
Open Recommendations

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.
Develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology, Enterprise Risk Management Playbook, and Office of Management and Budget Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC.
Implement solutions to perform scenario analysis and model potential responses, including modeling the potential impact of a threat exploiting a vulnerability and the resulting impact to organizational systems and data.
Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.
Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.
Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations.
Integrate the management of secure configurations into the organizational configuration management process.
Develop, implement, and disseminate processes to implement Trusted Internet Connection 3.0, including updating its network and system boundary policies, in accordance with Office of Management and Budget Memorandum 19-26, Update to the Trusted Internet Connections (TIC) Initiative. This includes, as appropriate, the incorporation of Trusted Internet Connection security capabilities catalog, Trusted Internet Connection use cases, and Trusted Internet Connection overlays.
Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploitable Vulnerabilities.
Develop, implement, and disseminate an Identity and Access Management policy and procedures which are in accordance with the most recent National Institute of Standards and Technology guidance.
Define and document a strategy (including specific milestones) to implement the Federal Identity, Credential, and Access Management architecture.
Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring.
Define and implement the Identity, Credential, and Access Management policies and procedures.
Define and implement a process to ensure the completion of access agreements for all of the CPSC users.
Implement the CPSC’s policies and procedures for provisioning, managing, and reviewing privileged accounts.
Identify and document potentially incompatible duties permitted by privileged accounts.
Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties.
Define and document policies and procedures outlining the CPSC’s remote access configuration/connection requirements, including use of Federal Information Processing Standards 140-2 validated cryptographic modules, system timeouts, and monitoring and control of remote access sessions.
Implement data encryption policies and procedures for data at rest and data in transit. This should include fully implementing the Data Loss Prevention solution.
Document and implement a process for inventorying and securing systems that contain Personally Identifiable Information or other sensitive agency data (e.g., proprietary information).
Document and implement a process for periodically reviewing for and removing unnecessary Personally Identifiable Information from agency systems.
Perform an assessment of the knowledge, skills, and abilities of the CPSC personnel with significant security responsibilities.
Finalize and implement the Awareness and Training policy which is currently in draft.
Develop a security awareness and training strategy/plan in accordance with Federal Cybersecurity Workforce Strategy.
Establish and implement a strategy for identifying and integrating organizational risk tolerance and mission risk tolerances into the Information Security Continuous Monitoring program, and ensure the Information Security Continuous Monitoring supporting plan, policy, and procedures are updated to consider each program tier.