The Federal Maritime Commission (FMC), the agency regulating U.S. international ocean transportation, is not responding to cybersecurity vulnerabilities in a timely manner, according to a FISMA audit from its Office of the Inspector General (OIG).
Released on Oct. 25, the OIG report details information security concerns at FMC, including slow remediation of cybersecurity vulnerabilities. OIG recommended that FMC more closely follow policy and guidance from the Department of Homeland Security (DHS) to improve its procedures. In response, FMC said it will also review National Institute of Standards and Technology (NIST) guidelines as it works to improve.
Additionally, OIG made two recommendations concerning access authorization management. All employees at FMC should be assigned a risk designation to be used when authorizing network privileges, and contractors should be recertified on an annual basis for regular users and a semi-annual basis for administrators, the report said.
As of September 2019, FMC had assigned risk designations to staff and closed the first recommendation. FMC said it would resolve the final recommendation by ensuring recertification of contractors “not less frequently than on an annual basis.”