A new report from the Commerce Department Office of the Inspector General (OIG) determined that the Census Bureau must improve the implementation of its risk management framework.
“We found that the Bureau did not follow its risk management framework process,” said Frederick J. Meny, Jr., assistant IG for Audit and Evaluation, in an Oct. 30 memo. “Specifically, we found that (1) the Bureau had not continuously monitored critical security controls and failed to document the resulting risks, (2) authorizing officials lacked information about significant cybersecurity risks, and (3) the Bureau did not effectively manage common controls.”
The Bureau is required to implement the risk management framework initially developed by the National Institute of Standards and Technology to effectively manage the cybersecurity risks facing its IT systems. To do so, the Bureau developed a software application, called the Risk Management Program System (RMPS), that automated the risk management framework implementation. The IG stepped in to review the implementation because the “RMPS has become a critical tool of senior management and IT security staff managing cybersecurity risks,” meaning “the effectiveness of the Bureau’s risk management program depends heavily on the accuracy and integrity of the information maintained within RMPS.”
In addition to the report’s three main findings, the IG offered up seven recommendations, and according to Meny, the Bureau concurred with all of them. The IG recommended the Bureau:
- “Update the Bureau’s Risk Management Framework Methodology to include additional procedures that leverage automated reporting, to ensure that deviations from continuous monitoring plans are reported more timely to senior management designated as the authorizing official and to IT security management.
- Ensure that management is informed when risks are omitted from RMPS reports.
- Develop both manual and automated procedures to help ensure that complete descriptions of system security controls are entered into RMPS, reviewed, and approved as part of the system authorization process.
- Ensure that assessment procedures include provisions (both manual and automated) for quality control associated with the validation of security control assessments.
- Develop a strategy for periodically verifying the accuracy of common control inheritance within RMPS.
- Ensure greater rigor in assessment of common control requirements, to include assessing the relationship between the security service provided by the common control requirement and the information system receiving the service.
- Clearly document the rationale for common control decisions within RMPS.”
According to Meny’s memo, Ron S. Jarmin, who is performing the non-exclusive functions and duties of the director for the U.S. Census Bureau, has 60 calendar days to submit an “action plan” to the IG that addresses all of its recommendations.