OFFICE OF Report of Evaluation INSPECTOR GENERAL OIG 2009 Evaluation of the Farm Credit Administration’s Compliance with the Federal Information Security Management Act November 18, 2009 E-09-01 Tammy Rapp Auditor-in-Charge FARM CREDIT ADMINISTRATION Memorandum Farm Credit Administration 1501 Farm Credit Drive McLean, Virginia 22102-5090 November 18, 2009 The Honorable Leland A. Strom Chairman of the Board Farm Credit Administration 1501 Farm Credit Drive McLean, Virginia 22102-5090 Dear Chairman Strom: The Office of the Inspector General completed the 2009 independent evaluation of the Farm Credit Administration’s compliance with the Federal Information Security Management Act (FISMA). The objectives of this evaluation were to perform an independent assessment of FCA’s information security program and assess FCA’s compliance with FISMA. The results of our evaluation revealed that FCA has an effective information security program that complies with FISMA and did not identify any significant deficiencies in the Agency’s information security program. We appreciate the courtesies and professionalism extended to the evaluation staff. If you have any questions about this evaluation, I would be pleased to meet with you at your convenience. Respectfully, Carl A. Clinefelter Inspector General TABLE OF CONTENTS EXECUTIVE SUMMARY ..................................................................................1 INTRODUCTION AND BACKGROUND ..........................................................2 OBJECTIVES ....................................................................................................2 SCOPE AND METHODOLOGY .......................................................................2 CONCLUSIONS ................................................................................................4 Information Security Program Management ........................................................... 4 Risk Assessment ........................................................................................................ 5 Planning ....................................................................................................................... 5 System and Services Acquisition............................................................................. 5 Certification, Accreditation, and Security Assessments ....................................... 6 Personnel Security...................................................................................................... 7 Physical and Environmental Protection .................................................................. 7 Contingency Planning................................................................................................ 8 Configuration Management ....................................................................................... 8 Maintenance ................................................................................................................ 9 System and Information Integrity ............................................................................. 9 Media Protection ....................................................................................................... 10 Incident Response .................................................................................................... 10 Awareness and Training .......................................................................................... 10 Identification and Authentication............................................................................ 11 Access Control.......................................................................................................... 11 Audit and Accountability.......................................................................................... 11 System and Communications Protection.............................................................. 12 Privacy Related ......................................................................................................... 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT FOR OMB APPENDIX B: ACRONYMS AND ABBREVIATIONS EXECUTIVE SUMMARY The Federal Information Security Management Act (FISMA) requires the Chief Information Officer (CIO) and Office of Inspector General (OIG) to conduct annual assessments of an agency’s information security program and report the results to the Office of Management & Budget (OMB). This report contains the objectives, scope, methodology, and results of the OIG’s evaluation of the Farm Credit Administration’s (FCA or Agency) information security program. In addition, Appendix A contains the Inspector General (IG) Section Report as required by OMB’s FY 2009 Reporting Instructions for the FISMA in OMB Memorandum M-09-29. The results of our evaluation revealed that FCA has an effective information security program that continues to mature. FCA adopted a risk based approach to information security and implements new controls where weaknesses are identified that strengthen security while not becoming too burdensome. Some of the elements of the Agency’s information security program include categorizing systems based on risk, developing security plans, implementing risk based security controls, applying a common security configuration, performing continuous monitoring, conducting a comprehensive security awareness program, testing the continuity of operations plan, and implementing an incident response program. FCA has an engaged CIO with an information technology (IT) team that is experienced and well trained. The CIO and IT team are proactive in their approach to information security. The IT team was very responsive to minor suggestions made for improvement during the FISMA evaluation, and in many cases, the IT staff made immediate changes to strengthen the information security program where possible. The IT Security Specialist continues to work on her individual development plan to become a Certified Information Systems Security Professional (CISSP). Our evaluation did not reveal any significant deficiencies in FCA’s information security program and this report does not contain any recommendations or agreed-upon actions. