U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S FEDERAL FINANCIAL SYSTEM

Report Number 4A-CF-00-17-044
September 29, 2017

EXECUTIVE SUMMARY

Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management’s Federal Financial System
Report No. 4A-CF-00-17-044
September 29, 2017

Why Did We Conduct the Audit?

The Federal Financial System (FFS) is part of the Benefits Financial Management System (BFMS); BFMS is one of the U.S. Office of Personnel Management’s (OPM) major Information Technology (IT) systems. The Digital Accountability and Transparency Act of 2014 and the Federal Information Security Modernization Act (FISMA) require that the Office of the Inspector General (OIG) perform an audit of the IT security controls of this system.

What Did We Audit?

The OIG has completed a performance audit of FFS to ensure that the system’s security controls meet the standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual, and OPM’s Office of the Chief Information Officer (OCIO).

What Did We Find?

Our audit of the IT security controls of FFS and its host system, BFMS, determined that:

- A Security Assessment and Authorization (Authorization) of BFMS was completed in 2016. An authorization to operate was granted for up to three years.
- The security categorization of BFMS is consistent with Federal Information Processing Standards 199 and NIST Special Publication (SP) 800-60, and we agree with the categorization of “moderate.”
- OPM has not fully completed a Privacy Impact Assessment for BFMS.
- The BFMS System Security Plan generally follows the OCIO template, but there were instances where the documentation was incomplete or out of date.
- The BFMS risk assessment did not include an assessment of all known control weaknesses.
- OPM could improve the continuous monitoring of the security controls of BFMS.
- A contingency plan was developed for BFMS and is generally in compliance with NIST SP 800-34 Revision 1 and OCIO guidance. However, the plan is missing several pieces of critical information.
- The BFMS Plan of Action and Milestones (POA&M) documentation did not include all required information and known weaknesses. In addition, most POA&M remediation activities are more than six months past their scheduled completion dates.
- We evaluated a subset of the system controls outlined in NIST SP 800-53 Revision 4. We determined that most of the security controls tested appear to be in compliance; however, we did note two areas for improvement.

Michael R. Esser
Assistant Inspector General for Audits

ABBREVIATIONS

ATO  Authorization to Operate
BFMS  Benefits Financial Management System
DATA Act  Digital Accountability and Transparency Act
FFS  Federal Financial System
FIPS  Federal Information Processing Standards
FISCAM  Federal Information System Controls Audit Manual
FISMA  Federal Information Security Management Act
IG  Inspector General
ISCMP  Information Security Continuous Monitoring Plan
IT  Information Technology
MRB  Management Review Board
NIST  National Institute of Standards and Technology
OCFO  Office of the Chief Financial Officer
OCIO  Office of the Chief Information Officer
OIG  Office of the Inspector General
OMB  U.S. Office of Management and Budget
OPM  U.S. Office of Personnel Management
PIA  Privacy Impact Assessment
POA&M  Plan of Action and Milestones
PTA  Privacy Threshold Analysis
Authorization  Security Assessment and Authorization
SAP  Security Assessment Plan
SAR  Security Assessment Report
SP  Special Publication
SSP  System Security Plan

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS
I. BACKGROUND
II. OBJECTIVES, SCOPE, AND METHODOLOGY
III. AUDIT FINDINGS AND RECOMMENDATIONS
   A. Security Assessment and Authorization
   B. FIPS 199 Analysis
   C. Privacy Impact Assessment
   D. System Security Plan
   E. Security Assessment Plan and Report
   F. Continuous Monitoring
   G. Contingency Planning and Contingency Plan Testing
   H. Plan of Action and Milestones Process
   I. NIST 800-53 Evaluation
IV. MAJOR CONTRIBUTORS TO THIS REPORT
APPENDIX: OPM’s August 18, 2017, response to the draft audit report, issued August 2, 2017.
REPORT FRAUD, WASTE, AND MISMANAGEMENT

I. BACKGROUND

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act. It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the U.S.
Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In 2014, Public Law 113-283, the Federal Information Security Modernization Act (FISMA), was established and reaffirmed the objectives of the prior FISMA. As part of our evaluation, we will review the Office of Personnel Management’s (OPM) FISMA compliance strategy and document the status of their compliance efforts.

