Significant Recommendations

The Office of Inspector General classifies certain recommendations for corrective action to the Agency as significant. The definition of significant includes those recommendations that have wide programmatic impact or whose implementation would result in a significant financial impact.


Consumer Product Safety Risk Management System Information Security Review Report

Identify the participants of the CPSC Risk Executive Council and define specific tasks/milestones for implementing the proposed Risk Management Framework.

Develop an Enterprise Architecture that includes a comprehensive IT security architecture using the CIO Council's guidance and incorporate this into the Security Control Documents.


Cybersecurity Information Sharing Act of 2015 Review Report

Develop, document, and maintain a software inventory including license management policies and procedures.

Comply with and enforce HSPD-12 multifactor authentication supported by the Personal Identity Verification Card.


Audit of the Occupant Emergency Program for Fiscal Year 2017

Develop and implement an effective OEP team training program with drills and exercises to include all team members at least annually.

Develop and implement procedures to address the needs of individuals requiring additional assistance. These procedures should include a process to routinely update the list of persons requiring assistance.

Develop and implement facility-specific policies and procedures.


Review of Personal Property Management System and Practices for Calendar Year 2017

Upon a justifiable determination of PMS’s system categorization, design and implement standard procedures for requesting and approving user access to roles and resources in PMS.


Report on the Penetration and Vulnerability Assessment of CPSC’s Information Technology Systems

REDACTED

REDACTED


Report of Investigation Regarding the 2019 Clearinghouse Data Breach

Determine, document, and implement a structure for the Clearinghouse.


Audit of the CPSC’s Position Designation and Suitability Program

Update and implement EXRM directives, policies, and procedures regarding position designation to reflect current EXRM operations and address current OPM policies and guidelines.

Develop and maintain an accessible database with all information required to effectively manage the position designation and suitability program. At a minimum, this system should contain the name of the employee or contractor, position number and title, position designation, tier of background investigation completed, entry-on-duty date, date the background investigation was requested, date the background investigation was completed, whether it was an initial investigation or reinvestigation, whether reciprocity was applied, and reinvestigation due date.

Establish a process to include Office of Human Resources Management during the drafting of the statement of work to determine the appropriate investigative tier for contractors prior to when the request for quotes is released to potential vendors.

Develop a formal documented process (directive or standard operating procedure) for onboarding contractors.


Audit of the CPSC’s Implementation of FMFIA for FYs 2018 and 2019

Provide guidance identifying programs and/or activities as a part of its internal guidance and in accordance with achieving its mission requirements.

Align programs and/or activities with applicable reporting requirements.

Report programs and/or activities in accordance with applicable Federal criteria.

Provide training to CPSC program managers on how to develop and implement a formal internal controls program in accordance with Standards for Internal Control in the Federal Government, OMB Circular A-123, and CPSC policies and procedures.

Develop a formal internal controls program over operations for CPSC programs.

Establish formal lines of communication between the Office of Financial Management, Planning and Evaluation and CPSC program management for the purpose of assessing and monitoring internal control programs and compliance with FMFIA requirements.


Evaluation of the CPSC's FISMA Implementation for FY 2021

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (Risk Management iv/v/vi).

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (Risk Management iv/v/vi).

Develop and implement an Enterprise Risk Management (ERM) program based on the National Institute of Standards and Technology and ERM Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (Risk Management iv/v/vi).

Develop and implement an information security architecture that supports the Enterprise Architecture (Risk Management vii).

Develop an Enterprise Architecture to be integrated into the risk management process (Risk Management vii).

Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).

Integrate the management of secure configurations into the organizational Configuration Management process (Configuration Management v).

Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).

Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).

Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).

Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training (Data Protection and Privacy iii).

Implement Information Security Continuous Monitoring procedures, including those procedures related to the monitoring of performance measures and metrics, that support the Information Security Continuous Monitoring program (Information Security Continuous Monitoring ii) (2021 recommendation).


Evaluation of the CPSC's NIST Cybersecurity Framework Implementation

Update and implement the CPSC Framework Implementation Action Plan.


Evaluation of the CPSC's FISMA Implementation for FY 2022

Implement registration and inventorying procedures for the CPSC’s information systems (2022 Recommendation).

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (2020 Recommendation).

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (2020 Recommendation).

Develop and implement an Enterprise Risk Management (ERM) program based on National Institute of Standards and Technology and ERM Playbook (OMB Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (2020 Recommendation).

Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements (2021 Recommendation).

Integrate the management of secure configurations into the organizational configuration management process (2020 Recommendation).

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (2020 Recommendation).

