UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL Information Technology Audit Division September 12, 2011 FINAL MANAGEMENT INFORMATION REPORT To: James W. Runcie Acting Chief Operating Officer Federal Student Aid From: Charles E. Coe Jr. /s/ Assistant Inspector General for Information Technology Audits and Computer Crime Investigations Subject: Survey of Federal Student Aid Contracts and Guaranty Agency Agreements that Provide Information Technology Support or Services Control Number ED-OIG/X11L0002 The purpose of this Final Management Information Report is to provide the U.S. Department of Education (Department), Federal Student Aid (FSA), with information that may strengthen its current contracting process by ensuring that contracts and agreements align with Federal requirements and guidance and with Department and FSA policy and procedures.1 The objective of our survey was to first identify all FSA contracts providing contractor information technology (IT) support or services2 to FSA or the Department, as well as all agreements for Guaranty Agencies (GA),3 which process, store, or transmit Department data through external IT systems as of November 1, 2010. Then, for each FSA contract identified, we determined whether the current contract contained any language that addressed IT security and whether documentation existed to support the certification and accreditation (C&A) of the contractor’s system. For each GA agreement identified, we determined whether the current agreement contained any language that addressed IT security. We found that (1) 7 of the 38 IT support or service contracts reviewed did not contain any language to address IT security; (2) 29 of the 38 contracts reviewed that were subject to the C&A process did not contain all of the documents required to support system C&A; and (3) none of the agreements between FSA and the 32 GAs contained any language that addressed IT security. 1 To include the E-Government Act (Public Law 107-347), security standards, and guidance issued by the National Institute of Standards and Technology, Office of Management and Budget policy, the Federal Acquisition Regulation, and the Privacy Act of 1974. 2 IT support services includes the processing, storing, or transmission of data. 3 A Guaranty Agency is a public or private nonprofit entity that, consistent with 34 Code of Federal Regulations (C.F.R.) §§ 682.400 et seq., performs certain administrative functions in the Federal Family Education Loan Program to provide loan guarantees on loans made by private lenders and collecting or helping rehabilitate defaulted student loans. The Department of Education’s mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 2 of 11 BACKGROUND The Department is obligated to ensure appropriate IT security for operations and assets of the agency. IT security requirements are outlined in Federal requirements and guidance such as the Federal Information Security Management Act of 2002 (FISMA)4 and publications issued by the National Institute of Standards and Technology (NIST). When dealing with external entities, the Department furthers this obligation through formal agreements and contracts with these entities. FISMA requires that each Federal agency develop, document, and implement an agency-wide program providing security for the information and information systems that support the operations and assets of the agency. This support also includes operations and assets provided or managed by another agency, contractor, or other source. NIST, through its Computer Security Division, provides standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services. These standards include Federal Information Processing Standards5 (FIPS) Publications and Special Publications6 (SP). NIST FIPS Publication 200, “Minimum Security Requirements for Federal Information and Information Systems,” dated March 2006, specifies minimum security requirements for information and information systems supporting the executive agencies of the Federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. Two areas that specifically relate to the scope of this survey include (1) certification, accreditation, and security assessments, and (2) systems and services acquisition. NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” dated February 2010, establishes a common information security framework for the Federal government and its contractors.7 Appendix I of NIST SP 800-37, Revision 1, states that security requirements for external providers, including the security controls for information systems processing, storing, or transmitting of Federal information, are expressed in appropriate contracts or other formal agreements. Appendix I also states that 4 Enacted as Title III of the E-Government Act (Public Law 107-347), December 2002. 5 FIPS Publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the IT Reform Act of 1996 (Public Law 104-106) and FISMA. With the passage of FISMA, there is no longer a statutory provision to allow for agencies to waive mandatory FIPS. 6 Special Publications present documents of general interest to the computer security community. The SP 800 series provides information on NIST’s Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. 