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 1 INTRODUCTION AND BACKGROUND The President signed into law the E-Government Act (Public Law 107-347), which includes Title III, Information Security, on December 17, 2002. FISMA permanently reauthorized the Government Information Security Reform Act of 2000 which expired in November 2002. The purpose of FISMA was to strengthen the security of the Federal government’s information systems and develop minimum standards for agency systems. Section 3545 of FISMA requires OIGs to perform an annual independent evaluation of their agency’s information security program to determine the effectiveness of the security program and practices. “Each evaluation under this section shall include— (A) testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems; (B) an assessment (made on the basis of the results of the testing) of compliance with— (i) the requirements of this subchapter; and (ii) related information security policies, procedures, standards, and guidelines;” OMB issued Memorandum M-09-29, FY 2009 Reporting Instructions for the FISMA and Agency Privacy Management, on August 20, 2009. This memorandum provides instructions for complying with FISMA’s annual reporting requirements and reporting on the agency’s privacy management program. The most significant change to this year’s reporting instruction from OMB was the method of data collection from agencies. OMB developed an automated reporting tool, CyberScope, which will be used by agencies in lieu of spreadsheet templates used in prior years. OBJECTIVES The objectives of this evaluation were to perform an independent assessment of FCA’s information security program and assess FCA’s compliance with FISMA. SCOPE AND METHODOLOGY The scope of this evaluation covered FCA’s Agency-owned and contractor operated information systems of record as of September 30, 2009. FCA is a single program Agency with six mission critical systems: Infrastructure, Lotus Notes (Notes), Consolidated Reporting System (CRS), Personnel/Payroll System (PPS), Agency Financial Management System (AFMS), and electronic Official Personnel Folder system (eOPF). Our evaluation included determination of the critical elements that are essential for establishing compliance with FISMA. Key criteria used to evaluate FCA’s information security program and FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 2 compliance with FISMA included OMB guidance, National Institute of Standards and Technology (NIST) Special Publications (SP), and Federal Information Processing Standards Publications (FIPS). In performing this evaluation, we performed the following steps: • Identified and reviewed Agency policies and procedures related to information security; • Examined documentation relating to the Agency’s information security program and compared to NIST standards and FCA policy; • Conducted interviews with the CIO and other key personnel; • Observed security related activities performed by Agency personnel; and • Performed tests for a subset of controls. The evaluation focused on the actual performance of the Agency’s security program and practices and not on how the Agency measures its performance in its own evaluations. We relied on the guidelines contained within NIST SP 800-53A for evaluating information systems. Our assessment procedures included identifying the security controls for each system and determining whether a subset of those controls were implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. Since we completed an audit of the Agency’s certification and accreditation (C&A) process in July 2009, we incorporated the results from that audit with this evaluation and built on our understanding from past FISMA evaluations. This evaluation represents the status of the information security program as of September 30, 2009, and did not include a test of all information security controls. NIST SP 800-53A organizes security control assessment procedures into three “classes” of controls: management, operational, and technical. It further divides the three classes of controls into eighteen security control families. In addition to these security control families, we performed a limited evaluation of privacy issues in order to respond to OMB’s reporting requirements for IGs. The conclusion section of this report summarizes our observations for each of these control families. The evaluation’s observations and results were presented to key IT personnel throughout the evaluation. On November 10, 2009, the CIO and OIG shared and discussed drafts of their respective FISMA section reports. On November 13, 2009, the OIG held an exit conference with the CIO and other key IT personnel to formally communicate the observations from this evaluation. This evaluation was performed at the FCA headquarters in McLean, Virginia, from August 2009 through November 2009, in accordance with the former President’s Council on Integrity and Efficiency’s1 Quality Standards for Inspections. This report is intended for use by FCA management and OMB. 1 The PCIE was abolished by the Inspector General Reform Act of 2008 and replaced by the Council of the Inspectors General on Integrity and Efficiency (CIGIE). CIGIE is now in the process of reviewing the Quality Standards for Inspections for any needed changes and will reissue them in the future under CIGIE’s authorship. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 3 CONCLUSIONS Procedures performed during our evaluation did not reveal any significant deficiencies in FCA’s information security program. Below you will find a summary of our observations from each of the security control families. Information Security Program Management FCA is committed to complying with the requirements of FISMA and improving its ability to protect personally identifiable information (PII). FCA’s overall security program is integrated with the enterprise architecture (EA), capital planning and investment control process, and the life cycle management of each system. FCA’s EA interacts with the capital planning and investment control process to ensure that IT investments support core business functions. FCA’s EA also identifies security standards required for authentication and non-repudiation, audit trail creation and analysis, access controls, virus protection, and intrusion prevention and detection. FCA reviews and updates its information system inventory during the annual information resources management (IRM) planning and FISMA reporting cycles. FCA developed policies that provide the foundation for an organization-wide information security program. FCA’s security program is based on FISMA, OMB A-130, OMB security related memoranda, and NIST Special Publications and FIPS Publications. FCA is currently in the process of updating significant security policies and employee security certifications with its release of a new information system logon banner. The CIO and the IT Security Specialist provide information security policy and assurance. Since FCA is a small agency, the CIO is responsible for many functions including the role of Senior Information Security Officer (or Chief Information Security Officer) and Senior Agency Official for Privacy. For the past few years, FCA has been transitioning the security related functions from the CIO to the IT Security Specialist, and the IT Security Specialist has been working towards obtaining the CISSP certification. FCA has a process for developing plans of action and milestones (POA&M) for significant information security weaknesses and tracking their implementation. FCA’s security philosophy is to correct identified deficiencies immediately, resulting in limited POA&M items. In addition, FCA uses its annual Management Control Plan to develop, monitor, and report on the performance and accountability of primary internal controls, including IT security. The results of the internal control reviews related to IT security indicated that most internal controls were validated as effective and operating as intended. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 4 Risk Assessment FCA performed periodic assessments of risk and potential harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations of the Agency. IT security and information protection needs were evaluated during the internal control reviews, capital investment planning and control process, and regular updates of the enterprise architecture, security plans, and other related security and IT policies. The security policy delegated responsibility to the CIO for periodically reviewing information systems to ascertain that security is proportionate to the risk. Risk to information systems was continually assessed by evaluating security alerts, monitoring systems, and providing security related training. FCA maintained a vulnerability database, ran automated vulnerability detection tools, and reviewed the resulting lists of potential vulnerabilities. The security plan contained some elements of a risk assessment report as outlined in SP 800-30; however, it could be improved by describing threats and vulnerabilities, measuring the risk, and ensuring appropriate controls are identified and implemented. The Agency added a new system during 2009. This system was categorized and the supporting rationale was documented in accordance with guidance from NIST. Planning FCA developed and implemented security plans that described the security controls for the general support system and major applications. Guidance from NIST was used to develop security plans. All security plans were updated during the past year, and a security plan was developed for a new system. FCA continues to improve its security plans and is in the process of revising its infrastructure security plan to identify the review cycle for each control as part of its continuous monitoring program. In addition, FCA plans to strengthen security plans over the next year by expanding the descriptions of controls implemented and ensuring consistency among the security plans. The IT Infrastructure security plan was updated on a regular basis throughout the year and not limited to the annual review cycle. System and Services Acquisition FCA implemented the following system and service acquisition controls. Specifically, the Agency has: • Integrated security in the enterprise architecture, capital planning and investment control, and budgeting processes; • Allocated sufficient resources to monitor and protect organizational information systems; FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 5 • Employed system development life cycle processes that incorporate information security considerations; • Performed due diligence reviews and monitored security controls for outsourced systems; and • Employed software usage and installation restrictions. FCA ensured that its financial systems provider employed adequate security measures to protect information, applications, and services by performing site visits to review security documentation, performing data validations, and periodically reviewing user accounts and privileges. FCA strengthened its oversight of its payroll and personnel system provider by reviewing independent security assessments performed on the system and reviewing account lists to ensure access to Agency data was limited to authorized users. FCA plans to further strengthen oversight in 2010 by adding more specific controls to its security plans and performing site visits to review security related documentation for two outsourced systems. Certification, Accreditation, and Security Assessments FCA authorized information systems and connections, periodically assessed information security controls to determine their effectiveness, monitored security controls on an ongoing basis to ensure the continued effectiveness of the controls, and developed plans