U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Audit of the CPSC’s FISMA Implementation for FY 2025

Date Issued
Report Number
25-A-04
Report Type
Audit
Number of Recommendations
6
Description
The U.S. Consumer Product Safety Commission (CPSC) OIG retained Williams, Adley, & Co.-DC LLP (Williams Adley, we), an independent public accounting firm, to perform the independent assessment of the CPSC’s implementation of FISMA for FY 2025 and to determine the effectiveness of its information security program. This report documents the results of the OIG’s FISMA evaluation. Specifically, we assessed the CPSC’s compliance with the annual Inspector General (IG) FISMA reporting metrics set forth by the DHS and OMB. 
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov
Download a PDF of this Report

Open Recommendations

Finalize and implement policies and procedures for creating and maintaining current and target cybersecurity profiles in alignment with National Institute of Standards and Technology Cybersecurity Framework Guidance.

Finalize and implement a comprehensive Risk Management Strategy that defines roles and responsibilities, enterprise risk priorities, objectives, and communication protocols, including third-party risk considerations.

Continue to develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology and Enterprise Risk Management Playbook (Office of Management and Budget Circular A- 123, Section II requirement) guidance.

Develop and implement policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and corresponding metadata for the Consumer Product Safety Commission data types.

Fully implement, assess, and maintain secure configuration settings in accordance with defined configuration management policy and security configuration baseline procedures.

Update all relevant Information Security Continuous Monitoring policies, procedures, and supporting documentation based on latest National Institute of Standard and Technology guidance.