7 Revision 1 redefined the traditional C&A process into a six-step Risk Management Framework. It replaced the May 2004 version titled “Guide for the Security Certification and Accreditation of Federal Information Systems,” which defined the security accreditation package as containing a System Security Plan, Security Assessment Report, and Plan of Action and Milestones. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 3 of 11 FISMA and Office of Management and Budget (OMB) policy require external providers of information system services handling Federal information or operating information systems on behalf of the Federal government to meet the same security requirements as Federal agencies. The SP 800-37 Risk Management Framework further states that common control providers8 are responsible for: Documenting the common controls in a system security plan (SSP); Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization; Documenting assessment findings in a security assessment report (SAR); and Producing a Plan of Action and Milestones (POA&M) for all controls having weaknesses or deficiencies. Department of Education OCIO-01 “Handbook for Information Assurance Security Policy,” dated March 31, 2006, establishes policies required to comply with Federal laws and regulations, thus ensuring adequate protection of Department IT resources. Additionally, OCIO-05 “Handbook for Information Technology Security Certification and Accreditation Procedures,” dated March 31, 2006, establishes a comprehensive and uniform approach to the C&A process for agency systems. The handbooks are consistent with government-wide policies, standards, and procedures issued by OMB, NIST, the General Services Administration, and the Office of Personnel Management. OBSERVATIONS With respect to the scope of our review, we determined that 38 active FSA contracts were related to contractor-provided IT support or services. Of those 38 contracts, 7 of the contracts did not address IT security. In addition, 29 of the 38 contracts that were subject to the C&A process did not contain all of the required supporting documentation to verify that the contractor’s system was properly certified and accredited in accordance with Federal mandates. We also determined that none of the GA agreements addressed IT security. Review of Contracts for IT Security Requirements At the beginning of our survey work, FSA identified a total universe of 241 active contracts. Of the 241 contracts, FSA identified that 52 of these active contracts were related to contractor- provided IT support or services. For all 52 contracts, we verified which contracts were indeed related to contractor-provided IT support or services. Initially, we could not identify the systems that were going to be used in performing the work specified in some of the contracts because 8 A common control provider is an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls that are inherited by one or more organizational systems). Final Management Information Report Control Number – ED-OIG/X11L0002 Page 4 of 11 they were not specifically identified within the contracts. Therefore, we performed extensive research to determine whether the systems were correctly identified for each contract. We determined that 4 of the 52 contracts identified by FSA did not provide contractor IT support or services and, therefore, were excluded from our review. Four more of those 52 contracts were multiple contracts for the same system associated with the same contractor and were also excluded from our review. An FSA official identified 6 contracts for which the contractor did not use a system and, therefore, the contract was not subject to the C&A process. Of the remaining 38 contracts, we identified 7 contracts that included no provisions to address IT security. These seven contracts provided services such as processing and disbursement of Direct Loans and Federal Pell Grants; collecting enrollment data for Teacher Education Assistance for College and Higher Education Grant recipients, Direct Loan borrowers, and Department-held Federal Family Education Loan (FFEL) borrowers; managing student aid obligations made under Title IV of the Higher Education Act of 1965, as amended; and providing operation, maintenance, and development services for the Ombudsman Case Tracking System, as well as Ombudsman Web sites. By not addressing IT security requirements in all IT support and service contracts and agreements, FSA may have insufficient assurances that systems and data, such as personally identifiable information9 (PII), are protected from unauthorized access, use, disclosure, modification, or destruction. Certification and Accreditation Support for Contractor Systems As part of our survey, we also determined whether documentation existed to verify that the contractors’ systems were properly certified and accredited consistent with NIST and Department policies. To conduct our review, we were provided access to the Operational Vulnerability Management System (OVMS) and