Information Technology Risks Are Identified, Assessed, and Reported, but Mitigation Documentation and Oversight Need Improvement

Report Information

Date Issued
Report Number: 2019-20-052
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The Chief Information Officer should require all IT organization functions (except the Cybersecurity function) to record information technology risks in the ITRAC system.

The Chief Information Officer should require detailed descriptions of the risk mitigation plans, mitigation activities, and closure rationale be captured and closure documentation be uploaded into the ITRAC system for the IT organization function and program risks, as applicable.

The Chief Information Officer should require periodic review of the risk descriptions and documentation uploaded into the ITRAC system to ensure that the information is appropriate, current, complete, and accurate.

The Chief Information Officer should reassess risk quarterly, or on a reasonable basis within the year as determined by the risk owner, for all accepted unmitigated risks to ensure that acceptance remains management's preferred response.