
Open Recommendations
Age of Recommendations

Rec. 2.a.1: The DoD OIG recommended that the Deputy Assistant Secretary of the Army (Procurement); Deputy Assistant Secretary of the Navy (Procurement); Deputy Assistant Secretary of the Air Force (Acquisition, Technology and Logistics); and Defense Logistics Agency Acquisition Director update and implement their Component policies to describe the types and extent of financial information required to document contracting officer financial responsibility determinations and to maintain the documentation in the contract file in accordance with the Defense Federal Acquisition Regulation Supplement 232.072-2.
Rec. 2.a.2: The DoD OIG recommended that the Deputy Assistant Secretary of the Army (Procurement); Deputy Assistant Secretary of the Navy (Procurement); Deputy Assistant Secretary of the Air Force (Acquisition, Technology and Logistics); and Defense Logistics Agency Acquisition Director update and implement their Component policies to indicate that the Defense Contract Management Agency's Financial Capability Team is available to assist them in determining financial responsibility of prospective contractors.
Rec. 2.b: The DoD OIG recommended that the Deputy Assistant Secretary of the Army (Procurement); Deputy Assistant Secretary of the Navy (Procurement); Deputy Assistant Secretary of the Air Force (Acquisition, Technology and Logistics); and Defense Logistics Agency Acquisition Director issue a memorandum to the DoD contracting officers to advise them of the policy updates made in response to Recommendation 2.a.

Define actions not permitted by application administrators to ensure separation of duties is adequate and implement technical controls, or determine other mechanisms, to prohibit application administrators from conducting those actions.
Ensure plans are in place for effective access controls during the expansion of CATS to uncleared personnel, or any other significant changes to the application, to help prevent account management weaknesses.
Prioritize efforts to implement automated account management to lessen the burden on administrators and ensure appropriate roles and access are granted.
Ensure that control assessment plans are developed and that they detail the scope of the assessment, including assessment procedures and specific roles and responsibilities of members on the assessment team.
Ensure that all required controls are fully assessed for CATS and its operating environment on the frequency basis described within the ISCM plan to determine whether controls were implemented correctly, operating as intended, and producing desired outcomes. Controls assessments should be shared with relevant stakeholders. Any deficiencies should be documented in a plan of action and milestones, as appropriate.
Document the ISA annual review process and any updates that may have occurred as a result.
Communicate with the Authorizing Official of eDISS+ during the annual review process of the ISA to ensure that all technical changes are updated appropriately within the agreement and that both parties are aware of any potential system changes that may impact either system’s security categorization and/or implemented controls.
Ensure that the NA-IM cybersecurity team participates in the monthly data bridge meetings that support the ISA between CATS and eDISS+ to verify that the CATS data remains secure and that all risks associated with the system information exchange are reported to management and addressed appropriately.
Ensure that annual reviews and updates to the CATS risk assessment are performed to include the evaluation of all risks and subsequential existence of mitigating controls, in accordance with NNSA’s internal policies and NIST requirements.
Ensure that the CATS PIA is completed/updated annually in accordance with NNSA’s privacy procedures and that the information being reported is accurate by collaborating with all system subject matter experts.
Ensure that the CATS security categorization is reevaluated to consider all relevant factors and additional security controls are implemented, as necessary.
Develop a system-level contingency plan for CATS and test the plan on a specified frequency to verify that notification, recovery, and restoration capabilities are adequately implemented.
Reevaluate the risks and needs associated with implementing an alternate storage site for the CATS backup information and implement changes, as necessary.
Ensure that all system users complete applicable security and privacy training based on assigned roles and responsibilities within the system in accordance with established requirements.
Ensure that an analysis is conducted to identify PSFs in the system that are eligible for dispositioning, per Federal and Department requirements. Once completed, direct system personnel to communicate those results to the respective CPSOs to prepare for destruction where it is warranted.
Ensure a mechanism is developed to assist in identifying, communicating, and destroying PSFs that meet Federal and Department retention and dispositioning requirements.
Ensure initial and refresher training is provided to security personnel regarding the management, retention, and destruction of PSFs housed in CATS.