The Federal Maritime Commission (FMC) inspector general flagged several IT security policy issues at the agency in a recent FISMA compliance audit, which FMC pledged to address over the next few months.
The IG report said that while “FMC has various information technology security policies and procedures, several had not been updated/reviewed in a timely manner, or they were lacking from development into a formalized policy.”
“Due to time constraints, FMC did not adequately review and/or update as well ensure they have appropriate policies and procedures in accordance with NIST 800-53, Revision 4,” the IG said, adding, “Without finalized policies and procedures, there is an increased risk that IT staff will be unaware of the requirements when deploying and designing security controls.”
The IG recommended that the FMC Office of Information Technology develop, review and update as necessary a variety of IT security program policies and procedures in accordance with NIST and agency requirements. Those policies and procedures involve risk policies, system development life cycle policy, personnel security policy, security assessment policy, configuration management policy and plan, security awareness policy, and identification and authentication policy.
FMC agreed with the recommendation, and said it expects to review and update the policies by the end of March 2021. “Going forward, the policies will be reviewed every three years and updated as needed,” the agency pledged.