Actions Need to Be Taken to Improve the Cyber Security Assessment and Management Application Security Controls

Report Information

Date Issued
Report Number: 2023-20-064
Report Type: Audit
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should ensure that the CSAM audit logs are reviewed weekly and the results of the review are documented.

The Chief Information Officer should ensure that the CSAM SSP is updated to include clarification for security specialists to review audit logs to comply with the NIST Special Publication 800-53 Rev. 5 separation of duties control.

The Chief Information Officer should create a risk-based decision accepting the risk for allowing accounts to remain on the CSAM after 365 days of inactivity.

The Chief Information Officer should coordinate with system owners to ensure that POA&Ms with identified weaknesses are updated in the SSPs.