to FSA public folders within Microsoft Outlook, which an FSA official said contained the C&A documentation for all Departmental systems. After reviewing the documentation in OVMS and Microsoft Outlook, we determined that for 29 of the 38 contracts containing systems that were subject to the C&A process, FSA did not maintain all required documentation. Specifically, we found that: 1 contract (3 percent) FSA did not maintain an SSP, SAR, and POA&M; 3 contracts (8 percent) FSA did not maintain a SAR and POA&M; 9 contracts (24 percent) FSA did not maintain a SAR; and 16 contracts (42 percent) FSA did not maintain a POA&M. 9 PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 5 of 11 Changes to an IT system or associated IT environment can affect the accredited safeguards and may result in changes to the prescribed security requirements needed for the system. Therefore, having the appropriate required documentation will help ensure that authorizing officials make credible on-going risk-based decisions regarding the security state of the information systems. Review of GA Agreements for IT Security Language As part of our survey work, we requested FSA to provide all GA agreements. As previously noted, GAs process, store or transmit Department data through external IT systems. FSA identified and provided agreements between itself and 32 GAs participating in the FFEL Program. 10 It also provided us with all the available supporting documentation it had for these agreements. For all the GA agreement documentation we reviewed, we found that none of the GA agreements addressed IT security. However, during our survey, we were informed that FSA was in the process of establishing and incorporating IT security in all future GA agreements to ensure compliance with Federal requirements and guidance. By including security language based on Federal requirements in GA agreements, FSA can increase its assurance that the necessary security controls are in place to protect information processed on behalf of the Department. Including Federal security language in all contracts providing IT support or services, as well as all agreements for GAs, will help to ensure that system data, including PII, are protected from unauthorized access, use, disclosure, modification, or destruction. Including the security language also will allow for increased oversight of vendors, thus protecting FSA and the Department if security breaches occur from a vendor’s system. Suggested FSA Management Actions We suggest that the Chief Operating Officer for FSA: 1. Ensure all contract documentation that specifies the name of the system for which the work is to be performed is accounted for in a centralized location such as the contract file and is timely provided when requested. FSA Response FSA management stated that during the survey, the survey team might have had difficulty in determining whether the contracts they were reviewing were for systems services or program services. They further stated that all of the contracts for system services had the names of the systems included in the contracts, and that corrective action is not required. 10 The agreements it provided were primarily basic program agreements made under 34 C.F.R. § 682.401 although some of the agreements included additional provisions. However, from our review, not all documentation was included with each agreement. For example, for some of the agreements, we noted the attachments cited were missing. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 6 of 11 OIG Response The survey team worked with FSA staff to identify which contracts were for system services. Once FSA identified these contracts, we requested all documentation for each of the contracts. We were provided the hardcopy documentation for each of the contract files. Our review showed that for some of the contracts, names of the systems were not in the documentation we were provided. This condition was noted in the discussion draft that was provided to FSA management on June 27, 2011. During the exit briefing on June 30, 2011, FSA management did not indicate that documentation showing system names for the questioned contracts was available. On July 13, 2011, we issued our draft report. In its management response on August 4, 2011, FSA management stated that system names were included in all contracts for system services. However, it still did not provide the supporting documentation. Therefore, if this documentation existed outside of the contract files we reviewed, it needs to be accounted for in a centralized location. In our draft report, this management action originally suggested that FSA ensure that contracts specify the name of the system for which the work is to be performed. We have revised Suggestion 1. to address this issue. 