of corrective action to correct deficiencies and vulnerabilities. The Agency’s policy states the general support system and major applications will operate with proper accreditation and be recertified every 3 years or when a major system change occurs. All of FCA’s systems have been certified and accredited, and all connections to FCA systems have been documented and authorized. Recently, the OIG performed an audit of the FCA’s C&A process used on its IT infrastructure during 2008. The results of our audit revealed that FCA’s C&A process was well planned and managed, and complied with the requirements and guidance provided by the FISMA, OMB, and NIST. Our observations of the C&A process followed by the Agency disclosed the process contained the following elements: • Proper and adequate planning; • Security control testing executed in accordance with NIST guidance; • No material gaps identified in security control testing; • Appropriate reuse of previous assessments and evaluations; • Adequate certification testing documentation; • Accreditation decision based on balancing mission and operations with security; and • Effective continuous monitoring program. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 6 Periodic security assessments of the Agency’s information systems are performed using a combination of continuous monitoring, self-assessments, and independent contractors. Issues identified during security assessments were resolved in a timely manner. Continuous monitoring of security controls includes network security testing, configuration management, security event monitoring, security alert and vulnerability analysis, patch management, and intrusion detection monitoring. FCA has a process for developing plans of corrective action for significant information security weaknesses and tracking their implementation. Personnel Security The Agency’s personnel security program includes classifying positions for sensitivity level and obtaining appropriate clearances for employees and contractors. FCA’s Office of Management Services (OMS) identified personnel security as a control element in its Management Control Plan and tested related controls in 2009 to ensure appropriate records for background verifications and security clearances were established for FCA’s personnel security related actions. When an employee terminates from the Agency, a separation checklist is completed. Before providing system access, new employees and contractors are required to certify their understanding of FCA security policies and procedures. However, this policy does not apply to employees and contractors hired before 2000, and security certifications are not periodically updated even though security policies and procedures may have changed. FCA is in the process of revising its logon banner and significant information security policies. Once the policies are approved, all employees and contractors will be required to certify their understanding of applicable security policies. In response to an issue identified during the 2008 FISMA evaluation, OMS improved its process for tracking contractors. The Personnel Security Officer and IT Security Specialist are notified prior to hiring a contractor so that adequate documentation and clearances are completed before providing the contractor with access to an information system. Physical and Environmental Protection FCA implemented several physical and environmental controls to limit physical access to the building and its information systems, monitor visitor access, and prevent physical damage to information system components. Physical and environmental protection was provided at FCA through the Farm Credit System Building Association (FCSBA). The FCSBA provides 24-hour guard protection, visitor access controls, and card readers for FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 7 entry into the building and sensitive areas. OMS performed quarterly reviews of physical access control lists to ensure access to the building and sensitive areas were limited to authorized individuals. Fire protection is provided by a halon system in the computer facility and sprinkler systems in the remainder of the building. The FCSBA performs regular maintenance on the heating and air conditioning systems and maintains an emergency backup generator. In addition, the computer facility has an uninterruptible power supply and redundant heating, ventilation, and air conditioning units. A specialized cleaning crew is used to maintain the environment in the computer facility. Contingency Planning FCA committed resources to ensure the continuity of operations of essential functions in emergency situations. A business continuity plan and disaster recovery plan were developed and periodically updated to support the restoration of operations and systems after a disruption or failure. In addition, FCA took precautionary measures with respect to the H1N1 flu including additional building cleaning, disseminating current information regarding the flu, providing seasonal flu vaccines to employees, and coordinating H1N1 vaccines for employees. The Agency has an alternative IT processing site that was successfully activated during a government wide test. Employees from several offices participated in the test ensuring the availability of critical systems and alternative communication systems. Several managers and senior executives participated, including the Chairman of the Agency. The business continuity exercise generated productive discussions between functional areas regarding the importance of continuity planning, succession planning, communication, and prioritization of services. The exercise identified areas that need further testing or refinement, but no significant weaknesses were identified. The Agency has an IT backup strategy that includes daily and weekly backups of data and systems. A disaster recovery kit is also maintained offsite that contains critical software needed to recreate systems. FCA has two off-site storage facilities for backups. Configuration Management FCA maintains a baseline configuration and enforces the security configuration settings for its information systems. Configuration management policies and procedures were developed and periodically updated. A standard configuration was maintained for laptops and servers. Any deviations to the standard configuration must be approved by the CIO. Both policy and technical settings prohibit most users from changing the configuration. An inventory of hardware and software components was maintained and updated regularly. FCA performed vulnerability assessments to confirm functions, ports, protocols, and services were limited to essential functions and services necessary to support operations. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 8 To improve security of Federal information systems, OMB required agencies to adopt commonly accepted security configurations. In June 2008, NIST released the first major version of the Federal Desktop Core Configuration (FDCC)2, which provided standard security settings for Windows XP and Vista. FCA successfully deployed some of the FDCC settings and is in the process of testing and implementing additional settings. Where deviations from the FDCC are necessary, justifications are developed and approved by the CIO. Because of the intense analysis and testing required to deploy over 400 FDCC settings, the Agency developed a POA&M. Maintenance FCA has an information system maintenance program with established controls over the tools, techniques, and personnel used to conduct information system maintenance. Most maintenance is performed by the Technology Team’s (TT) staff on weekends to minimize disruption of IT services. When contractors are used to perform maintenance, they are closely supervised by TT personnel. Remote contractor access for diagnostic purposes is tightly controlled by IT staff. FCA maintains a current list of various maintenance and support agreements. System and Information Integrity FCA identifies and corrects information system flaws, monitors information system security alerts, maintains current patches on information systems, and provides protection from malicious code within information systems. Key IT personnel receive risk alerts from vendors and security organizations identifying information system flaws. These alerts are analyzed to determine the potential impact on Agency systems, tracked in a database, and remediated where applicable. In addition, key IT personnel participate in various list serves and security organizations that share information regarding new threats, vulnerabilities, and security practices. Anti-virus and anti-spam protection are installed on the Agency’s information systems and updated automatically. E-mail messages and data files are scanned automatically without user intervention. FCA policy restricts employees from using USB thumb drives not issued by FCA on Agency laptops. If a thumb drive is received from other sources and needed for an FCA business purpose, it must be scanned by the Helpline to ensure they do not contain malicious software. IT personnel continuously monitor audit logs, firewall logs, and security alerts. Controls implemented to ensure data integrity includes data entry validation, transaction log and error log review. 2 The FDCC was developed by the NIST, the Department of Defense, and the Department of Homeland Security. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 9 Media Protection FCA issued policies and procedures and implemented several controls designed to protect sensitive information, including PII, on information system media. Sensitive information maintained on a local machine is protected by an encrypted hard drive. Employees that need to share sensitive data are provided with an encrypted USB drive and a local printer. The encrypted USB drives contain a feature that formats the data after several failed password attempts. Sensitive information in paper format is maintained in locked cabinets. The ability to create a CD or DVD has been disabled on the standard configuration, and the TT monitors USB ports for unauthorized devices. FCA has documented procedures for protecting backup media. Access to backup media is limited to authorized personnel, stored in locked facilities, and transported in locked containers. Before disposal, backup media is sanitized preventing retrieval of the data. Incident Response FCA established an incident handling program that includes detection, reporting, analysis, containment, recovery, and user response activities. FCA has distributed several incident response policies and procedures over the past few years. In addition, staff was educated on the importance of reporting incidents to the Agency’s Helpline of any IT equipment, PII, or sensitive data suspected to be missing, lost, or stolen. OMS maintains a 24 hour Helpline for reporting security incidents and provided employees with wallet cards with the contact information. A log is maintained of security incidents, and appropriate officials, including the OIG, are notified depending on the nature of the incident. During the past year, OMS enhanced its information security program by identifying areas of improvement and implementing lessons learned from actual incidents. For example, there were several instances where employees failed to notify the Helpline within one hour of a security incident. As a result, OMS sent notices to all staff defining a security incident and reminding them of the importance of reporting any incidents immediately to the Helpline. Once incidents were reported to the Helpline, actions taken by OMS were timely and appropriate. OMS also implemented new procedures designed to mitigate potential infection from privileged network accounts in response to a Trojan that was identified on an Agency issued laptop. Awareness and Training FCA ensures users are aware of security risks associated with their activities by providing an ongoing IT security awareness