Date Issued
Submitting OIG
Consumer Product Safety Commission OIG
Other Participating OIGs
Consumer Product Safety Commission OIG
Agencies Reviewed/Investigated
Consumer Product Safety Commission
Report Number
24-A-04
Report Description

The U.S. Consumer Product Safety Commission (CPSC) OIG retained Williams, Adley, & Co.-DC LLP (Williams Adley, we), an independent public accounting firm, to perform the independent evaluation of the CPSC’s implementation of FISMA for FY 2024 and to determine the effectiveness of its information security program. This report documents the results of the OIG’s FISMA evaluation. Specifically, we assessed the CPSC’s compliance with the annual Inspector General (IG) FISMA reporting metrics set forth by DHS and OMB. Agency efforts are scored against a five-level maturity model ranging from level one, “ad hoc,” to level five, “optimized,” with level four, “managed and measurable,” generally considered effective.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
35
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 35 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
Recommendation 1 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: information technology system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media).

Recommendation 3 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the NIST guidance.

Recommendation 4 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.

Recommendation 5 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and implement an Enterprise Risk Management program based on NIST, Chief Financial Officers Council and Performance Improvement Council Enterprise Risk Management Playbook, and OMB Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC.

Recommendation 6 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop, document, and implement a process for determining and defining system boundaries in accordance with NIST guidance.

Recommendation 7 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and implement an information security architecture that supports the enterprise architecture.

Recommendation 8 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop an enterprise architecture to be integrated into the risk management process.

Recommendation 9 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Implement solutions to perform scenario analysis and model potential responses, including modeling the potential impact of a threat exploiting a vulnerability and the resulting impact to organizational systems and data.

Recommendation 10 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Implement registration and inventorying procedures for the CPSC’s information systems.

Recommendation 11 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop Supply Chain Risk Management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and Supply Chain Risk Management requirements.

Recommendation 12 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.

Recommendation 13 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations.

Recommendation 14 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Integrate the management of secure configurations into the organizational configuration management process.

Recommendation 15 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and implement an enterprise Configuration Management plan to ensure it includes all requisite information.

Recommendation 16 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.

Recommendation 17 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop qualitative and quantitative performance measures to evaluate the effectiveness of the following: Configuration Management plan and change control activities.

Recommendation 18 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations, at least annually.
• Explicit position screening criteria for information security role appointments.
• Description of how cybersecurity is integrated into human resources practices.

Recommendation 19 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Implement the CPSC’s policies and procedures for provisioning, managing, and reviewing privileged accounts.

Recommendation 20 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training.

Recommendation 21 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Fully implement a data loss prevention solution.

Recommendation 22 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities.

Recommendation 23 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and tailor security training content for all CPSC personnel with significant security responsibilities and provide this training to the appropriate individuals.

Recommendation 24 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Document and implement a process for ensuring that all personnel with significant security roles and responsibilities are provided specialized security training to perform assigned duties.

Recommendation 25 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Fully implement the Awareness and Training Policy.

Recommendation 26 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop a security awareness and training strategy/plan in accordance with the Chief Human Capital Officers Council Federal Cybersecurity Workforce Strategy.

Recommendation 27 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Establish and implement a strategy for identifying and integrating organizational risk tolerance and mission risk tolerances into the Information Security Continuous Monitoring program, and ensure the Information Security Continuous Monitoring supporting plan, policy, and procedures are updated to consider each program tier.

Recommendation 28 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Implement Information Security Continuous Monitoring procedures, including those related to the monitoring of performance measures and metrics, that support the Information Security Continuous Monitoring program.

Recommendation 29 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Update the System Security Plans to include the most up-to-date information and assess the relevant minor applications.

Recommendation 30 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Define and implement Event Logging requirements in accordance with OMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.

Recommendation 31 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Update the Continuity of Operations Plan, or other documentation supporting CPSC contingency planning efforts, to provide traceability from the statutory requirements to the mission essential functions and to include all necessary information, for example: (1) a list of systems that support the Mission Essential Functions, (2) a list of systems necessary for essential supporting activities, and (3) a list of records essential for the CPSC’s continuity of operations.

Recommendation 32 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Integrate documented contingency plans with the newly developed Continuity of Operations Plan and organizational Business Impact Analyses.

Recommendation 33 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Develop and implement policies and procedures for maintaining a Continuity of Operations Plan and conducting organizational and system level Business Impact Analyses in accordance with current federal guidance (e.g., NIST SP 800-34/53, DHS Federal Continuity Directive 1, NIST Cybersecurity Framework, and National Archives and Records Administration guidance).

Recommendation 34 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Perform a cost-benefit analysis of introducing automation to support the testing of system contingency plans, and apply the appropriate risk mitigation strategy.

Recommendation 35 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0

Fully implement its processes for information system backup for the General Support System Cloud.