2. Ensure that all contract documentation showing provisions to address IT security is accounted for in a centralized location such as the contract file and is timely provided when requested. FSA Response FSA management stated that after the release of the draft Management Information Report, all of FSA’s current contracts contain IT security requirements and requested that this finding and Suggestion 2. be removed. OIG Response On January 21, 2011, when we first identified the seven contracts that did not contain documentation showing provisions to address IT security, while we were on site, we contacted our FSA point of contact to verify whether any documentation was missing. We did not receive any documentation. This condition was noted in the discussion draft that was provided to FSA management on June 27, 2011. On June 28, 2011, FSA personnel contacted OIG to request the information for the seven contracts. During the exit briefing on June 30, 2011, FSA management did not indicate that documentation showing provisions addressing IT security was available for the seven questioned contracts. On July 13, 2011, we issued our draft report. On July 15, 2011, FSA provided OIG documentation of provisions addressing IT security for the seven contracts. This documentation was not included in the contract files we reviewed and should have been accounted for in a centralized location. In our draft report, this management action originally suggested that FSA modify current contracts to appropriately address IT security and ensure that future contracts address IT security. We have revised Suggestion 2. to address this issue. 3. Ensure that all required C&A documentation can be readily located for the systems identified in the contract for which work is to be performed. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 7 of 11 FSA Response FSA stated that after the draft report was issued, it located the documents in OVMS and Outlook public folders. FSA is currently taking steps to store all of the records in OVMS and it expects to complete this project by the fall of 2011. OIG Response The survey team worked with FSA staff to locate C&A documents. However, by the end of survey, we still could not locate nor were we provided with the missing documents. After the issuance of the discussion draft, FSA requested and was provided an inventory of the missing C&A documents. During the exit briefing, the existence of these documents in OVMS and Outlook public folders was still not brought to our attention by FSA management. After the issuance of the draft report, FSA worked with the survey team to locate these documents. For C&A documents in Outlook public folders, we noticed that a user needed to access many different levels/folders to locate the documentation. Also, if a user did not know the exact folders users needed to access, the C&A documents could not easily be located. In addition, we noticed that for some C&A documents, there was not a standard naming convention that could easily identify the content of the document, further complicating our search for specific documentation. FSA’s action to migrate documents housed in the Outlook public folders into OVMS will make these documents easier to locate. In our draft report, this management action originally suggested that FSA ensure that all required C&A documentation exists for the systems identified in the contract for which work is to be performed. We have revised Suggestion 3. to address this issue. 4. Create a centralized repository for all C&A information. This will ensure that all applicable C&A documentation is complete and can be readily located. FSA Response FSA management stated that it had implemented a centralized repository for all system related security documentation approximately 6 years ago in Outlook public folders for each system in FSA. OVMS had become FSA’s central repository when it was able to capture C&A information in OVMS. FSA is currently moving the Outlook documents into OVMS and expects this transition to be completed by October 2011. OIG Response During our review, we found that C&A documentation was maintained in both the Outlook public folders and OVMS and not in a central repository. We found that documentation could not be readily located and we had to search both systems to locate a document. As cited in the suggested management action above, when using the Outlook public folders, the survey team encountered difficulty in locating C&A documentation. Centralizing C&A documentation into one repository will ensure that complete and up-to-date documentation can be readily located. We agree with FSA’s corrective action to address this issue. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 8 of 11 5. Ensure that existing and future GA agreements account for IT security. FSA Response FSA management stated that it will modify each guaranty agency’s agreement to include a provision that addresses IT security to ensure that system data maintained by each agency, including PII, are protected. OIG Response Although we agree with FSA’s corrective action to address this issue, a completion date for this action is needed. