Evaluation of the FLRA's Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 | Perform a risk-based allocation of resources based on system categorization.
2 | No | $0 | $0 | Incorporate the system-level risk assessment results into the organization-wide cybersecurity and privacy risk assessment.
3 | No | $0 | $0 | Integrate the information security architecture with the development lifecycle.
4 | No | $0 | $0 | Implement qualitative or quantitative measures to measure, report on, and monitor the information security and SCRM performance of organizationally defined products, systems, and services provided by external providers.
5 | No | $0 | $0 | Implement qualitative or quantitative measures to gauge the effectiveness of its component authenticity policies and procedures, and ensure that the data supporting the metrics are obtained accurately, consistently, and in a reproducible format.
6 | No | $0 | $0 | Allocate resources in a risk-based manner.
7 | No | $0 | $0 | Implement qualitative or quantitative measures of the effectiveness of the configuration management plan.
8 | No | $0 | $0 | Ensure flaw remediation is centrally managed.
9 | No | $0 | $0 | Implement qualitative or quantitative measures of the effectiveness of change control activities.
10 | No | $0 | $0 | Deploy automation to centrally document, track, and share risk designations and screening information with necessary parties.
11 | No | $0 | $0 | Deploy automation to support the management of privileged accounts, including the automatic removal or disabling of temporary, emergency, and inactive accounts, as appropriate.
12 | No | $0 | $0 | Ensure that the security controls for protecting PII and other agency sensitive data, as appropriate, throughout the data lifecycle are subject to the monitoring processes defined in the organization's ISCM strategy.
13 | No | $0 | $0 | Implement qualitative or quantitative measures of the performance of its data exfiltration defenses and enhanced network defenses.
14 | No | $0 | $0 | Implement qualitative or quantitative measures of the effectiveness of the Data Breach Response Plan.
15 | No | $0 | $0 | Obtain feedback from privacy training.
16 | No | $0 | $0 | Assess the training and talent of the workforce.
17 | No | $0 | $0 | Obtain feedback regarding the training needs of the workforce.
18 | No | $0 | $0 | Implement qualitative or quantitative measures of the effectiveness of the ISCM policies and strategy.
19 | No | $0 | $0 | Implement the qualitative or quantitative measures defined in the Incident Response Plan to monitor and maintain the effectiveness of the overall incident response capability.
20 | No | $0 | $0 | Perform risk-based allocation of resources so that stakeholders can effectively implement incident response activities.
21 | No | $0 | $0 | Implement qualitative or quantitative measures to ensure the effectiveness of incident detection and analysis policies and procedures.
22 | No | $0 | $0 | Monitor and analyze qualitative and quantitative performance measures of the effectiveness of incident handling policies and procedures.
23 | No | $0 | $0 | Use incident response metrics to measure and manage the timely reporting of incident information to organizational officials and external stakeholders.
24 | No | $0 | $0 | Employ automated mechanisms to test system contingency plans more thoroughly and effectively.
25 | No | $0 | $0 | Assess backups.
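Recommendation 11 asks for automation that disables temporary, emergency, and inactive privileged accounts. The following is an added illustration of what such a sweep looks like in practice; it is not FLRA code and is not part of the evaluation report. The account records, the 30-day inactivity threshold, and the reference time are all constructed for the example, and the `acct.enabled = False` line stands in for whatever directory or identity-provider call an agency would actually make.

```python
"""Policy-driven sweep that disables privileged accounts that fail account-management rules.

Added illustration for Recommendation 11; not FLRA code. All accounts, dates and
thresholds below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                           # "standard", "temporary" or "emergency"
    privileged: bool
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]      # None means the account has never logged on
    expires: Optional[datetime] = None  # set when the account was provisioned with a lifetime


# Assumed policy parameter; a real deployment takes this from the agency's AC-2 procedures.
PRIVILEGED_INACTIVITY_LIMIT = timedelta(days=30)


def disable_reason(acct: Account, now: datetime) -> Optional[str]:
    """Return why an enabled account must be disabled now, or None if it may stay enabled."""
    if not acct.enabled:
        return None  # already disabled; skipping it keeps the sweep idempotent
    # Temporary and emergency accounts carry a hard expiry and are cut off regardless of use.
    if acct.kind in ("temporary", "emergency") and acct.expires is not None and now >= acct.expires:
        return f"{acct.kind} account past expiry {acct.expires.isoformat()}"
    # Privileged accounts are disabled once idle too long; a never-used account is idle since creation.
    if acct.privileged:
        last_activity = acct.last_logon or acct.created
        idle = now - last_activity
        if idle > PRIVILEGED_INACTIVITY_LIMIT:
            return f"privileged account idle for {idle.days} days"
    return None


def sweep(accounts, now: datetime):
    """Disable every account that fails policy and return one audit record per action taken."""
    records = []
    for acct in accounts:
        reason = disable_reason(acct, now)
        if reason is None:
            continue
        acct.enabled = False  # placeholder for the directory / IdP disable call
        records.append({"account": acct.name, "action": "disable",
                        "reason": reason, "at": now.isoformat()})
    return records


def constructed_accounts(now: datetime):
    """Constructed sample directory: a mix of compliant, idle, expired and already-disabled accounts."""
    ago = lambda **kw: now - timedelta(**kw)
    return [
        Account("jdoe-adm", "standard", True, True, ago(days=400), ago(days=3)),
        Account("svc-backup-admin", "standard", True, True, ago(days=400), ago(days=45)),
        Account("new-dba", "standard", True, True, ago(days=40), None),
        Account("breakglass-01", "emergency", True, True, ago(hours=25), ago(hours=2), expires=ago(hours=1)),
        Account("tmp-contractor7", "temporary", False, True, ago(days=30), ago(days=2), expires=ago(days=1)),
        Account("helpdesk-op", "standard", False, True, ago(days=400), ago(days=200)),
        Account("old-admin", "standard", True, False, ago(days=400), ago(days=300)),
    ]


def run_demo():
    """Run the sweep twice against the constructed directory; the second pass should do nothing."""
    now = datetime(2024, 9, 30, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    accounts = constructed_accounts(now)
    first = sweep(accounts, now)
    second = sweep(accounts, now)
    return first, second


if __name__ == "__main__":
    for record in run_demo()[0]:
        print(record)
```

The audit records returned by `sweep` are the evidence an evaluator would ask for: who was disabled, why, and when. Running the sweep a second time returns nothing, which is the property that makes it safe to schedule unattended.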