We recommend that the DNFSB implement the DNFSB’s Vulnerability Management Standard Operating Procedure for vulnerability and compliance management based on the risk and level of effort involved in mitigating confirmed vulnerabilities on a case-by-case basis, such as:
a) Remediating vulnerabilities in accordance with the DNFSB Vulnerability Management Standard Operating Procedure.
b) Opening plans of action and milestones to track critical and high-risk vulnerabilities that the DNFSB cannot address within 30 days.
c) Preparing risk-based decisions in unusual circumstances in which a technical or cost limitation makes it infeasible to mitigate a critical or high-risk vulnerability, including identifying documented, effective compensating controls coupled with a clear timeframe for planned remediation.
the month of October 2024 to create a vulnerability Plan of Actions & Milestones (POA&M) in accordance with OP-411.1-16.
Agency Response Dated February 18, 2025: Please see “FY24 Recommendation 1 – Vulnerability POAMs Using Updated Procedures.zip”, which contains updated vulnerability POA&Ms implemented using the updated procedures for November 2024, December 2024 and January 2025.
OIG Analysis: The OIG reviewed the evidence provided by DNFSB management and confirmed that OP-411.1-16, System and Information Integrity Operating Procedure, has been implemented for vulnerability and compliance management based on the risk and level of effort involved in mitigating confirmed vulnerabilities on a case-by-case basis, and that vulnerability POA&Ms were created in accordance with OP-411.1-16. This recommendation is now closed.