U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2023 Federal Information Security Modernization Act

OCIO management should implement an effective quality control process to monitor that security controls are tested and documented during the assessments within the established annual timelines.

OCIO management should develop and implement an effective review process to ensure the required security controls are assessed in accordance with the information system's security baseline categorization (e.g., High, Moderate, or Low) and designation as a HVA, as applicable.

OCIO management should implement an effective quality control process for reviewing security control assessment plans either on a risk-based rotation or as needed basis. Such reviews will ensure the test plans incorporate the required controls for each application's baseline.

OCIO management should develop department-wide communication or training to ensure USDA stakeholders and system personnel understand the requirements for performing and overseeing security control assessments.

OCIO management should ensure a formal risk waiver is procured when selected security controls cannot be tested during the annual assessment.