
Significant Recommendations

The Office of Inspector General classifies certain recommendations for corrective action to the Agency as significant. The definition used for significant includes those recommendations that have wide programmatic impact or where the implementation would result in a significant financial impact.


Consumer Product Safety Risk Management System Information Security Review Report

Identify the participants of the CPSC Risk Executive Council and define specific tasks/milestones for implementing the proposed Risk Management Framework.

Develop an Enterprise Architecture that includes a comprehensive IT security architecture using the CIO Council's guidance and incorporate this into the Security Control Documents.


Cybersecurity Information Sharing Act of 2015 Review Report

Update, develop, and publish general access control and logical access control policies and procedures for all systems that permit access to PII.

Provide training or document training completion by individual system owners on establishing, implementing, and maintaining logical access policies and procedures for systems that contain PII.

Comply with and enforce HSPD-12 multifactor authentication supported by the Personal Identity Verification Card.


Review of Personal Property Management System and Practices for Calendar Year 2017

Upon a justifiable determination of the PMS system categorization, design, implement, and assess the PMS security controls and formally authorize PMS to operate in accordance with CPSC organizational security policies and procedures as well as other applicable government standards.

Upon a justifiable determination of PMS’s system categorization, design and implement standard procedures for requesting and approving user access to roles and resources in PMS.


Report on the Penetration and Vulnerability Assessment of CPSC’s Information Technology Systems

REDACTED

REDACTED

REDACTED

REDACTED

REDACTED

REDACTED

REDACTED


Report of Investigation Regarding the 2019 Clearinghouse Data Breach

Reconvene the BRT to assess the full extent of the breach, and base its response on the totality of the breach.

Review all available data and establish an accurate identification of all data inadvertently released, internally and externally, from 2010 to 2019.

Obtain an independent review of a sample of Clearinghouse responses prior to 2010 to determine the need for an expanded scope of the review.

Establish a process for communicating and enforcing the implementation of recommendations previously agreed to by management, as required by law.

Implement a single data extraction tool to allow maximum functionality in searching multiple product codes while adequately blocking protected data from release. This tool should default to block ALL fields which may contain 6(b) information and PII data. This data tool must contain a standardized data dictionary to limit placement of restricted information to identified fields.
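The extraction tool described above is a default-deny design: a field leaves the system only if the data dictionary explicitly classifies it as releasable, and anything classified 6(b) or PII, or not in the dictionary at all, is withheld. The following Python is an added illustration of that design and is not the CPSC's tool; the data dictionary, field names, product codes and records are constructed for the example.

```python
"""Default-deny data extraction over Clearinghouse-style records.

Added illustration, not the CPSC's tool: the data dictionary, field names,
product codes and records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumed data dictionary: every field a record may carry, with the class of
# data it is permitted to hold. Only fields classified RELEASABLE may leave
# the system; everything else (including fields absent from the dictionary)
# is blocked by default.
RELEASABLE = "releasable"
SECTION_6B = "6b"      # manufacturer-identifying information (CPSA section 6(b))
PII = "pii"            # personal information about the reporter or victim

DATA_DICTIONARY = {
    "report_id": RELEASABLE,
    "product_code": RELEASABLE,
    "incident_date": RELEASABLE,
    "hazard_description": RELEASABLE,
    "manufacturer_name": SECTION_6B,
    "model_number": SECTION_6B,
    "reporter_name": PII,
    "reporter_phone": PII,
    "reporter_address": PII,
}


@dataclass(frozen=True)
class ExtractionResult:
    records: list            # filtered records, releasable fields only
    blocked_fields: set      # dictionary fields withheld from this extraction
    unknown_fields: set      # fields seen in the data but absent from the dictionary


def releasable_fields(dictionary: dict) -> set:
    """Allowlist: fields whose classification is exactly RELEASABLE."""
    return {name for name, cls in dictionary.items() if cls == RELEASABLE}


def extract(records: Iterable[dict], product_codes: Iterable[str],
            dictionary: dict = DATA_DICTIONARY) -> ExtractionResult:
    """Search several product codes in one pass and return only allowlisted fields.

    Fields classified 6(b)/PII and fields the dictionary does not know about
    are both withheld, so a new column added to the database stays blocked
    until someone deliberately classifies it.
    """
    wanted = set(product_codes)
    allow = releasable_fields(dictionary)
    out, blocked, unknown = [], set(), set()
    for rec in records:
        if rec.get("product_code") not in wanted:
            continue
        kept = {}
        for name, value in rec.items():
            if name in allow:
                kept[name] = value
            elif name in dictionary:
                blocked.add(name)
            else:
                unknown.add(name)
        out.append(kept)
    return ExtractionResult(out, blocked, unknown)


# Constructed sample records (not real incident data).
SAMPLE_RECORDS = [
    {"report_id": "R-1001", "product_code": "1512", "incident_date": "2019-03-02",
     "hazard_description": "Battery overheated during charging",
     "manufacturer_name": "Example Corp", "model_number": "EC-9",
     "reporter_name": "J. Doe", "reporter_phone": "555-0100"},
    {"report_id": "R-1002", "product_code": "0572", "incident_date": "2019-04-11",
     "hazard_description": "Crib slat detached",
     "manufacturer_name": "Sample Nursery", "reporter_address": "1 Main St",
     "internal_notes": "follow up with compliance"},   # not in the dictionary
    {"report_id": "R-1003", "product_code": "9999", "incident_date": "2019-05-20",
     "hazard_description": "Unrelated product code, should not be returned"},
]

if __name__ == "__main__":
    result = extract(SAMPLE_RECORDS, ["1512", "0572"])
    for rec in result.records:
        print(rec)
    print("blocked:", sorted(result.blocked_fields))
    print("unknown (also blocked):", sorted(result.unknown_fields))
```

The allowlist only protects what the dictionary can name: a free-text field such as the hazard description is released because it is classified releasable, which is exactly why the recommendation pairs the tool with a standardized dictionary that limits where restricted information may be placed. Reporting the unknown fields separately gives the Clearinghouse a signal that the dictionary needs updating rather than silently leaking or silently dropping data.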

Limit access to the underlying database and the data extraction tool to those with a bona fide need for access.

Require initial and annual refresher training for all staff on the importance of protecting 6(b) information and PII, including the rights of individuals and businesses, and how to recognize 6(b) information and PII in documents and how to securely handle this information.

Enforce the principle of least privilege and limit access to data on the P-drive to individuals with a bona fide “need to know.”

Determine, document, and implement a structure for the Clearinghouse.

Design, document, and implement control activities to respond to the results of the completed risk assessment process.

Develop and implement written guidance on the importance of the statements of assurance process and the related documentation requirements.


Audit of the CPSC’s Office of Communications Management’s Strategic Goals

Implement a risk assessment process to determine where to focus efforts in terms of usefulness and improving message effectiveness.


Audit of the CPSC’s Position Designation and Suitability Program

Update and implement EXRM directives, policies, and procedures regarding position designation to reflect current EXRM operations and address current OPM policies and guidelines.

Develop and maintain an accessible database with all information required to effectively manage the position designation and suitability program. At a minimum, this system should contain the name of the employee or contractor, position number and title, position designation, tier of background investigation completed, entry-on-duty date, date the background investigation was requested, date the background investigation was completed, whether it was an initial investigation or reinvestigation, whether reciprocity was applied, and reinvestigation due date.

Establish a process to include Office of Human Resources Management during the drafting of the statement of work to determine the appropriate investigative tier for contractors prior to when the request for quotes is released to potential vendors.

Develop a formal documented process (directive or standard operating procedure) for onboarding contractors.


Audit of the CPSC’s Implementation of FMFIA for FYs 2018 and 2019

Provide guidance identifying programs and/or activities as a part of its internal guidance and in accordance with achieving its mission requirements.


Evaluation of the CPSC's FISMA Implementation for FY 2021

Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network (Risk Management ii/iii).

Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network (Risk Management ii/iii).

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (Risk Management iv/v/vi).

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (Risk Management iv/v/vi).

Develop and implement an Enterprise Risk Management (ERM) program based on the National Institute of Standards and Technology and ERM Playbook (Office of Management and Budget Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (Risk Management iv/v/vi).

Develop and implement an information security architecture that supports the Enterprise Architecture. (Risk Management vii).

Develop an Enterprise Architecture to be integrated into the risk management process (Risk Management vii).

Develop supply chain risk management policies and procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply-chain risk management requirements (Supply Chain Risk Management ii/iii/iv) (2021 recommendation).

Integrate the management of secure configurations into the organizational Configuration Management process (Configuration Management v).

Establish measures to evaluate the implementation of changes in accordance with documented information system baselines and integrated secure configurations (Configuration Management vii).

Integrate Identity, Credential, and Access Management strategy and activities into the Enterprise Architecture and Information Security Continuous Monitoring (Identity and Access Management i/ii/iii).

Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements:
• Performance of periodic reviews of risk designations at least annually,
• Explicit position screening criteria for information security role appointments, and
• Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).

Identify and document potentially incompatible duties permitted by privileged accounts (Identity and Access Management vii).

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (Identity and Access Management vii).

Identify all CPSC personnel that affect security and privacy (e.g., Executive Risk Council, Freedom of Information Act personnel, etc.) and ensure the training policies are modified to require these individuals to participate in role-based security/privacy training (Data Protection and Privacy iii).

Implement Information Security Continuous Monitoring procedures, including those procedures related to the monitoring of performance measures and metrics, that support the Information Security Continuous Monitoring program (Information Security Continuous Monitoring ii) (2021 recommendation).


Evaluation of the CPSC's NIST Cybersecurity Framework Implementation

Update and implement the CPSC Framework Implementation Action Plan.


Evaluation of the CPSC's FISMA Implementation for FY 2022

Implement registration and inventorying procedures for the CPSC’s information systems. (2022 Recommendation).

Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network (2020 Recommendation).

Identify and implement a Network Access Control solution that establishes set policies for hardware and software access on the agency’s network (2020 Recommendation).

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance (2020 Recommendation).

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies (2020 Recommendation).

Develop and implement an Enterprise Risk Management (ERM) program based on National Institute of Standards and Technology and ERM Playbook (OMB Circular A-123, Section II requirement) guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC (2020 Recommendation).

Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements (2021 Recommendation).

Integrate the management of secure configurations into the organizational configuration management process (2020 Recommendation).

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties (2020 Recommendation).

Implement data encryption and sanitization of digital media policies and procedures (2020 Recommendation - Modified).


Human Capital Program Assessment

Create and publish an HCOP that conforms to current OPM guidance.

Design and implement agency policies which describe how the use of data will support sound HC strategies and identify process improvements. This should include a process to identify deficiencies and a plan for remediation.

Establish formal communication strategies with all appropriate agency stakeholders (messages, briefings, policies etc.).

Update and publish directives and SOPs for all major HC areas and routine HC tasks.

Create and publish a succession plan and supporting documents that conform to current OPM guidance, to include backfill and reorganization plans, and a list of all Mission Critical Occupations.

Review policy and programs that directly relate to recruitment and retention such as: retention bonuses, flexible pay bands for hard-to-fill positions, career ladder positions, cross-training, easier hiring processes, and other flexibilities at HR’s disposal to recruit and retain qualified employees.

At the end of each EXRM-provided training, give employees the option to provide feedback on the utility of the training.

Create and distribute a survey to all employees regarding satisfaction with EXRM services, at least annually.

Utilize all available data sources in a targeted, data-driven manner to assess HC program effectiveness and success. Follow up on the results of assessments via formal written reports and hold personnel accountable to ensure the findings do not recur.

Complete annual self-audits as required by OPM guidance.

Initiate a communication plan and distribute this plan across the CPSC to all appropriate stakeholders. The plan should establish formal communication strategies with all appropriate agency stakeholders (messages, briefings, briefing notes, policies etc.).


Evaluation of the CPSC's FISMA Implementation for FY 2023

Implement registration and inventorying procedures for the CPSC’s information systems.

Establish and implement a policy and procedure to ensure that only authorized hardware and software execute on the agency’s network.

Develop and implement a formal strategy to address information security risk management requirements as prescribed by the National Institute of Standards and Technology guidance.

Complete an assessment of information security risks related to the identified deficiencies and document a corresponding priority listing to address identified information security deficiencies and their associated recommendations. A corrective action plan should be developed that documents the priorities and timing requirements to address these deficiencies.

Develop and implement an Enterprise Risk Management program based on National Institute of Standards and Technology, Enterprise Risk Management Playbook, and Office of Management and Budget Circular A-123, Section II guidance. This includes establishing a cross-departmental risk executive (function) led by senior management to provide both a departmental and organization level view of risk to the top decision makers within the CPSC.

Develop supply chain risk management procedures to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain risk management requirements.

Integrate the management of secure configurations into the organizational configuration management process.

Identify and document potentially incompatible duties permitted by privileged accounts.

Log and actively monitor activities performed while using privileged access that permit potentially incompatible duties.
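The two privileged-access recommendations above (first made in the FY 2021 evaluation and repeated here) describe a separation-of-duties control in two parts: first identify which privileged accounts are granted both halves of an incompatible duty pair, then monitor the audit trail for the cases where such an account actually exercises both halves. The Python below is an added illustration of both steps and is not the CPSC's tooling; the duty pairs, role grants, log format and log lines are constructed for the example.

```python
"""Separation-of-duties check for privileged accounts, plus audit log review.

Added illustration, not the CPSC's tooling: the duty names, role grants,
log format and log lines below are constructed for the example.
"""
import re
from collections import defaultdict

# Assumed: pairs of duties that one person should not be able to perform
# alone, each documented with the reason it is incompatible.
INCOMPATIBLE_DUTIES = {
    ("create_user", "approve_access"): "requester also approves the request",
    ("change_config", "approve_change"): "implementer also approves the change",
    ("modify_audit_log", "change_config"): "can alter evidence of own changes",
}

# Assumed: which privileged roles grant which duties.
ROLE_DUTIES = {
    "domain_admin": {"create_user", "approve_access", "change_config"},
    "change_manager": {"approve_change"},
    "helpdesk_lead": {"create_user"},
    "log_admin": {"modify_audit_log"},
}


def duties_for(roles):
    """Union of the duties granted by a list of roles."""
    held = set()
    for role in roles:
        held |= ROLE_DUTIES.get(role, set())
    return held


def incompatible_grants(account_roles):
    """Step 1: document the conflicts that the role grants permit.

    Returns {account: [(duty_a, duty_b, reason), ...]} for every account
    whose combined roles permit both halves of an incompatible pair."""
    findings = {}
    for account, roles in account_roles.items():
        held = duties_for(roles)
        hits = [(a, b, why) for (a, b), why in INCOMPATIBLE_DUTIES.items()
                if a in held and b in held]
        if hits:
            findings[account] = hits
    return findings


# Constructed audit log format: "<ts> account=<who> duty=<what> target=<obj>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) duty=(?P<duty>\S+) target=(?P<target>\S+)$")


def parse_log(lines):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def exercised_conflicts(events):
    """Step 2: flag accounts that actually performed both halves of an
    incompatible pair against the same target (e.g. created and then
    approved access for the same user). Returns sorted
    (account, target, duty_a, duty_b) tuples."""
    seen = defaultdict(set)   # (account, target) -> duties performed
    for e in events:
        seen[(e["account"], e["target"])].add(e["duty"])
    hits = []
    for (account, target), duties in seen.items():
        for (a, b) in INCOMPATIBLE_DUTIES:
            if a in duties and b in duties:
                hits.append((account, target, a, b))
    return sorted(hits)


# Constructed accounts and log lines.
ACCOUNT_ROLES = {
    "adm-alice": ["domain_admin"],
    "adm-bob": ["helpdesk_lead", "change_manager"],
    "adm-carol": ["log_admin"],
}

SAMPLE_LOG = """
2023-06-01T09:00:01Z account=adm-alice duty=create_user target=user:jsmith
2023-06-01T09:00:40Z account=adm-alice duty=approve_access target=user:jsmith
2023-06-01T10:15:00Z account=adm-bob duty=create_user target=user:tlee
2023-06-01T10:20:00Z account=adm-alice duty=approve_access target=user:tlee
2023-06-01T11:00:00Z account=adm-carol duty=modify_audit_log target=log:security
malformed line that the parser skips
""".strip().splitlines()

if __name__ == "__main__":
    print("accounts granted incompatible duties:", incompatible_grants(ACCOUNT_ROLES))
    print("conflicts actually exercised:", exercised_conflicts(parse_log(SAMPLE_LOG)))
```

Step 1 is the documentation the recommendation asks for: adm-alice's single role already permits her to both create a user and approve that user's access. Step 2 is the monitoring: the log shows her doing exactly that for one account, while the case where adm-bob creates a user and adm-alice approves it is a proper two-person flow and is not flagged. In practice the events would come from a SIEM or the directory's audit log rather than a constructed string, and the conflict list is the thing to maintain as roles change.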

Implement data encryption policies and procedures for data at rest and data in transit. This should include fully implementing the Data Loss Prevention solution.


Evaluation of the CPSC's Management of Cloud Computing, Shared Services, & Third-Party Systems

Develop and implement an IT modernization plan. This plan should:

i. document an inventory of all legacy systems in operation at the CPSC
ii. identify the cost associated with the operations and maintenance of the legacy systems in operation in the current environment at the CPSC
iii. identify the resources necessary to modernize each CPSC legacy system (e.g., migrating to a Commercial-Off-The-Shelf solution or shared services solution, moving to a cloud environment, etc.)
iv. analyze potential opportunities to save money, improve operations, and improve security through modernizing the CPSC’s legacy systems

Establish and implement a policy and procedure to manage the cloud computing, shared services, and third-party system inventory necessary for transitioning to a consumption-based service model.


Audit of the Consumer Product Safety Commission's Fiscal Year 2023 Financial Statements

Perform an assessment of employee resources in the Office of Financial Management, Planning, and Evaluation, and other relevant financial process areas to ensure an appropriate complement of resources is in place to manage accounting and reporting matters as they arise and through their normal course of business.

Provide training and supervision for personnel on financial management matters that affect the financial statements, including adhering to accounting policies and procedures, as appropriate, and performing key internal control functions in support of financial reporting.

Improve the risk assessment process at the financial statement assertion and process level to ensure that CPSC management is appropriately capturing significant changes in the control environment and subsequently responding to those risks.

Implement key monitoring controls over the financial reporting process and develop robust policies and procedures to increase oversight, review, and accountability of accounting events at the process level to ensure the successful implementation of an effective internal control environment.

Last updated on February 6, 2023 3:59pm