Using the results of recommendations one (1) and two (2):
a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components. Cybersecurity Team exports metrics and vulnerability reports and sends them to the CISO and CIO's Office monthly for review. Develop a centralized dashboard that Cybersecurity Team and the CISO can populate for real-time assessments of compliance and security policies.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.

Questioned Costs
$0
Funds for Better Use
$0
Recommendation Status
Open
Source UUID
e45ebf14-a3e8-47a2-b18b-90c2d502d345-3
Recommendation Number
3
Additional Information
March 31, 2025: DNFSB did not provide an updated response pertaining to recommendation 3b and 3c. On September 20, 2023, the agency provided the following response:
b. DNFSB needs clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation.
c. DNFSB needs more clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation.
The OIG clarified on November 01, 2023, that subsection "b" of this recommendation will require the DNFSB to provide evidence of established performance metrics in service level agreements for the contractor systems and services monitored by Information Technology (IT) Operations. Subsection "c" of this recommendation will require the DNFSB to utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55, Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program. The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendation 3d. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.


Status: Open: Resolved. 3.a. DNFSB has implemented Qualys, Intune, and Defender as vulnerability and compliance management platforms. These systems have dashboards which provide an up-to-date, complete, accurate, and readily available Agency-wide view of security configurations. Vulnerability reports are provided to the CIO/CISO weekly and include the number of open vulnerabilities, the number of patches applied in the last 7 days, and detailed information on remediation efforts.
3.b. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.
3.c. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.
3.d. A centralized view of risk across the organization will be possible once the Agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant.
DNFSB anticipates completing these tasks by Quarter 4 FY 2023.
Significant Recommendation
Yes