Objective: To determine whether the Social Security Administration was managing its Security Assessment and Authorization process in accordance with Federal and Agency requirements.
Open Recommendations
Recommendation Number | Recommendation | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---|---
1 | Complete the implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5. | No | $0 | $0 | Agree
2 | Update policies and procedures to require that system owners define the privacy requirements for the system and the environment of operation, including where those requirements should be documented. | No | $0 | $0 | Agree
3 | Remind Agency personnel of National Archives and Records Administration regulations. | No | $0 | $0 | Agree
4 | Identify and assign the senior accountable official for risk management. | No | $0 | $0 | Agree
5 | Include the organizational risk tolerance and make explicit the threats, assumptions, constraints, and trade-offs used for making investment and operational decisions in the Risk Management Strategy. | No | $0 | $0 | Agree
6 | Document and implement procedures for conducting and updating an organization- and system-level risk assessment. | No | $0 | $0 | Agree
7 | Update the information security continuous monitoring strategy to include the monitoring requirements at the mission/business process and information system levels; the minimum monitoring frequency for implemented controls across the organization; and how ongoing assessments are to be conducted. | No | $0 | $0 | Agree
8 | Update policies and procedures to require that the senior accountable official for risk management, or other designated official, review and approve the continuous monitoring strategy and retain evidence of the review and approval. | No | $0 | $0 | Agree
9 | Remind Agency personnel of policies and procedures, including compliance with roles and responsibilities noted in policy, and updating the security plan to document appropriate security control allocations and control tailoring. | No | $0 | $0 | Agree
10 | Centralize policies and procedures related to the Security Assessment and Authorization (SA&A) process. | No | $0 | $0 | Agree
11 | Update Agency policy to comply with Federal regulations for SA&A. Specifically, complete a system-level continuous monitoring strategy. | No | $0 | $0 | Agree
12 | Update Agency policy to comply with Federal regulations for SA&A. Specifically, require that system owners review and update Security Assessment Reports, System Security Plans, and Plans of Action and Milestones based on the results of the continuous monitoring process. | No | $0 | $0 | Agree
13 | Update Agency policy to comply with Federal regulations for SA&A. Specifically, require that system owners report the security and privacy posture of the system to the authorizing and other organizational officials and define how often these updates should happen. | No | $0 | $0 | Agree
14 | Update Agency process documentation, as applicable, to establish a process to document the review and approval of the system security and privacy plan by the authorizing official or designated representative. | No | $0 | $0 | Agree
15 | Update Agency process documentation, as applicable, to designate that the signed Authorization to Operate is the risk determination completed by the authorizing official or a designated representative. | No | $0 | $0 | Agree
16 | Update Agency process documentation, as applicable, to require that the authorizing official review systems' security and privacy posture on an ongoing basis. | No | $0 | $0 | Agree
17 | Update Agency process documentation, as applicable, to require that system owners identify, define, and document requirements from the Prepare phase. | No | $0 | $0 | Agree
18 | Update Agency process documentation, as applicable, to establish a process to document the review and approval of the Security Categorization and Security Assessment Plan by the authorizing official or designated representative. | No | $0 | $0 | Agree
19 | Update Agency process documentation, as applicable, to establish a process to include recommendations in all future Security Assessment Reports. | No | $0 | $0 | Agree