accounts are reviewed and disabled in accordance with NARA’s information technology policies and requirements. (Recommendation #29 from the FY 2021 FISMA audit, report #22-AUD-04)

15 No $0 $0

Ensure that the SAOP complete PIAs for all systems which contain PII. (New Recommendation)

16 No $0 $0

The SAOP review and update the NARA 1609 Initial Privacy Reviews and Privacy Impact Assessments privacy policies and procedures to reflect NARA’s current processes and controls. (Recommendation #33 from the FY 2021 FISMA audit, report #22-AUD-04)

17 No $0 $0

The CIO and SAOP implement a process to ensure role-based privacy training is completed by all personnel having responsibility for PII or for activities that involve PII, and content includes, as appropriate: responsibilities under the Privacy Act of 1974 and E-Government Act of 2002, consequences for failing to carry out responsibilities, identifying privacy risks, mitigating privacy risks, and reporting privacy incidents, data collections and use requirements. (Recommendation #34 from the FY 2021 FISMA audit, report #22-AUD-04)

National Archives and Records Administration OIG

United States