Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 22-A-18-053.14 | No | $0 | $0 | HHS OCIO work with all OpDivs to ensure that all systems on the network have a valid ATO. OpDivs should ensure that security authorization policies and procedures are fully developed and disseminated to the appropriate personnel so that all OpDiv personnel understand the requirements for completing the ATO process. |
| 22-A-18-053.15 | No | $0 | $0 | HHS OCIO work with all OpDivs to ensure that the ISCM strategy and procedures clearly define critical reporting metrics for reports utilized by internal and external stakeholders. Additionally, OpDivs should coordinate reporting efforts with the OCIO to ensure the definitions and reporting requirements are consistently implemented. |
| 22-A-18-053.01 | No | $0 | $0 | Continue implementation of an automated CDM solution that provides a centralized, enterprise-wide view of risks across all of HHS. |
| 22-A-18-053.02 | No | $0 | $0 | Update the ISCM strategy to include a more specific roadmap, including target dates, for ISCM deployment across the HHS enterprise. |
| 22-A-18-053.03 | No | $0 | $0 | HHS should perform an enterprise risk assessment over known control weaknesses (e.g., Authority to Operate, incomplete OpDiv-provided system inventories, lack of OpDiv adherence to HHS information security policies) arising from its federated environment and document an appropriate risk response (e.g., accept, avoid, mitigate, share, or transfer). |
| 22-A-18-053.05 | No | $0 | $0 | HHS OCIO work with all OpDivs to ensure that all operational systems have SSPs and FIPS 199 categorizations completed for information systems in accordance with HHS policy. |
| 22-A-18-053.06 | No | $0 | $0 | HHS OCIO work with all OpDivs to ensure that all OpDivs are completing security control system assessments and POA&Ms at least quarterly, or more frequently as defined by the OpDiv. |
| 22-A-18-053.09 | No | $0 | $0 | HHS OCIO work with all OpDivs to develop a management-approved Configuration Management policy that addresses purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities. This document should be tailored to the OpDivs' needs and be reviewed and updated according to HHS policy (at least every 3 years). |
| 22-A-18-053.10 | No | $0 | $0 | HHS OCIO work with the OpDivs to ensure that all OpDivs update and implement their personnel security policies to clearly articulate the personnel screening process along with the required access agreements that must be completed prior to being granted system access. In addition, OpDivs should update and implement their procedures for retrieving and archiving user access agreements for internal control purposes. |
| 22-A-18-053.11 | No | $0 | $0 | HHS OCIO work with the OpDivs to ensure that all OpDivs develop and implement an ICAM strategy and authenticator management policy so that all information systems undergo a digital identity risk assessment to determine which systems require strong authentication. Once a risk assessment is complete, OpDivs should ensure that authentication mechanisms are implemented for all information systems. |
| 22-A-18-053.12 | No | $0 | $0 | HHS OCIO work with the OpDivs to ensure that all OpDivs establish a process for the review of privileged users on an annual basis to ensure compliance with HHS policy. In addition, OpDivs should ensure that this process is designed to verify that user access is still needed, that user rights adhere to the principle of least privilege, and that user actions are captured and monitored appropriately as dictated by HHS policy. |