
Open Recommendations

We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 9.Ensure that contingency plans are tested, as required, to include the ability to recover and restore information system components.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 10.Ensure that all required security controls are documented in system security plans and are implemented consistent with the system’s security categorization.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 11.Ensure effective implementation of Federal requirements related to information input validation controls, including updating, as necessary, BPA’s system and information integrity policies and procedures to help ensure that all necessary controls are implemented.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 12.Develop and implement a role-based contingency training program for information system users with assigned contingency roles and responsibilities, to include specific continuity requirements contained in BPA’s systems’ contingency plans.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 13.Develop and/or update policies and procedures to facilitate an effective cybersecurity program through the implementation of security controls in accordance with Federal and Department requirements.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 14.Implement an effective oversight structure at BPA that encompasses program management activities, to include the development and implementation of continuous monitoring, risk management, and governance activities.
We recommend that the Administrator, BPA, direct personnel to: 15.Apply all necessary software patches and fixes in a timely manner and monitor patching capabilities to ensure patches and fixes are applied as intended.
We recommend that the Administrator, BPA, direct personnel to: 16.Ensure that effective web application testing processes and procedures are implemented as part of the application development and vulnerability management programs to identify and remediate known web application vulnerabilities in a timely manner.
We recommend that the Chief Information Security Officer, BPA, direct personnel to: 17.Develop and implement a role-based security training program for personnel in roles with privileged system access or other security-related responsibilities, to include ensuring training is completed prior to granting system access or initiating activities related to other responsibilities.
We recommend that the Chief Information Security Officer, BPA, direct personnel to: 18.Update existing policies to require complete and documented user access reviews for standard and privileged users on BPA’s systems and applications, at least quarterly.
We recommend that the Chief Information Security Officer, BPA, direct personnel to: 19.Develop and implement separation of duties and implement a mechanism to identify and alert on potential conflicts in assigned roles and privileges.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 1.Ensure that BPA’s information system inventory accurately reflects the current information system environment and that reviews of the information system component inventory are documented.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 2.Develop and maintain a current security architecture for BPA’s organization that includes all necessary Federal and Department requirements.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 3.Ensure continuous monitoring of BPA’s information systems and applications to gain assurance that required controls are implemented, working as intended, and continue to operate at an acceptable level of risk.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 4.Develop and implement security assessment plans that establish the appropriate expectations for security control assessments and incorporate all required security controls used as part of the continuous monitoring and security authorization process.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 5.Ensure that all information systems and major applications currently in operation have complete authorization packages, including ensuring that all known issues and supporting processes, such as risk assessments, are fully and effectively addressed, and a rationale of the system categorization is appropriately documented.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 6.Ensure that POA&Ms are tracked to completion and that adequate evidence is maintained to support the correction of the identified condition.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 7.Ensure that configuration management policies and procedures are developed and effectively implemented to support management of configuration baselines and configuration changes, including ensuring that configuration baselines and settings are updated, documented, and approved at least every 6 months in accordance with site-level policies and procedures.
We recommend that the Administrator and Chief Executive Officer direct the Chief Administrative Officer to: 8.Implement a procedure to monitor and control deviations for information system configuration settings, including, but not limited to, documenting approvals and deviations for configuration settings for BPA’s systems.