A report by the U.S. Consumer Product Safety Commission’s (CPSC) Office of Inspector General (OIG) found that CPSC is making progress in implementing Federal Information Security Modernization Act (FISMA) requirements, but still has more work to do in that area.
FISMA requires an independent evaluation of CPSC’s information security program and practices and its compliance with annual FISMA metrics established by the Department of Homeland Security and the Office of Management and Budget.
The OIG made 18 findings and 55 recommendations in the report. The findings include:
- Inadequate Information Systems Inventory;
- Personal Identification Verification not adequately enforced;
- Inadequate Information System Component Inventory;
- Inadequate Implementation of Privileged User Controls;
- An incomplete Federal Identity, Credential, and Access Management Roadmap;
- Ineffective role-based training requirements;
- An inadequate Information Security Continuous Monitoring program;
- No existing enterprise architecture;
- Ineffective configuration management;
- Lack of formally documented contingency plans;
- Inadequate media sanitization procedures;
- Inadequate contract language;
- Organizational-level risk is not adequately managed;
- Inadequate plan of actions and milestones documentation and implementation;
- Inadequate incident response capabilities; and
- A lack of formal personnel risk designation and screening procedures.
“Based on the government-wide OIG metric requirements, we concluded that CPSC has continued to make improvements in its IT security program and progress in implementing the recommendations resulting from previous FISMA evaluations,” the report said.