On May 9, 2014, the President signed into law the Digital Accountability and Transparency Act of 2014 (DATA Act) (P.L. 113-101), which includes Section 6, Accountability for Federal Funding. It requires the Office of the Inspector General (OIG) to (1) review a statistically valid sampling of the spending data submitted under the DATA Act by the Federal agency; and (2) submit to Congress and make publicly available a report assessing the completeness, timeliness, quality, and accuracy of the data sampled and the implementation and use of data standards by the Federal agency. In accordance with the DATA Act, we are conducting an evaluation of OPM’s systems, processes, and internal controls in place over financial data management.

The Federal Financial System (FFS) is a commercial-off-the-shelf general ledger application used to keep record of financial transactions at OPM. The FFS application is a part of OPM’s Benefits Financial Management System (BFMS), one of the agency’s major information technology (IT) systems. BFMS is made up of several applications used by OPM’s Office of the Chief Financial Officer’s (OCFO) Trust Fund Group to track and report on financial accounts and transactions. Many of the security controls for FFS are inherited from BFMS or the agency’s Enterprise Server Infrastructure (i.e., mainframe) and Local Area Network / Wide Area Network General Support Systems.

Not only is FFS a part of a major IT system on OPM’s FISMA inventory, FFS is also one of the key systems generating data for DATA Act reports. As such, FISMA and the DATA Act require the OIG to perform an audit of the IT security controls of this system.

1 Report No. 4A-CF-00-17-044

OPM’s Office of the Chief Information Officer (OCIO) and OCFO share responsibility for implementing and managing the IT security controls of FFS. We discussed the results of our audit with the OCIO and the OCFO representatives at an exit conference.

II. OBJECTIVES, SCOPE, AND METHODOLOGY

OBJECTIVES

Our goal was to perform an evaluation of the security controls for FFS to ensure the OCIO and the OCFO officials have managed the implementation of IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM), and OPM’s OCIO.

The audit objective was carried out by reviewing the degree to which a variety of security program elements have been implemented for FFS, including:

- Security Assessment and Authorization (Authorization);
- Federal Information Processing Standards (FIPS) 199 Analysis;
- Privacy Impact Assessment (PIA);
- System Security Plan (SSP);
- Security Assessment Plan and Report;
- Continuous Monitoring;
- Contingency Planning and Contingency Plan Testing;
- Plan of Action and Milestones (POA&M) Process; and
- NIST Special Publication (SP) 800-53, Revision 4, Security Controls.

SCOPE AND METHODOLOGY

This performance audit was conducted in accordance with the Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered security controls and FISMA compliance efforts of OPM officials responsible for FFS, including the evaluation of IT security controls in place as of July 2017.

We considered the FFS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM’s OCIO and OCFO program offices with FFS security responsibilities, reviewed documentation and system screenshots, viewed demonstrations of system capabilities, and conducted tests directly on the system. We also reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of FFS are located in the “Results” section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on FFS’ internal controls taken as a whole.

The criteria used in conducting this audit include:

- OPM Information Security and Privacy Policy Handbook;
- OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
- E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
- P.L. 113-283, Federal Information Security Modernization Act of 2014;
- The Federal Information System Controls Audit Manual;
- NIST SP 800-12, An Introduction to Computer Security;
- NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems;
- NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
- NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
- NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems;
- NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
- NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories;
- NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
- Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with the Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from May through July 2017 in OPM’s Washington, D.C. office.

COMPLIANCE WITH LAWS AND REGULATIONS

In conducting the audit, we performed tests to determine whether OPM’s management of FFS is consistent with applicable standards.
While generally compliant, with respect to the items tested, OPM was not in complete compliance with all standards, as described in section III of this report.

III. AUDIT FINDINGS AND RECOMMENDATIONS

The following sections detail the results from our audit of OPM’s Federal Financial System.

