
Open Recommendations

Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: information technology system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media).
Develop and implement a formal strategy to address information security risk management requirements as prescribed by the NIST guidance.
Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.
Develop and implement an Enterprise Risk Management program based on NIST, Chief Financial Officers Council and Performance Improvement Council Enterprise Risk Management Playbook, and OMB Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC.
Develop, document, and implement a process for determining and defining system boundaries in accordance with NIST guidance.
Develop and implement an information security architecture that supports the enterprise architecture.
Develop an enterprise architecture to be integrated into the risk management process.
Implement solutions to perform scenario analysis and model potential responses, including modeling the potential impact of a threat exploiting a vulnerability and the resulting impact to organizational systems and data.
Implement registration and inventorying procedures for the CPSC’s information systems.
Develop Supply Chain Risk Management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and Supply Chain Risk Management requirements.
Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.
Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations.
Integrate the management of secure configurations into the organizational configuration management process.
Develop and implement an enterprise Configuration Management plan to ensure it includes all requisite information.
Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
Develop qualitative and quantitative performance measures to evaluate the effectiveness of the Configuration Management plan and change control activities.
Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations, at least annually.
• Explicit position screening criteria for information security role appointments.
• Description of how cybersecurity is integrated into human resources practices.
Implement the CPSC’s policies and procedures for provisioning, managing, and reviewing privileged accounts.
Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training.
Fully implement a data loss prevention solution.
Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities.
Develop and tailor security training content for all CPSC personnel with significant security responsibilities and provide this training to the appropriate individuals.
Document and implement a process for ensuring that all personnel with significant security roles and responsibilities are provided specialized security training to perform assigned duties.
Fully implement the Awareness and Training Policy.
Develop a security awareness and training strategy/plan in accordance with the Chief Human Capital Officers Council Federal Cybersecurity Workforce Strategy.