program which includes formal training and e-mail alerts. New employees and contractors are provided with security awareness and privacy training before they are granted system access. In 2009, the IT Security FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 10 Specialist performed annual security awareness training for employees and contractors using small group sessions. The security awareness training focused on how to minimize risks from malicious software and the importance of reporting incidents immediately. Agency staff were periodically sent e-mails and news alerts that contain security tips and notices of new threats. All employees and contractors with login privileges were provided with security awareness training during the past year. In addition, all IT specialists with significant information security responsibilities were provided with specialized training related to technology implemented at FCA during the past year. Identification and Authentication FCA identifies and authenticates information system users, processes, and devices before allowing access to information systems. Policies and procedures have been developed that support identification and authentication controls. In addition, OMS performed a risk assessment for e-authentication. Information system users are uniquely identified and authenticated on Agency information systems, and unauthorized devices are prevented from connecting to the Agency’s network. Passwords are not displayed when entered and protected by encryption. Access Control FCA limits and monitors access to information systems to protect against unauthorized modification, loss, and disclosure. Policies and procedures for requesting, issuing, and closing information system accounts are documented. Information system accounts are created, managed, monitored, and disabled by authorized personnel. OMS controls access to information system data through groups and permissions assigned to files, folders, and databases. Users of FCA information systems are provided with the least amount of system access needed to perform their responsibilities, and sensitive database access is granted only after authorization from an employee’s supervisor and the system sponsor. During 2009, TT strengthened security for privileged network access. Periodically, information system sponsors review accounts to ensure access permissions provided to information system users is current and appropriate. OMS uses a combination of technical configuration settings and other automated controls to prevent, detect, or notify authorized individuals of suspicious account activity. Remote access to FCA’s information systems is controlled through a virtual private network (VPN). FCA intends to expand the use of HSPD12 cards for logical access to computers and networks with the next generation of laptops. Audit and Accountability FCA creates, protects, and retains audit records for its information systems. Policies and procedures were established to identify events which FCA determined as significant and FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 11 relevant to the security of the information system. Access to audit logs is restricted to authorized individuals. Administrators are automatically notified by e-mail of suspicious events and audit processing failures, and the CIO is notified of significant events. Unusual activity is investigated and necessary action is taken by appropriate personnel. Audit events are recorded in an audit log which is periodically archived. System and Communications Protection FCA has established controls that separate user functionality from information system management functionality, protect against external attacks, and establish trusted communication paths between the user and the system. System communications at key boundaries and interfaces are monitored and controlled. Internal networks are protected at all connection points to the internet. A VPN provides for secure encrypted transmission of data outside of the Agency’s network. Encryption is used to protect sensitive data and PII. Privacy Related Our review of privacy matters was limited to obtaining sufficient information to respond to the privacy related questions in OMB’s template for IGs. FCA does not have any systems that collect PII regarding members of the public, and therefore has not conducted any privacy impact assessments. In response to various OMB memorandums, the Agency reviewed the use of social security numbers and the collection of PII and other sensitive information throughout the Agency. FCA reduced the collection of sensitive information to the minimum necessary to perform Agency functions. The Agency also implemented safeguards such as encryption and employee training to protect sensitive data. In 2009, the Agency developed two official confidentiality notices that may be attached to e-mail messages related to sensitive supervision or examination activities and other types of business communications. FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB Inspector General 2009 Section Report Annual FISMA Annual FISMA Report Farm Credit Administration For Official Use Only APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB Question 1: FISMA Systems Inventory & Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing 1. Identify the number of Agency and contractor systems by component and FIPS 199 impact level (low, moderate, high) reviewed. 