Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | Recommendation
---|---|---|---|---|---
3 | Yes | $0 | $0 | March 31, 2025: DNFSB did not provide an updated response pertaining to recommendations 3b and 3c. On September 20, 2023, the agency provided the following response: b. DNFSB needs clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation. c. DNFSB needs more clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation. The OIG clarified on November 1, 2023, that subsection “b” of this recommendation will require the DNFSB to provide evidence of established performance metrics in service level agreements for the contractor systems and services monitored by Information Technology (IT) Operations. Subsection “c” of this recommendation will require the DNFSB to use guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55, Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program. The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendation 3d. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit. Status: Open: Resolved. 3.a. DNFSB has implemented Qualys, Intune, and Defender as vulnerability and compliance management platforms. These systems have dashboards that provide an up-to-date, complete, accurate, and readily available Agency-wide view of security configurations. Vulnerability reports are provided to the CIO/CISO weekly and include the number of open vulnerabilities, the number of patches applied in the last 7 days, and detailed information on remediation efforts. 3.b. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation. 3.c. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation. 3.d. A centralized view of risk across the organization will be possible once the Agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant. DNFSB anticipates completing these tasks by Quarter 4 FY 2023. | Using the results of recommendations one (1) and two (2): a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components; the Cybersecurity Team exports metrics and vulnerability reports and sends them to the CISO and CIO’s Office monthly for review. Develop a centralized dashboard that the Cybersecurity Team and the CISO can populate for real-time assessments of compliance and security policies. b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by the Cybersecurity Team. c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program. d. Implement a centralized view of risk across the organization.
5 | Yes | $0 | $0 | March 31, 2025. OIG Analysis: The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit. Status: Open: Resolved. The DNFSB Configuration Management Plan details change control procedures. Consequences for noncompliance are detailed in the DNFSB Configuration Management Policy, section 6: Compliance (revised March 2023), and the DNFSB Information Systems User Agreement + IT Equipment Agreement Form, section: Policy, Standards, and Procedures Must Be Followed. DNFSB required all members of the IT Team who are authorized to submit change request tickets to take remedial “CCB and Change Request Training” in August 2022 and then to take an updated remedial training in December 2022 that addressed changes to the CCB & SIA form process. Based on actions already taken, DNFSB’s position is that this recommendation needs to be closed. | Management should reinforce requirements for performing DNFSB’s change control procedures in accordance with the agency’s Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.
11 | Yes | $0 | $0 | OIG Analysis: The DNFSB did not provide an updated response. On September 20, 2023, the agency provided the following response: Supply Chain Risk, including ICT, will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023. The OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit. Status: Open: Resolved. Supply Chain Risk, including ICT, will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023. | Based on the results of DNFSB’s supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB’s contingency planning policies and procedures to address ICT supply chain risk.