Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | Recommendation
---|---|---|---|---|---
1 | Yes | $0 | $0 | | Update AmeriCorps' Information System Inventory to include external vendor systems such as Administrative Resource Center Financial System. (New)
2 | Yes | $0 | $0 | | Establish policies and procedures to perform an annual review of the inventory to ensure AmeriCorps' Information System Inventory includes all information systems used or operated by an agency, an agency contractor, or another organization on behalf of an agency. (New)
3 | Yes | $0 | $0 | | Upgrade to a supported version of the application software and revise the references to the supported software in the Business Impact Analysis or accept the risk of not updating the software by documenting the exposure risk in a formal risk acceptance memo signed by the Authorizing Official. (New)
4 | Yes | $0 | $0 | | Develop and implement an effective monitoring mechanism to track the progress of Authorization to Operate letters within the three-year review window and ensure timely approval of the System Security Plans. (New)
5 | Yes | $0 | $0 | | Complete an authorization package that covers the Administrative Resource Center Financial System. (New)
6 | Yes | $0 | $0 | | Enhance and implement core and specialized training to develop competencies in authorization packages for external vendor systems such as Administrative Resource Center Financial System. (New)
7 | Yes | $0 | $0 | | Finalize and issue the Incident Response Plan for FY 2023. (New)
8 | Yes | $0 | $0 | | Establish and implement a process and an effective monitoring mechanism to track the progress of Incident Response Plan annual reviews ensuring timely completion and updates, adapting to the evolving cybersecurity threats, maintaining effective response capabilities, and reflecting the current agency operations and system environment. (New)
9 | Yes | $0 | $0 | | Develop a comprehensive project plan and roadmap to meet the logging requirements in accordance with OMB M-21-31. (New)
10 | Yes | $0 | $0 | | Upgrade and configure its Security Information and Event Management tool to capture all log requirements in accordance with OMB M-21-31. (New)
11 | Yes | $0 | $0 | | Implement a tool to closely track the timely completion and review of an annual Disaster Recovery Exercise/Contingency Plan Test conducted to account for all information systems. (New)
12 | Yes | $0 | $0 | | Develop and implement standard operating procedures for Disaster Recovery Exercise/Contingency Plan Test coverage of external vendor systems including Administrative Resource Center Financial System. (New)
13 | Yes | $0 | $0 | | Enhance and implement core and specialized training programs targeted at the Authorizing Official, System Owner, and Information System Security Officer to develop competencies in contingency planning for external vendor systems. (New)
14 | Yes | $0 | $0 | | Complete the three steps in accomplishing Business Impact Analysis in accordance with NIST SP 800-34, Revision 1 and ensure the application adheres to the minimum requirements. (New)
15 | Yes | $0 | $0 | | Develop a contingency plan and perform Business Impact Analysis for Administrative Resource Center Financial System. (New)