Skip to main content

Using the results of recommendations one (1) and two (2)above:a. Collaborate with the DNFSB’s Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;b. Utilize guidance from the National Institute of Standards in Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;c. Implement a centralized view of risk across the organization; and,d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.

Questioned Costs
$0
Funds for Better Use
$0
Recommendation Status
Open
Source UUID
257decb8-faef-4076-ac5d-cb024498df13-3
Report
Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020
Recommendation Number
3
Additional Information
OIG Analysis: The agency did not provide an updated response pertaining to Recommendation 3b and 3d. On September 20, 2023, the agency provided the following response:
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and a process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.
b. DNFSB will review existing policies & procedures against the recommendation in NIST SP-800 55 Rev.2 and make any updates by Q2 FY 2024.
d. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies &
Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024. The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for Recommendation 3a and 3c. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address Recommendation 3a through 3d during its FY25 FISMA audit.

Status: Open: Resolved. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.
3.a. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.
3.b. DNFSB will review existing policies & procedures against the recommendations in NIST SP-800 55 Rev.2 and make any updates by Q2 FY2024.
3.c. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
3.d. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies & Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY2024.
Significant Recommendation
Yes
Migration Source
http://oversight-d7.lndo.site/node/212628
http://oversight-d7.lndo.site/node/212628/edit
https://www.oversight.gov/node/212628
https://www.oversight.gov/node/212628/edit