
Open Recommendations

Implement registration and inventorying procedures for the CPSC’s information systems.
Develop, document, and implement a process for determining and defining system boundaries in accordance with National Institute of Standards and Technology guidance.
Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: information technology system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media).
Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance.
Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.
Develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology, Enterprise Risk Management Playbook, and Office of Management and Budget Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC.
Implement solutions to perform scenario analysis and model potential responses, including modeling a threat exploiting a vulnerability and the resulting impact to organizational systems and data.
Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.
Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.
Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy, which includes the process that management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations.
Integrate the management of secure configurations into the organizational configuration management process.
Develop, implement, and disseminate processes to implement Trusted Internet Connection 3.0, including updating its network and system boundary policies, in accordance with Office of Management and Budget Memorandum 19-26, Update to the Trusted Internet Connections (TIC) Initiative. This includes, as appropriate, the incorporation of the Trusted Internet Connection security capabilities catalog, Trusted Internet Connection use cases, and Trusted Internet Connection overlays.
Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
Develop, implement, and disseminate an Identity and Access Management policy and procedures which are in accordance with the most recent National Institute of Standards and Technology guidance.
Define and document a strategy (including specific milestones) to implement the Federal Identity, Credential, and Access Management architecture.
Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring.
Define and implement the Identity, Credential, and Access Management policies and procedures.
Define and implement a process to ensure the completion of access agreements for all CPSC users.
Implement the CPSC’s policies and procedures for provisioning, managing, and reviewing privileged accounts.
Identify and document potentially incompatible duties permitted by privileged accounts.
Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties.
Define and document policies and procedures outlining the CPSC’s remote access configuration/connection requirements, including use of Federal Information Processing Standard 140-2 validated cryptographic modules, system timeouts, and monitoring and control of remote access sessions.
Implement data encryption policies and procedures for data at rest and data in transit. This should include fully implementing the Data Loss Prevention solution.
Document and implement a process for inventorying and securing systems that contain Personally Identifiable Information or other sensitive agency data (e.g., proprietary information).
Document and implement a process for periodically reviewing for and removing unnecessary Personally Identifiable Information from agency systems.