Management should re-enforce requirements for performing DNFSB’s change control procedures in accordance with the agency’s Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.
Questioned Costs
$0
Funds for Better Use
$0
Recommendation Status
Closed
Source UUID
e45ebf14-a3e8-47a2-b18b-90c2d502d345-5
Recommendation Number
5
Additional Information
Agency Response Dated June 2, 2025: The DNFSB has revised its CM Plan to include a requirement for remedial training and consequences for failure to follow the appropriate processes. This document is currently under review. Key supporting documentation was provided to the Auditor. DNFSB requests closure of this recommendation, based on the status update and documentation provided.
OIG Analysis: During the fieldwork phase of the Audit of the DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years’ outstanding FISMA recommendations. The OIG verified that the DNFSB has revised its CM Plan to include a requirement for remedial training and consequences for failure to follow the appropriate processes. The CM Operating Procedure and CM Plan identify that the DNFSB has incorporated requirements for remedial training. The agency’s corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.
March 31, 2025. OIG Analysis: The DNFSB met with OIG on February 26th, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.
Status: Open: Resolved. The DNFSB Configuration Management Plan details change control procedures. Consequences for noncompliance are detailed in the DNFSB Configuration Management Policy, section 6: Compliance (revised March 2023), and the DNFSB Information Systems User Agreement + IT Equipment Agreement Form, section: Policy, Standards, and Procedures Must Be Followed. DNFSB required all members of the IT Team that are authorized to submit change request tickets to take remedial “CCB and Change Request Training” in August 2022 and then take an updated remedial training in December 2022 that addressed changes to the CCB & SIA form process. Based on actions already taken, DNFSB’s position is that this recommendation needs to be closed.
Significant Recommendation
Yes