Evaluation of the CPSC's FISMA Implementation for FY 2023

Implement registration and inventorying procedures for the CPSC’s information systems.

Develop, document, and implement a process for determining and defining system boundaries in accordance with National Institute of Standards and Technology guidance.

Establish and implement a policy and procedures to manage software licenses using automated monitoring and expiration notifications.

Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network.

Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: information technology system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media).

Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network.

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance.

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.

Develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology, Enterprise Risk Management Playbook, and Office of Management and Budget Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the
top decision makers within the CPSC.

Implement Plan of Action and Milestones in accordance with agency policy to mitigate security weakness and document the estimated funding requirements for each of the Plan of Action and Milestones along with the source of those funds.

Perform periodic lessons learned exercises to improve the Plan of Action and Milestones process.

Implement solutions to perform scenario analysis and model potential responses, including modeling the potential impact of a threat exploiting a vulnerability and the resulting impact to organizational systems and data.

Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

Develop and communicate an organization-wide Supply Chain Risk Management strategy/plan to manage the supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the CPSC systems, system components, or services.

Develop, implement, and disseminate a current configuration management policy which is in accordance with the most recent National Institute of Standards and Technology guidance.

Develop, implement, and disseminate a set of configuration management procedures in accordance with the inherited configuration management policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations.

Integrate the management of secure configurations into the organizational configuration management process.

Develop, implement, and disseminate processes to implement Trusted Internet Connection 3.0, including updating its network and system boundary policies, in accordance with Office of Management and Budget Memorandum 19-26, Update to the Trusted Internet Connections (TIC) Initiative. This includes, as appropriate, the incorporation of Trusted Internet Connection security capabilities catalog, Trusted Internet Connection use cases, and Trusted Internet Connection overlays.

Develop and implement policies and procedures in support of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploitable Vulnerabilities.

Update the Vulnerability Disclosure Handling Procedures to support the implementation of the CPSC’s Vulnerability Disclosure Program.

Develop, implement, and disseminate an Identity and Access Management policy and procedures which are in accordance with the most recent National Institute of Standards and Technology guidance.

Define and document a strategy (including specific milestones) to implement the Federal Identity, Credential, and Access Management architecture.

Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring.

Define and implement the Identity, Credential, and Access Management policies and procedures.

Define and implement a process to ensure the completion of access agreements for all of the CPSC users.

Implement the CPSC’s policies and procedures for provisioning, managing, and reviewing privileged accounts.

Identify and document potentially incompatible duties permitted by privileged accounts.

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties.

Define and document policies and procedures outlining the CPSC’s remote access configuration/connection requirements, including use of Federal Information Processing Standards 140-2 validated cryptographic modules, system timeouts, and monitoring and control of remote access sessions.

Implement data encryption policies and procedures for data at rest and data in transit. This should include fully implementing the Data Loss Prevention solution.

Document and implement a process for inventorying and securing systems that contain Personally Identifiable Information or other sensitive agency data (e.g., proprietary information)

Document and implement a process for periodically reviewing for and removing unnecessary Personally Identifiable Information from agency systems.

Perform an assessment of the knowledge, skills, and abilities of the CPSC personnel with significant security responsibilities.

Finalize and implement the Awareness and Training policy which is currently in draft.

Develop a security awareness and training strategy/plan in accordance with Federal Cybersecurity Workforce Strategy.

Establish and implement a strategy for identifying and integrating organizational risk tolerance and mission risk tolerances into the Information Security Continuous Monitoring program, and ensure the Information Security Continuous Monitoring supporting plan, policy, and procedures are updated to consider each program tier.

Update the System Security Plans to include the most up-to-date information and assess the relevant minor applications.

Implement Information Security Continuous Monitoring roles and responsibilities.

Develop mechanisms to ensure Information Security Continuous Monitoring stakeholder accountability.

Define and implement event logging requirements in accordance with Office of Management and Budget Memorandum 21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.

Develop and implement policies and procedures for maintaining a Continuity of Operations Plan and conducting organizational and system level Business Impact Analyses in accordance with current federal guidance. (e.g., National Institute of Standards and Technology Special Publication 800- 34/53, Federal Continuity Directive 1, National Institute of Standards and Technology Cybersecurity Framework, and National Archive and Records Administration guidance).

Update the Continuity of Operations Plan, or other documentation supporting the CPSC contingency planning efforts, to provide traceability from the statutory requirements to the Mission Essential Functions and to include all necessary information, for example: (1) a list of systems that support the Mission Essential Functions, (2) a list of systems necessary for essential supporting activities, and (3) a list of records essential for the CPSC’s continuity of operations.

Integrate documented contingency plans with the newly developed Continuity of Operations Plan and organizational Business Impact Analyses.

Test the set of documented contingency plans.