Evaluation of the CPSC's FISMA Implementation for FY 2022
Implement registration and inventorying procedures for the CPSC's information systems (2022 Recommendation).
Develop, document, and implement a process for determining and defining system boundaries in accordance with National Institute of Standards and Technology guidance (2020 Recommendation).
Establish and implement a policy and procedures to manage software licenses using automated monitoring and expiration notifications (2020 Recommendation).
Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network (2020 Recommendation).
Define and document the taxonomy of the CPSC's information system components, and classify each component as, at minimum, one of the following types: information technology system (e.g., proprietary and/or owned by the CPSC); application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software); laptop and/or personal computer; or service (e.g., external services that support the CPSC's operational mission, facility, or social media) (2020 Recommendation).
Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network (2020 Recommendation).
Develop and implement a formal strategy to address information security risk management requirements as prescribed by National Institute of Standards and Technology guidance (2020 Recommendation).
Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (2020 Recommendation).
Develop and implement an Enterprise Risk Management (ERM) program based on National Institute of Standards and Technology guidance and the ERM Playbook (OMB Circular A-123, Section II requirement). This includes establishing a cross-departmental risk executive (function), led by senior management, to provide both a department-level and an organization-level view of risk to the top decision makers within the CPSC (2020 Recommendation).
Implement solutions to perform scenario analysis and model potential responses, including modeling the potential impact of a threat exploiting a vulnerability and the resulting impact to organizational systems and data (2022 Recommendation).
Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements (2021 Recommendation).
Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations (2020 Recommendation).
Integrate the management of secure configurations into the organizational configuration management process (2020 Recommendation).
Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (2020 Recommendation - Modified).
Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (2020 Recommendation).
Define and implement processes for provisioning, managing, and reviewing privileged accounts (2021 Recommendation).
Implement data encryption and sanitization of digital media policies and procedures (2020 Recommendation - Modified).
Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities (2020 Recommendation).
Integrate the established strategy for identifying organizational risk tolerance into the Information System Configuration Management plan (2020 Recommendation).
Update the System Security Plans to include the most up-to-date information and assess the relevant minor applications (2022 Recommendation).
Develop and document a robust and formal approach to contingency planning for agency systems and processes that include mission essential functions, using the appropriate guidance (e.g., NIST SP 800-34/53, Federal Continuity Directive 1, the NIST Cybersecurity Framework, and National Archives and Records Administration guidance) (2020 Recommendation).
Develop, document, and distribute all required Contingency Planning documents (e.g., organization-wide Continuity of Operations Plan and Business Impact Assessment, Disaster Recovery Plan, and Business Continuity Plans) in accordance with appropriate federal and best-practice guidance (2020 Recommendation).
Integrate documented contingency plans with the other relevant agency planning areas (2020 Recommendation).
Test the set of documented contingency plans (2020 Recommendation - Modified).