Date Issued:
Submitting OIG: Consumer Product Safety Commission OIG
Other Participating OIGs: Consumer Product Safety Commission OIG
Agencies Reviewed/Investigated: Consumer Product Safety Commission
Report Number: 22-A-01
Report Type: Inspection / Evaluation
Agency Wide: Yes
Number of Recommendations: 47
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 13 open recommendations.
Each entry below gives the recommendation number, whether the OIG marked it as significant, the recommended questioned costs, and the recommended funds for better use, followed by the recommendation text (the "Additional Details" column of the original table).

Recommendation 8 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (Risk Management iv/v/vi).

Recommendation 7 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (Risk Management iv/v/vi).

Recommendation 11 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop and implement an information security architecture that supports the Enterprise Architecture (Risk Management vii).

Recommendation 12 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop an Enterprise Architecture to be integrated into the risk management process (Risk Management vii).

Recommendation 13 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization's cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).

Recommendation 15 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop and implement a Configuration Management plan to ensure it includes all requisite information (Configuration Management ii/iii).

Recommendation 17 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Integrate the management of secure configurations into the organizational Configuration Management process (Configuration Management v).

Recommendation 20 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).

Recommendation 22 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).

Recommendation 23 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop, formalize (through the CPSC's D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).

Recommendation 39 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Integrate the established strategy for identifying organizational risk tolerance into the Information Security Continuous Monitoring plan (Information Security Continuous Monitoring i).

Recommendation 45 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Develop, document, and distribute all required Contingency Planning documents (e.g., organization-wide Continuity of Operations Plan and Business Impact Assessment, Disaster Recovery Plan, Business Continuity Plans, and Information System Contingency Plans) in accordance with appropriate federal and best practice guidance (Contingency Planning ii/iv).

Recommendation 46 (Significant: No; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Integrate documented contingency plans with the other relevant agency planning areas (Contingency Planning iii).