Implement data encryption and sanitization of digital media policies and procedures (2020 Recommendation - Modified).


Human Capital Program Assessment

Create and publish an HCOP that conforms to current OPM guidance.

Design and implement agency policies which describe how the use of data will support sound HC strategies and identify process improvements. This should include a process to identify deficiencies and a plan for remediation.

Establish formal communication strategies with all appropriate agency stakeholders (messages, briefings, policies etc.).

Update and publish directives and SOPs for all major HC areas and routine HC tasks.

Create and publish a succession plan and supporting documents that conform to current OPM guidance, to include backfill and reorganization plans, and a list of all Mission Critical Occupations.

Review policy and programs that directly relate to recruitment and retention such as: retention bonuses, flexible pay bands for hard-to-fill positions, career ladder positions, cross-training, easier hiring processes, and other flexibilities at HR’s disposal to recruit and retain qualified employees.

At the end of each EXRM-provided training, provide employees with the option to provide feedback on the utility of each training provided.

Create and distribute a survey to all employees regarding satisfaction with EXRM services, at least annually.

Utilize all available data sources in a targeted, data-driven manner to assess HC programs effectiveness and success. Follow-up on the results of assessments via formal written reports and hold personnel accountable to ensure the findings do not continue to occur in the future.

Complete annual self-audits as required by OPM guidance.

Initiate a communication plan and distribute this plan across the CPSC to all appropriate stakeholders. The plan should establish formal communication strategies with all appropriate agency stakeholders (messages, briefings, briefing notes, policies etc.).


Evaluation of the CPSC's FISMA Implementation for FY 2023

Implement registration and inventorying procedures for the CPSC’s information systems.

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance.

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.

Develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology, Enterprise Risk Management Playbook, and Office of Management and Budget Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC.

Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

Integrate the management of secure configurations into the organizational configuration management process.

Identify and document potentially incompatible duties permitted by privileged accounts.

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties.

Implement data encryption policies and procedures for data at rest and data in transit. This should include fully implementing the Data Loss Prevention solution.


Evaluation of the CPSC's Management of Cloud Computing, Shared Services, & Third-Party Systems

Develop and implement an IT modernization plan. This plan should:
i. document an inventory of all legacy systems in operation at the CPSC
ii. identify the cost associated with the operations and maintenance of the legacy systems in operation in the current environment at the CPSC
iii. identify the resources necessary to modernize each CPSC legacy system (e.g., migrating to a Commercial-Off-The-Shelf solution or shared services solution, moving to a cloud environment, etc.)
iv. analyze potential opportunities to save money, improve operations, and improve security through modernizing the CPSC’s legacy systems

Develop and establish a process to monitor the implementation of the IT modernization plan by documenting the objectives, goals, tasks, milestones, metrics, and funding sources associated with management’s modernization efforts.

Establish and implement a policy and procedure to manage the cloud computing, shared services, and third-party system inventory necessary for transitioning to a consumption-based service model.


Audit of the Consumer Product Safety Commission's Fiscal Year 2023 Financial Statements

Perform an assessment of employee resources in the Office of Financial Management, Planning, and Evaluation, and other relevant financial process areas to ensure an appropriate complement of resources are in place to manage accounting and reporting matters as they arise and through their normal course of business.

Provide training and supervision for personnel on financial management matters that affect the financial statements, including adhering to accounting policies and procedures, as appropriate, and performing key internal control functions in support of financial reporting.

Improve the risk assessment process at the financial statement assertion and process level to ensure that CPSC management is appropriately capturing significant changes in the control environment and subsequently responding to those risks.

Implement key monitoring controls over the financial reporting process and develop robust policies and procedures to increase oversight, review, and accountability of accounting events at the process level to ensure the successful implementation of an effective internal control environment.


Audit of the CPSC’s Internal Controls Over Space Utilization

Develop, document, and use a risk-based methodology to analyze agency space needs.

Design and implement policies and procedures to create an effective real property management program.

Establish and document policies and procedures that ensure only officials with the authority to commit or obligate the CPSC execute occupancy agreements, including a process to keep all delegations of authority available for inspection.

Take appropriate action to right-size the agency’s leased office space in order to meet the agency’s targeted utilization and occupancy rates and promote the efficient utilization of space at an economical cost to the government.


Audit of the CPSC’s FISMA Implementation for FY 2025

Finalize and implement a comprehensive Risk Management Strategy that defines roles and responsibilities, enterprise risk priorities, objectives, and communication protocols, including third-party risk considerations.

Continue to develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology and Enterprise Risk Management Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance.

Last updated on February 6, 2023 3:59pm