
Open Recommendations

Develop Supply Chain Risk Management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and Supply Chain Risk Management requirements.
Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.
Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy. These procedures should include the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations.
Integrate the management of secure configurations into the organizational configuration management process.
Develop and implement an enterprise Configuration Management plan to ensure it includes all requisite information.
Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
Develop qualitative and quantitative performance measures to evaluate the effectiveness of the following: Configuration Management plan and change control activities.
Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations, at least annually.
• Explicit position screening criteria for information security role appointments.
• Description of how cybersecurity is integrated into human resources practices.
Implement the CPSC’s policies and procedures for provisioning, managing, and reviewing privileged accounts.
Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training.
Fully implement a data loss prevention solution.
Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities.
Develop and tailor security training content for all CPSC personnel with significant security responsibilities and provide this training to the appropriate individuals.
Document and implement a process for ensuring that all personnel with significant security roles and responsibilities are provided specialized security training to perform assigned duties.
Fully implement the Awareness and Training Policy.
Develop a security awareness and training strategy/plan in accordance with the Chief Human Capital Officers Council Federal Cybersecurity Workforce Strategy.
Establish and implement a strategy for identifying and integrating organizational risk tolerance and mission risk tolerances into the Information Security Continuous Monitoring program, and ensure the Information Security Continuous Monitoring supporting plan, policy, and procedures are updated to consider each program tier.
Implement Information Security Continuous Monitoring procedures including those procedures related to the monitoring of performance measures and metrics, that support the Information Security Continuous Monitoring program.
Update the System Security Plans to include the most up-to-date information and assess the relevant minor applications.
Define and implement Event Logging requirements in accordance with OMB M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.
Update the Continuity of Operations Plan, or other documentation supporting CPSC contingency planning efforts, to provide traceability from the statutory requirements to the mission essential functions and to include all necessary information, for example: (1) a list of systems that support the Mission Essential Functions, (2) a list of systems necessary for essential supporting activities, and (3) a list of records essential for the CPSC’s continuity of operations.
Integrate documented contingency plans with the newly developed Continuity of Operations Plan and organizational Business Impact Analyses.
Develop and implement policies and procedures for maintaining a Continuity of Operations Plan and conducting organizational and system level Business Impact Analyses in accordance with current federal guidance (e.g., NIST SP 800-34/53, DHS Federal Continuity Directive 1, NIST Cybersecurity Framework, and National Archives and Records Administration guidance).
Perform a cost-benefit analysis of introducing automation to support the testing of system contingency plans, and apply the appropriate risk mitigation strategy.
Fully implement its processes for information system backup for the General Support System Cloud.