The Federal Information Security Modernization Act of 2014 (FISMA) provides a comprehensive framework for establishing, and ensuring the effectiveness of, managerial, operational, and technical controls over the information technology (IT) that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs. FISMA requires the head of each agency to implement policies and procedures that cost-effectively reduce IT security risks to an acceptable level. FISMA also requires agency program officials, Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | Yes | $0 | $0 | The Peace Corps develop a strategy and structure that integrates information security into the agency's business operations. This should include an established responsibility for assessing information security risks in all agency programs and operations and for providing this analysis to senior leadership, including the enterprise risk management (ERM) Council, for decision-making.
2 | Yes | $0 | $0 | The Peace Corps include the CISO in ERM Council meetings to provide insight on cybersecurity risks.
3 | Yes | $0 | $0 | The Peace Corps further define and implement the ERM program to ensure information security risks are communicated and monitored at the system, business process, and entity levels.
4 | Yes | $0 | $0 | The Peace Corps improve its incident response process to ensure incidents are properly defined, promptly identified, and effectively remediated.
5 | Yes | $0 | $0 | The Peace Corps consistently implement and improve its inventory management process to ensure that information system, hardware, and software inventories are accurate, complete, and up to date.
6 | Yes | $0 | $0 | The Peace Corps improve its vulnerability and patch management processes through consistent and timely remediation of critical and high vulnerabilities and timely patching.
7 | Yes | $0 | $0 | The Peace Corps complete and fully implement an identity, credential, and access management (ICAM) program.