We recommend that the chief information officer document and implement a process to track and remediate persistent vulnerabilities, or document acceptance of the associated risks.
We recommend that the chief information officer document and implement a process to verify that vulnerability assessment tools are configured to detect vulnerabilities previously undiscovered by internal scans.
We recommend that the chief information officer develop and implement a documented process to migrate unsupported applications from their existing platform to vendor-supported platforms. The risk and approval, including adequate compensating controls, should be documented if an exception must be made until the unsupported software is migrated to vendor-supported platforms.
We recommend that the chief information officer document and implement a process to verify that Microsoft Windows systems comply with the U.S. Government Configuration Baseline, and to grant and disseminate approved deviations from the baseline configuration settings.
We recommend that the chief information officer document and implement a plan to confirm that all internal and external systems are currently authorized to operate.
We recommend that the chief information officer document and implement a plan to annually assess risks for all internal and external systems in accordance with agency policy.
We recommend that the chief information officer establish a process to monitor the operation of the automated script that disables accounts after 90 days of inactivity.
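One way to monitor the control in the recommendation above, as an added example that is not part of the audit report and not the agency's own script: a defender-side check that reads an account export and the disabling script's run log, flags accounts that are still enabled despite exceeding the inactivity limit (a sign the script did not run or skipped them), and confirms the script has completed a run within its expected schedule. The field names, log line format, inactivity threshold semantics (an account is considered stale at 90 or more days), and all sample data are constructed assumptions for this example.

```python
"""Added example: monitor an automated 'disable after 90 days of inactivity'
control. Field names, log format and sample data are constructed for this
example; they do not come from the audit report or any real product."""
import re
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT_DAYS = 90  # from the recommendation; >= limit counts as stale (assumption)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-08-25T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed account export (hypothetical field names). 'last_logon' is None
# for an account that has never been used, a common gap in inactivity scripts.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "created": "2023-01-10T00:00:00Z", "last_logon": "2024-08-25T08:00:00Z"},
    {"user": "bob",   "enabled": False, "created": "2023-01-10T00:00:00Z", "last_logon": "2024-05-01T08:00:00Z"},
    {"user": "carol", "enabled": True,  "created": "2023-01-10T00:00:00Z", "last_logon": "2024-04-15T08:00:00Z"},
    {"user": "dave",  "enabled": True,  "created": "2023-01-10T00:00:00Z", "last_logon": "2024-06-02T00:00:00Z"},
    {"user": "erin",  "enabled": True,  "created": "2023-01-10T00:00:00Z", "last_logon": "2024-06-04T00:00:00Z"},
    {"user": "frank", "enabled": True,  "created": "2024-02-01T00:00:00Z", "last_logon": None},
]

# Constructed run log written by the (hypothetical) disabling script, one
# line per completed run.
SAMPLE_SCRIPT_LOG = """\
2024-08-29T02:00:04Z disable_inactive finished disabled=1
2024-08-30T02:00:03Z disable_inactive finished disabled=0
2024-08-31T02:00:05Z disable_inactive finished disabled=2
"""

# Fixed 'current time' so the example is reproducible.
NOW = datetime(2024, 9, 1, 0, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(r"^(\S+) disable_inactive finished disabled=(\d+)$")


def days_inactive(account, now):
    """Days since last logon; a never-used account is measured from creation."""
    reference = account["last_logon"] or account["created"]
    return (now - parse_ts(reference)).days


def classify_accounts(accounts, now, limit_days=INACTIVITY_LIMIT_DAYS):
    """Split accounts into active, stale-and-disabled (script worked) and
    stale-but-still-enabled (script failed or skipped the account)."""
    result = {"active": [], "stale_disabled": [], "stale_enabled": []}
    for account in accounts:
        if days_inactive(account, now) < limit_days:
            result["active"].append(account)
        elif account["enabled"]:
            result["stale_enabled"].append(account)
        else:
            result["stale_disabled"].append(account)
    return result


def last_script_run(log_text):
    """Timestamp of the most recent completed run, or None if the log has none."""
    runs = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match:
            runs.append(parse_ts(match.group(1)))
    return max(runs) if runs else None


def script_is_healthy(log_text, now, max_age_hours=24):
    """True when the script completed a run within the expected schedule."""
    last = last_script_run(log_text)
    return last is not None and now - last <= timedelta(hours=max_age_hours)


def monitor(accounts, log_text, now):
    """Combine both checks into one report suitable for a recurring review."""
    classes = classify_accounts(accounts, now)
    last = last_script_run(log_text)
    return {
        "script_ran_recently": script_is_healthy(log_text, now),
        "last_run": last.isoformat() if last else None,
        "stale_still_enabled": sorted(a["user"] for a in classes["stale_enabled"]),
        "stale_disabled": sorted(a["user"] for a in classes["stale_disabled"]),
        "active": sorted(a["user"] for a in classes["active"]),
    }


if __name__ == "__main__":
    for key, value in monitor(SAMPLE_ACCOUNTS, SAMPLE_SCRIPT_LOG, NOW).items():
        print(f"{key}: {value}")
```

Both findings in the report are evidence for the monitoring process: a non-empty `stale_still_enabled` list means the script's result disagrees with the directory, and a stale `last_run` means the scheduled job itself stopped, which a directory snapshot alone would not reveal until accounts start accumulating.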
We recommend that the chief information officer (a) identify system owners; (b) require them to verify that their procedures for revoking system access accounts of separated and transferred employees and contractors are enforced; and (c) document their responses.
We recommend that the chief information officer document and implement a procedure to check for unauthorized software at established intervals.
We recommend that the chief human capital officer document and implement a process to verify that all employees' exit clearance forms are completed and maintained in accordance with policy.
We recommend that the chief information officer document and implement a procedure to review and analyze remote access connections.