U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


  1. Home
  2. Reports

Evaluation of the CPSC's FISMA Implementation for FY 2021

Date Issued
Report Number
Report Type
Inspection / Evaluation
Questioned Costs
Funds for Better Use

Open Recommendations

Develop, document, and implement a process for determining and defining system boundaries in accordance with the National Institute of Standards and Technology guidance (Risk Management ii/iii).

Establish and implement policies and procedures to manage software licenses using automated monitoring and expiration notifications (Risk Management ii/iii).

Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network (Risk Management ii/iii).

Define and document the taxonomy of the CPSC’s information system components, and classify each information system component as, at minimum, one of the following types: IT system (e.g., proprietary and/or owned by the CPSC), application (e.g., commercial off-the-shelf, government off-the-shelf, or custom software), laptops and/or personal computers, service (e.g., external services that support the CPSC’s operational mission, facility, or social media) (Risk Management ii/iii).

Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network (Risk Management ii/iii).

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (Risk Management iv/v/vi).

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (Risk Management iv/v/vi).

Develop and implement an Enterprise Risk Management (ERM) program based on the National Institute of Standards and Technology and ERM Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) lead by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (Risk Management iv/v/vi).

Develop and implement an information security architecture that supports the Enterprise Architecture. (Risk Management vii).

Develop an Enterprise Architecture to be integrated into the risk management process (Risk Management vii).

Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).

Develop and implement a Configuration Management plan to ensure it includes all requisite information (Configuration Management ii/iii).

Develop, implement, and disseminate a set of Configuration Management procedures in accordance with the inherited Configuration Management Policy which includes the process management follows to develop and tailor common secure configurations (hardening guides) and to approve deviations from those standard configurations (Configuration Management iv/v).

Integrate the management of secure configurations into the organizational Configuration Management process (Configuration Management v).

Consistently implement flaw remediation processes, including the remediation of critical vulnerabilities (Configuration Management vi).

Identify and document the characteristics of items that are to be placed under Configuration Management control (Configuration Management vii).

Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).

Define and document a strategy (including specific milestones) to implement the Federal Identity, Credential, and Access Management architecture (Identity and Access Management i/ii/iii).

Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).

Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).

Define and implement a process to ensure the completion of access agreements for all CPSC users. (Identity and Access Management v).

Identify and document potentially incompatible duties permitted by privileged accounts (Identity and Access Management vii).

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (Identity and Access Management vii).

Define and implement the identification and authentication policies and procedures (Identity and Access Management ii).

Define and implement processes for provisioning, managing, and reviewing privileged accounts (Identity and Access Management vii) (2021 recommendation).

Document and implement a process for inventorying and securing systems that contain Personally Identifiable Information or other sensitive agency data (e.g., proprietary information) (Data Protection and Privacy i).

Document and implement a process for periodically reviewing for and removing unnecessary Personally Identifiable Information from agency systems (Data Protection and Privacy i).

Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training (Data Protection and Privacy iii).

Perform an assessment of the knowledge, skills, and abilities of CPSC personnel with significant security responsibilities (Security Training i).

Document and implement a process for ensuring that all personnel with significant security roles and responsibilities are provided specialized security training to perform assigned duties (Security Training ii/iii) (2021 recommendation).

Develop and tailor security training content for all CPSC personnel with significant security responsibilities and provide this training to the appropriate individuals (Security Training iv/v).

Integrate the established strategy for identifying organizational risk tolerance into the Information Security Continuous Monitoring plan (Information Security Continuous Monitoring i).

Implement Information Security Continuous Monitoring procedures, including those procedures related to the monitoring of performance measures and metrics , that support the Information Security Continuous Monitoring program (Information Security Continuous Monitoring ii) (2021 recommendation).

Develop, document, and distribute all required Contingency Planning documents (e.g.. organization-wide Continuity of Operation Plan and Business Impact Assessment, Disaster Recovery Plan, Business Continuity Plans, and Information System Contingency Plans) in accordance with appropriate federal and best practice guidance (Contingency Planning ii/iv).

Integrate documented contingency plans with the other relevant agency planning areas (Contingency Planning iii).

Test the set of documented contingency plans (Contingency Planning iv).