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 9 of 11 OBJECTIVE, SCOPE, AND METHODOLOGY The objective of our survey was to first identify all FSA contracts providing contractor IT support or services to FSA or the Department, as well as all agreements for GA, which process, store, or transmit Department data through external IT systems as of November 1, 2010. Then, for each FSA contract identified, we determined whether the current contract contained any language that addressed IT security and whether documentation existed to support the C&A of the contractor’s system. For each GA agreement identified, we determined whether the current agreement contained any language that addressed IT security. To satisfy this objective, we: reviewed applicable Federal requirements and guidance and Departmental policies and procedures; reviewed related Office of Inspector General (OIG) management information and audit reports and special projects;11 reviewed the FY 2009 FISMA Annual Report relating to interconnection agreements, privacy impact assessments, and IT system certification and accreditation; reviewed the FY 2010 FISMA Annual Report relating to IT system certification and accreditation; conducted interviews with FSA management and staff responsible for managing FSA contracts and guaranty agreements; and evaluated relevant contracts, GA agreements, and supporting documentation to assess whether contracts and GA agreements appropriately address IT security. Additional information on the scope and methodology is presented below. Contract Review We met with FSA contracting officials to identify all current contracts that provide some level of IT support to include processing, storing, or transmitting data on behalf of FSA or the Department. We received an initial list of 241 active FSA contracts. We reviewed all documentation for all 52 contracts that were related to contractor-provided IT support or services but focused on the Statements of Work (SOW)/Statements of Objectives (SOO) to determine which contracts were relevant to our objectives. After reviewing the SOW/SOOs for each contract file, we determined that 38 of those contracts met our objectives based on the NIST 11 “Federal Student Aid’s Efforts to Ensure the Effective Processing of Student Loans Under the Direct Loan Program,” ED-OIG-X19K0008 (Management Information Report), dated September 16, 2010; “System Application Controls over the Financial Management System,” ED-OIG-A11J0005 (Audit Report), dated September 2010; “Security over Certification and Accreditation for Information Systems,” ED-OIG-A11J0001 (Audit Report), dated October 13, 2009; “Incident Handling and Privacy Act Controls over External Web Sites,” ED-OIG-A11I006 (Audit Report), dated June 10, 2009; 2009 FISMA Annual Report, ED-OIG-S11J0008 (Special Project), dated November 17, 2009 and 2010 FISMA Annual Report, ED-OIG-S11K0002 (Special Project), dated November 12, 2010. Final Management Information Report Control Number – ED-OIG/X11L0002 Page 10 of 11 guidance identified in the background section. We also met with FSA contracting officials to discuss the documentation that supported the C&A process. For each contract file, we determined whether a SSP, SAR, and POA&M existed for each contractor system. GA Agreements Review We met with FSA contracting officials to identify all GA agreements that existed between FSA and the GAs. FSA also provided the supporting documentation for the GA agreements. We reviewed the agreements and all supporting documentation to determine whether IT security language was included in the GA agreements. Our fieldwork was conducted from November 2010 through March 2011 at FSA contract offices located in Washington, D.C. An exit conference with FSA contract officials was held on June 30, 2011. We conducted our work in accordance with the OIG quality standards for Management Information Reports. If you have any questions, please call Joseph Maranto, Director, Information Technology Audit Division, at 202-245-7044. cc: Richard Gordon, Chief Information Officer, Federal Student Aid Jay Hurt, Chief Financial Officer, Federal Student Aid Bucky Methfessel, Senior Counsel for Information Technology, Office of General Counsel Marge White, Audit Liaison for FSA Attachment Final Management Information Report Control Number – ED-OIG/X11L0002 Page 11 of 11 Attachment Abbreviations/Acronyms/Short Forms Used in this Report C&A Certification and Accreditation C.F.R. Code of Federal Regulations Department U.S. Department of Education FFEL Federal Family Education Loan FIPS Federal Information Processing Standards FISMA Federal Information Security Management Act of 2002 FSA Federal Student Aid GA Guaranty Agency IT Information Technology NIST National Institute of Standards and Technology OIG Office of Inspector General OMB Office of Management and Budget OVMS Operational Vulnerability Management System PII Personally Identifiable Information POA&M Plan of Action and Milestones SAR Security Assessment Report SOO Statements of Objectives SOW Statement of Work SP Special Publications SSP System Security Plan
Survey of Federal Student Aid Contracts and Guaranty Agency Agreements that Provide Information Technology Support or Services . X11L0002, Date Issued: 09/12/2011 PDF (104K)
Published by the Department of Education, Office of Inspector General on 2011-09-12.
Below is a raw (and likely hideous) rendition of the original report. (PDF)