ML22319A096

DNFSB-22-A-04 Status of Recommendations: Independent Evaluation of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021, Dated November 10, 2022

Issue date: 11/10/2022
From: Virkar H, NRC/OIG/AIGA, OIG Watch
To: Biggins J, Defense Nuclear Facilities Safety Board, NRC/EDO
References: DNFSB-22-A-04

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

MEMORANDUM

DATE: November 10, 2022

TO: James Biggins, Acting Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (DNFSB-22-A-04)

REFERENCE: GENERAL MANAGER, DEFENSE NUCLEAR FACILITIES SAFETY BOARD, CORRESPONDENCE DATED AUGUST 19, 2022

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency response dated August 19, 2022. Based on these responses, all recommendations are open and resolved. Please provide an updated status of all recommendations by March 1, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: T. Tadlock, OEDO

Evaluation Report: INDEPENDENT EVALUATION OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021, Status of Recommendations (DNFSB-22-A-04)

Recommendation 1:

Update the ISA and use the updated ISA to:

a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Agency Response Dated August 19, 2022:

In response to EO 14028, OMB M-22-09, and other recent OMB Memorandums related to Zero Trust, DNFSB is developing a Zero Trust Architecture (ZTA) Implementation Plan. When completed, this plan will serve as the equivalent of both an Enterprise Architecture and Information Security Architecture, therefore remediating this recommendation.

While the ZTA Implementation Plan is a living document, DNFSB anticipates having a final version developed and approved by end of Q4 FY22.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the Information Security Architecture (ISA) to assess risk and update risk tolerance and appetite levels necessary for prioritizing and guiding risk management on the enterprise, business process, and information system levels.

Status:

Open: Resolved.

Recommendation 2:

Using the results of recommendation one above:

a. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization;
c. Implement formal procedures for prioritizing and tracking POA&Ms to remediate vulnerabilities.

Agency Response Dated August 19, 2022:

DNFSB anticipates completing these tasks by Q4 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the ISA to utilize guidance from NIST to establish metrics to manage and optimize all domains of the DNFSB information security program more effectively; implements a centralized view of risk across the organization; and implements formal procedures for prioritizing and tracking plans of action and milestones (POA&Ms) to remediate vulnerabilities.

Status:

Open: Resolved.

Recommendation 3:

Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:

a. Defining a frequency for conducting Risk Assessments to periodically assess agency risks to integrate results of the assessment to improve upon mission and business processes.

Agency Response Dated August 19, 2022:

DNFSB will publish the updated version of its Risk Management Framework, which defines a frequency for conducting risk assessments, by end of Q4 FY22.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, including defining a frequency for conducting risk assessments to periodically assess agency risks to integrate results of the assessment to improve upon mission and business processes.

Status:

Open: Resolved.

Recommendation 4:

Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:

a. How supply chain risks are to be managed across the agency;
b. How external providers' compliance with defined cybersecurity and supply chain requirements is monitored;
c. How counterfeit components are prevented from entering the DNFSB supply chain.

Agency Response Dated August 19, 2022:

DNFSB developed a Supply Chain Risk Management (SCRM) Strategic Plan, which addresses the items included in the recommendation. A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. Many of the government-wide contract vehicles that DNFSB utilizes, such as GSAdvantage and NASA SEWP, have internal processes to ensure approved vendors perform SCRM-related actions such as complying with Section 889 requirements. In addition, discussions with DNFSB's Contracting Officer indicated that additional internal agency policies for IT acquisitions are being developed that will mandate the inclusion of FAR clauses related to SCRM in all future contracts for IT acquisitions.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines a supply chain risk management strategy to drive the development and implementation of policies and procedures for items a. through c. above.

Status:

Open: Resolved.

Recommendation 5:

Conduct remedial training to reinforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.

Agency Response Dated August 19, 2022:

DNFSB has developed and delivered remedial training for all members of the IT staff that can submit change requests in the agency's IT help desk ticketing system (Track-IT!) that describes the process for creating change request tickets, documents the requirements for what information must be included in each change request ticket (security impact assessment (SIA) form, testing plan, and rollback procedures), and explains the process for attaching SIA forms to change request tickets. The standard operating procedures for DNFSB's IT support contractors have been updated to perform a monthly review of all change request tickets to ensure that every ticket includes all required information (SIA forms, testing plans & rollback procedures) and that tickets require approval from more than just the submitter of the ticket (with the exception of specific ticket types that only require CIO or CISO approval).

OIG Analysis:

The OIG will close this recommendation when the DNFSB conducts remedial training to reinforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.

Status:

Open: Resolved.
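The monthly ticket review the agency describes for Recommendation 5 is a mechanical control: every change request must carry an SIA form, a testing plan and rollback procedures, and must be approved by someone other than the submitter, with certain ticket types allowed to rely on CIO or CISO approval alone. The following Python is an added example of how such a review can be automated over exported ticket records; it is not DNFSB's Track-IT! configuration or code. The field names, the `emergency_patch` exception type, the role labels and the sample tickets are constructed assumptions.

```python
"""Monthly change-request ticket review modelled on the control described for
Recommendation 5. Added example, not DNFSB's tooling: field names, the
exception ticket type, role labels and sample tickets are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Artefacts every change request must carry (SIA form, test plan, rollback).
REQUIRED_ARTEFACTS = frozenset({"sia_form", "test_plan", "rollback_procedure"})

# Hypothetical ticket types that need only CIO or CISO approval.
EXEC_ONLY_TYPES = frozenset({"emergency_patch"})
EXEC_ROLES = frozenset({"CIO", "CISO"})


@dataclass
class Ticket:
    ticket_id: str
    ticket_type: str
    submitter: str
    attachments: set[str]
    approvals: dict[str, str]  # approver user -> role


def review_ticket(t: Ticket) -> list[str]:
    """Return the list of control failures for one ticket (empty = compliant)."""
    findings: list[str] = []
    missing = REQUIRED_ARTEFACTS - t.attachments
    if missing:
        findings.append(f"missing artefacts: {', '.join(sorted(missing))}")
    if t.ticket_type in EXEC_ONLY_TYPES:
        # Exception path: CIO or CISO approval suffices, but it must be present.
        if not any(role in EXEC_ROLES for role in t.approvals.values()):
            findings.append("no CIO/CISO approval on exec-only ticket type")
    else:
        # Separation of duties: someone other than the submitter must approve.
        if not {user for user in t.approvals if user != t.submitter}:
            findings.append("no approver other than the submitter")
    return findings


def monthly_review(tickets: list[Ticket]) -> dict[str, list[str]]:
    """Map ticket id -> findings for every non-compliant ticket in the month."""
    report: dict[str, list[str]] = {}
    for t in tickets:
        findings = review_ticket(t)
        if findings:
            report[t.ticket_id] = findings
    return report


# Constructed sample month: one compliant ticket per path and three failures.
ALL = {"sia_form", "test_plan", "rollback_procedure"}
SAMPLE_TICKETS = [
    Ticket("CR-1001", "standard_change", "ops1", set(ALL), {"cab_lead": "CAB"}),
    Ticket("CR-1002", "standard_change", "ops2", {"test_plan", "rollback_procedure"},
           {"cab_lead": "CAB"}),                       # SIA form never attached
    Ticket("CR-1003", "standard_change", "ops1", set(ALL), {"ops1": "Engineer"}),  # self-approved
    Ticket("CR-1004", "emergency_patch", "ops3", set(ALL), {"ciso": "CISO"}),      # exception path ok
    Ticket("CR-1005", "emergency_patch", "ops3", set(ALL), {"ops3": "Engineer"}),  # no exec approval
]

if __name__ == "__main__":
    for ticket_id, findings in monthly_review(SAMPLE_TICKETS).items():
        print(ticket_id, "->", "; ".join(findings))
```

In practice the review would read the exported ticket list rather than the inline sample, and a non-empty report would be the evidence an assessor asks for when verifying the control operates monthly.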

Recommendation 6:

Integrate the Configuration management plan with risk management and continuous monitoring programs and utilize lessons learned to make improvements to this plan.

Agency Response Dated August 19, 2022:

DNFSB recently updated its Configuration Management Plan, Continuous Monitoring Policies and Procedures Guide, and Risk Management Framework, and is currently reconciling all three documents for consistency. When completed, these three documents will be integrated.

DNFSB anticipates completing this task by end of Q4 FY 2022.

OIG Analysis:

The OIG will close this recommendation when the DNFSB integrates the configuration management plan with risk management and continuous monitoring programs and utilizes lessons learned to make improvements to this plan.

Status:

Open: Resolved.

Recommendation 7:

Implement automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Agency Response Dated August 19, 2022:

DNFSB has implemented procedures such as setting the expiration date of privileged user accounts to the date of completion of the annual privileged user training, which will automatically disable privileged accounts if privileged user training hasn't been completed again. DNFSB has an automated process for generating alerts for inactive accounts, which are then manually reviewed prior to being disabled. DNFSB has very limited use of emergency accounts (currently only two exist) and any use of the emergency accounts is closely audited. DNFSB has also implemented policies for Office 365 that will automatically block access to any user accounts or user sign-ins that any of the Microsoft Defender tools classify as High risk. DNFSB will pursue a way to automate the disabling or removal of privileged accounts, pending availability of funds.

OIG Analysis:

The OIG will close this recommendation when the DNFSB implements automated mechanisms to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Status:

Open: Resolved.
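The agency response to Recommendation 7 describes three distinct account-management paths: privileged accounts expire automatically when annual training lapses, inactive accounts raise an alert that a human reviews before any disable, and emergency accounts are few and audited on every use. The Python below is an added example that models those paths as a policy run over an account inventory; it is not DNFSB's script or a Microsoft API call. The one-year training validity, the 45-day inactivity threshold, the scenario date and the sample accounts are constructed assumptions.

```python
"""Privileged-account lifecycle policy modelled on the controls described for
Recommendation 7. Added example, not DNFSB's tooling: validity period,
inactivity threshold, scenario date and sample accounts are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TRAINING_VALIDITY = timedelta(days=365)    # assumption: annual privileged-user training
INACTIVITY_THRESHOLD = timedelta(days=45)  # assumption: alert after 45 days without logon
TODAY = date(2022, 8, 19)                  # constructed scenario date


@dataclass
class Account:
    name: str
    kind: str                   # "privileged", "emergency" or "standard"
    last_training: date | None  # completion date of privileged-user training
    last_logon: date | None
    enabled: bool = True


def expiration_date(acct: Account) -> date | None:
    """Expiry derived from the last training completion; None if never trained."""
    if acct.last_training is None:
        return None
    return acct.last_training + TRAINING_VALIDITY


def evaluate(acct: Account, today: date) -> list[str]:
    """Return the actions the policy requires for one enabled account on `today`."""
    actions: list[str] = []
    if not acct.enabled:
        return actions
    if acct.kind == "privileged":
        expiry = expiration_date(acct)
        if expiry is None or today > expiry:
            # Automatic path: training lapsed, so the account is disabled.
            actions.append("disable: privileged training expired")
    if acct.last_logon is None or today - acct.last_logon > INACTIVITY_THRESHOLD:
        # Alert only; a person reviews before the account is disabled.
        actions.append("alert: inactive, manual review before disable")
    if acct.kind == "emergency":
        # Emergency accounts are few and every use is audited.
        actions.append("audit: review emergency-account usage")
    return actions


def run_policy(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Apply the automatic disable and return {name: actions} needing attention."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        actions = evaluate(acct, today)
        if any(a.startswith("disable:") for a in actions):
            acct.enabled = False
        if actions:
            report[acct.name] = actions
    return report


def sample_accounts() -> list[Account]:
    """Constructed inventory; a fresh copy each call since run_policy mutates it."""
    return [
        Account("adm-alice", "privileged", date(2021, 12, 1), date(2022, 8, 18)),   # compliant
        Account("adm-bob", "privileged", date(2021, 6, 15), date(2022, 8, 1)),      # training expired
        Account("adm-carol", "privileged", None, date(2022, 5, 1)),                 # never trained, inactive
        Account("breakglass-1", "emergency", None, date(2022, 7, 30)),              # audited on use
        Account("dave", "standard", None, date(2022, 6, 1)),                        # inactive
    ]


def demo() -> dict[str, list[str]]:
    return run_policy(sample_accounts(), TODAY)


if __name__ == "__main__":
    for name, actions in demo().items():
        print(name, "->", "; ".join(actions))
```

The split between the automatic disable (training expiry) and the alert-then-review path (inactivity) mirrors the response: only the expiry rule acts without a human in the loop.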

Recommendation 8:

Continue efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.

Agency Response Dated August 19, 2022:

The IT team will continue to work with the Records Management staff in the Division of Operational Services (DOS) to better define the data loss prevention policies in DNFSB's Office 365 tenant. DNFSB anticipates completing this task by end of Q1 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB continues its efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.

Status:

Open: Resolved.

Recommendation 9:

Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal ICAM architecture and OMB M-19-17, and phase 2 of DHS's Continuous Diagnostics and Mitigation (CDM) program.

Agency Response Dated August 19, 2022:

Requirements for strong authentication and federated identities (ICAM) will be included in the Zero Trust Architecture (ZTA) Implementation Plan discussed above, which DNFSB anticipates completing by end of Q4 FY 2022.

DNFSB continues to implement new CDM capabilities as they are made available (for example, DNFSB is currently in the process of deploying CDM's Endpoint Detection & Response (EDR) and will be deploying CDM's Mobile Application Security (MAS) in September 2022), but the milestones for new CDM capabilities are determined by CDM, not DNFSB.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal ICAM architecture and OMB M-19-17, and phase 2 of DHS's Continuous Diagnostics and Mitigation (CDM) program.

Status:

Open: Resolved.

Recommendation 10:

Conduct the agency's annual breach response plan exercise for FY 2021.

Agency Response Dated August 19, 2022:

DNFSB needs to update the current Breach Response Plan to ensure it meets the requirements laid out in OMB M-17-12 and then develop a formal exercise that specifically includes activating the Breach Response Plan. (Note: a potential breach of PII was included in the 11/17/21 Cyber exercise and whether the incident met the criteria to follow the breach response plan was discussed, but the exercise did not specifically focus on testing all aspects of the breach response plan.) DNFSB anticipates completing this task by Q4 FY22.

OIG Analysis:

The OIG will close this recommendation when the DNFSB provides documentation that it conducted the agency's annual breach response plan exercise for FY 2021.

Status:

Open: Resolved.

Recommendation 11:

Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.

Agency Response Dated August 19, 2022:

DNFSB developed a Security Awareness Training Policy that outlines the requirements for annual IT-security related trainings DNFSB users are required to complete every year.

A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. The annual cybersecurity awareness training and phishing and social engineering awareness training that all DNFSB users must take address privacy and data protection responsibilities, and the role-based privileged user training that all users identified as privileged users must complete contains additional information regarding privacy and data protection responsibilities. In addition, dedicated Annual Privacy Act Training was given to all DNFSB users in August & September 2021 and is being given again in August & September of 2022.

OIG Analysis:

The OIG will close this recommendation when the DNFSB continues efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.

Status:

Open: Resolved.

Recommendation 12:

Formally document requirements and procedures for the completion of role-based training and enforcement methods in place for individuals who do not complete role-based training.

Agency Response Dated August 19, 2022:

DNFSB developed a Security Awareness Training Policy that outlines the requirements for annual IT-security related trainings DNFSB users have to complete every year. A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. This policy documents the requirements for the completion of role-based training and the enforcement actions to be taken for users that do not complete mandatory training during the agency-defined annual testing windows.

In addition, an annual training plan for all 2022 annual IT security training windows was developed and executed, and a new DNFSB Information Systems Privileged User Agreement/Rules of Behavior form was developed and put into use, which includes completing all role-based training as a requirement to maintain privileged access on DNFSB information systems.

OIG Analysis:

Based on subsequent discussions with the Executive Director of Operations (EDO) and documentation provided by the DNFSB, this recommendation is open and resolved. The OIG will close this recommendation when the DNFSB formally documents in DNFSB guidance and/or directives the requirements and procedures for the completion of role-based training and enforcement methods in place for individuals who do not complete the role-based training.

Status:

Open: Resolved.

Recommendation 13:

Continue current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.

Agency Response Dated August 19, 2022:

DNFSB will consider this recommendation closed once an external assessment of the DNFSB is performed and an updated Authority to Operate (ATO) is granted for the DNFSB GSS per the updated assessment procedures contained in the updated version of the RMF Handbook.

DNFSB is awaiting pricing and scheduling information from the DOI ISSLOB program office for performing the external security assessment. DNFSB anticipates completing this NLT Q3 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB continues current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.

Status:

Open: Resolved.

Recommendation 14:

Update the DNFSB ISCM policies and procedures clearly defining what needs to be monitored at the system and organization level.

Agency Response Dated August 19, 2022:

Procedures for conducting security control assessments at the system or organization level are included in the Risk Management Framework Handbook, not the Continuous Monitoring Policies and Procedures Guide, and DNFSB has updated its Risk Management Framework (RMF) Handbook to refine existing monitoring and assessment procedures to support ongoing authorization of DNFSB information systems more effectively. A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request; subsequent updates have been made and the document is pending formal approval by the DNFSB CIO. DNFSB is updating its Continuous Monitoring Policies and Procedures Guide to more clearly define what needs to be monitored at the information system level and which tools in use by DNFSB perform specific continuous monitoring functions. DNFSB anticipates updating these documents by the end of Q4 FY22.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates its ISCM policies and procedures to clearly define what needs to be monitored at the system and organization levels.

Status:

Open: Resolved.

Recommendation 15:

Define standard operating procedures for the use of the agency's continuous monitoring tools or update the continuous monitoring plan to include the use of new monitoring tools.

Agency Response Dated August 19, 2022:

DNFSB updated its Continuous Monitoring Policies and Procedures Guide in May 2022 and removed references to specific tools since many of the tools were no longer in use; the use of new monitoring tools will be added back into the CM Guide. DNFSB anticipates completing this task by end of Q4 FY 2022.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines standard operating procedures for the use of the agency's continuous monitoring tools or updates the continuous monitoring plan to include the use of new monitoring tools.

Status:

Open: Resolved.

Recommendation 16:

Define the qualitative and quantitative performance measures that will be used to assess the effectiveness of its ISCM program.

Agency Response Dated August 19, 2022:

DNFSB is determining which performance measures will serve as useful metrics to assess the effectiveness of the continuous monitoring program. DNFSB anticipates completing this task by end of Q4 FY 2022.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines the qualitative and quantitative performance measures that will be used to assess the effectiveness of its ISCM program.

Status:

Open: Resolved.

Recommendation 17:

Define handling procedures for specific types of incidents, processes and supporting technologies for detecting and analyzing incidents, including the types of precursors and indicators and how they are generated and reviewed for prioritizing incidents.

Agency Response Dated August 19, 2022:

DNFSB is continuing to update its Cyber Playbook v 1.5 document, which lays out step-by-step response actions to take for different types of incidents, including identifying precursors for different event types. This document will be updated to include guidance on how to prioritize incidents.

DNFSB anticipates completing this task by end of Q4 FY 2022.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines handling procedures for specific types of incidents, processes and supporting technologies for detecting and analyzing incidents, including the types of precursors and indicators and how they are generated and reviewed for prioritizing incidents.

Status:

Open: Resolved.

Recommendation 18:

Consistently test the incident response plan annually.

Agency Response Dated August 19, 2022:

DNFSB will test its incident response plan on an annual basis. DNFSB anticipates completing this task by end of Q4 FY 2022.

Note: This recommendation was rejected by OGM.

OIG Analysis:

This response meets the intent of the recommendation. The OIG will close this recommendation when the DNFSB consistently tests the incident response plan.

Status:

Open: Resolved.

Recommendation 19:

Update the agency's incident response plan to reflect the US-CERT incident reporting guidelines.

Agency Response Dated August 19, 2022:

DNFSB updated its existing Incident Response Plan for the DNFSB GSS that reflects US-CERT incident reporting guidelines. A draft version of the updated document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. During the course of the FY22 FISMA audit fieldwork, the auditors indicated that based on their review of the updated document, they consider this recommendation closed.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the agency's incident response plan to reflect the US-CERT incident reporting guidelines.

Status:

Open: Resolved.

Recommendation 20:

Allocate and train staff with significant incident response responsibilities.

Agency Response Dated August 19, 2022:

DNFSB will identify appropriate training for staff with significant incident response responsibilities (including staff outside of the IT division) and ensure they complete the agency-defined training. DNFSB anticipates completing this task by end of Q1 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB allocates and trains staff with significant incident response responsibilities.

Status:

Open: Resolved.

Recommendation 21:

Configure all incident response tools in place to be interoperable and to collect and retain relevant and meaningful data that is consistent with the incident response policy, plans, and procedures.

Agency Response Dated August 19, 2022:

DNFSB anticipates deploying Azure Sentinel by Q2 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB configures all incident response tools in place to be interoperable and to collect and retain relevant and meaningful data that is consistent with the incident response policy, plans, and procedures.

Status:

Open: Resolved.

Recommendation 22:

Develop and track metrics related to the performance of contingency planning and recovery related activities.

Agency Response Dated August 19, 2022:

DNFSB will develop metrics related to contingency planning and recovery related activities by Q1 FY23.

OIG Analysis:

Based on subsequent discussions with the EDO, and the DNFSB's acknowledgment that it will consider the best process to develop and track metrics for the performance of contingency planning and recovery related activities, this recommendation is open and resolved. The OIG will close this recommendation when the DNFSB documents in its guidance and/or directives metrics and a tracking mechanism related to the performance of contingency planning and recovery related activities.

Status:

Open: Resolved.

Recommendation 23:

Conduct a business impact assessment within every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.

Agency Response Dated August 19, 2022:

DNFSB will conduct a BIA by Q2 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB conducts a business impact assessment within every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.

Status:

Open: Resolved.

Recommendation 24:

Implement role-based training for individuals with significant contingency planning and disaster recovery related responsibilities.

Agency Response Dated August 19, 2022:

At the DNFSB, the same staff that have significant incident response capabilities also have contingency planning and disaster recovery responsibilities, so DNFSB will identify appropriate training for staff with significant contingency planning and disaster recovery responsibilities (including staff outside of the IT division) and ensure they complete the agency-defined training. DNFSB anticipates completing this task by end of Q1 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB implements role-based training for individuals with significant contingency planning and disaster recovery related responsibilities.

Status:

Open: Resolved.