USAID's chief information officer update the Agency's Vulnerability Management Standard Operating Procedure to (1) define the timeframe for applying system patches and (2) document and implement a process to validate that system patches are applied according to the timeframe specified in the procedure.
USAID's chief information officer document and implement a process to validate that unsupported software is either upgraded or removed within 48 hours of identification, as specified in the Agency's Unauthorized/Unsupported Software Standard Operating Procedures, or document acceptance of the risk for allowing the unsupported software on the network.
USAID's chief information officer document and implement a process to fully automate the disabling of accounts after 90 days of inactivity and document the results.
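The control in the recommendation above (disable accounts after 90 days of inactivity, automate it, and document the results) can be expressed as a small job with a separate validation pass. The following is an added illustration, not code from the audit report or from USAID; the account records, the review date, and the rule that a never-logged-on account is measured from its creation date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Threshold stated in the recommendation: disable after 90 days of inactivity.
INACTIVITY_LIMIT_DAYS = 90

# Constructed review date used by the sample data below (assumption).
REVIEW_DATE = date(2024, 6, 30)


@dataclass
class Account:
    username: str
    created: date
    last_logon: Optional[date]   # None means the account has never logged on
    enabled: bool


def days_inactive(acct: Account, as_of: date) -> int:
    """Days since last logon; never-logged-on accounts count from creation (assumption)."""
    anchor = acct.last_logon if acct.last_logon is not None else acct.created
    return (as_of - anchor).days


def find_stale_accounts(accounts, as_of: date, limit: int = INACTIVITY_LIMIT_DAYS):
    """Enabled accounts whose inactivity exceeds the limit ('after 90 days' read as > 90)."""
    return [a for a in accounts if a.enabled and days_inactive(a, as_of) > limit]


def disable_stale_accounts(accounts, as_of: date, limit: int = INACTIVITY_LIMIT_DAYS):
    """Disable each stale account and return one evidence record per action.

    The returned records are what a 'document the results' requirement asks for:
    who was disabled, why (days inactive), and on which review date.
    """
    results = []
    for acct in find_stale_accounts(accounts, as_of, limit):
        acct.enabled = False
        results.append({
            "username": acct.username,
            "days_inactive": days_inactive(acct, as_of),
            "action": "disabled",
            "as_of": as_of.isoformat(),
        })
    return results


def validate_no_stale_enabled(accounts, as_of: date, limit: int = INACTIVITY_LIMIT_DAYS) -> bool:
    """Independent validation pass: true only if no enabled account exceeds the limit."""
    return len(find_stale_accounts(accounts, as_of, limit)) == 0


def sample_accounts():
    """Constructed directory export (not real data); fresh copy on every call."""
    return [
        Account("alice", date(2023, 1, 10), date(2024, 6, 20), True),   # 10 days, active
        Account("bob",   date(2022, 5, 1),  date(2024, 3, 1),  True),   # 121 days, stale
        Account("carol", date(2024, 2, 15), None,              True),   # never logged on, 136 days from creation
        Account("dave",  date(2021, 9, 9),  date(2024, 3, 31), True),   # 91 days, stale
        Account("erin",  date(2021, 9, 9),  date(2024, 4, 1),  True),   # exactly 90 days, boundary: kept
        Account("frank", date(2020, 1, 1),  date(2023, 1, 1),  False),  # already disabled, not re-reported
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    print("Before:", "compliant" if validate_no_stale_enabled(accounts, REVIEW_DATE) else "non-compliant")
    for record in disable_stale_accounts(accounts, REVIEW_DATE):
        print(record)
    print("After:", "compliant" if validate_no_stale_enabled(accounts, REVIEW_DATE) else "non-compliant")
```

The disabling job and the validation check share the same rule but are separate functions, so the validation can be scheduled and reported on its own, which is the evidence an auditor looks for. The boundary case (exactly 90 days) is kept enabled here because the recommendation says "after 90 days"; a procedure should state that boundary explicitly so the job and the check agree.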
USAID's chief information officer document and implement a process to validate that Agency account management policies are enforced for all USAID information systems, or formally document acceptance of the risk when implementing the account management policies is not feasible.
USAID's chief information officer document and implement a process to validate that USAID procedures are followed for testing, conducting security impact analysis of, and approving system changes.
USAID's chief information officer document and implement a process to validate that security assessment plans are documented and uploaded into the Cyber Security Assessment and Management tool.
USAID's chief information officer document and implement a process for reviewing plans of action and milestones on a regular basis to validate that scheduled completion dates, milestone updates, and quarterly updates are documented.
USAID's chief information officer document and implement a process to validate that USAID's privacy plan, policies, and procedures define personally identifiable information in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-122, and are reviewed and kept up-to-date at least on a biannual basis as recommended by NIST Special Publication 800-53 (revision 4).
USAID's chief information officer document and implement a process to complete the rollout of the role-based security training to all required individuals.