oversight

Federal Information Security Management Act Audit FY 2010

Published by the Office of Personnel Management, Office of Inspector General on 2010-11-10.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT
                                                                                   OFFICE OF THE INSPECTOR GENERAL
                                                                                                       OFFICE OF AUDITS




                                               Final Audit Report 


      Subject:




                     FEDERAL INFORMATION SECURITY 

                                         MANAGEMENT ACT AUDIT
                                                                           FY 2010 




                                                             Report No.             4A-CI-00-10-019


                                                             Date:                    November 10, 2010




                                                                           -- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

                      UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                       Washington. DC 20415 



  Office of the
Inspector General




                                        Audit Report



                          U.S. OFFICE OF PERSONNEL MANAGEMENT 



                   FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT 

                                         FY 2010 


                                       WASHINGTON, D.C. 





                               Report No.        4A-CI-00-10-019


                               Date:               11/10/10





                                                                Michael R. Esser
                                                                Assistant Inspector General
                                                                  for Audits






                                            Executive Summary 




                                U.S. OFFICE OF PERSONNEL MANAGEMENT 



                         FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT 

                                              FY 2010 


                                               WASHINGTON, D.C. 





                                      Report No.           4A-CI-00-10-019

                                      Date:                  11/10/10



          This final audit report documents the Office of Personnel Management's (OPM's) continued
          efforts to manage and secure its information resources. The Office of the Inspector General
          (OIG) has significant ongoing concerns regarding the overall quality of the information security
          program at OPM.

          In fiscal year (FY) 2007 and FY 2008 we reported a material weakness in controls over the
          development and maintenance of OPM's information technology (IT) security policies. In FY
          2009, we issued a Flash Audit Alert to OPM's Director highlighting our concerns with the
          agency's IT security program. We also expanded the material weakness related to IT security
          policies to include concerns with the agency's overall information security governance and its
          information security management structure.

          Although we acknowledge that some limited progress was made in FY 2010 to improve OPM's
          security program, we continue to consider the IT security management structure, insufficient




staff, and the lack of policies and procedures to be a material weakness in OPM's IT security
program.

In addition, we are adding a second material weakness related to the management of OPM's
Certification and Accreditation (C&A) process. The C&A concerns were reported as a
significant deficiency in the FY 2008 and FY 2009 Federal Information Security Management
Act (FISMA) audit reports. Specifically, we noted that not all systems at OPM have an active
C&A, there is a wide range of quality in the C&A packages from various program offices, and
the Office of the Chief Information Officer (OCIO) does not have the resources to facilitate the
C&A process.

The agency has recently appointed a new Senior Agency Information Security Official.
However, it remains to be seen whether it will commit the necessary resources and develop the
appropriate functions required of this role. We will reevaluate this issue during the FY 2011
FISMA audit.

In addition to the material weaknesses described above, the OIG noted the following controls in
place and opportunities for improvement:
• 	 The OIG does not agree with the number of systems identified in OPM's master system
    inventory. The OCIO takes a passive approach to maintaining the inventory, increasing the
    risk that applications containing sensitive data are operating in a production environment
    without being subject to the IT security controls required by FISMA.
• 	 The OCIO does not maintain a single centralized inventory of the computer hardware in its
    data centers.
• 	 The OCIO has developed a Windows XP image that is generally compliant with Federal
    Desktop Core Configuration standards. However, this image has not been implemented on
    any production workstations.
• 	 The OCIO has developed thorough incident response and reporting capabilities.
• 	 The OCIO has implemented a process to provide annual IT security and privacy awareness
    training to all OPM employees and contractors. However, controls related to providing
    specialized security training to individuals with information security responsibility could be
    improved.
• 	 A Plan of Action and Milestones (POA&M) should be continuously managed for all agency
    systems, but we found that POA&Ms were updated every quarter in FY 2010 for only 35 of
    OPM's 43 systems.
• 	 All 30 of the recommendations from the FY 2009 FISMA audit were appropriately
    incorporated into the OCIO POA&M. However, POA&M items from the system-specific
    audits conducted by the OIG do not appear in the POA&M of the individual systems.
• 	 The POA&Ms for 9 OPM systems contain security weaknesses with remediation activities
    over 120 days overdue.



• 	 The OCIO has not developed a formal strategy to identify and continuously monitor the high-
    risk security controls for OPM information systems.
• 	 The OCIO does not currently maintain a published list of common security controls.
• 	 The OCIO and other OPM program offices maintain up-to-date contingency plans for only
    36 of the 43 systems on OPM's master system inventory. The contingency plans for only 30
    of 43 systems were adequately tested in FY 2010.
• 	 OPM does not have a formal policy providing the OCIO and other program offices guidance
    on the appropriate oversight of contractors and contractor-run systems. In addition, the
    security controls were not tested in FY 2010 for 7 of 11 contractor-operated systems.




                                                                Contents



   Executive Summary ................................................................................................................... i 

   Introduction............................................................................................................................... 1 

   Background ............................................................................................................................... 1 

   Objectives ................................................................................................................................. 1 

    Scope and Methodology ........................................................................................................... 2 

   Compliance with Laws and Regulations ................................................................................... 3 

   Results ....................................................................................................................................... 4 

           I. Information Security Governance ................................................................................. 4 

          II. System Inventory .......................................................................................................... 7 

         III. Certification and Accreditation Program ...................................................................... 9 

        IV. Security Configuration Management .......................................................................... 15 

         V. Incident Response and Reporting Program................................................................. 18 

        VI. Security Training Program .......................................................................................... 18 

       VII. Plan of Action and Milestones Program ..................................................................... 20 

      VIII. Remote Access Program ............................................................................................. 24 

        IX. Account and Identity Management Program .............................................................. 26 

         X. Continuous Monitoring Program ................................................................................ 26 

        XI. Contingency Planning Program .................................................................................. 28 

       XII. Program to Oversee Contractor Systems .................................................................... 30 

      XIII. Follow-up From Prior OIG Audit Recommendations ................................................ 31 

   Major Contributors to this Report ........................................................................................... 43 


Appendix I: 	       Status of Prior Audit Recommendations Issued by the Office of the Inspector
                    General

Appendix II: 	 Office of Chief Information Officer's October 7, 2010 response to the draft audit
               report, issued September 22, 2010.

Appendix III: 	 Fiscal Year 2010 FISMA Reporting Metrics
                                         Introduction

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-
347), which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In accordance with FISMA, we conducted an evaluation of
OPM's security program and practices. As part of our evaluation, we reviewed OPM's FISMA
compliance strategy and documented the status of its compliance efforts.

                                         Background

FISMA requirements pertain to all information systems (national security and unclassified
systems) supporting the operations and assets of an agency, including those systems currently in
place or planned. The requirements also pertain to information technology (IT) resources owned
and/or operated by a contractor supporting agency systems.

FISMA reemphasizes the Chief Information Officer's strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency's Office of the Chief
Information Officer (OCIO). FISMA also clearly places responsibility on each agency program
office to develop, implement, and maintain a security program that assesses risk and provides
adequate security for the operations and assets of programs and systems under its control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities,
OMB issued memorandum M-10-15, FY 2010 Reporting Instructions for the Federal
Information Security Management Act and Agency Privacy Management. This memorandum
provides a consistent form and format for agencies to report to OMB. It identifies a series of
reporting topics that relate to specific agency responsibilities outlined in FISMA. Our audit and
reporting strategies were designed in accordance with the above OMB guidance.

                                          Objectives

Our overall objective was to perform an evaluation of OPM's security program and practices, as
required by FISMA. Specifically, we reviewed the following areas of OPM's IT security
program in accordance with OMB's FISMA IG reporting requirements:
   •   System Inventory;
   •   Status of Certification and Accreditation Program (C&A);
   •   Status of Security Configuration Management;
   •   Status of Incident Response and Reporting Program;
   •   Status of Security Training Program;
   •   Status of Plans of Actions and Milestones (POA&M) Program;
   •   Status of Remote Access Program;
   •   Status of Account and Identity Management Program;
   •   Status of Continuous Monitoring Program;



   •   Status of Contingency Planning Program; and
   •   Status of Agency Program to Oversee Contractor Systems.

In addition, we evaluated the security controls of two major applications/systems at OPM (see
Scope and Methodology for details of these audits). We also followed up on outstanding
recommendations from prior FISMA audits (see Appendix I).

                                  Scope and Methodology

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM's
FISMA compliance efforts throughout FY 2010.

We reviewed OPM's general FISMA compliance efforts in the specific areas defined in OMB's
guidance and the corresponding reporting instructions. We also evaluated the security controls
for the following major applications:
   •   Benefits Financial Management System (OIG Report No. 4A-CF-00-10-018)
   •   Annuity Roll System (OIG Report No. 4A-CF-00-10-047)

We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives. Accordingly, we obtained an understanding of the internal controls for these
various systems through interviews and observations, as well as inspection of various documents,
including information technology and other related organizational policies and procedures. This
understanding of these systems' internal controls was used to evaluate the degree to which the
appropriate internal controls were designed and implemented. As appropriate, we conducted
compliance tests using judgmental sampling to determine the extent to which established
controls and procedures are functioning as required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit testing to cause
us to doubt its reliability.

As appropriate, we conducted compliance tests using judgmental sampling to determine the
extent to which established controls and procedures are functioning as intended. The results
from tests performed on a sample basis were not projected to the universe of controls.

Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.



The criteria used in conducting this audit include:
• 	 OPM Information Technology Security Policy Volumes 1 and 2;
• 	 OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• 	 OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information
    Security Management Act and Agency Privacy Management;
• 	 OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
• 	 OMB Memorandum M-06-16, Protection of Sensitive Agency Information;
• 	 OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;
• 	 E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
    Management Act of 2002;
• 	 National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An
    Introduction to Computer Security;
• 	 NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
    Systems;
• 	 NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• 	 NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• 	 NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information
    Systems;
• 	 NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
    Systems;
• 	 NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to
    Security Categories;
• 	 Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
    Categorization of Federal Information and Information Systems;
• 	 FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
• 	 Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from May through September 2010 in OPM's
Washington, D.C. office.

                        Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM's practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM's OCIO and other program offices were not in complete compliance with all standards, as
described in the "Results" section of this report.





                                             Results

     The sections below detail the results of the OIG's FY 2010 FISMA audit of OPM's IT
     Security Program. Several recommendations issued in FY 2010 were rolled-forward from
     prior OIG audit reports, including:

     • 	 Report 4A-CI-00-09-053: "Flash Audit Alert - Information Technology Security
         Program at the U.S. Office of Personnel Management"
     • 	 Report 4A-CI-00-07-015: "Audit of the Privacy Program at OPM - FY 2007"
     • 	 Report 4A-CI-00-06-016: "Federal Information Security Management Act Audit -
         FY 2006"
     • 	 Report 4A-CI-00-07-007: "Federal Information Security Management Act Audit -
         FY 2007"
     • 	 Report 4A-CI-00-08-022: "Federal Information Security Management Act Audit -
         FY 2008"
     • 	 Report 4A-CI-00-09-031: "Federal Information Security Management Act Audit -
         FY 2009"

I.   Information Security Governance

     The sections below outline the OIG's review of IT security governance at OPM.

     a) 	 IT Security Policies and Procedures

        OPM's failure to adequately update its IT security and privacy policies and procedures
        has been highlighted in the past four OIG FISMA audit reports, and has been identified as
        a material weakness in the IT security program in the FY 2007, FY 2008, and FY 2009
        reports.

        The absence or severely outdated nature of the following policies, procedures, or
        guidance has directly led to OIG audit findings in FY 2009 and 2010 (this is not intended
        to be a comprehensive list of missing policies at OPM):
        • 	 Guidance for developing contingency plans, procedures for routinely conducting
            contingency plan tests, and templates for reporting test results;
        • 	 Guidance for developing risk assessments;
        • 	 Guidance for developing information system security plans;
        • 	 Policy and procedures related to oversight of systems operated by a contractor;
        • 	 Policy related to roles and responsibilities for the Independent Verification and
            Validation (IV&V) process and procedures for managing an IV&V;
        • 	 Guidance for establishing agreements for interfacing systems;





• 	 Policy on remote access and telecommuting; and
• 	 Policy on patch management.

Although several new security and privacy documents were published in FY 2010, this
area continues to be a major concern as the limited IT policies available do not provide
OPM employees with adequate guidance to secure the agency's information systems.

Recommendation 1 (Roll-Forward from OIG Reports 4A-CI-00-09-031
Recommendation 30, 4A-CI-00-09-053 Recommendation 2, 4A-CI-00-08-022
Recommendation 19, 4A-CI-00-07-007 Recommendation 3 and 9, 4A-CI-00-07-015
Recommendation 1, and 4A-CI-00-06-016 Recommendation 6)
We recommend that the OCIO develop up-to-date and comprehensive IT security
policies and procedures, and publish these documents to THEO, and a plan for updating
them at least annually.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to
present a more current interpretation of the status of the IT security policies and
procedures. The IT security and privacy policy volumes 1 and volume 2 were last
updated and posted on THEO in August 2009. The CIO understands that additional
policy updates are required to comply with guidance issued by NIST during the last
year and to address some deficiencies in the current policies. The Bureau of the Public
Debt (BPD) has been retained through an Interagency Agreement to update and to
bring IT Security and Privacy policies into OPM and FISMA compliance. A kickoff
meeting was held for this project on September 2010 and BPD is expected to be on site
to collect policy requirements during the next 60 days. A comprehensive IT security
and Privacy Handbook is expected to be completed in FY2011.

This recommendation also cited the need for procedures and a number of procedures
were created or updated and posted on THEO in 2009/2010 including:

•	   Certification and Accreditation Guide (July 2009)
•	   Incident Response and Reporting Guide (July 2009)
•	   LAN Complex Passwords (June 2009)
•	   OPM Computer User Responsibilities (June 2009)
•	   Plan of Action and Milestone (POA&M) Standard Operating Procedure (September
     2009)
• 	 Process for Analyzing New and Emerging Information Security and Privacy
    Requirements (July 2009)
• 	 System Access Authorization Procedure (July 2009)
• 	 Privacy Impact Assessment (PIA) Guide (April 2010)
• 	 System of Records Notice (SORN) Guide (April 2010)




  The CIO believes that the above procedures have enhanced IT security and privacy at
  OPM and understands that additional work needs to be done to develop new
  procedures and to enhance existing ones as necessary. Current procedures will be
  revisited and additional ones will be developed in FY2011 as necessary."

   OIG Reply:
   The majority of the new procedures referenced in the OCIO response were issued during
   FY 2009. Although this limited progress was acknowledged in the FY 2009 OIG FISMA
   audit report, we continued to label this issue as a material weakness in OPM's IT security
   program. The addition of a PIA Guide and SORN Guide in FY 2010 again represents
   very limited progress in improving OPM's IT security and privacy policies, and this issue
   continues to represent a material weakness in FY 2010.

b) Information Security Management Structure

   In FY 2009, the OIG issued a Flash Audit Alert to OPM's Director highlighting our
   concerns with the agency's IT security program. We also expanded the existing IT
   security policy material weakness to include concerns with the agency's overall
   information security governance and the information security management structure in
   the OCIO.

   At the end of FY 2009, OPM had operated without a permanent Senior Agency
   Information Security Officer (SAISO) for over 18 months. Although a new SAISO was
   appointed in FY 2010, 24 of the 30 audit recommendations issued in the FY 2009 FISMA
   audit report, and 2 of the 4 recommendations issued in the Flash Audit Alert, have been
   rolled-forward into this FY 2010 FISMA report. We believe this indicates that the OCIO
   does not have adequate resources to effectively remediate weaknesses in OPM's IT
   security program.

   Recommendation 2 (Roll-forward from OIG Report 4A-CI-00-09-053
   Recommendation 3)
   We recommend that the OPM Director ensure that the OCIO has adequate resources to
   properly staff its IT Security and Privacy Group.

   OCIO Response:
  "The CIO concurs with this recommendation and offers clarifying remarks in order to
  present a more current interpretation of the staffing situation in the IT Security and
  Privacy Group. During the past five months, a Senior Agency Information Security
  Officer has been [redacted] and the staff complement in the security and privacy group has
  increased from [redacted] FTEs along with contractor resources as needed.
  Recognizing that additional staff resources are needed, the CIO believes that
  incremental progress is being made in this area."





         OIG Reply:
         Although the OCIO has been authorized to hire [redacted] full time employees, only [redacted] of these
         positions have been filled to date. We continue to believe that the OCIO does not have
         adequate resources to effectively remediate weaknesses in OPM's IT security program,
         and we recommend that the IT Security and Privacy Group increase its staffing resources.

      In September 2010, the OCIO informed the OIG that OPM has secured funding to enter into
      an interagency agreement with the Bureau of Public Debt for assistance in developing a
      comprehensive IT security handbook. The SAISO is also actively recruiting to fill several
      open positions in the OCIO.

      Although the OIG acknowledges that OPM appears to be taking steps to improve its security
      program, we continue to consider the insufficient resources and security governance in the
      OCIO and the lack of policies and procedures to be a material weakness in OPM's IT
      security program.

II.   System Inventory
      OPM has identified 43 major systems within 8 of its program offices. OPM's system
      inventory indicated that these 43 systems were comprised of the following security
      categorizations (as defined by Federal Information Processing Standards Publication 199): 7
      high, 34 moderate, and 2 low. The inventory also indicated that 32 systems are operated by
      OPM within its own IT infrastructure and 11 are operated by a contractor facility on behalf of
      the agency.

      The OIG does not agree with the number of systems identified in OPM's master inventory.
      In FY 2010, the following anomalies were detected with the agency's inventory:
         • 	 An OIG audit of one system in FY 2010 revealed that several applications were
             inappropriately bundled into that single system on the inventory. The OIG
             recommended that this system be divided into at least four separate applications on
             the inventory.
         • 	 An OIG audit of a second system containing multiple applications revealed that the
             program office owning the system does not have a clear understanding of which
             specific applications are actually part of that system. Several applications were
             removed from this system and may not be accounted for elsewhere on the inventory.
         • 	 One system has been in production for many years but was not added to the inventory
             and subjected to a C&A until FY 2010.
         • 	 The OIG received copies of POA&Ms for three systems that did not appear on the
             inventory.

      OPM's OCIO is responsible for maintaining the agency's master system inventory. The
      OCIO relies heavily on OPM's program offices to inform them of updates to the system
      inventory (e.g., new or decommissioned systems). Although monthly email reminders are
      sent to the Designated Security Officer (DSO) community asking for inventory updates, the




OCIO generally maintained a passive approach to maintaining the agency's system inventory
in FY 2010.

In September 2010, the OCIO began the process of surveying OPM's program offices in an
attempt to identify any systems not currently reported on the inventory. The OIG believes
that this is a good step toward implementing an active strategy for maintaining the system
inventory. However, the OCIO needs to implement additional techniques to help ensure that
the system inventory identifies all major applications in OPM's operating environment. Such
techniques could include, but are not limited to:
   • 	 Routine review of database and hardware inventories to search for applications not
       accounted for on the system inventory;
   • 	 Use of software tools to scan the network environment for rogue hardware devices
       that are not accounted for on the system inventory; and
   • 	 Periodic survey of OPM employees (not just the DSO community) to inquire about
       applications used in their job function.
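The first two techniques above amount to a reconciliation: every application that owns a database, and every host seen on the network, should map back to a system on the master inventory. The script below is an added illustration of that reconciliation and is not part of the OIG report or any OPM tool; the master inventory, database listing, hardware inventory and scan export it uses are constructed sample data, and the "ip,mac" scan format is an assumed export format.

```python
"""Reconcile a FISMA master system inventory against other data sources.

Added example, not from the OIG report: all inventories, database listings
and discovery results below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    applications: set = field(default_factory=set)
    hosts: set = field(default_factory=set)   # IP addresses the system runs on


# Constructed master system inventory (what the OCIO would report under FISMA).
MASTER_INVENTORY = [
    System("Benefits Financial Management System",
           {"bfms-web", "bfms-batch"}, {"10.0.1.10", "10.0.1.11"}),
    System("Annuity Roll System", {"annuity-roll"}, {"10.0.2.20"}),
]

# Constructed database inventory: each database records the application that owns it.
DATABASE_INVENTORY = [
    {"db": "BFMSPROD", "owner_app": "bfms-web", "host": "10.0.1.11"},
    {"db": "ANNUITY", "owner_app": "annuity-roll", "host": "10.0.2.20"},
    {"db": "RETIRE_CALC", "owner_app": "retire-calc", "host": "10.0.3.30"},  # not on master inventory
]

# Constructed data-center hardware inventory (IP address -> asset tag).
HARDWARE_INVENTORY = {"10.0.1.10": "DC-0001", "10.0.1.11": "DC-0002", "10.0.2.20": "DC-0003"}

# Constructed network discovery export in an assumed "ip,mac" line format.
SCAN_RESULTS = """\
10.0.1.10,00:11:22:33:44:01
10.0.1.11,00:11:22:33:44:02
10.0.2.20,00:11:22:33:44:03
10.0.3.30,00:11:22:33:44:04
10.0.9.99,00:11:22:33:44:05
"""


def inventoried_applications(systems):
    """Every application name claimed by some system on the master inventory."""
    return {app for s in systems for app in s.applications}


def inventoried_hosts(systems):
    """Every host address claimed by some system on the master inventory."""
    return {h for s in systems for h in s.hosts}


def applications_missing_from_inventory(systems, databases):
    """Applications that own a database but appear under no inventoried system."""
    known = inventoried_applications(systems)
    return sorted({d["owner_app"] for d in databases} - known)


def parse_scan(text):
    """Parse the assumed 'ip,mac' export into a dict of ip -> mac, skipping blank lines."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, mac = line.split(",", 1)
        hosts[ip] = mac
    return hosts


def rogue_hosts(scan_text, hardware):
    """Hosts seen on the network but absent from the hardware inventory."""
    return sorted(ip for ip in parse_scan(scan_text) if ip not in hardware)


def unassigned_hosts(scan_text, systems):
    """Hosts seen on the network but tied to no system on the master inventory."""
    return sorted(set(parse_scan(scan_text)) - inventoried_hosts(systems))


def reconcile(systems=MASTER_INVENTORY, databases=DATABASE_INVENTORY,
              hardware=HARDWARE_INVENTORY, scan_text=SCAN_RESULTS):
    """Run all three checks and return the discrepancies an auditor would follow up on."""
    return {
        "apps_missing": applications_missing_from_inventory(systems, databases),
        "rogue_hosts": rogue_hosts(scan_text, hardware),
        "unassigned_hosts": unassigned_hosts(scan_text, systems),
    }


if __name__ == "__main__":
    for finding, items in reconcile().items():
        print(f"{finding}: {items}")
```

On the sample data the database review surfaces one application (retire-calc) that no inventoried system claims, and the scan surfaces two hosts that neither the hardware inventory nor any system accounts for; each such discrepancy is a candidate for the kind of unbundled or unreported system the audit describes.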

Failure to properly maintain OPM's master system inventory increases the risk that
applications containing sensitive data are running in a production environment without being
subject to the IT security controls required by FrSMA. We consider the weaknesses related
to the management of the system inventory to be a significant deficiency in OPM's
information technology security program.

Recommendation 3
We recommend that the OCIO develop and implement an active strategy to maintain up-to-date
information regarding OPM's master system inventory.

OCIO Response:
"The CIO concurs with this recommendation and has already taken steps through the
issuance of a data call to the IT Security Working Group on September 8, 2010 to identify
systems used by OPM that are not on the FISMA system inventory. The CIO has also
initiated an internal review to determine if applications were inappropriately bundled into
other larger systems as previously reported in prior audit findings. Additional systems
identified from the data call and internal system review will be evaluated for addition to the
master system inventory."

OIG Reply:
We acknowledge the limited progress the OCIO has made in improving the quality of its
system inventory. However, the data call referenced in the OCIO response relies on other
OPM program offices to notify the OCIO of new or modified information systems. We
continue to recommend that the OCIO develop and implement an active strategy to maintain
the system inventory using some or all of the suggested techniques outlined above.

III.   Certification and Accreditation Program

       System certification is a comprehensive assessment that attests that a system's security
       controls are meeting the security requirements of that system, and accreditation is the official
       management decision to authorize operation of an information system and accept its risks.
       Each major application at OPM is subject to the C&A process every three years.

       The OIG's FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM's
       C&A process were a significant deficiency in the internal control structure of the agency's IT
       security program. The weaknesses cited related to inadequate management of the process
       and incomplete, inconsistent, and poor quality C&A products. In FY 2010 these
       longstanding conditions not only continued, but actually degraded. As a result, we are now
       reporting a material weakness in the IT security control structure related to OPM's C&A
       process.

       We believe that the root causes of these issues include insufficient staffing in the IT Security
       and Privacy Group, a lack of policy and procedures, and the decentralized DSO model in
       place at OPM.

       Insufficient staffing and the lack of documented policies are discussed in the Security
       Governance section of this report (section I). The third underlying weakness, in our opinion,
       relates to how OPM staffs the DSO position. OPM chose to implement a decentralized
       model in which the DSOs are typically appointed by and report to the program offices that
       own major computer systems. Very few of the DSOs have any background in information
       security, and most are only managing their security responsibilities as a collateral duty to
       their primary job function.

       Perhaps in recognizing the inherent weaknesses in this arrangement, the OCIO established an
       Information Technology Security Working Group to provide guidance to the DSO
       community in a series of monthly meetings. Initially these meetings were a useful forum that
       involved training in IT security, discussion of various security-related topics, and the
       dissemination of emerging guidance. However, the meetings eventually degenerated into
       sessions where DSOs were upbraided for not meeting the required FISMA metrics; the focus
       seemed to be on "playing the FISMA numbers game" rather than implementing the
       foundations of a successful IT security program. Of late the DSOs are complaining about
       being overly burdened as the OCIO, with limited resources, asks more of the DSO
       community.

       IT security is a shared responsibility between the OCIO and program offices. The OCIO is
       responsible for overall information security governance and program offices are responsible
       for the security of the systems that they own. There is a balance that must be maintained
       between a consolidated and a distributed approach to managing IT security. In our opinion,
       however, OPM's approach is too decentralized. OPM program offices should continue to be
       responsible for maintaining security of the systems that they own, but the DSO responsibility
       for the C&A process (documenting, testing, and monitoring system security) should be
       centralized within the OCIO.

Recommendation 4
We recommend that OPM implement a centralized information security governance structure
where all information security practitioners, including designated security officers, report to
the Senior Agency Information Security Official. Adequate resources should be assigned to
the OCIO to create this structure. Existing designated security officers who report to their
program offices should return to their program office duties. The new staff that reports to the
SAISO should consist of experienced information security professionals.

OCIO Response:
"The CIO concurs with this recommendation. The overall IT security governance at OPM
can be improved by implementing a centralized information security governance structure
consisting of IT security professionals."

The sections below provide a detailed evaluation of OPM's C&A program.

a) C&A policy

   In July 2009, the OCIO published an agency-wide Certification and Accreditation Guide.
   The C&A Guide addresses the roles and responsibilities of key personnel, a walkthrough
   of the C&A process, and a listing of the various security documents that are required
   elements of a C&A, including:
   •   System Categorization;
   •   Privacy Impact Assessment (PIA);
   •   Information System Security Plan (ISSP);
   •   Risk Assessment;
   •   Security Control Test and Evaluation Plan and Report;
   •   Contingency Plan;
   •   System of Records Notice; and
   •   Plans of Action and Milestones.

   However, OPM's C&A Guide does not provide standard forms, templates, or detailed
   guidance on how to prepare each of the required elements. The lack of such guidance has
   led to extreme inconsistencies in the quality of C&A packages for various OPM systems
   (see "Quality and Consistency of C&A Packages" below).

b) Appropriate use of the C&A process

   As referenced in Section II above, the OIG identified one OPM system that was in
   production for several years without being subject to a C&A.

   In addition, the prior C&A for six additional systems from OPM's inventory expired in
   FY 2010, and a new C&A has not been completed. Although an "Interim Authorization
   to Operate" (IATO) was issued for these systems, they are currently running in a
   production environment without an active C&A.

   An IATO may be appropriate to use in special circumstances where legitimate business
   reasons result in a C&A package not being completed before the prior C&A expires.
   However, we believe this process is abused at OPM and is used to extend the
   authorization to operate for program offices that did not adequately plan for their
   systems' required C&A.

Recommendation 5 (Roll-Forward from OIG Reports 4A-CI-00-09-031
Recommendation 16 and 4A-CI-00-08-022 Recommendation 9)
We recommend that all active systems in OPM's inventory have a complete and current
C&A.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to
present a more current interpretation. Program offices are responsible for the security
and C&A of their systems. C&As are often contracted to various entities that employ
different styles in preparing the final packages and this explains why all C&A
packages do not look alike. The CIO believes that all completed C&A packages must
properly address required security controls and contain required artifacts per the OPM
C&A Guide, and that the look and feel of packages is a reflection of the various
sources contracted by the program offices to complete the packages.

Regarding the six systems with expired C&A, the CIO agrees that all production
systems should have a current C&A. However, the OPM procurement process can be
lengthy depending on workload, which has an effect on getting contracts and interagency
agreements for C&A in place. The extended Authority to Operate for the six systems
was issued in support of OPM mission support activities."

OIG Reply:
FISMA states that it is the responsibility of the OCIO to maintain an agency-wide
information security program. Although the C&A process is a shared effort with OPM
program offices, the OCIO has the primary responsibility to ensure that all C&A
packages are completed in a timely manner and are of consistent quality.

The OIG is discouraged to see that the OCIO references the lengthy OPM procurement
process as justification for having production systems operating without a C&A. The
requirement for federal information systems to have an active C&A has been in place
since 2003, and there has been ample time to properly budget IT security into the system
development lifecycle. We believe that poor planning, insufficient staffing resources,
and the OCIO's lack of authority over DSOs all contribute to this material weakness.

We believe that the centralized C&A approach referenced in Recommendation 4 would
allow the OCIO to more efficiently manage the C&A process and ensure that an active
C&A exists for each OPM system as required by FISMA.

c) Quality and consistency of C&A packages

   The OIG reviewed the full C&A packages of 15 systems that were subject to a C&A
   during FY 2010. Although the packages we reviewed contained all of the elements
   required by OPM's C&A Guide, the quality of these packages varied significantly
   between systems.

   The development of a C&A package is the responsibility of the OPM program office that
   owns the system. Each program office assigns a DSO to manage the security of its
   systems. The decentralized nature of the DSO community means that individuals with
   varying skill sets are tasked with C&A related responsibilities often as a collateral duty in
   addition to their normal job function.

   Although various forms of general guidance are available to assist program offices in the
   development of C&A elements, the OCIO has not implemented centralized policies,
   guidelines, or templates outlining how various C&A elements should be completed for
   OPM systems. As a result, the content and quality of a specific C&A element vary
   widely between systems. During our review of FY 2010 C&A packages, we noticed the
   highest quality variance between the security controls tests (see "Testing of Security
   Controls," below), contingency plans (see section XI), risk assessments, and ISSPs of
   these systems.

   Recommendation 6
   We recommend that the OCIO develop a risk assessment policy to provide guidance to
   program offices conducting a risk assessment as part of the C&A process.

   OCIO Response:
   "The CIO does not concur with this recommendation. Risk assessment policies are
   documented in the current IT security and Privacy policy volume 2 that is posted on
   THEO. However, risk assessment policy will be revisited and updated in the new IT
   Security policy updates that BPD has been retained to complete."

   OIG Reply:
   The IT Security and Privacy Policy Volume 2 states that the OCIO must develop a risk
   assessment policy along with procedures for facilitating the implementation of the policy.
   However, no such policies and procedures are contained within the document. The
   extreme range in quality between risk assessments conducted by various OPM program
   offices indicates that the OCIO has not provided adequate risk assessment guidance. We
   continue to recommend that the OCIO develop a risk assessment policy to provide
   guidance to program offices conducting a risk assessment as part of the C&A process.

   Recommendation 7
   We recommend that the OCIO develop an ISSP policy to provide guidance to program
   offices developing a security plan as part of the C&A process.

  OCIO Response:
   "The CIO does not concur with this recommendation. Information Systems Security
   Plan policies are documented in the current IT security and Privacy policy volume 2
   that is posted on THEO. The policies also reference NIST security plan templates
   that can be used to build a security plan. However, IT security plans policy will be
   updated to provide additional as part of the BPD policy update project.

   Regarding the review of C&A packages, two full time resources have been hired to
   review C&A packages and to provide guidance to the DSO community. One of these
   resources is already onboard and the second is expected to start work after completing
   the necessary new employee onboarding procedures."

   OIG Reply:
   The IT Security and Privacy Policy Volume 2 states that system owners must work with
   the OCIO and DSOs to develop information system security plans. However, the policy
   provides no actual guidance for doing so. We continue to recommend that the OCIO
   develop an ISSP policy to provide guidance to program offices developing a security plan
   as part of the C&A process.

d) OCIO management of C&A process

   The OCIO is responsible for assisting program offices in the development of C&A
   packages for their systems. OPM's C&A Guide also states that the OCIO must review
   completed C&A packages for quality and completeness before recommending the system
   for accreditation.

   Although the OCIO has procedures for conducting post-completion reviews of C&A
   packages, the post-completion review for at least one system (the LAN/WAN
   infrastructure) was conducted after the certification and accreditation statements were
   signed. The reviewer of the LAN/WAN C&A package found several errors and
   weaknesses in the documentation and made recommendations for improvement, but these
   were not presented to the certification and accreditation authority prior to the signing of
   the C&A statements.

   In addition, the OCIO does not have the resources available to actively participate in the
   planning or development of the C&A packages for each agency system. Inadequate
   oversight of the C&A process from the OCIO has led to OPM program offices
   developing inconsistent and low quality C&A packages.

  Recommendation 8
   We recommend that the OCIO assign additional resources to facilitate the C&A process
   to ensure the consistency and quality of C&A packages developed by OPM program
  offices.

   OCIO Response:
    "The CIO concurs with this recommendation and offers clarifying remarks in order to
    present a more current interpretation. The CIO has doubled the number of full time
    resources assigned to the C&A program and this increase in resources will improve the
    quality of C&A packages. C&A packages found to be of poor quality are being
    returned for rework for correction of deficiencies."

e) Testing of security controls

   Although a full C&A is required for each system every three years, the security controls
   of that system must be tested on an annual basis. An annual test of security controls
   provides a method for agency officials to determine the current status of their information
   security programs and, where necessary, establish a target for improvement. Failure to
   complete a security controls test increases the risk that agency officials are unable to
   make informed judgments to appropriately mitigate risks to an acceptable level.

   We conducted a review of the documentation resulting from the security controls tests for
   each of the 43 systems in OPM's inventory. Our evaluation indicated that the IT security
    controls had been adequately tested for only 28 of OPM's 43 systems during FY 2010.

   There was a wide range of quality amongst the 28 security control tests that were
   conducted. Some program offices tested all security controls applicable to that system
   while others tested only a small subset. There was also a variance in the security controls
   that program offices assumed to be "common controls" inherited from OPM's IT and
   facility infrastructures (see section X, Continuous Monitoring). In addition, the tests
   were documented in many different formats and templates. We believe that these
    inconsistencies are a result of OPM's lack of agency-wide policy or guidance on how to
   adequately test information system security controls.

    Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-09-031
   Recommendation 5)
   We recommend that the OCIO develop a policy for adequately testing the security
   controls of OPM's systems, and provide training to the DSO community related to proper
   security control testing.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The Information Security and Privacy Policy
    Volume 1 requires security controls to be periodically assessed and CIO security staff
    works with the DSO community on annual testing efforts including keeping track of
    the number of systems that have tested their security controls. We will enhance the
   current security policy in the security handbook that is under development and provide
   additional guidance to DSOs to enhance the testing ofsecurity controls."

         OIG Reply:
          The IT Security and Privacy Policy Volume 1 states that information system security
         controls must be assessed on a periodic basis, but provides no guidance for doing so. The
         extreme range in quality between security control tests conducted by various OPM
         program offices indicates that the OCIO has not provided adequate guidance on this
         topic. We continue to recommend that the OCIO develop a policy for adequately testing
         the security controls of OPM's systems, and provide training to the DSO community
         related to proper security control testing.

          Recommendation 10 (Roll-Forward from OIG Reports 4A-CI-00-09-031
          Recommendation 6 and 4A-CI-00-08-022 Recommendation 1)
         We recommend that OPM ensure that an annual test of security controls has been
         completed for all systems.

         OCIO Response:
         "The CIO concurs with this recommendation and offers clarifying remarks in order to
          present a more current interpretation. The CIO staff continues to work with the DSO
          community to ensure that security controls have been tested for all systems. The CIO
          security staff sends out a reminder to all DSOs each month informing them to complete
         required security controls testing and assist with technical guidance. We will continue
         to work with the DSO community and escalate systems where security controls have
         not been tested to the associated director in the specific business area."

IV.   Security Configuration Management

      The sections below detail the controls OPM has in place regarding the technical
      configuration management of its major applications and user workstations.

      a) Agency-wide security configuration policy

         The OCIO has implemented an agency-wide Configuration Management Policy. This
         policy was updated during FY 2010 and outlines the process for maintaining a securely
         configured network environment.

         The OCIO has also implemented a patch management policy that outlines the
         responsibilities and procedures for ensuring that OPM servers are routinely patched.
         However, this policy has not been updated since August 2005. In August 2010, the
         OCIO informed the OIG that this policy is in the process of being updated.

         Recommendation 11 (Roll-Forward from OIG Report No. 4A-CI-00-09-031
         Recommendation 25)
         We recommend that the OCIO develop and publish to THEO an up-to-date Patch
         Management Policy.

  OCIO Response:
  "The CIO does not concur with this recommendation. The OPM ISPP details the high
  level patch (flaw remediation) requirements and agency policy. (See ISPP Volume 2,
  page 71. 800-53 rev 3 Control SI-2). Low level procedures exist and are utilized by the
  Network Management administrators to patch desktops and servers. Ongoing
  improvements to the patch management process are being tested and implemented as
  new tools and processes become available. Current initiatives include procurement
  requests for enterprise-wide patch and vulnerability management tools (Big Fix and
   Window SUS) scheduled for implementation in FY 2011."

   OIG Reply:
  The Information Security and Privacy Policy Volume 2 simply states that system
   stakeholders must "identify, report, and correct flaws discovered in the information system
  software or hardware." This does not constitute a comprehensive patch management policy.
  We acknowledge that low level patch management procedures exist, but they have not been
   updated in over five years. We continue to recommend that the OCIO develop and publish
  to THEO an up-to-date Patch Management Policy.

b) Management of hardware inventory

   OPM currently uses several Excel spreadsheets to track its computer hardware inventory.
   These spreadsheets are manually updated when new hardware is purchased or old
   hardware is decommissioned. Separate spreadsheets are maintained by different
    individuals for Windows servers, Linux servers, and all servers operated by OPM's
    Federal Investigative Services program office. However, each of these spreadsheets is
    maintained independently from the other inventories, and no individual at OPM
    maintains a single inventory listing that contains all computer hardware owned by the
    agency. Therefore, the OCIO is unable to attest that all computer hardware in OPM's
   operating environment is accounted for.

   Recommendation 12
    We recommend that the OCIO develop a single centralized agency-wide hardware
   inventory.

   OCIO Response:
  "The CIO concurs with this recommendation and offers clarifying remarks in order to
  present a more current interpretation. Network Management is actively implementing
   a centralized agency-wide automated hardware inventory tracking system. Asset tags
  are being applied to all accountable IT assets and pending procurements for scanning
  equipment are expected to quickly bring the outstanding inventory under control.
  Daily and weekly automated inventory reports are now being produced and internal
   audits of the process will begin this quarter."

     Recommendation 13
     We recommend that the OCIO develop and implement a strategy for using automated
     techniques for tracking hardware inventory.

     OCIO Response:

     "The CIO concurs with this recommendation."


c) Standard baseline configurations

     OPM maintains standard baseline configurations and/or build sheets for all operating
     platforms reviewed by the OIG, including:




     The OCIO uses vulnerability scanning tools to routinely scan servers to ensure
     compliance with configuration guides and baselines for the majority of platforms.
     Nothing came to our attention during this review to indicate that there are weaknesses in
     OPM's baseline configuration controls.

d) Federal Desktop Core Configuration

     OPM has developed a Windows XP standard image that is generally compliant with
     Federal Desktop Core Configuration (FDCC) standards and has documented nine
     deviations between this image and FDCC requirements.

     As of September 30,2010, OPM's FDCC compliant image has not been rolled out to the
     majority of OPM workstations.

     Recommendation 14 (Roll-Forward from OIG Reports 4A-CI-00-09-031
     Recommendation 26 and 4A-CI-00-08-022 Recommendation 16)
     We recommend that the OCIO implement FDCC compliant images on all OPM
     workstations.

     OCIO Response:
     "The CIO concurs with this recommendation and offers the following clarifying
     remarks: An FDCC workstation baseline image has been created and is currently
     being deployed. All new workstations and all agency laptops are currently secured
     utilizing an FDCC (USGCB) compliant image. The FDCC image has been rolled out
     to 1200 laptops and 800 desktops as of this date. Image deployment and enforcement
     of the legacy workstations is currently an active project and is being pushed through
     domain GPO. The addition of workstations occurs daily and is scheduled to have full
     completion by the end of the first quarter of FY 2011. Part of the delay in
     implementation was due to working with the union to assess the impact on employees."

V.    Incident Response and Reporting Program

      OPM has developed an "Incident Response and Reporting Guide" that outlines the
      responsibilities of OPM's Computer Incident Response Team (CIRT) and documents
      procedures for reporting all IT security events to the appropriate entities. We evaluated the
      degree to which OPM is following internal procedures and FISMA requirements for
      reporting security incidents internally, to the United States Computer Emergency Readiness
      Team (US-CERT), and to appropriate law enforcement authorities.

      a) Identifying and reporting incidents internally

         OPM's Incident Response and Reporting Guide requires any user of the agency's IT
         resources to immediately notify OPM's Situation Room when IT security incidents occur.
         During the past year, OPM has provided its employees with various forms of training
         related to the procedures to follow in the event sensitive data is lost. In addition, OPM
         reiterates the information provided in the Incident Response and Reporting Guide in the
         annual IT security and privacy awareness training.

      b) Reporting incidents to US-CERT

         OPM's Incident Response and Reporting policy states that OPM's CIRT is responsible
         for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT
         within one hour of a reportable security incident occurrence. Comprehensive analysis
         and documentation of any reported security incident along with ongoing correspondence
         with US-CERT is tracked through "Remedy Tickets" maintained by OPM's help desk.

      c) Reporting incidents to law enforcement

         The Incident Response and Reporting policy states that security incidents should also be
         reported to law enforcement authorities, where appropriate. OPM notifies OIG law
         enforcement of security incidents with a monthly report outlining all incidents where
         sensitive data was lost.

VI.   Security Training Program

      The following sections detail OPM's methodology for providing security awareness training
      to all employees and specialized security training to individuals with IT security
      responsibility.

a) Security awareness training

   The OCIO has implemented a process to provide annual IT security and privacy
   awareness training to all OPM employees and contractors. The training is conducted
   through an interactive web-based course. The course introduces employees and
   contractors to the basic concepts of IT security and privacy, including topics such as the
   importance of information security, security threats and vulnerabilities, viruses and
   malicious code, privacy training, peer-to-peer software, and the roles and responsibilities
   of users.

   Over 99 percent of OPM's employees and contractors completed the security awareness
   training course in FY 2010.

b) Specialized security training

   Agency employees with significant information security responsibilities are required to
   take specialized security training in addition to the annual awareness training.

   The OCIO has developed a table outlining the security training requirements for specific
   job roles. The OCIO uses a spreadsheet to track the security training taken by employees
   that have been identified as having security responsibility. Of those identified, 87 percent
   have completed at least one hour of specialized security training in FY 2010. However, a
   significant portion (33 percent) of the individuals on the spreadsheet are listed with a job
   role that does not appear on the training requirements table (i.e., "significant
   responsibility"), making it impossible to determine whether these individuals received
   adequate training in FY 2010.

   Recommendation 15
   We recommend that the OCIO improve the spreadsheet used to track security training to
   include a job function/responsibility for each individual that directly maps to the table
   containing training requirements.

   OCIO Response:
   "The CIO concurs with this recommendation and believes that the current spreadsheet
   used to track specialized security training can be improved. We will update the
   spreadsheet to include job function and responsibility for each individual that maps to
   the table containing training requirements."

   Recommendation 16
   We recommend that the OCIO ensure that all employees with significant information
   security responsibility take meaningful and appropriate specialized security training on an
   annual basis.

        OCIO Response:
        "The CIO concurs with this recommendation and offers clarifying remarks in order to
        present a more current interpretation. The CIO believes that many employees are
        already taking meaningful and appropriate specialized training such as specialized
        courses offered through outside training providers, IT security conferences and other
        sources. However, OPM has contracted with Skills Soft to provide online training to
        employees at no additional cost. The CIO believes that the security courses available
        online through Skill Soft such as CISSP prep courses among others will be sufficient
        to meet the specialized training requirements."

VII. Plan of Action and Milestones Program

     A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and
     monitoring the progress of corrective efforts for IT security weaknesses. The sections below
     detail OPM's effectiveness in using POA&Ms to track the agency's security weaknesses.

     a) POA&M Policy

        The OCIO has developed a POA&M Guide and published it to THEO. However, the
        POA&M related weaknesses outlined below indicate that the OCIO has not provided
        adequate guidance and training to the DSO community regarding appropriate
        management of POA&Ms.

        Recommendation 17 (Roll-Forward from OIG Report 4A-CI-00-09-031
        Recommendation 11)
        We recommend that the OCIO work closely with the DSO community, providing training
        and information-sharing sessions, to implement the procedures and ensure that there is a
        clear understanding of the appropriate management of POA&Ms.

        OCIO Response:
        "The CIO concurs with this recommendation and offers clarifying remarks in order to
        present a more current interpretation. The CIO is working closely with the DSO
        community on training and information sharing activities through the IT Security
        Working Group (ITSWG) that is facilitated by the Senior Agency Information Security
        Officer monthly. During FY10 we provided training on contingency plan testing,
        common security controls and POA&M management in addition to other areas. The
        CIO believes that this type of training is beneficial to the DSOs and for maintaining the
        OPM IT Security program and will continue to provide training and information
        sharing sessions through the ITSWG. The CIO will encourage all DSOs to take
        advantage of specialized training opportunities through the OPM Skill Soft program."





b) POA&Ms incorporate all known IT security weaknesses

   In October 2009, the OIG issued the FY 2009 FISMA audit report with 30 audit
   recommendations. We verified that all 30 of the recommendations were appropriately
   incorporated into the OCIO POA&M.

   The OIG conducted audits of three OPM systems in FY 2009 with a total of three audit
   recommendations that remained outstanding at the time the reports were issued.
   However, none of these audit recommendations appeared in the POA&M of the related
   system. Although each of these weaknesses has since been remediated, they should be
   documented in the system's POA&M for tracking purposes.

   Recommendation 18 (Roll-Forward from OIG Reports 4A-CI-00-09-031
   Recommendation 12 and 4A-CI-00-08-022 Recommendation 4)
   We recommend that OPM program offices incorporate all known IT security weaknesses
   into POA&Ms.

   OCIO Response:
  "The CIO concurs with this recommendation and offers clarifying remarks in order to
  present a more current interpretation. The CIO has dedicated multiple resources to
  ensure that all IT security weaknesses are incorporated into POA&Ms and has
  implemented safeguards to ensure accuracy. The CIO will continue to improve the
  POA&M management process."

c) Management of POA&Ms by program offices

   OPM program offices are responsible for developing, implementing, and managing
   POA&Ms for each system that they own and operate. We were provided evidence that
   current POA&Ms were submitted to the OCIO on a quarterly basis for only 35 of OPM's
   43 systems.

   Recommendation 19 (Roll-Forward from OIG Reports 4A-CI-00-09-031
   Recommendation 13 and 4A-CI-00-08-022 Recommendations 5 and 6)
   We recommend that an up-to-date POA&M exist for each system in OPM's inventory,
   and that system owners submit updated POA&Ms to the OCIO on a quarterly basis.

   OCIO Response:
   "The CIO does not concur with this recommendation. The CIO believes that up-to-date
   POA&Ms are in place for the systems on the OPM inventory and this is evident by
   a 100% compliance rate for Quarters 3 and 4 of FY10. The CIO believes that this
   recommendation focused on a period prior to Quarter 3 of FY10."





   OIG Reply:
   The OIG's review of POA&Ms did include Quarter 3 of FY 2010; three systems did not
   submit an up-to-date POA&M during this period. We continue to recommend that an
   up-to-date POA&M exist for each system in OPM's inventory and that system owners
   submit updated POA&Ms to the OCIO on a quarterly basis.

d) Remediation plans for correcting security weaknesses

   When a POA&M item is remediated, OPM program offices are required to submit a work
   completion plan (WCP) along with evidence that the deficiency was corrected to the
   OCIO for review. We reviewed WCPs for eight systems and found that the majority of
   the program offices provided sufficient evidence that the weakness was corrected. One
   program office was unable to provide WCPs for closed security weaknesses and
   subsequently re-opened these POA&M items.

e) Compliance with estimated dates for remediation

   The POA&Ms for 9 OPM systems contain security weaknesses with remediation
   activities over 120 days overdue. In the third quarter of 2010, OPM systems had a total
   of 58 POA&M items over 120 days overdue, an increase from 26 overdue items during
   the same time period in FY 2009.

   This indicates that the OCIO has not provided adequate leadership and guidance to
   ensure that program offices assign reasonable POA&M due dates and stay on track to
   meet those dates. Program offices are equally responsible for dedicating adequate
   resources to addressing POA&M weaknesses and meeting target objectives.
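The aging check behind this finding can be automated. The following is an added example, not part of the OIG report or of OPM's POA&M tooling; the CSV layout, system names and dates are constructed, and the as-of date used in the usage call is the end of the third quarter of FY 2010 (June 30, 2010). It flags open items more than 120 days past their scheduled completion date and counts them per system, treating an item at exactly 120 days as not yet over the threshold.

```python
"""Age open POA&M items against their scheduled completion dates.

Added example, not from the OIG report or OPM's POA&M process. The
export format (system, item_id, scheduled, status) and all rows below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample POA&M export: one row per weakness, ISO dates.
SAMPLE_POAM = """system,item_id,scheduled,status
LAN/WAN,LW-001,2009-11-30,open
LAN/WAN,LW-002,2010-03-15,open
LAN/WAN,LW-003,2010-06-30,open
Enterprise Server,ES-001,2010-01-10,open
Enterprise Server,ES-002,2009-09-01,closed
Benefits App,BA-001,2010-02-28,open
Benefits App,BA-002,2010-05-20,open
Benefits App,BA-003,2010-03-02,open
"""

# The report's threshold for a significantly overdue remediation item.
OVERDUE_THRESHOLD_DAYS = 120


def parse_poam(text):
    """Parse the CSV export into a list of dicts; scheduled becomes a date."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(",")
    rows = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split(",")))
        row["scheduled"] = datetime.strptime(row["scheduled"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def days_overdue(item, as_of):
    """Days past the scheduled date; 0 for closed items or items not yet due."""
    if item["status"] != "open":
        return 0
    return max(0, (as_of - item["scheduled"]).days)


def overdue_items(rows, as_of, threshold=OVERDUE_THRESHOLD_DAYS):
    """Open items strictly more than `threshold` days past their scheduled date."""
    return [r for r in rows if days_overdue(r, as_of) > threshold]


def overdue_by_system(rows, as_of, threshold=OVERDUE_THRESHOLD_DAYS):
    """Map system -> number of items over the threshold (systems with none omitted)."""
    counts = defaultdict(int)
    for r in overdue_items(rows, as_of, threshold):
        counts[r["system"]] += 1
    return dict(counts)


def summarize(rows, as_of, threshold=OVERDUE_THRESHOLD_DAYS):
    """Totals of the kind the audit reports: items and systems over the threshold."""
    per_system = overdue_by_system(rows, as_of, threshold)
    return {
        "items_over_threshold": sum(per_system.values()),
        "systems_with_overdue_items": len(per_system),
        "item_ids": sorted(r["item_id"] for r in overdue_items(rows, as_of, threshold)),
    }


if __name__ == "__main__":
    # End of the third quarter of FY 2010 (constructed reporting date).
    q3_fy10 = date(2010, 6, 30)
    for item in overdue_items(parse_poam(SAMPLE_POAM), q3_fy10):
        print(item["system"], item["item_id"], days_overdue(item, q3_fy10), "days overdue")
    print(summarize(parse_poam(SAMPLE_POAM), q3_fy10))
```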

   Recommendation 20 (Roll-Forward from OIG Report 4A-CI-00-09-031
   Recommendation 14)
   We recommend that the OCIO develop a formal corrective action plan to immediately
   remediate all POA&M weaknesses that are over 120 days overdue. In addition, we
   recommend that the OCIO take a lead role in the future and work closely with OPM
   program offices to ensure that POA&M completion dates are achieved.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The CIO agrees that an action plan to
   remediate POA&M weaknesses that are over 120 days is appropriate and will take steps
   to develop the action plan. However, the CIO does not agree that all POA&Ms that are
   over 120 days can be remediated immediately because the resolution to some of these
   POA&Ms are beyond OPM's controls and require the cooperation of other
   stakeholders outside of OPM such as other Federal agencies. Many of these agencies
   for example have not implemented two factor authentication for various reasons
   including financial and this will prevent closure of certain POA&Ms that are over 120
   days. The CIO will make every effort to assess and remediate as many of these
   POA&Ms as possible."

     OIG Reply:
     The existence of POA&M items that require action from external stakeholders may
     indicate an inappropriate use of the POA&M, which is intended to track action items that
     must be completed by the POA&M owner in order to address a security weakness.

     While we acknowledge the OCIO's efforts to remediate as many overdue POA&M items
     as possible, we believe that this issue will continue to escalate until the OCIO addresses
     the problem of assigning unreasonable POA&M remediation deadlines. The drastic
     increase in overdue POA&M items from FY 2009 to FY 2010 indicates that the OCIO
     has not adequately provided leadership and guidance to ensure that program offices
     assign reasonable POA&M due dates.

f)   OCIO tracking and reviewing of POA&M activities on a quarterly basis

     The OCIO requires program offices to provide the evidence, or "proof of closure," that
     security weaknesses have been resolved before closing the related POA&M.

     We selected one closed POA&M item from nine OPM systems and reviewed the proof of
     closure documentation provided by the program offices when the POA&M items were
     closed. The 9 systems were selected from a universe of 48 systems and were
     judgmentally chosen by OIG auditors. The results of the sample test were not projected
     to the entire population.

     Adequate proof of closure was provided for eight of the nine systems tested. Proof of
     closure was not available for three POA&M items selected for the ninth system, and the
     program office subsequently reopened these security weaknesses. The OCIO's failure to
     adequately review proof of closure documentation before allowing program offices to
     close POA&M items increases the risk that security weaknesses remain unaddressed.

     Recommendation 21
     We recommend that the OCIO verify that adequate proof of closure documentation exists
     for remediated weaknesses before allowing the program office to close POA&M items.

     OCIO Response:
     "The CIO does not concur with this recommendation. The POA&M management
     team in the Security and Privacy Group verifies that all POA&Ms submitted by
     Program Offices have adequate supporting evidence to close the POA&M and ensures
     that a proof of closure form is completed for each POA&M before closure takes place.
     Requests to close POA&Ms with adequate documentation or completed proof of closure
     forms are returned to the sender."




        OIG Reply:
        Although the OCIO believes that adequate procedures are in place, the results of the
        OIG's sample test indicated that several POA&M items were, in fact, inappropriately
        closed without adequate proof of closure. We continue to recommend that the OCIO
        verify that adequate proof of closure documentation exists for remediated weaknesses
        before allowing the program office to close POA&M items.

     g) POA&M process prioritizes IT security weaknesses

        Each program office at OPM is required to prioritize IT security weaknesses on their
        POA&Ms to help ensure significant IT security weaknesses are addressed in a timely
        manner. However, we found that the OCIO did not prioritize security weaknesses on the
        LAN/WAN general support system.

        Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-09-031
        Recommendation 15)
        We recommend that the program offices responsible for the LAN/WAN prioritize the
        system weaknesses listed on its POA&Ms.

        OCIO Response:
        "The CIO does not concur with this recommendation. The LAN/WAN POA&Ms are
        prioritized and most recently updated during the June 2010 re-certification."

        OIG Reply:
        The OIG verified that the June 2010 version of the LAN/WAN POA&M prioritized
        security weaknesses. This recommendation is closed.

VIII. Remote Access Program

     The OIG evaluated OPM's remote access program by reviewing the agency's remote access
     and telecommuting policies and procedures and its progress in implementing the
     requirements of National Institute of Standards and Technology (NIST) Special Publication
     (SP) 800-46 Revision 1, "Guide to Enterprise Telework and Remote Access Security."

     a) Telecommuting policies and procedures

        NIST SP 800-46 Revision 1 states that a telework security policy should contain the
        following elements:
               • Which forms of remote access the organization permits;
               • Which types of telework devices are permitted to use each form of remote
                 access;
               • The type of access each type of teleworker is granted;
               • How user account provisioning should be handled; and
               • How the organization's remote access servers are administered and how
                 policies in those servers are updated.

   Although OPM has implemented a telecommuting policy that provides guidance on the
   establishment, management, and maintenance of telecommuting, it does not address any
   of the technical elements listed above. In addition, the telecommuting policy has not
   been updated since 2001.

   Recommendation 23
   We recommend that the OCIO update its telecommuting and remote access policy in
   accordance with NIST SP 800-46 Revision 1 guidelines.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The remote access policy and procedures are
   currently under review while new remote access methods are being tested and
   evaluated. Review and testing of new policy and procedures are expected to begin the
   second quarter FY 2011."

b) Authentication requirements

   OPM utilizes a Virtual Private Network (VPN) client to provide remote users with secure
   access to the agency's network environment. The OPM VPN requires username and
   password authentication to uniquely identify users. The agency maintains logs of
   individuals who remotely access the network, and the logs are reviewed on a monthly
   basis for unusual activity or trends.

   In FY 2009, OPM required two-factor authentication for remote access in the form of
   RSA token devices in combination with a password. However, the agency stopped
   enforcing two-factor authentication in FY 2010 and users were able to authenticate with
   only a password. OPM has recently implemented the capability of using Personal
   Identity Verification (PIV) cards along with a password for two-factor authentication.
   Although two-factor authentication is not currently enforced, OPM plans to restrict the
   use of single-factor authentication by October 8, 2010.

   Recommendation 24




   OCIO Response:
   "The CIO does not concur with this recommendation.





         OIG Reply:




IX.   Account and Identity Management Program
      The following sections detail OPM's account and identity management program.

      a) Account management

         OPM maintains two policies regarding management of user accounts: one related to
         Windows network (LAN) users and the other related to mainframe users. Both policies
         contain procedures for creating user accounts with the appropriate level of access as well
         as procedures for removing access for terminated employees.

         The OIG compared a list of terminated OPM employees to a list of active LAN users.
         Although we found that four employees maintained access after their termination date,
         we do not believe that this indicates a deficiency in the account management process.
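The comparison the OIG performed can be scripted as a periodic control. The following is an added example, not part of the OIG report or of OPM's account-management procedures; the separation list, directory export, usernames and dates are constructed, and the column names are assumptions about how HR and directory exports might look. It normalizes usernames before matching, skips accounts that are already disabled, and reports how long each remaining account stayed enabled past the termination date and whether it was used afterwards.

```python
"""Reconcile an HR separation list against active LAN accounts.

Added example, not from the OIG report or OPM's procedures. The CSV
layouts, usernames and dates below are constructed for illustration.
"""
from datetime import date, datetime

# Constructed HR separation list: employee id, LAN username, termination date.
TERMINATED_CSV = """emp_id,username,terminated
1001,jdoe,2010-03-12
1002,ASmith,2010-05-01
1003,rlee,2010-07-19
1004,mgarcia,2009-12-31
"""

# Constructed directory export of LAN accounts: username, enabled flag, last logon.
ACTIVE_CSV = """username,enabled,last_logon
jdoe,true,2010-03-10
asmith,true,2010-06-02
rlee,false,2010-07-19
tnguyen,true,2010-08-30
mgarcia,true,2010-01-05
"""


def _parse_csv(text):
    """Minimal CSV reader for the constructed exports (no quoting needed)."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, ln.split(","))) for ln in lines[1:]]


def _to_date(s):
    return datetime.strptime(s.strip(), "%Y-%m-%d").date()


def load_terminated(text):
    """Map normalized (lower-cased) username -> termination date."""
    return {r["username"].strip().lower(): _to_date(r["terminated"])
            for r in _parse_csv(text)}


def load_active(text):
    """Map normalized username -> (enabled, last_logon) for LAN accounts."""
    return {r["username"].strip().lower():
            (r["enabled"].strip().lower() == "true", _to_date(r["last_logon"]))
            for r in _parse_csv(text)}


def accounts_active_after_termination(terminated, active, as_of):
    """Findings for separated users whose LAN account is still enabled.

    Each finding is (username, termination_date, days_enabled_past_termination,
    logged_on_after_termination), sorted with the longest-standing account first.
    Accounts already disabled in the directory are not findings.
    """
    findings = []
    for user, term_date in terminated.items():
        if user not in active:
            continue  # no LAN account at all: nothing to remove
        enabled, last_logon = active[user]
        if not enabled:
            continue  # access already revoked
        findings.append((user, term_date, (as_of - term_date).days,
                         last_logon > term_date))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    # Constructed review date: end of FY 2010.
    review_date = date(2010, 9, 30)
    for user, term, days, used in accounts_active_after_termination(
            load_terminated(TERMINATED_CSV), load_active(ACTIVE_CSV), review_date):
        print(f"{user}: terminated {term}, enabled {days} days later, "
              f"used after termination: {used}")
```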

      b) Properly authenticating network devices

         As mentioned in section IV, above, OPM uses Excel spreadsheets to maintain an
         inventory of hardware devices connected to its network.



         Recommendation 25
         We recommend that the OCIO implement


         OCIO Response:
         "The CIO concurs with this recommendation and




X.    Continuous Monitoring Program

      The following sections detail OPM's controls related to continuous monitoring of the
      security state of its information systems.




a) Continuous monitoring policy and procedures
   OPM's IT Security and Privacy Policy Volume 2 states that the security controls of all
   systems must be tested at least annually to determine the extent to which the controls are
   implemented correctly, operating as intended, and meeting the security requirements for the
   system.

   In addition to the annual tests, OPM's infrastructure systems (LAN/WAN and Enterprise
   Server) are subject to additional security control tests in the form of automated vulnerability
   scans. Although these scans are performed routinely, the OCIO has not developed a
   Continuous Monitoring Policy to provide guidance on identifying high-risk security controls
   along with a strategy for testing them on a continuous basis. In addition, the OCIO does not
   have a policy to provide guidance on continuous monitoring of systems operated by a
   contractor on behalf of OPM (see section XII).

   Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-07-015
   Recommendation 7)
   We recommend that the OCIO develop a Continuous Monitoring Policy that outlines a
   strategy for identifying information security controls that need continuous monitoring as
   well as procedures for conducting tests of these controls.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The CIO believes that continuous monitoring
   must be part of the IT Security policy updates that are now underway with assistance
   from the Bureau of the Public Debt. However, the CIO believes that security controls
   associated with continuous monitoring are documented in the Certification &
   Accreditation guide posted on THEO."

   OIG Reply:
   The Certification and Accreditation Guide states that system owners must "select security
   controls in the IT system to be continuously monitored" but provides no actual guidance
   on doing so. We continue to recommend OPM develop a Continuous Monitoring Policy
   that outlines a strategy for identifying information security controls that need continuous
   monitoring as well as procedures for conducting tests of these controls.

b) List of common security controls

   NIST SP 800-53 Revision 3, "Recommended Security Controls for Federal Information
   Systems," provides guidelines for selecting and specifying security controls for
   information systems supporting the executive agencies of the federal government.

   Many of the applications in OPM's system inventory are housed in OPM's LAN/WAN
   or Enterprise Server (mainframe) general support systems (GSS). These applications
   inherit a significant portion of information security controls required by NIST SP 800-53
   from these environments. These inherited controls are referred to as "common controls."




         When the security controls of a system are subject to testing, the program office
         conducting the test is not required to evaluate the controls inherited from the GSS, as
         these controls are certified by the OCIO. However, the OCIO does not currently
         maintain a published list of common security controls, and individual program offices are
         responsible for determining which controls are inherited from a GSS, increasing the risk
         that certain security controls remain untested.

         Recommendation 27
         We recommend that the OCIO create a list of common security controls and distribute
         this information to OPM program offices responsible for testing individual applications.

         OCIO Response:
         "The CIO concurs with this recommendation and offers clarifying remarks in order to
         present a more current interpretation. The CIO has initiated a project to establish
         enterprise common controls under the management of the Senior Agency Information
         Security Officer. The IT Security Working Group has been briefed on this project and
         work has started with the program offices to identify common security controls and to
         consolidate them in a managed data repository. Enterprise common controls are
         expected to be in place in FY11."

XI.   Contingency Planning Program

      FISMA requires that a contingency plan be in place for each federal information system, and
      that the contingency plan be reviewed and tested on an annual basis. In addition, the OPM
      Certification and Accreditation Guide states that "To fully address system security
      throughout the certification and accreditation process, various security documents are
      required to be created and maintained throughout the life of the system." The Guide states
      that one of the required security documents is a contingency plan.

      The OIG verified that up-to-date contingency plans exist for only 36 of the 43 systems on
      OPM's master system inventory. Five of 43 systems had documented contingency plans, but
      they were not reviewed or updated in FY 2010. The OIG was not provided with evidence
      that a documented contingency plan exists for the remaining two systems.

      The contingency plans for 30 of OPM's 43 systems were tested in FY 2010 in full
      compliance with the requirements of NIST SP 800-34, Contingency Planning Guide for
      Information Technology Systems. Eleven of 43 system contingency plans were tested in FY
      2010, but not with a scenario-based contingency plan test conducted in accordance with
      NIST SP 800-34 requirements. The remaining two system contingency plans were not
      subject to any form of contingency plan test in FY 2010.

      Of the 43 systems on OPM's inventory, only 29 had both an up-to-date contingency plan and
      an adequate contingency plan test in FY 2010.




OPM's Information Security and Privacy Policy Volume 2 states that each system owner
must "Test the contingency plan for the information system at least annually to determine the
plan's effectiveness and the system's readiness to execute the plan." However, this policy
does not provide instructions for conducting business impact assessments, developing
contingency plans, or conducting the contingency plan test in accordance with NIST
guidance.

Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation
Zl
We recommend that the OCIO develop detailed guidance related to developing and testing
the contingency plans of agency systems and provide training to the DSO community related
to proper contingency planning and contingency plan testing.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to
present a more current interpretation. The CIO believes that the contingency plan
training provided to the Designated Security Officers through the IT Security Working
Group is adequate. The CIO plans to standardize the contingency plan templates to
improve the quality of the testing process."

OIG Reply:
Although a brief contingency plan training session was provided at a single IT Security
Working Group meeting in FY 2010, we continue to believe that the OCIO's oversight of the
contingency planning program is insufficient, as evidenced by the significant number of
OPM systems without an adequate contingency plan or contingency plan test.

Recommendation 29 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation
~
We recommend that up-to-date contingency plans be developed for all agency systems.

OCIO Response:
"The CIO concurs with this recommendation and offers clarifying remarks in order to
present a more current interpretation. The CIO believes that having up-to-date
contingency plans are important and will continue to work with the Designated Security
Officers to keep plans current. "

Recommendation 30 (Roll-Forward from OIG Reports 4A-CI-00-09-031
Recommendation 9 and 4A-CI-00-08-022 Recommendation 2)
We recommend that OPM's program offices test the contingency plans for each system on an
annual basis. The contingency plans should be immediately tested for the 13 systems that
were not subject to adequate testing in FY 2010.





     OCIO Response:
     "The CIO concurs with this recommendation and offers clarifying remarks in order to
     present a more current interpretation. Contingency plans are tested for a majority of
     systems on an annual basis and the records of each test are maintained by the Security and
     Privacy Group. The CIO acknowledges that some systems are behind schedule
     (approximately 10) with their testing in 2010 and will work to ensure that all testing is
     completed."

XII. Program to Oversee Contractor Systems

     OPM's master system inventory indicates that 11 of the agency's 43 major applications are
     operated by a contractor.

     In prior audits, OIG has verified that the security controls of these contractor systems were
     tested by an OPM employee. However, in FY 2010, 7 of the 11 contractor systems were not
     subject to security control testing.

     In addition, OPM does not have a formal policy providing the OCIO and other program
     offices guidance on the appropriate oversight of contractors and contractor-run systems.

     Recommendation 31
     We recommend that an OPM employee test information security controls for all systems
     operated by a contractor on an annual basis.

     OCIO Response:
     "The CIO concurs with this recommendation and offers clarifying remarks in order to
     present a more current interpretation. The CIO has provided guidance for testing security
     controls for contractor operated systems and the Security and Privacy Group has assessed
     security controls at the hosting facility for the 1GS_ LMS Learning Management System.
     The Security and Privacy Group plans to extend security controls testing in FY11 at other
     contractor facilities operating OPM systems. "

     Recommendation 32 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation
     l.!Jl
     We recommend that OPM develop a policy providing guidance on adequate oversight of
     contractor-operated systems.

     OCIO Response:
     "The CIO concurs with this recommendation and offers clarifying remarks in order to
     present a more current interpretation. Policy covering oversight of contractor systems is
     documented in the IT Security & Privacy Handbook volume 1 that is posted on THEO.
     Additional related policy will be included in the policy update effort that is now in progress
     that will result in comprehensive IT security policies."



     OIG Reply:
     We were unable to locate any reference to oversight of contractor systems in Information
     Security and Privacy Policy Volume 1. We continue to recommend that OPM develop a
     policy providing guidance on adequate oversight of contractor-operated systems.

XIII. Follow-up From Prior OIG Audit Recommendations

     The following sections document the results of a follow-up review of prior IT security audit
     recommendations issued by the OIG.

     All prior audit recommendations that have not been remediated are rolled-forward with a
     new recommendation number in this FY 2010 FISMA audit report. A high level summary of
     the follow-up review can be found in Appendix I of this report.

     Audit recommendations issued prior to FY 2010 reference OPM's Center for Information
     Services (CIS) as the program office responsible for the agency's IT security program. After
     an organizational realignment, this group is now referred to as the Office of the Chief
     Information Officer (OCIO).

     Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-07-015, "Audit
     of the Privacy Program at OPM - FY 2007"

     a) 4A-CI-00-07-015 Recommendation 1
          We recommend that OPM develop a comprehensive privacy policy (or a series of
          policies), that addresses the required areas.

        FY 2010 Status
        This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019
        Recommendation 1 (see section I, above).

     b) 4A-CI-00-07-015 Recommendation 3
          We recommend that OPM continue its efforts to implement encryption capabilities on
          laptop computers and Blackberry mobile devices.

        FY 2010 Status
        The OIG has been provided evidence that the OCIO encrypts all data on all mobile
        computers containing sensitive information; this recommendation is closed.


     c) 4A-CI-00-07-015 Recommendation 4
          We recommend that OPM continue its efforts to


        FY 2010 Status
        This recommendation was rolled-forward until FY 2009 Report 4A-CI-00-09-031
        Recommendation 24, where it was closed. However, OPM stopped enforcing _



                 in FY 2010, and this recommendation is reopened as Report 4A-CI-00-10-
        Recommendation 24 (see section VIII, above).

d) 	 4A-CI-00-07-015 Recommendation 7
     We recommend that OPM develop policies and procedures for periodically monitoring
     the Agency intranet, network, and websites for inadvertent privacy vulnerabilities.

   FY 2010 Status
   This recommendation is rolled-forward as Report 4A-CI-00-10-019 Recommendation 26
   (see section X, above).

Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-09-053, "Flash
Audit Alert Information Technology Security Program at the U.S. Office of Personnel
Management"

a) 4A-CI-00-09-053 Recommendation 1
   We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately
   reflect the status of OPM's IT security position as of March 1, 2009.

   FY 2010 Status
   This recommendation was closed in FY 2009.


b) 4A-CI-00-09-053 Recommendation 2
     We recommend that CIS develop a comprehensive set of IT security policies and
     procedures, and a plan for updating it at least annually.

   FY 2010 Status
   This recommendation remains open and is rolled forward as 4A-CI-00-10-019
   Recommendation 1 (see section I, above).


c) 4A-CI-00-09-053 Recommendation 3
     We recommend that the OPM Director ensure that CIS has adequate resources to
     properly staff its IT Security and Privacy Group.

   FY 2010 Status
   This recommendation remains open and is rolled forward as 4A-CI-00-10-019
   Recommendation 2 (see section I, above).


d) 4A-CI-00-09-053 Recommendation 4
   We recommend that CIS recruit a permanent Senior Agency Information Security Officer
   as soon as possible, and adequate staff to effectively manage the agency's IT security
   program.





   FY 2010 Status
   The OCIO hired a permanent Senior Agency Information Security Officer in FY 2010;
   this recommendation is closed.


Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-09-031, "Federal
Information Security Management Act Audit - FY 2009"

a) 4A-CI-00-09-031 Recommendation 1
     We recommend that CIS conduct a survey of OPM program offices (particularly the
     Benefits Systems Group) to identify any systems that exist but do not appear on the
     system inventory. The systems discovered during this survey should be promptly added
     to the system inventory and certified and accredited.

   FY 2010 Status
   The OCIO is in the process of conducting a survey of program offices to identify all
   missing systems, but this assessment has not been completed. This recommendation
   remains open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 33.

   Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09-031
   Recommendation 1)

   We recommend that CIS conduct a survey of OPM program offices (particularly the
   Benefits Systems Group) to identify any systems that exist but do not appear on the
   system inventory. The systems discovered during this survey should be promptly added
   to the system inventory and certified and accredited.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. A survey has been distributed to identify systems
   used by OPM that might not be on the system inventory. The results ofthe survey will
   be used to update that system inventory as necessary. "

b) 	 4A-CI-00-09-031 Recommendation 2
     We recommend that CIS develop and maintain an inventory of all system interfaces.

   FY 2010 Status
   The OCIO's master system inventory now contains a listing of all known system
   interfaces; this recommendation is closed.


c) 4A-CI-00-09-031 Recommendation 3
     We recommend that CIS develop a policy providing guidance on the development and
     appropriate use of MOUs and ISAs.

   FY 2010 Status
   The OCIO stated that the OPM Security and Privacy Policy addresses the use of MOUs
   and ISAs at OPM. Although this policy states that it "applies to other agencies' systems
   as delineated in memorandums of understanding (MOUs) and interconnection security


   agreements (ISAs) with OPM," it does not provide guidance on the development and
   appropriate use of MOUs and ISAs. This recommendation remains open and is rolled
   forward as Report 4A-CI-00-10-019 Recommendation 34.

   Recommendation 34 (Roll-forward from OIG Report 4A-CI-00-09-031
   Recommendation 3)
   We recommend that the OCIO develop a policy providing guidance on the development
   and appropriate use of MOUs and ISAs.

   OCIO Response:
   "The CIO does not concur with this recommendation and believes that MOU and ISA
   policies are documented in the IT Security and Privacy Handbook volume 2 that is
   posted on THEO. The current MOU/ISA policies will be enhanced as part of the
   security policy update project."

   OIG Reply:
   The FY 2009 OIG FISMA audit report stated that:

   "OPM's Information Security and Privacy Policy Volume 2 states that 'this policy
   applies to other agency's systems as delineated in memorandums of understanding
   (MOUs) and interconnection security agreements (ISAs) with OPM.' However, this
   policy does not provide any guidance outlining the appropriate use of MOUs and ISAs
   (required elements of these agreements, when they are required, etc.)."

   The OCIO agreed to the recommendation to implement a policy providing guidance on
   the development and appropriate use of MOUs and ISAs. Since no such policy was
   published in FY 2010, this recommendation remains open.

d) 	 4A-CI-00-09-031 Recommendation 4
     We recommend that CIS conduct a survey to determine how many systems owned by
     another agency are used by OPM.

   FY 2010 Status
   The OCIO is in the process of completing a survey to determine how many systems
   owned by other agencies are used by OPM. However, this survey was not complete as of
   September 30, 2010. This recommendation remains open and is rolled forward as Report
   4A-CI-00-10-019 Recommendation 35.

   Recommendation 35 (Roll-forward from OIG Report 4A-CI-00-09-031
   Recommendation 4)
   We recommend that CIS conduct a survey to determine how many systems owned by
   another agency are used by OPM.





   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. A survey has been distributed to program
   offices to identify systems used by OPM that might not be on the system inventory. The
   results of the survey will be used to update that system inventory as necessary and to
   determine other systems owned by other agencies that are used by OPM."

e) 	 4A-C1-00-09-031 Recommendation 5
     We recommend that CIS develop a policy for adequately testing the security controls of
     OPM's systems, and provide training to the Designated Security Officer (DSO)
     community related to proper security control testing.

   FY 2010 Status
   This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019
   Recommendation 9 (see section III, above).

f) 	 4A-CI-00-09-031 Recommendation 6 (Roll-Forward from OIG Report 4A-CI-00-08-022
     Recommendation 1)
   We recommend that OPM ensure that an annual test of security controls has been
   completed for all systems.

   FY 2010 Status
   This recommendation remains open and is rolled forward as Report 4A-CI-00-10-019
   Recommendation 10 (see section III, above).

g) 	 4A-CI-00-09-031 Recommendation 7
   We recommend that OPM develop detailed guidance related to developing and testing the
   contingency plans of agency systems and provide training to the DSO community related
   to proper contingency planning and contingency plan testing.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 28 (see section XI, above).

h) 	 4A-CI-00-09-031 Recommendation 8
     We recommend that up-to-date contingency plans be developed for all agency systems.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 29 (see section XI, above).

i) 	 4A-CI-00-09-031 Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendation 2)
   We recommend that OPM's program offices test the contingency plans for each system
   on an annual basis.


   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 30 (see section XI, above).

j) 	 4A-CI-00-09-031 Recommendation 10
     We recommend that OPM develop a policy providing guidance on providing adequate
     oversight of contractor operated systems.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 32 (see section XII, above).

k) 	 4A-CI-00-09-031 Recommendation 11
     We recommend that CIS publish the Plan of Action and Milestone Standard Operating
     Procedure to THEO. Once the procedures have been published, CIS should work closely
     with the DSO community, providing training and information-sharing sessions, to
     implement the procedures and ensure that there is a clear understanding of the
     appropriate management of POA&Ms.

   FY 2010 Status
   Although the OCIO has published a POA&M Guide to THEO, adequate training has not
   been provided to the DSO community. This recommendation remains open and is rolled
   forward to Report 4A-CI-00-10-019 Recommendation 17 (see section VII, above).

l) 	 4A-CI-00-09-031 Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022
     Recommendation 4)
     We recommend that OPM program offices incorporate all known IT security weaknesses
     into POA&Ms.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 18 (see section VII, above).

m) 4A-CI-00-09-031 Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendations 5 and 6)
   We recommend that an up-to-date POA&M exist for each system in OPM's inventory,
   and that system owners submit updated POA&Ms to CIS on a quarterly basis.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 19 (see section VII, above).




n) 	 4A-CI-00-09-031 Recommendation 14
     We recommend that CIS develop a formal corrective action plan to immediately
     remediate all POA&M weaknesses that are over 120 days overdue. In addition, we
     recommend that CIS take a lead role in the future and work closely with OPM program
     offices to ensure that POA&M completion dates are achieved.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 20 (see section VII, above).

o) 	 4A-CI-00-09-031 Recommendation 15
     We recommend that the program offices responsible for the two systems in question
     prioritize the system weaknesses listed on their POA&Ms.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 22 (see section VII, above).

p) 	 4A-CI-00-09-031 Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022
     Recommendation 9)
     We recommend that all active systems in OPM's inventory have a complete and current
     C&A.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 5 (see section III, above).

q) 	 4A-CI-00-09-031 Recommendation 17
     We recommend that the FIPS Publication 199 security categorization be updated for the
     inappropriately categorized system.

   FY 2010 Status
   The FIPS Publication 199 security categorization has been corrected for the system in
   question; this recommendation is closed.

r) 	 4A-CI-00-09-031 Recommendation 18
     We recommend that CIS update the PIA Guide to address all of the requirements of
     OMB Memorandum M-03-22.

   FY 2010 Status
   A new PIA Guide has been developed in compliance with OMB Memorandum M-03-22;
   this recommendation is closed.






s) 	 4A-CI-00-09-031 Recommendation 19
     We recommend that CIS conduct a new PIA survey to determine which OPM systems
     require a PIA, including those systems that process sensitive information about
     government employees and contractors.

   FY 2010 Status
   The OCIO has begun the process of helping program offices complete the PIA survey
   that is part of the new PIA Guide. However, the surveys were not complete as of
   September 30, 2010. This recommendation remains open and is rolled forward as Report
   4A-CI-00-10-019 Recommendation 36.

   Recommendation 36 (Roll-forward from OIG Report 4A-CI-00-09-031
   Recommendation 19)

   We recommend that the OCIO conduct a new PIA survey to determine which OPM
   systems require a PIA, including those systems that process sensitive information about
   government employees and contractors.

   OCIO Response:
   "The CIO does not concur with this recommendation. A Privacy Threshold Analysis
   documentation is performed for each system to discover whether a PIA is required.
   This is in accordance with NIST 800-122 recommendations."

   OIG Reply:
   We confirmed that a Privacy Threshold Analysis has been conducted for each system in
   OPM's inventory. This recommendation is closed.

t) 	 4A-CI-00-09-031 Recommendation 20
     We recommend that a new PIA be conducted for the appropriate systems based on the
     updated PIA Guide.

   FY 2010 Status
   The OCIO has begun the process of helping program offices complete new PIAs.
   However, the assessments were not complete as of September 30, 2010. This
   recommendation remains open and is rolled forward as Report 4A-CI-00-10-019
   Recommendation 37.


   Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09-031
   Recommendation 20)

   We recommend that a new PIA be conducted for the appropriate systems based on the
   updated PIA Guide.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. The new PIA template was reviewed and
   accepted by the OIG. We are informing DSO's that there are new requirements when
   they submit their PIA's for review. The PIA submitted by the DSO is being updated
   with the new questions required by the IG and returned to the DSO for completion.

   The 'guide' itself is being updated to reflect the new questions and will need to be
   approved in DMS through the established directive process before it can be published
   to the OPM.GOV and THEO websites."

u) 	 4A-CI-00-09-031 Recommendation 21
     We recommend that each system owner annually review the existing PIA for their system
     to reevaluate current holdings of personally identifiable information (PII), and that they
     submit evidence of the review to CIS.

   FY 2010 Status
   Each system owner is reviewing the PIA for their system as part of the process of
   implementing the new PIA Guide. However, the assessments were not complete as of
   September 30, 2010. This recommendation remains open and is rolled forward as Report
   4A-CI-00-10-019 Recommendation 38.

   Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09-031
   Recommendation 21)
   We recommend that each system owner annually review the existing PIA for their system
   to reevaluate current holdings of PII, and that they submit evidence of the review to the
   OCIO.

   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. System Owners are required to validate PTAs
   annually."

v) 	 4A-CI-00-09-031 Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-08-022
     Recommendation 12)
     We recommend that OPM continue its efforts to eliminate the unnecessary use of social
     security numbers (SSNs) in accordance with OMB Memorandum M-07-16.

   FY 2010 Status
   The OCIO has developed a plan to eliminate the unnecessary use of SSNs, but does not
   currently have the resources to execute the plan. The recommendation remains open and
   will be rolled forward as Report 4A-CI-00-10-019 Recommendation 39.

   Recommendation 39 (Roll-Forward from OIG Reports 4A-CI-00-09-031
   Recommendation 22 and 4A-CI-00-08-022 Recommendation 12)
   We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs
   in accordance with OMB Memorandum M-07-16.




   OCIO Response:
   "The CIO concurs with this recommendation and offers clarifying remarks in order to
   present a more current interpretation. OPM currently does not have the funding to
   effectively pursue the elimination of unnecessary use of SSN's as stated in OMB
   memorandum M-07-16. Efforts are made when the unnecessary use of SSN is
   discovered in PTA and PIA documentation and efforts are explored with the program
   office for alternatives. OPM does comply with the requirement to meet regularly with
   other federal agencies on this effort."

w) 	4A-CI-00-09-031 Recommendation 23
    We recommend that OPM participate in government-wide efforts to explore alternatives
     to agency use of SSNs, as required by OMB Memorandum M-07-16.

   FY 2010 Status
   The OIG has been provided evidence that OPM participates in government-wide efforts
   to explore alternatives to agency use of SSNs; this recommendation is closed.

x) 	 4A-CI-00-09-031 Recommendation 24 (Roll-Forward from OIG Reports 4A-CI-00-08-022
     Recommendation 13, 4A-CI-00-07-015 Recommendation 3, and 4A-CI-00-07-007
     Recommendation 4)
     We recommend that CIS encrypt all data on all mobile computers containing sensitive
     information.

   FY 2010 Status
   The OIG has been provided evidence that the OCIO encrypts all data on all mobile
   computers containing sensitive information; this recommendation is closed.

y) 	 4A-CI-00-09-031 Recommendation 25
     We recommend that OPM develop an up-to-date Security Configuration and Hardening
     Policy, Patch Management Policy, and System Monitoring Policy.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 11 (see section IV, above).

z) 	 4A-CI-00-09-031 Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendation 16)
   We recommend that OPM implement FDCC compliant images on all OPM workstations.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 14 (see section IV, above).

aa) 4A-CI-00-09-031 Recommendation 27
    We recommend that OPM incorporate Federal Acquisition Regulation 2007-004
    language in all contracts related to common security settings.


   FY 2010 Status
   The OCIO has taken steps towards incorporating Federal Acquisition Regulation 2007-
   004 language in all contracts related to common security settings, but the language does
   not yet appear in all contracts. The formatting of the new language is still in draft form.
   The recommendation remains open and is rolled forward as Report 4A-CI-00-10-019
   Recommendation 40.


   Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00-09-031
   Recommendation 27)
   We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in
   all contracts related to common security settings.

   OCIO Response:
   "The CIO concurs with this recommendation."

bb) 4A-CI-00-09-031 Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-08-022
    Recommendation 15)
    We recommend that in the event that [redacted] cannot be remediated due to
    a technical or business reason, the [redacted] owner should document the reason in the
    system's ISSP and formally accept any associated risks.


   The [redacted] vulnerability in question has not been addressed as this database is currently
   in the process of migrating to a new version of [redacted]. This recommendation remains
   open and is rolled forward as Report 4A-CI-00-10-019 Recommendation 41.

   Recommendation 41 (Roll-Forward from OIG Reports 4A-CI-00-09-031
   Recommendation 28 and 4A-CI-00-08-022 Recommendation 15)
   We recommend that in the event that [redacted] cannot be remediated due to
   a technical or business reason, the [redacted] owner should document the reason in the
   system's ISSP and formally accept any associated risks.

   OCIO Response:
   "The CIO concurs with this recommendation."


cc) 4A-CI-00-09-031 Recommendation 29
    We recommend that CIS determine which systems in its inventory are subject to
    e-Authentication requirements and complete e-Authentication risk assessments for each of
    these systems.

   FY 2010 Status
   OPM's master system inventory appropriately identifies systems that are subject to an
   e-Authentication risk assessment; this recommendation is closed.




dd) 4A-CI-00-09-031 Recommendation 30 (Roll-Forward from OIG Reports 4A-CI-00-08-022
    Recommendation 19, 4A-CI-00-07-007 Recommendations 3 and 9, 4A-CI-00-07-015
    Recommendation 1, and 4A-CI-00-06-016 Recommendation 6)
    We recommend that CIS develop up-to-date and comprehensive IT security policies and
    procedures, and publish these documents to THEO.

   FY 2010 Status
   This recommendation remains open and is rolled forward to Report 4A-CI-00-10-019
   Recommendation 1 (see section I, above).





                            Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:

•                  , Group Chief

•                     Senior Team Leader

•                     Lead IT Auditor

•                 IT Auditor

•                     IT Auditor

•                 IT Auditor





                                                                        Appendix I

                                                       Status of Prior OIG Audit Recommendations

The tables below outline the current status of prior audit recommendations issued by the Office of the Inspector General.

Report No. 4A-IS-00-05-026: Audit of IT Security Controls for the Electronic Questionnaire for Investigative Processing (e-QIP), issued
June 16, 2005
Rec# 18
   Original Recommendation: We recommend that FISO verify that only authorized users
   have access to e-QIP and document and maintain on file authorizations for users,
   including administrators, operators, and developers.
   Recommendation History: Recommendation new in FY 2005. In FY 2009 FISO was in the
   process of updating OPM account access request form 1665 to address this recommendation.
   Current Status: OPEN - OPM Form 1665 has not been updated as of September 30, 2010.


Report No. 4A-CI-00-06-016: FY 2006 Federal Information Security Management Act Audit, issued September 22, 2006

Rec# 6
   Original Recommendation: We recommend that the CIS/CIO develop and document a
   formal process to promptly analyze new and existing guidance and update OPM's IT
   security policies and procedures accordingly.
   Recommendation History: Recommendation new in FY 2006. Rolled-forward as Report
   4A-CI-00-07-007 Recommendation 9, 4A-CI-00-08-022 Recommendation 19, and
   4A-CI-00-09-031 Recommendation 30.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.


Report No. 4A-CI-00-07-015: FY 2007 Audit of the Privacy Program at OPM, issued January 25,2007
Rec# 1
   Original Recommendation: We recommend that OPM develop a comprehensive privacy
   policy (or a series of policies), that addresses the required areas.
   Recommendation History: Recommendation new in FY 2007. Rolled-forward as Report
   4A-CI-00-07-007 Recommendation 3.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.

Rec# 3
   Original Recommendation: We recommend that OPM continue its efforts to implement
   encryption capabilities on laptop computers and Blackberry mobile devices.
   Recommendation History: Recommendation new in FY 2007. Rolled-forward as Report
   4A-CI-00-07-007 Recommendation 4, 4A-CI-00-08-022 Recommendation 13, and
   4A-CI-00-09-031 Recommendation 24.
   Current Status: CLOSED

Rec# 4
   Original Recommendation: [not legible in the extracted text]
   Recommendation History: Recommendation new in FY 2007. Rolled-forward as Report
   4A-CI-00-07-007 Recommendation 4, 4A-CI-00-08-022 Recommendation 13, and
   4A-CI-00-09-031 Recommendation 24.
   Current Status: CLOSED

Rec# 7
   Original Recommendation: We recommend that OPM develop policies and procedures
   for periodically monitoring the Agency intranet, network, and websites for inadvertent
   privacy vulnerabilities.
   Recommendation History: Recommendation new in FY 2007.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 26.


Report No. 4A-CI-OO-07-007: FY 2007 Federal Information Security Management Act Audit, issued September 18, 2007

Rec# 3
   Original Recommendation: We recommend that OPM's Plans and Policy Group continue
   its efforts to develop an Agency-wide privacy policy.
   Recommendation History: Rolled-forward from Report 4A-CI-00-07-015 Recommendation 1.
   Rolled-forward as Report 4A-CI-00-08-022 Recommendation 19, and 4A-CI-00-09-031
   Recommendation 30.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.

Rec# 4
   Original Recommendation: We recommend that OPM continue its efforts to protect
   sensitive data by implementing technical controls in compliance with OMB Memorandum
   M-06-16.
   Recommendation History: Rolled-forward from Report 4A-CI-00-07-015 Recommendation 3.
   Rolled-forward as Report 4A-CI-00-08-022 Recommendation 13, and 4A-CI-00-09-031
   Recommendation 24.
   Current Status: CLOSED

Rec# 9
   Original Recommendation: We recommend that the CIS/CIO promptly update OPM's IT
   security policies.
   Recommendation History: Rolled-forward from Report 4A-CI-00-06-016 Recommendation 6.
   Rolled-forward as Report 4A-CI-00-08-022 Recommendation 19, and FY 2009
   4A-CI-00-09-031 Recommendation 30.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.



Report No. 4A-CI-00-08-022: FY 2008 Federal Information Security Management Act Audit, issued September 23, 2008

Rec# 1
   Original Recommendation: We recommend that OPM ensure that an annual test of
   security controls has been completed for all systems.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 6.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 10.

Rec# 2
   Original Recommendation: We recommend that OPM's program offices test the
   contingency plans for each system on an annual basis.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 9.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 30.

Rec# 4
   Original Recommendation: We recommend that the program offices incorporate all
   known security weaknesses into the POA&Ms.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 12.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 18.

Rec# 5
   Original Recommendation: We recommend that an up-to-date POA&M exist for each
   system in OPM's inventory.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 13.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 19.

Rec# 6
   Original Recommendation: We recommend that all program offices submit POA&Ms
   to the CIS/CIO office on a quarterly basis.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 13.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 19.

Rec# 9
   Original Recommendation: We recommend that the CIS/CIO take the appropriate steps
   to ensure that all active systems in OPM's inventory have a complete and current C&A.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 16.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 5.

Rec# 12
   Original Recommendation: We recommend that OPM continue its efforts to reduce the
   use of SSNs and develop a formal plan to eliminate the unnecessary collection and use
   of SSNs within 18 months in accordance with OMB M-07-16.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 22.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 39.

Rec# 13
   Original Recommendation: We recommend that OPM continue its efforts to implement
   a solution to automatically encrypt all data on mobile computers/devices carrying
   agency data unless the data is determined not to be sensitive.
   Recommendation History: Rolled-forward from Report 4A-CI-00-07-007 Recommendation 4
   and 4A-CI-00-07-015 Recommendation 3. Rolled forward as Report 4A-CI-00-09-031
   Recommendation 24.
   Current Status: CLOSED




Rec# 15
   Original Recommendation: We [redacted] a manner consistent with OPM's [redacted]
   Policy. Each of the vulnerabilities [redacted] in [redacted] audit inquiry should be
   formally documented, itemized, and prioritized in a POA&M. In the event that a
   vulnerability cannot be remediated due to a technical or business reason, the supported
   system's owner should document the reason in the [redacted] ISSP to [redacted]
   associated risks.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 28.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 41.

Rec# 16
   Original Recommendation: We recommend that OPM continue its efforts to implement
   all required elements of the FDCC.
   Recommendation History: Recommendation new in FY 2008. Rolled-forward as Report
   4A-CI-00-09-031 Recommendation 26.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 14.

Rec# 19
   Original Recommendation: We recommend that the CIS/CIO promptly update OPM's IT
   security policies and publish them to THEO.
   Recommendation History: Rolled-forward from Report 4A-CI-00-07-007 Recommendations
   3 and 9, 4A-CI-00-07-015 Recommendation 1, and 4A-CI-00-06-016 Recommendation 6.
   Rolled-forward as Report 4A-CI-00-09-031 Recommendation 30.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.




Report No. 4A-CI-00-09-053: Flash Audit Alert - Information Technology Security Program at the U.S. Office of Personnel Management,
issued May 27, 2009

Rec# 1
   Flash Audit Alert Original Recommendation: We recommend that CIS correct the FY 2009
   second quarter FISMA report to accurately reflect the status of OPM's IT security
   position as of March 1, 2009.
   Recommendation History: Recommendation new in FY 2009.
   Current Status: CLOSED

Rec# 2
   Flash Audit Alert Original Recommendation: We recommend that CIS develop a
   comprehensive set of IT security policies and procedures, and a plan for updating it at
   least annually.
   Recommendation History: Recommendation new in FY 2009.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.

Rec# 3
   Flash Audit Alert Original Recommendation: We recommend that the OPM Director
   ensure that OS has adequate resources to properly staff its IT Security and Privacy
   Group.
   Recommendation History: Recommendation new in FY 2009.
   Current Status: OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 2.

Rec# 4
   Flash Audit Alert Original Recommendation: We recommend that CIS recruit a permanent
   Senior Agency Information Security Officer as soon as possible, and adequate staff to
   effectively manage the agency's IT security program.
   Recommendation History: Recommendation new in FY 2009.
   Current Status: CLOSED


Report No. 4A-HR-00-09-033: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Enterprise Human Resources Integration Data Warehouse FY 2009, issued June 1, 2009

Rec # | Original Recommendation | Recommendation History | Current Status
1 | We recommend that HRLOB routinely audit active EHRIDW user accounts for appropriateness. | Recommendation new in FY 2009. | CLOSED


Report No. 4A-CI-00-09-052: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Integrated Security Management System, issued August 10, 2009

Rec # | Original Recommendation | Recommendation History | Current Status
1 | We recommend that CSEA continue to develop and improve the ISMS contingency plan. This includes, but is not limited to, adding specific and detailed steps to the recovery procedures and assigning specific individuals to the various recovery teams. CSEA should conduct another test of the contingency plan after the plan has been modified. | Recommendation new in FY 2009. | CLOSED
2 | We recommend that ISMS edit its POA&M template to facilitate the prioritization of weaknesses. | Recommendation new in FY 2009. | CLOSED
3 | We recommend that CSEA expand the ISMS audit procedures to include a process for reviewing the activities of the system administrator. | Recommendation new in FY 2009. | CLOSED
4 | We recommend that CSEA disable all shared user accounts for ISMS, and enforce the use of individual accounts for all users. | Recommendation new in FY 2009. | CLOSED
5 | We recommend that CSEA document a baseline configuration for ISMS's application level settings and develop procedures for requesting and approving changes to these settings. | Recommendation new in FY 2009. | CLOSED
6 | We recommend that CSEA have all ISMS users sign the rules of behavior document. | Recommendation new in FY 2009. | CLOSED


Report No. 4A-CI-00-09-031: FY 2009 Federal Information Security Management Act Audit, issued November 4, 2009

FY Rec # | Original Recommendation | Recommendation History | Current Status
1 | We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 33.
2 | We recommend that CIS develop and maintain an inventory of all system interfaces. | Recommendation new in FY 2009. | CLOSED
3 | We recommend that CIS develop a policy providing guidance on the development and appropriate use of MOUs and ISAs. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 34.
4 | We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 35.
5 | We recommend that CIS develop a policy for adequately testing the security controls of OPM's systems, and provide training to the Designated Security Officer (DSO) community related to proper security control testing. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 9.
6 | We recommend that OPM ensure that an annual test of security controls has been completed for all systems. The IT security controls should be immediately tested for the two systems that were not subject to testing in FY 2009. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 1. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 10.
7 | We recommend that OPM develop detailed guidance related to developing and testing the contingency plans of agency systems and provide training to the DSO community related to proper contingency planning and contingency plan testing. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 28.
8 | We recommend that up-to-date contingency plans be developed for all agency systems. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 29.
9 | We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 11 systems that were not subject to testing in FY 2009. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 2. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 30.
10 | We recommend that OPM develop a policy providing guidance on providing adequate oversight of contractor operated systems. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 32.
11 | We recommend that CIS publish the Plan of Action and Milestone Standard Operating Procedure to THEO. Once the procedures have been published, CIS should work closely with the DSO community, providing training and information-sharing sessions, to implement the procedures and ensure that there is a clear understanding of the appropriate management of POA&Ms. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 17.
12 | We recommend that OPM program offices incorporate all known IT security weaknesses into POA&Ms. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 4. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 18.
13 | We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that system owners submit updated POA&Ms to CIS on a quarterly basis. | Rolled-forward from Report 4A-CI-00-08-022 Recommendations 5 and 6. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 19.
14 | We recommend that CIS develop a formal corrective action plan to immediately remediate all POA&M weaknesses that are over 120 days overdue. In addition, we recommend that CIS take a lead role in the future and work closely with OPM program offices to ensure that POA&M completion dates are achieved. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 20.
15 | We recommend that the program offices responsible for the two systems in question prioritize the system weaknesses listed on their POA&Ms. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 22.
16 | We recommend that all active systems in OPM's inventory have a complete and current C&A. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 9. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 5.
17 | We recommend that the FIPS Publication 199 security categorization be updated for the inappropriately categorized system. | Recommendation new in FY 2009. | CLOSED
18 | We recommend that CIS update the PIA Guide to address all of the requirements of OMB Memorandum M-03-22. | Recommendation new in FY 2009. | CLOSED
19 | We recommend that CIS conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and contractors. | Recommendation new in FY 2009. | CLOSED - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 36, but closed due to response from draft report.
20 | We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 37.
21 | We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to CIS. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 38.
22 | We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 12. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 39.
23 | We recommend that OPM participate in government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB Memorandum M-07-16. | Recommendation new in FY 2009. | CLOSED
24 | We recommend that CIS encrypt all data on all mobile computers containing sensitive information. | Rolled-forward from Report 4A-CI-00-07-007 Recommendation 4, 4A-CI-00-07-015 Recommendation 3, and Report 4A-CI-00-08-022 Recommendation 13. | CLOSED
25 | We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy, Patch Management Policy, and System Monitoring Policy. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 11.
26 | We recommend that OPM implement FDCC compliant images on all OPM workstations. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 16. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 14.
27 | We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings. | Recommendation new in FY 2009. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 40.
28 | We recommend that in the event that a [redacted] vulnerability cannot be remediated due to a technical or business reason, the system's owner should document the reason in the system's ISSP and formally accept any associated risks. | Rolled-forward from Report 4A-CI-00-08-022 Recommendation 15. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 41.
29 | We recommend that CIS determine which systems in its inventory are subject to e-Authentication requirements and complete e-Authentication risk assessments for each of these systems. | Recommendation new in FY 2009. | CLOSED
30 | We recommend that CIS develop up-to-date and comprehensive IT security policies and procedures, and publish these documents to THEO. | Rolled-forward from Report 4A-CI-00-06-016 Recommendation 6, 4A-CI-00-07-007 Recommendation 3 and Recommendation 9, 4A-CI-00-07-015 Recommendation 1, and 4A-CI-00-08-022 Recommendation 19. | OPEN - Rolled-forward as Report 4A-CI-00-10-019 Recommendation 1.




                                                                   9

Appendix

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

MEMORANDUM

[Addressee name illegible], Information Systems Audit Group
MATTHEW E. PERRY, Chief Information Officer
[Signature and date illegible]

Subject: Response to the Federal Information Security Management Act Audit - FY 2010, Report No. 4A-CI-00-10-019


Thank you for the opportunity to comment on the subject report. The results provided in the draft report
consist of a number of recommendations. The recommendations are valuable to our program
improvement efforts and most of them are generally consistent with our plan.

OIG Recommendations:

Recommendation 1 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 30, 4A-CI-00-08-022 Recommendation 19, and 4A-CI-00-09-053 Recommendation 2)
We recommend that CIS develop up-to-date and comprehensive IT security policies and
procedures, and publish these documents to THEO, and a plan for updating them at least
annually.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a more
current interpretation of the status of the IT security policies and procedures. The IT security and
privacy policy volumes 1 and volume 2 were last updated and posted on THEO in August 2009. The
CIO understands that additional policy updates are required to comply with guidance issued by NIST
during the last year and to address some deficiencies in the current policies. The Bureau of the Public
Debt (BPD) has been retained through an Interagency Agreement to update and to bring IT Security and
Privacy policies into OPM and FISMA compliance. A kickoff meeting was held for this project in
September 2010 and BPD is expected to be on site to collect policy requirements during the next 60
days. A comprehensive IT security and Privacy handbook is expected to be completed in FY2011.

This recommendation also cited the need for procedures, and a number of procedures were created or
updated and posted on THEO in 2009/2010 including:

   •   Certification and Accreditation Guide (July 2009)
   •   Incident Response and Reporting Guide (July 2009)
   •   LAN Complex Passwords (June 2009)
   •   OPM Computer User Responsibilities (June 2009)
   •   Plan of Action and Milestone (POA&M) Standard Operating Procedure (September 2009)
   •   Process for Analyzing New and Emerging Information Security and Privacy Requirements (July 2009)
   •   System Access Authorization Procedure (July 2009)
   •   Privacy Impact Assessment (PIA) Guide (April 2010)
   •   System of Records Notice (SORN) Guide (April 2010)

The CIO believes that the above procedures have enhanced IT security and privacy at OPM and
understands that additional work needs to be done to develop new procedures and to enhance
existing ones as necessary. Current procedures will be revisited and additional ones will be
developed in FY2011 as necessary.

Recommendation 2 (Roll-Forward from OIG Report 4A-CI-00-09-053 Recommendation 3)
We recommend that the OPM Director ensure that CIO has adequate resources to
properly staff its IT Security and Privacy Group.


The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation of the staffing situation in the IT Security and Privacy Group. During
the past five months, a Senior Agency Information Security Officer has been hired and the staff
complement in the security and privacy group has increased from [redacted] FTEs along with
contractor resources as needed. Recognizing that additional staff resources are needed, the CIO
believes that incremental progress is being made in this area.

Recommendation 3
We recommend that CIO develop and implement an active strategy to maintain up-to-date
information regarding OPM's master system inventory.

The CIO concurs with this recommendation and has already taken steps through the issuance of
a data call to the IT Security Working Group on September 8, 2010 to identify systems used by
OPM that are not on the FISMA system inventory. The CIO has also initiated an internal review
to determine if applications were inappropriately bundled into other larger systems as previously
reported in prior audit findings. Additional systems identified from the data call and internal
system review will be evaluated for addition to the master system inventory.

Recommendation 4
We recommend that OPM implement a centralized information security governance
structure where all information security practitioners, including designated security
officers, report to the Senior Agency Information Security Official. Adequate resources
should be assigned to the OCIO to create this structure. Existing designated security
officers who report to their program offices should return to their program office duties.
The new staff that reports to the SAISO should consist of experienced information security
professionals.

The CIO concurs with this recommendation. The overall IT security governance at OPM can be
improved by implementing a centralized information security governance structure consisting of
IT security professionals.


Recommendation 5 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation 16)
We recommend that all active systems in OPM's inventory have a complete and current
C&A.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. Program offices are responsible for the security and C&A of their
systems. C&As are often contracted to various entities that employ different styles in preparing
the final packages and this explains why all C&A packages do not look alike. The CIO believes
that all completed C&A packages must properly address required security controls and contain
required artifacts per the OPM C&A Guide, and that the look and feel of packages is a reflection
of the various sources contracted by the program offices to complete the packages.

Regarding the six systems with expired C&A, the CIO agrees that all production systems should
have a current C&A. However, the OPM procurement process can be lengthy depending on
workload, which has an effect on getting contracts and interagency agreements for C&A in place. The
extended Authority to Operate for the six systems was issued in support of OPM mission support
activities.

Recommendation 6
We recommend that CIO develop a risk assessment policy to provide guidance to program
offices conducting a risk assessment as part of the C&A process.

The CIO does not concur with this recommendation. Risk assessment policies are documented
in the current IT security and Privacy policy volume 2 that is posted on THEO. However, risk
assessment policy will be revisited and updated in the new IT Security policy updates that BPD
has been retained to complete.

Recommendation 7
We recommend that CIO develop an ISSP policy to provide guidance to program offices
developing a security plan as part of the C&A process.

The CIO does not concur with this recommendation. Information Systems Security Plan policies
are documented in the current IT security and Privacy policy volume 2 that is posted on THEO.
The policies also reference NIST security plan templates that can be used to build a security
plan. However, IT security plans policy will be updated to provide additional as part of the BPD
policy update project.

Regarding the review of C&A packages, two full time resources have been hired to review C&A
packages and to provide guidance to the DSO community. One of these resources is already
onboard and the second is expected to start work after completing the necessary new employee
onboarding procedures.

Recommendation 8
We recommend that CIO assign additional resources to facilitate the C&A process to
ensure the consistency and quality of C&A packages developed by OPM program offices.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO has doubled the number of full time resources assigned to
the C&A program and this increase in resources will improve the quality of C&A packages.
C&A packages found to be of poor quality are being returned for rework for correction of
deficiencies.

Recommendation 9 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation 5)
We recommend that CIS develop a policy for adequately testing the security controls of
OPM's systems, and provide training to the DSO community related to proper security
control testing.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The Information Security and Privacy Policy Volume 1 requires
security controls to be periodically assessed and CIO security staff works with the DSO
community on annual testing efforts including keeping track of the number of systems that have
tested their security controls. We will enhance the current security policy in the security
handbook that is under development and provide additional guidance to DSOs to enhance the
testing of security controls.


Recommendation 10 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation
6 and Report 4A-CI-00-08-022 Recommendation 1)
We recommend that OPM ensure that an annual test of security controls has been
completed for all systems.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO staff continues to work with the DSO community to ensure
that security controls have been tested for all systems. The CIO security staff sends out a
reminder to all DSOs each month informing them to complete required security controls testing
and assist with technical guidance. We will continue to work with the DSO community and
escalate systems where security controls have not been tested to the associated director in the
specific business area.

Recommendation 11 (Roll-Forward from OIG Report No. 4A-CI-00-09-031 Recommendation m)
We recommend that CIO develop and publish to THEO an up-to-date Patch Management
Policy.

The CIO does not concur with this recommendation. The OPM ISPP details the high level patch
(flaw remediation) requirements and agency policy (see ISPP Volume 2, page 71, 800-53 rev 3
Control SI-2). Low level procedures exist and are utilized by the Network Management
administrators to patch desktops and servers. Ongoing improvements to the patch management
process are being tested and implemented as new tools and processes become available. Current
initiatives include procurement requests for enterprise-wide patch and vulnerability management
tools (Big Fix and Windows SUS) scheduled for implementation in FY 2011.

Recommendation 12
We recommend that CIO develop a single centralized agency-wide hardware inventory.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. Network Management is actively implementing a centralized
agency-wide automated hardware inventory tracking system. Asset tags are being applied to all
accountable IT assets and pending procurements for scanning equipment are expected to quickly
bring the outstanding inventory under control. Daily and weekly automated inventory reports are
now being produced and internal audits of the process will begin this quarter.

Recommendation 13
We recommend that CIO develop and implement a strategy for using automated
techniques for tracking hardware inventory.

The CIO concurs with this recommendation. 

Recommendation 14 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 26
and Report 4A-CI-00-08-022 Recommendation 16)
We recommend that CIO implement FDCC compliant images on all OPM workstations.

The CIO concurs with this recommendation and offers the following clarifying remarks: An
FDCC workstation baseline image has been created and is currently being deployed. All new
workstations and all agency laptops are currently secured utilizing an FDCC (USGCB)
compliant image. The FDCC image has been rolled out to 1200 laptops and 800 desktops as of
this date. Image deployment and enforcement of the legacy workstations is currently an active
project and is being pushed through domain GPO. The addition of workstations occurs daily and
is scheduled to have full completion by the end of the first quarter of FY 2011. Part of the delay
in implementation was due to working with the union to assess the impact on employees.

Recommendation 15
We recommend that CIO improve the spreadsheet used to track security training to
include a job function/responsibility for each individual that directly maps to the table
containing training requirements.

The CIO concurs with this recommendation and believes that the current spreadsheet used to
track specialized security training can be improved. We will update the spreadsheet to include
job function and responsibility for each individual that maps to the table containing training
requirements.

Recommendation 16
We recommend that CIO ensure that all employees with significant information security
responsibility take meaningful and appropriate specialized security training on an annual
basis.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO believes that many employees are already taking
meaningful and appropriate specialized training such as specialized courses offered through
outside training providers, IT security conferences and other sources. However, OPM has
contracted with Skill Soft to provide online training to employees at no additional cost. The
CIO believes that the security courses available online through Skill Soft such as CISSP prep
courses among others will be sufficient to meet the specialized training requirements.

Recommendation 17 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 11)
We recommend that CIO work closely with the DSO community, providing training and
information-sharing sessions, to implement the procedures and ensure that there is a clear
understanding of the appropriate management of POA&Ms.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO is working closely with the DSO community on training
and information sharing activities through the IT Security Working Group (ITSWG) that is
facilitated by the Senior Agency Information Security Officer monthly. During FY10 we
provided training on contingency plan testing, common security controls and POA&M
management in addition to other areas. The CIO believes that this type of training is beneficial
to the DSOs and for maintaining the OPM IT Security program and will continue to provide
training and information sharing sessions through the ITSWG. The CIO will encourage all DSOs
to take advantage of specialized training opportunities through the OPM Skill Soft program.

Recommendation 18 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 12
and OIG Report 4A-CI-00-08-022 Recommendation 4)
We recommend that OPM program offices incorporate all known IT security weaknesses
into POA&Ms.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO has dedicated multiple resources to ensure that all IT
security weaknesses are incorporated into POA&Ms and has implemented safeguards to ensure
accuracy. The CIO will continue to improve the POA&M management process.

Recommendation 19 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 13
and 4A-CI-00-08-022 Recommendations 5 and 6)
We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and
that system owners submit updated POA&Ms to CIS on a quarterly basis.

The CIO does not concur with this recommendation. The CIO believes that up-to-date
POA&Ms are in place for the systems on the OPM inventory and this is evident by a 100%
compliance rate for Quarters 3 and 4 of FY10. The CIO believes that this recommendation
focused on a period prior to Quarter 3 of FY10.

Recommendation 20 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 14)
We recommend that CIS develop a formal corrective action plan to immediately remediate
all POA&M weaknesses that are over 120 days overdue. In addition, we recommend that
CIS take a lead role in the future and work closely with OPM program offices to ensure
that POA&M completion dates are achieved.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO agrees that an action plan to remediate POA&M
weaknesses that are over 120 days is appropriate and will take steps to develop the action plan.
However, the CIO does not agree that all POA&Ms that are over 120 days can be remediated
immediately because the resolution to some of these POA&Ms is beyond OPM's control and
require the cooperation of other stakeholders outside of OPM such as other Federal agencies.
Many of these agencies for example have not implemented two factor authentication for various
reasons including financial and this will prevent closure of certain POA&Ms that are over 120
days. The CIO will make every effort to assess and remediate as many of these POA&Ms as
possible.

Recommendation 21
We recommend that CIO verify that adequate proof of closure documentation exists for
remediated weaknesses before allowing the program office to close POA&M items.

The CIO does not concur with this recommendation. The POA&M management team in the
Security and Privacy Group verifies that all POA&Ms submitted by Program Offices have
adequate supporting evidence to close the POA&M and ensures that a proof of closure form is
completed for each POA&M before closure takes place. Requests to close POA&Ms with
adequate documentation or completed proof of closure forms are returned to the sender.

Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 15)
We recommend that the program offices responsible for the LAN/WAN prioritize the
system weaknesses listed on its POA&Ms.

The CIO does not concur with this recommendation. The LAN/WAN POA&Ms are prioritized
and most recently updated during the June 2010 re-certification.

Recommendation 23
We recommend that CIO update its telecommuting and remote access policy in accordance
with NIST SP 800-46 Revision 1 guidelines.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The remote access policy and procedures are currently under review
while new remote access methods are being tested and evaluated. Review and testing of new
policy and procedures are expected to begin the second quarter FY 2011.

Recommendation 24




Recommendation 25:
We recommend that CIO implement an automated process to detect unauthenticated
network devices.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. An automated process to detect unauthenticated network devices
has been procured and is expected to be in place and operational in the third quarter FY 2011.

Recommendation 26
We recommend OPM develop a Continuous Monitoring Policy that outlines a strategy for
identifying information security controls that need continuous monitoring as well as
procedures for conducting the tests.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO believes that continuous monitoring must be part of the IT
Security policy updates that are now underway with assistance from the Bureau of the Public
Debt. However, the CIO believes that security controls associated with continuous monitoring
are documented in the Certification & Accreditation guide posted on THEO.

Recommendation 27
We recommend OPM create a list of common security controls and distribute this
information to OPM program offices responsible for testing individual applications.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO has initiated a project to establish enterprise common
controls under the management of the Senior Agency Information Security Officer. The IT
Security Working Group has been briefed on this project and work has started with the program
offices to identify common security controls and to consolidate them in a managed data
repository. Enterprise common controls are expected to be in place in FY11.

Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 7)
We recommend that OPM develop detailed guidance related to developing and testing the
contingency plans of agency systems and provide training to the DSO community related to
proper contingency planning and contingency plan testing.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO believes that the contingency plan training provided to the
Designated Security Officers through the IT Security Working Group is adequate. The CIO
plans to standardize the contingency plan templates to improve the quality of the testing process.

Recommendation 29: (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 8)
We recommend that up-to-date contingency plans be developed for all agency systems.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO believes that having up-to-date contingency plans are
important and will continue to work with the Designated Security Officers to keep plans current.

Recommendation 30: (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 9
and OIG Report 4A-CI-00-08-022 Recommendation 2)
We recommend that OPM's program offices test the contingency plans for each system on
an annual basis. The contingency plans should be immediately tested for the 17 systems
that were not subject to adequate testing in FY 2010.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. Contingency plans are tested for a majority of systems on an annual
basis and the records of each test are maintained by the Security and Privacy Group. The CIO
acknowledges that some systems are behind schedule (approximately 10) with their testing in
2010 and will work to ensure that all testing is completed.

Recommendation 31
We recommend that an OPM employee test information security controls for all systems
operated by a contractor on an annual basis.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The CIO has provided guidance for testing security controls for
contractor operated systems and the Security and Privacy Group has assessed security controls at
the hosting facility for the IGS _LMS Learning Management System. The Security and Privacy
Group plans to extend security controls testing in FY 11 at other contractor facilities operating
OPM systems.

Recommendation 32 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 10)
We recommend that OPM develop a policy providing guidance on adequate oversight of
contractor operated systems.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. Policy covering oversight of contractor systems is documented in
the IT Security & Privacy Handbook volume 1 that is posted on THEO. Additional related
policy will be included in the policy update effort that is now in progress that will result in
comprehensive IT security policies.

Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 1)
We recommend that CIS conduct a survey of OPM program offices (particularly the
Benefits Systems Group) to identify any systems that exist but do not appear on the system
inventory. The systems discovered during this survey should be promptly added to the
system inventory and certified and accredited.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. A survey has been distributed to identify systems used by OPM that
might not be on the system inventory. The results of the survey will be used to update that
system inventory as necessary.

Recommendation 34 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 3)
We recommend that CIO develop a policy providing guidance on the development and
appropriate use of MOUs and ISAs.

The CIO does not concur with this recommendation and believes that MOU and ISA policies are
documented in the IT Security and Privacy Handbook volume 2 that is posted on THEO. The
current MOU/ISA policies will be enhanced as part of the security policy update project.

Recommendation 35 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 4)
We recommend that CIS conduct a survey to determine how many systems owned by
another agency are used by OPM.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. A survey has been distributed to program offices to identify systems
used by OPM that might not be on the system inventory. The results of the survey will be used to
update that system inventory as necessary and to determine other systems owned by other
agencies that are used by OPM.

Recommendation 36 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 19)
We recommend that CIO conduct a new PIA survey to determine which OPM systems
require a PIA, including those systems that process sensitive information about
government employees and contractors.

The CIO does not concur with this recommendation. A Privacy Threshold Analysis
documentation is performed for each system to discover whether a PIA is required. This is in
accordance with NIST 800-122 recommendations.

Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 20)
We recommend that a new PIA be conducted for the appropriate systems based on the
updated PIA Guide.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. The new PIA template was reviewed and accepted by the OIG. We
are informing DSOs that there are new requirements when they submit their PIAs for review.
The PIA submitted by the DSO is being updated with the new questions required by the IG and
returned to the DSO for completion.
The "guide" itself is being updated to reflect the new questions and will need to be approved in
OMS through the established directive process before it can be published to the OPM.GOV and
THEO websites.

Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09-031 Recommendation 21)
We recommend that each system owner annually review the existing PIA for their system
to reevaluate current holdings of PII, and that they submit evidence of the review to CIO.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. System Owners are required to validate PTAs annually.

Recommendation 39 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 22
and Report 4A-CI-00-08-022 Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in
accordance with OMB Memorandum M-07-16.

The CIO concurs with this recommendation and offers clarifying remarks in order to present a
more current interpretation. OPM currently does not have the funding to effectively pursue the
elimination of unnecessary use of SSNs as stated in OMB Memorandum M-07-16. Efforts are
made when the unnecessary use of SSN is discovered in PTA and PIA documentation and efforts
are explored with the program office for alternatives. OPM does comply with the requirement to
meet regularly with other federal agencies on this effort.

Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 27)
We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all
contracts related to common security settings.

The CIO concurs with this recommendation.

Recommendation 41 (Roll-Forward from OIG Report 4A-CI-00-09-031 Recommendation 28
and Report 4A-CI-00-08-022 Recommendation 15)
We recommend that in the event that an Oracle vulnerability cannot be remediated due to
a technical or business reason, the system's owner should document the reason in the
system's ISSP and formally accept any associated risks.

The CIO concurs with this recommendation.

cc:
    Information Security Officer

    Internal Oversight and Compliance
Appendix III

Inspector General Section Report

Office of Personnel Management

Printed: October 29, 2010, 8:15 am

Section 1: Status of Certification and Accreditation Program
1.      Selected response is:
        b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make
        significant improvements as noted below.

                Comments: The OIG's FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM's C&A process were a
                significant deficiency in the internal control structure of the agency's IT security program. The weaknesses cited
                related to inadequate management of the process and incomplete, inconsistent, and poor quality C&A products.
                In FY 2010 these longstanding conditions not only continued, but actually degraded. As a result, we are now
                reporting a material weakness in the IT security control structure related to OPM's C&A process.

                We believe that the root causes of these issues include insufficient staffing in the IT Security and Privacy Group, a
                lack of policy and procedures, and the decentralized designated security officer (DSO) model in place at OPM.
        1a.     Areas for Improvement:
                1a(1).  Certification and accreditation policy is not fully developed.
                        Yes
                        Comments: In July 2009, OPM's Office of the Chief Information Officer (OCIO) published an agency-wide Certification and
                        Accreditation Guide. The C&A Guide addresses the roles and responsibilities of key personnel, a walkthrough of
                        the C&A Process, and a listing of the various security documents that are required elements of a C&A.

                        However, OPM's C&A Guide does not provide standard forms, templates, or detailed guidance on how to
                        prepare each of the required elements. The lack of such guidance has led to extreme inconsistencies in the quality
                        of C&A packages for various OPM systems.
                1a(2).  Certification and accreditation procedures are not fully developed, sufficiently detailed or consistently implemented.
                        Yes




OIG Report - Annual 2010                                                                    Page 1 of 17
                                        For Official Use Only
                        Comments: The OIG reviewed the full C&A packages of 15 systems that were subject to a C&A during FY 2010. Although
                        the packages we reviewed contained all of the elements required by OPM's C&A Guide, the quality of these
                        packages varied significantly between systems.

                        Although various forms of general guidance are available to assist program offices in the development of C&A
                        elements, the OCIO has not implemented centralized policies, guidelines, or templates outlining how various C&A
                        elements should be completed for OPM systems. As a result, the content and quality of a specific C&A element
                        varies widely between systems.
                1a(3).  Information systems are not properly categorized (FIPS 199/SP 800-60).
                        No
                1a(4).  Accreditation boundaries for agency information systems are not adequately defined.
                        No
                1a(5).  Minimum baseline security controls are not adequately applied to information systems (FIPS 200/SP 800-53).
                        No
                1a(6).  Risk assessments are not adequately conducted (SP 800-30).
                        Yes
                        Comments: OPM's OCIO has not developed a risk assessment policy. The extreme range in quality between risk
                        assessments conducted by various OPM program offices indicates that the OCIO has not provided adequate risk
                        assessment guidance.
                1a(7).  Security control baselines are not adequately tailored to individual information systems (SP 800-30).
                        No
                1a(8).  Security plans do not adequately identify security requirements (SP 800-18).
                        Yes
                        Comments: OPM's OCIO has not developed an information system security plan (ISSP) policy. The extreme range in quality
                        between ISSPs conducted by various OPM program offices indicates that the OCIO has not provided adequate
                        ISSP guidance.
                1a(9).  Inadequate process to assess security control effectiveness (SP 800-53A).
                        Yes


                        Comments: The OIG conducted a review of the documentation resulting from the security controls tests for each of the 43
                        systems in OPM's inventory. Our evaluation indicated that the IT security controls had been adequately tested for
                        only 28 of OPM's 43 systems during FY 2010.

                        There was a wide range of quality amongst the 28 security control tests that were conducted. Some program
                        offices tested all security controls applicable to that system while others tested only a small subset. There was also
                        a variance in the security controls that program offices assumed to be "common controls" inherited from OPM's IT
                        and facility infrastructures. In addition, the tests were documented in many different formats and templates. We
                        believe that these inconsistencies are a result of OPM's lack of agency-wide policy or guidance on how to
                        adequately test information system security controls.
                1a(10). Inadequate process to determine risk to agency operations, agency assets, or individuals, or to authorize information systems
                        to operate (SP 800-37).
                        Yes
                        Comments: Seven OPM systems are currently operating without an active C&A.

                        The OIG identified one OPM system that was in production for several years without being subject to a C&A.

                        In addition, the prior C&A for six additional systems from OPM's inventory expired in FY 2010, and a new C&A
                        has not been completed. Although an "interim Authorization to Operate" (IATO) was issued for these systems,
                        they are currently running in a production environment without an active C&A.
                1a(11). Inadequate process to continuously track changes to information systems that may necessitate reassessment of control
                        effectiveness (SP 800-37).
                        No

                1a(12). Other
                        Yes
                        Explanation for Other
                        OCIO management of C&A Process




                        Comments: OPM's OCIO is responsible for assisting program offices in the development of C&A packages for their systems.
                        OPM's C&A Guide also states that the OCIO must review completed C&A packages for quality and
                        completeness before recommending the system for accreditation.

                        Although the OCIO has procedures for conducting post-completion reviews of C&A packages, the OCIO does
                        not have the resources available to actively participate in the planning or development of the C&A packages for
                        each agency system.


Section 2: Status of Security Configuration Management
2.      Selected response is:
        b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to
        make significant improvements as noted below.

                Comments: OPM's OCIO has implemented an agency-wide Configuration Management Policy. This policy was updated
                during FY 2010 and outlines the process for maintaining a secure configuration network environment.
        2a.     Areas for Improvement:
                2a(1).  Configuration management policy is not fully developed.
                        No
                2a(2).  Configuration management procedures are not fully developed or consistently implemented.
                        No
                2a(3).  Software inventory is not complete (NIST 800-53: CM-8).
                        No
                2a(4).  Standard baseline configurations are not identified for all software components (NIST 800-53: CM-8).
                        No
                2a(5).  Hardware inventory is not complete (NIST 800-53: CM-8).
                        Yes




                        Comments: OPM currently uses several Excel spreadsheets to track its computer hardware inventory. These spreadsheets are
                        manually updated when new hardware is purchased or old hardware is decommissioned. Separate spreadsheets
                        are maintained by different individuals for Windows servers, Linux servers, and all servers operated by OPM's
                        Federal Investigative Services program office. However, each of these spreadsheets is maintained independently
                        from the other inventories, and no individual at OPM maintains a single inventory listing that contains all computer
                        hardware owned by the agency. Therefore, the OCIO is unable to attest that all computer hardware in OPM's
                        operating environment is accounted for.

                     2a(6).    Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).
                               No
                     2a(7).    Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).
                               No
                     2a(8).    FDCC is not fully implemented (OMB) and/or all deviations are not fully documented.
                               Yes

                                          Comments:     OPM has developed a Windows XP standard image that is generally compliant with Federal Desktop Core
                                                        Configuration (FDCC) standards, and has documented nine deviations between this image and FDCC
                                                        requirements. However, as of September 30, 2010, OPM's FDCC compliant image has not been rolled out to
                                                        the majority of OPM workstations.
                     2a(9).    Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).
                               No
                     2a(10).   Configuration-related vulnerabilities have not been remediated in a timely manner (NIST 800-53: CM-4, CM-6, RA-5, SI-2).
                               No
                     2a(11).   Patch management process is not fully developed (NIST 800-53: CM-3, SI-2).
                               Yes
                                          Comments:     OPM's OCIO has implemented a patch management policy that outlines the responsibilities and procedures for
                                                        ensuring that OPM servers are routinely patched. However, this policy has not been updated since August 2005.
                                                        In August 2010, the OCIO informed the OIG that this policy is in the process of being updated.
                     2a(12).   Other
                               No

3.        Identify baselines reviewed: 





Section 3: Status of Incident Response & Reporting Program
4.         Selected response is:
          a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST's
          and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes
          the following attributes:
                     1. Documented policies and procedures for responding and reporting to incidents.
                     2. Comprehensive analysis, validation and documentation of incidents.
                     3. When applicable, reports to US-CERT within established timeframes.
                     4. When applicable, reports to law enforcement within established timeframes.
                     5. Responds to and resolves incidents in a timely manner to minimize further damage.
                                         Comments:     OPM has developed an "Incident Response and Reporting Guide" that outlines the responsibilities of OPM's
                                                       Computer Incident Response Team (CIRT) and documents procedures for reporting all IT security events to the
                                                       appropriate entities. OPM appropriately reports security incidents internally, to US-CERT, and to law
                                                       enforcement.

Section 4: Status of Security Training Program
5.        Selected response is:
          b. The Agency has established and is maintaining a security training program. However, the Agency needs to make significant
          improvements as noted below.




                                   Comments:      OPM's OCIO has implemented a process to provide annual IT security and privacy awareness training to all OPM
                                                  employees and contractors.

                                                  Over 99 percent of OPM's employees and contractors completed the security awareness training course in FY
                                                  2010. However, only 87 percent of employees with security responsibility took specialized security training in FY
                                                  2010.
         5a.      Areas for Improvement:
                  5a(1).   Security awareness training policy is not fully developed.
                           No
                  5a(2).   Security awareness training procedures are not fully developed, sufficiently detailed or consistently implemented.
                           No
                  5a(3).   Specialized security training policy is not fully developed.
                           Yes
                                   Comments:      Agency employees with significant information security responsibilities are required to take specialized security
                                                  training in addition to the annual awareness training.

                                                  OPM's OCIO has developed a table outlining the security training requirements for specific job roles. The
                                                  OCIO uses a spreadsheet to track the security training taken by employees that have been identified as having
                                                  security responsibility. However, a significant portion (33 percent) of the individuals on the spreadsheet are listed
                                                  with a job role that does not appear on the training requirements table (i.e., "significant responsibility"), making it
                                                  impossible to determine whether these individuals received adequate training in FY 2010.
                  5a(4).   Specialized security training procedures are not fully developed or sufficiently detailed (SP 800-50, SP 800-53).
                           Yes
                                   Comments:      See comments in 5a(3).

                  5a(5).   Training material for security awareness training does not contain appropriate content for the Agency (SP 800-50, SP 800-53).
                           No
                  5a(6).   Identification and tracking of employees with login privileges that require security awareness training is not adequate (SP
                           800-50, SP 800-53).
                           No
                    5a(7).     Identification and tracking of employees without login privileges that require security awareness training is not adequate (SP
                               800-50, SP 800-53).
                               No
                    5a(8).     Identification and tracking of employees with significant information security responsibilities is not adequate (SP 800-50, SP
                               800-53).
                               Yes
                                          Comments:   See comments in 5a(3).

                    5a(9).     Training content for individuals with significant information security responsibilities is not adequate (SP 800-53, SP 800-16).
                               No
                    5a(10).    Less than 90% of employees with login privileges attended security awareness training in the past year.
                               No
                    5a(11).    Less than 90% of employees, contractors, and other users with significant security responsibilities attended specialized
                               security awareness training in the past year.
                               Yes
                                          Comments:   Eighty-seven percent of OPM's employees identified as having information security responsibility have completed
                                                      at least one hour of specialized security training in FY 2010.

                    5a(12).    Other
                               No
Section 5: Status of Plans of Actions & Milestones (POA&M) Program
6.       Selected response is:
         b. The Agency has established and is maintaining a POA&M program that tracks and remediates known information security
         weaknesses. However, the Agency needs to make significant improvements as noted below. 

          6a.       Areas for Improvement: 

                    6a(1).     POA&M Policy is not fully developed.
                               No
                    6a(2).     POA&M procedures are not fully developed, sufficiently detailed or consistently implemented.
                               Yes


                                     Comments:     OPM's OCIO has developed a POA&M Guide and published it to the agency's internal website. However, the
                                                   OIG identified several POA&M related weaknesses that indicate that the OCIO has not provided adequate
                                                   procedure guidance and training regarding appropriate management of POA&Ms.

                    6a(3).   POA&Ms do not include all known security weaknesses (OMB M-04-25).
                             Yes
                                     Comments:      In October 2009, the OIG issued the FY 2009 FISMA audit report with 30 audit recommendations. We verified
                                                    that all 30 of the recommendations were appropriately incorporated into the OCIO POA&M.

                                                    The OIG conducted audits of three OPM systems in FY 2009 with a total of three audit recommendations that
                                                    remained outstanding at the time the reports were issued. However, none of these audit recommendations
                                                    appeared in the POA&M of the related system. Although each of these weaknesses has since been remediated,
                                                    they should be documented in the system's POA&M for tracking purposes.
                    6a(4).   Remediation actions do not sufficiently address weaknesses (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security
                             Controls).
                             No
                    6a(5).   Initial date of security weaknesses are not tracked (OMB M-04-25).
                             No
                    6a(6).   Security weaknesses are not appropriately prioritized (OMB M-04-25).
                             No
                    6a(7).   Estimated remediation dates are not reasonable (OMB M-04-25).
                             Yes
                                     Comments:      The POA&Ms for nine OPM systems contain security weaknesses with remediation activities over 120 days
                                                    overdue. In the third quarter of 2010, OPM systems had a total of 58 POA&M items over 120 days overdue, an
                                                    increase from 26 overdue items during the same time period in FY 2009.

                                                    This indicates that the OCIO has not provided adequate leadership and guidance to ensure that program offices
                                                    assign reasonable POA&M due dates and stay on track to meet those dates. Program offices are equally
                                                    responsible for dedicating adequate resources to addressing POA&M weaknesses and meeting target objectives.
                    6a(8).   Initial target remediation dates are frequently missed (OMB M-04-25).

                               Yes
                                       Comments:      See comments in 6a(7).

                      6a(9).   POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).
                               No
                      6a(10).  Costs associated with remediating weaknesses are not identified (NIST SP 800-53, Rev. 3, Control PM-3 & OMB M-04-25).
                               No
                      6a(11).  Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).
                               Yes
                                       Comments:       The OIG selected one closed POA&M item from nine OPM systems and reviewed the proof of closure
                                                       documentation provided by the program offices when the POA&M items were closed. Adequate proof of closure
                                                       was provided for eight of the nine systems tested. Proof of closure was not available for three POA&M items
                                                       selected for the ninth system, and the program office subsequently reopened these security weaknesses. The
                                                       OCIO's failure to adequately review proof of closure documentation before allowing program offices to close
                                                       POA&M items increases the risk that security weaknesses remain unaddressed.
                      6a(12).  Other
                               No

Section 6: Status of Remote Access Program
7.        Selected response is:
          b. The Agency has established and is maintaining a remote access program. However, the Agency needs to make significant
          improvements as noted below.

           7a.       Areas for Improvement:
                      7a(1).   Remote access policy is not fully developed.
                               Yes

                                       Comments:     Although OPM has implemented a telecommuting policy that provides guidance on the establishment, management,
                                                     and maintenance of telecommuting, it does not address the technical elements of telecommuting suggested by the
                                                     NIST "Guide to Enterprise Telework and Remote Access Security." In addition, the telecommuting policy has not
                                                     been updated since 2001.

                      7a(2).   Remote access procedures are not fully developed, sufficiently detailed or consistently implemented.


                                     Comments:     See comments in 7a(1).
                  7a(3).    Telecommuting policy is not fully developed (NIST 800-46, Section 5.1).
                            Yes
                                     Comments:     See comments in 7a(1).
                  7a(4).    Telecommuting procedures are not fully developed or sufficiently detailed (NIST 800-46, Section 5.4).
                            Yes
                                     Comments:     See comments in 7a(1).
                  7a(5).    Agency cannot identify all users who require remote access (NIST 800-46, Section [illegible].2, Section 5.1).
                            No

                  7a(6).    Multi-factor authentication is not properly deployed (NIST 800-46, Section 2.2, Section 3.3).
                            Yes
                                     Comments:     OPM uses a Virtual Private Network (VPN) client to provide remote users with secure access to the agency's
                                                   internal network environment. The OPM VPN requires username and password authentication to uniquely identify users.
                                                   It maintains logs of individuals who remotely access the network, and the logs are reviewed on a monthly
                                                   basis for unusual activity or trends.




                  7a(7).    Agency has not identified all remote devices (NIST 800-46, Section 2.1).
                            No

                  7a(8).    Agency has not determined all remote devices and/or end user computers have been properly secured (NIST 800-46, Section
                            3.1 and 4.2).
                            No
                  7a(9).    Agency does not adequately monitor remote devices when connected to the agency's networks remotely (NIST 800-46,
                            Section 3.2).
                              No
                    7a(10).   Lost or stolen devices are not disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting
                              Guidelines).
                              No
                    7a(11).   Remote access rules of behavior are not adequate (NIST 800-53, PL-4).
                              No
                    7a(12).   Remote access user agreements are not adequate (NIST 800-46, Section 5.1, NIST 800-53, PS-6).
                              No
                    7a(13).   Other
                              No

Section 7: Status of Account and Identity Management Program
8.       Selected response is:
         b. The Agency has established and is maintaining an account and identity management program that identifies users and network
         devices. However, the Agency needs to make significant improvements as noted below.

          8a.      Areas for Improvement:
                    8a(1).    Account management policy is not fully developed.
                              No

                                      Comments:     OPM maintains two policies regarding management of user accounts: one related to Windows network (LAN)
                                                    users and the other related to mainframe users. Both policies contain procedures for creating user accounts with
                                                    the appropriate level of access as well as procedures for removing access for terminated employees.

                    8a(2).    Account management procedures are not fully developed, sufficiently detailed or consistently implemented.
                              No
                    8a(3).    Active Directory is not properly implemented (NIST 800-53, AC-2).
                              No
                    8a(4).    Other Non-Microsoft account management software is not properly implemented (NIST 800-53, AC-2).
                              No
                    8a(5).    Agency cannot identify all User and Non-User Accounts (NIST 800-53, AC-2).

                                No
                      8a(6).    Accounts are not properly issued to new users (NIST 800-53, AC-2).
                                No
                      8a(7).    Accounts are not properly terminated when users no longer require access (NIST 800-53, AC-2).
                                No
                      8a(8).    Agency does not use multi-factor authentication where required (NIST 800-53, IA-2).
                                Yes
                                        Comments:      See comments in 7a(6).
                      8a(9).    Agency has not adequately planned for implementation of PIV for logical access (HSPD 12, FIPS 201, OMB M-05-24, OMB
                                M-07-06, OMB M-08-01).
                                No
                      8a(10).   Privileges granted are excessive or result in capability to perform conflicting functions (NIST 800-53, AC-2, AC-6).
                                No
                      8a(11).   Agency does not use dual accounts for administrators (NIST 800-53, AC-5, AC-6).
                                No

                      8a(12).   Network devices are not properly authenticated (NIST 800-53, IA-3).
                                Yes
                                        Comments:




                      8a(13).   Other
                                No

Section 8: Status of Continuous Monitoring Program
9.        Selected response is:
          b. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems.
          However, the Agency needs to make significant improvements as noted below.
           9a.       Areas for Improvement:

                         9a(1).     Continuous monitoring policy is not fully developed.
                                    Yes
                                              Comments:    OPM's IT Security and Privacy Policy Volume 2 states that the security controls of all systems must be tested at
                                                           least annually to determine the extent to which the controls are implemented correctly, operating as intended, and
                                                           meeting the security requirements for the system.

                                                           In addition to the annual tests, OPM's infrastructure systems (LAN/WAN and Enterprise Server) are subject to
                                                           additional security control tests in the form of automated vulnerability scans. Although these scans are performed
                                                           routinely, the OCIO has not developed a Continuous Monitoring Policy to provide guidance on identifying
                                                           high-risk security controls along with a strategy for testing them on a continuous basis.
                         9a(2).     Continuous monitoring procedures are not fully developed or consistently implemented.
                                    Yes
                                              Comments:    See comments in 9a(1).

                         9a(3).     Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST 800-37).
                                    Yes
                                              Comments:    See comments in 9a(1).

                         9a(4).     Ongoing assessments of selected security controls (system-specific, hybrid, and common) have not been performed (NIST
                                    800-53, NIST 800-53A).
                                    Yes
                                              Comments:    The security controls were tested for only 28 of OPM's 43 systems in FY 2010.

                         9a(5).     The following were not provided to the system authorizing official or other key system officials: security status reports
                                    covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53,
                                    NIST 800-53A). 

                                    No 

                         9a(6).     Other 

                                    Yes

                                    Explanation for Other 

                                    List of Common Security Controls 



                                      Comments:     Many of the applications in OPM's system inventory are housed in OPM's LAN/WAN or Enterprise Server
                                                    (mainframe) general support systems (GSS). These applications inherit a significant portion of information security
                                                    controls required by NIST SP 800-53 from these environments. These inherited controls are referred to as
                                                    "common controls."

                                                    When the security controls of a system are subject to testing, the program office conducting the test is not required
                                                    to evaluate the controls inherited from the GSS, as these controls are certified by OPM's OCIO. However, the
                                                    OCIO does not currently maintain a published list of common security controls, and individual program offices are
                                                    responsible for determining which controls are inherited from a GSS, increasing the risk that certain security
                                                    controls remain untested.

Section 9: Status of Contingency Planning Program
10.      Selected response is:
         b. The Agency has established and is maintaining an entity-wide business continuity/disaster recovery program. However, the Agency
         needs to make significant improvements as noted below.
          10a.     Areas for Improvement:

                    10a(1).   Contingency planning policy is not fully developed.

                              Yes 

                                      Comments: 
 OPM's Information Security and Privacy Policy Volume 2 states that each system owner must "Test the
                                                  contingency plan for the information system at least annually to determine the plan's effectiveness and the system's
                                                  readiness to execute the plan." However, this policy does not provide instructions for conducting business impact
                                                  assessments, developing contingency plans, or conducting the contingency plan test in accordance with NIST
                                                  guidance.
                    10a(2).   Contingency planning procedures are not fully developed or consistently implemented.
                              Yes
                                      Comments:     See comments in 10a(1).
                    10a(3).   An overall business impact assessment has not been performed (NIST SP 800-34).
                              No
                    10a(4).   Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST
                              SP 800-34).
                              No
                    10a(5).   A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34).
                              No
                    10a(6).   A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34).
                              No
                    10a(7).   System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53).
                              Yes
                                         Comments:   Up-to-date contingency plans did not exist for 7 of the 43 systems on OPM's master system inventory. Five of 43
                                                     systems had documented contingency plans, but they were not reviewed or updated in FY 2010. The OIG was
                                                     not provided with evidence that a documented contingency plan exists for the remaining two systems.
                    10a(8).   Critical systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53).
                              Yes
                                         Comments:   The contingency plans for 30 of OPM's 43 systems were tested in FY 2010 in full compliance with the
                                                     requirements of NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. Eleven of
                                                     43 system contingency plans were tested in FY 2010, but not with a scenario-based contingency plan test
                                                     conducted in accordance with NIST SP 800-34 requirements. The remaining two system contingency plans were
                                                     not subject to any form of contingency plan test in FY 2010.
                    10a(9).   Training, testing, and exercises approaches have not been developed (FCD1, NIST SP 800-34, NIST 800-53).
                              Yes
                                         Comments:   OPM's Information Security and Privacy Policy Volume 2 states that each system owner must "Test the
                                                     contingency plan for the information system at least annually to determine the plan's effectiveness and the system's
                                                     readiness to execute the plan." However, this policy does not provide instructions for conducting business impact
                                                     assessments, developing contingency plans, or conducting the contingency plan test in accordance with NIST
                                                     guidance.
                    10a(10). Training, testing, and exercises approaches have been developed, but are not fully implemented (FCDI, NIST SP 800-34,
                             N1ST SP 800-53).
                              No
                    I Oa(1 t). 	Disaster reco\'ery exercises were not successful re\'caled significant weaknesses in the contigency planning. (NIST SP
                              800-34).
                             No
                    10a(12). After-action plans did not address issues identified during disaster recovery exercises (FCD1, NIST SP 800-34).
                             No
                    10a(13). Critical systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                             No
                    10a(14). Alternate processing sites are subject to same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                             No
                    10a(15). Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
                             No
                    10a(16). Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53).
                             No
                    10a(17). Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53).
                             No
                    10a(18). Other
                             No

Section 10: Status of Agency Program to Oversee Contractor Systems
11.      Selected response is:
         c. The Agency does not have a program to oversee systems operated on its behalf by contractors or other entities.
                                      Comments:  OPM's master system inventory indicates that 11 of the agency's 43 major applications are operated by a
                                                 contractor.

                                                 In prior audits, OIG has verified that the security controls of these contractor systems were tested by an OPM
                                                 employee. However, in FY 2010, 7 of the 11 contractor systems were not subject to security control testing.

                                                 In addition, OPM does not have a formal policy providing the OCIO and other program offices guidance on the
                                                 appropriate oversight of contractors and contractor-run systems.



