Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | Recommendation
---|---|---|---|---|---
4 | Yes | $0 | $0 | March 31, 2025: OIG Analysis: The DNFSB did not provide an updated response for this recommendation. On September 20, 2023, the agency provided the following response: Supply Chain Risk will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023. The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit. Status: Open: Resolved. Supply Chain Risk will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023. | Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for: a. how supply chain risks are to be managed across the agency; b. how external providers' compliance with defined cybersecurity and supply chain requirements is to be monitored; c. how counterfeit components are prevented from entering the DNFSB supply chain.
9 | Yes | $0 | $0 | Agency Response Dated February 27, 2025: DNFSB published its Enterprise Architecture that includes the agency's "to-be" ICAM architecture in December 2024 and published OP 411.1-7, Identification and Authentication Operating Procedures, in September 2024. OIG Analysis: The OIG reviewed the evidence and concluded that it is not sufficient to show corrective actions have been taken to address this recommendation. The OIG will close this recommendation when the DNFSB provides evidence demonstrating clear milestones for implementing strong authentication, Federal ICAM, OMB M-19-17, and CDM Phase 2, and actions taken by the agency to support the achievement of these requirements and CDM Phase 2. Status: Open: Resolved. DNFSB has defined clear milestones for implementing strong authentication in "Pillar I – Identity" of its Zero Trust Architecture Implementation Plan. DNFSB currently participates in DHS/CISA's CDM Shared Service offering (DEFEND F) and has already implemented all of the available capabilities (hardware asset management, software asset management, configuration settings management, vulnerability management, enterprise mobility management, and endpoint detection & response) and is participating with CDM IDAM capabilities as they are being developed and plans to implement them when they become available. DNFSB requests clarification from the OIG regarding what additional actions need to be taken to close this recommendation. | Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal ICAM architecture and OMB M-19-17, and Phase 2 of DHS's Continuous Diagnostics and Mitigation (CDM) program.
11 | Yes | $0 | $0 | March 31, 2025: Agency Status: In a February 26, 2025, meeting between the DNFSB and OIG, the DNFSB noted that, "the DNFSB is currently in the process of developing role-based privacy training," based on their testing. OIG Analysis: The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. The OIG notified the DNFSB that, ultimately, the agency should define this themselves (i.e., who/what roles require additional privacy role-based training). Therefore, to close this recommendation, the DNFSB would need to demonstrate identification of the roles that are required to take additional privacy role-based training, show evidence of the development and/or acquisition/rollout of privacy role-based training program materials, and show the implementation of the privacy role-based training (i.e., that the required personnel have taken the training). The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit. Status: Open: Resolved. DNFSB provides role-based privacy training within its required annual Cyber Awareness training. Topics such as Social Networking, handling of Controlled Unclassified Information (CUI) and Classified data, website use, and Social Engineering are all covered by this training. Each user is required to complete this training prior to accessing DNFSB systems. DNFSB further requires all users to take annual Controlled Unclassified Information (CUI) training, and all Federal employees with DOE clearances must take an annual clearance holder training, both of which address requirements for accessing, storing, and transmitting sensitive information. DNFSB has developed updated privacy training and will deliver it to agency users by the end of Q1 FY 2024. DNFSB needs the OIG to define which roles it feels require additional role-based privacy training in order to resolve this recommendation. | Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.
23 | Yes | $0 | $0 | Agency Status: In a February 26, 2025, meeting between the DNFSB and OIG, the DNFSB noted that, "corrective action is ongoing," and "the DNFSB is currently establishing an enterprise risk management program. Once established, this program will conduct a BIA." OIG Analysis: The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. To close this recommendation, the DNFSB will need to demonstrate they have conducted a DHS Federal Emergency Management Agency (FEMA) Federal Continuity Directive (FCD) 2 process-based BIA in 2025 and show that they have incorporated the results into their contingency planning strategy and mitigation planning activities. Preferably, updates to a system-based BIA supporting the DNFSB General Support Systems (GSS) Information System Contingency Program (ISCP) would be completed in parallel to ensure the most current information is reflected in the DNFSB's contingency planning at the Mission Essential Functions (MEF), Primary Mission Essential Functions (PMEF), and system levels. It would also be preferable if regular process- and system-level BIA updates were incorporated as part of the ISCP program / National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Monitor step, in accordance with DHS FEMA FCD 2 Annex D and NIST Special Publication (SP) 800-34, Section 3.6, requirements. The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit. Status: Open: Resolved. This recommendation will be resolved when an agency-wide BIA is performed. DNFSB will complete a BIA in Q3 FY 2024. | Conduct a business impact assessment at least every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.