2. For the Total Number of Reviewed Systems Identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy. Question 1 Question 2 a. b. c. a. b. c. Agency Systems Contractor Systems Total Number of Number of Number of systems Number of systems Systems(Agency and systems certified for which security for which Contractor systems) and accredited controls have been contingency plans tested and reviewed have been tested in in the past year accordance with policy Agency/Component Category Total Number Total Number Total Number Number Reviewed Number Reviewed Number Reviewed FCA High 0 0 0 0 0 0 0 0 0 Moderate 3 3 3 3 6 6 6 6 6 Low 0 0 0 0 0 0 0 0 0 Not Categorized 0 0 0 0 0 0 0 0 0 Sub Total 3 3 3 3 6 6 6 6 6 Agency Totals High 0 0 0 0 0 0 0 0 0 Moderate 3 3 3 3 6 6 6 6 6 Low 0 0 0 0 0 0 0 0 0 Not Categorized 0 0 0 0 0 0 0 0 0 Total Systems 3 3 3 3 6 6 6 6 6 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 1 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory The Agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and Agency policy. Agencies are responsible for ensuring the security of information systems used by a contractor of their Agency or other organization on behalf of their Agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal Agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance. 3a. Does the Agency have policies for oversight of contractors? No Comments: Although FCA does not have documented policies addressing oversight of contractor systems, FCA performed due diligence of its contractor systems. FCA reviewed independent security assessments, obtained signed interconnection agreements, and performed site visits of its financial systems provider to review security documentation. In addition, FCA developed security plans for each contractor system, performed data validations, and periodically reviewed user accounts and privileges. 3b. Does the Agency have a materially correct inventory of major information systems (including national security systems) operated by or under the control of such Agency? Yes 3c. Does the Agency maintain an inventory of interfaces between the Agency systems and all other systems, such as those not operated by or under the control of the Agency? Yes 3d. Does the Agency require agreements for interfaces between systems it owns or operates and other systems not operated by or under the control of the Agency? Yes Comments: The Agency has agreements for all system interconnections. 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 2 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB 3e. The Agency inventory is maintained and updated at least annually. Yes 3f. The IG generally agrees with the CIO on the number of Agency-owned systems. Yes 3g. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the Agency or other organization on behalf of the Agency. Yes Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process Assess whether the Agency has developed, implemented, and is managing an Agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided. 4a. Has the Agency developed and documented an adequate policy that establishes a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts? Yes 4a(1). Has the Agency fully implemented the policy? Yes 4b. Is the Agency currently managing and operating a POA&M process? Yes 4c. Is the Agency's POA&M process an Agency-wide process, incorporating all known IT security weakness, including IG/external audit findings associated with information systems used or operated by the Agency or by a contractor of the Agency or other organization on behalf of the Agency? Yes 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 3 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB 4d. Does the POA&M process prioritize IT security weakness to help ensure significant IT security weaknesses are corrected in a timely manner and receive appropriate resources? Yes 4e. When an IT security weakness is identified, do program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)? Yes 4f. For Systems Reviewed: 4f(1). Are deficiencies tracked and remediated in a timely manner? Yes 4f(2). Are the remediation plans effective for correcting the security weakness? Yes 4f(3). Are the estimated dates for remediation reasonable and adhered to? Yes 4g. Do Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly)? Yes 4h. Does the Agency CIO centrally track, maintain, and independently review/validate POA&M activities on at least a quarterly basis? Yes Question 5: IG Assessment of the Certification and Accreditation Process Provide a qualitative assessment of the Agency's certification and accreditation (C&A) process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" for C&A work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. 5a. Has the Agency developed and documented an adequate policy for establishing a C&A process that follows the NIST framework? 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 4 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB Yes 5b. Is the Agency currently managing and operating a C&A process in compliance with its policies? Yes 5c. For Systems reviewed, does the C&A process adequately provide: 5c(1). Appropriate risk categories Yes 5c(2). Adequate risk assessments Yes 5c(3). Selection of appropriate controls Yes 5c(4). Adequate testing of controls Yes 5c(5). Regular monitoring of system risks and the adequacy of controls Yes 5d. For systems reviewed, is the Authorizing Official presented with complete and reliable C&A information to facilitate an informed system Authorization to Operate decision based on risks and controls implemented? Yes Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process Provide a qualitative assessment of the Agency's process, as discussed in the SAOP section, for protecting privacy-related information, including adherence to existing policy, guidance and standards. Provide explanatory information in the area provided. 6a. Has the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding privacy-related information? Yes 6b. Is the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies? Yes 6c. Has the Agency developed and documented an adequate policy for PIAs? Yes 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 5 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB 6d. Has the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate PIAs? Yes Comments: FCA does not have any systems that collect PII regarding members of the public, and therefore has not conducted any privacy impact assessments. Question 7: Configuration Management 7a. Is there an Agency wide security configuration policy? Yes 7a(1). For each OS/platform/system for which your Agency has a configuration policy, please indicate the status of implementation for that policy. OS/Platform/System Implementation Status What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 6 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB OS/Platform/System Implementation Status What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 7 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB OS/Platform/System Implementation Status What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 8 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB OS/Platform/System Implementation Status What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 9 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB OS/Platform/System Implementation Status What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category What tools and techniques is your Agency using for monitoring compliance? Tool/Technique Name Tool Category Comments: Although the OIG did not perform independent verification of the CIO's response on each of the OS/platform/systems listed, we observed results from a recent scan performed by IT personnel that did not reveal any high or medium vulnerabilities. 7b. Indicate the status of the implementation of Federal Desktop Core Configuration (FDCC) at your Agency: 7b(1). Agency has documented deviations from FDCC standard configuration. No Comments: FCA successfully deployed approximately 25% of the FDCC settings and in the process of testing additional settings. Where deviations from the FDCC are necessary, justifications are developed and approved by the CIO. The Agency developed a plan of action and milestones for the FDCC. 7b(2). New Federal Acquisition Regulation 2008-004 language, which modified "Part 39-Acquisition of Information Technology," is included in all contracts related to common security settings. No Comments: Although FCA is not required to follow the FAR, new acquisitions must comply with standard FCA security configurations. 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 10 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB Question 8: Incident Reporting 8a. How often does the Agency comply with documented policies and procedures for identifying and reporting incidents internally? 60 % to 70 % Comments: There were several instances where employees failed to notify the Helpline within one hour of a security incident. Once incidents were reported to the Helpline, actions taken were timely and appropriate. 8b. How often does the Agency comply with documented policies and procedures for timely reporting of incidents to US-CERT? 100 % to 100 % Comments: Once the incident was reported internally to the Helpline, US-CERT was notified timely. Three incidents were reported to US-CERT during FY 2009. 8c. How often does the Agency follow documented policies and procedures for reporting to law enforcement? 100 % to 100 % Comments: One incident was reported to law enforcement during FY 2009. Question 9: Security Awareness Training Provide an assessment of whether the Agency has provided IT security awareness training to all users with log-in privileges, including contractors. Also provide an assessment of whether the Agency has provided appropriate training to employees with significant IT security responsibilities. 9a. Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log-in privileges, and providing them with suitable IT security awareness training? Yes 9b. Report the following for your Agency: 9b(1). Total number of people with log-in privileges to Agency systems. 290 Comments: Includes employees and contractors as of 9/16/2009. 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 11 of 12 APPENDIX A: INSPECTOR GENERAL SECTION REPORT for OMB 9b(2). Number of people with log-in privileges to Agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program." 290 (100 %) Comments: as of 11/6/2009 9b(3). Total number of employees with significant information security responsibilities. 29 9b(4). Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model." 29 (100 %) Question 10: Peer-to-Peer File Sharing 10. Does the Agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other Agency-wide training? Yes 2009 Annual FISMA Report - Farm Credit Administration For Official Use Only IG Report - Page 12 of 12 APPENDIX B: ACRONYMS AND ABBREVIATIONS AFMS Agency Financial Management System Agency Farm Credit Administration C&A certification and accreditation CIO Chief Information Officer CISSP Certified Information Systems Security Professional CRS Consolidated Reporting System EA enterprise architecture eOPF electronic Official Personnel Folder system FCA Farm Credit Administration FCSBA Farm Credit System Building Association FDCC Federal Desktop Core Configuration FIPS Federal Information Processing Standards Publications FISMA Federal Information Security Management Act IG Inspector General IRM information resources management IT information technology NIST National Institute of Standards and Technology Notes Lotus Notes OIG Farm Credit Administration’s Office of Inspector General OMB Office of Management & Budget OMS Farm Credit Administration’s Office of Management Services PII personally identifiable information POA&M plan of action and milestones PPS Personnel/Payroll System SP Special Publication TT Technology Team VPN virtual private network FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL R E P O R T Fraud | Waste | Abuse | Mismanagement FARM CREDIT ADMINISTRATION OFFICE OF INSPECTOR GENERAL • Phone: Toll Free (800) 437-7322; (703) 883-4316 • Fax: (703) 883-4059 • E-mail: firstname.lastname@example.org • Mail: Farm Credit Administration Office of Inspector General 1501 Farm Credit Drive McLean, VA 22102-5090 FARM CREDIT ADMINISTRATION ♦ OFFICE OF INSPECTOR GENERAL
Published by the Farm Credit Administration, Office of Inspector General on 2009-11-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)