A. SECURITY ASSESSMENT AND AUTHORIZATION

A Security Assessment and Authorization (Authorization) includes 1) a comprehensive assessment attesting that the system’s security controls meet security requirements and 2) an official management decision to authorize operation of an information system and accept its known risks. OMB’s Circular A-130, Appendix I mandates that all Federal information systems have a valid Authorization. Although OMB previously required periodic Authorizations every three years, Federal agencies now have the option of continuously monitoring their systems to fulfill the Authorization requirement. However, OPM does not yet have a fully mature program in place to continuously monitor system security controls, so a current Authorization is required for every OPM system.

BFMS was most recently authorized to operate (ATO) on November 16, 2016. This ATO is valid for up to three years and requires the system owner to monitor and remediate identified weaknesses on an ongoing basis.

FFS was appropriately subjected to the full Authorization process.

B. FIPS 199 ANALYSIS

The E-Government Act of 2002 requires federal agencies to categorize all Federal information and information systems. FIPS 199 provides guidance for how to appropriately assign the categorization levels for information security according to a range of risk levels. NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The BFMS security categorization documentation analyzes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. BFMS is categorized with a “moderate” impact level for each of these areas, resulting in an overall categorization of “moderate.”

The security categorization of BFMS is consistent with FIPS Publication 199 and NIST SP 800-60 requirements, and we agree with the categorization of “moderate.”

C. PRIVACY IMPACT ASSESSMENT

The E-Government Act of 2002 requires agencies to perform Privacy Threshold Analysis (PTA) screening of federal information systems to decide if the system needs a PIA. OMB Memorandum M-03-22 outlines the necessary elements of a PIA. The purpose of the assessment is to evaluate and document any personally identifiable information kept by an information system.

A PTA and PIA were partially completed for BFMS (to include FFS) in September 2016. However, both documents are incomplete (e.g., required questions were left unanswered) and neither document has been formally approved and signed. OPM policy requires that “Both the PTA and PIA must be reviewed by the OPM Privacy Officer who recommends approval to the Chief Privacy Officer. These activities must be completed prior to the authorization decision . . . .”

Recommendation 1

We recommend that OPM fully completes and approves a PIA for BFMS.

OPM Response: “OPM concurs with the intent of the recommendation; … OPM has already determined that a PIA is required for the major system and is working to update the PIA.”

OIG Comment: As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal Oversight and Compliance division with evidence that this recommendation has been implemented. This statement applies to all subsequent recommendations in this audit report that the OCIO agrees to implement.

D. SYSTEM SECURITY PLAN

Federal agencies must implement, for each information system, the security controls outlined in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires and guides the documentation of controls in each system’s SSP.

The SSP for BFMS was created using the OCIO’s SSP template, which uses NIST SP 800-18, Revision 1, as guidance. The template requires the following elements be documented within the SSP:

- System Name and Identifier;
- System Owner;
- System Categorization;
- Authorizing Official;
- Other Designated Contacts;
- Assignment of Security Responsibility;
- System Operational Status;
- Information System Type;
- General Description/Purpose;
- System Environment;
- System Interconnection/Information Sharing;
- Laws, Regulations, and Policies Affecting the System;
- Security Control Selection;
- Minimum Security Controls; and
- Completion and Approval Dates.

The current SSP was signed on October 4, 2016. We reviewed the BFMS SSP and determined it does not adequately address all of the requirements of NIST. Specifically, we found instances of the following issues:

- System information and required control documentation were outdated; and
- Required controls were either not documented or incompletely documented.

NIST SP 800-18, Revision 1, states “it is important to periodically assess the plan, review any change in system status, functionality, design, etc., and ensure that the plan continues to reflect the correct information about the system.”

The lack of current and complete system documentation increases the risk that controls are not implemented and functioning as required. This increases the difficulty of assessing risks to the system and to OPM as a whole.

Outdated, missing, and incomplete information was identified in the SSP.

Recommendation 2

We recommend that OPM update the BFMS SSP in accordance with the agency’s policies and NIST standards.

OPM Response: “OPM concurs with the recommendation. The major system SSP was updated and routed for signature after the release of the draft report. OPM will provide OIG the signed SSP to address this recommendation.”

E. SECURITY ASSESSMENT PLAN AND REPORT

A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for BFMS in August 2016 and October 2016, respectively, as a part of the system’s Authorization process. The SAP and SAR were completed by OPM IT security staff. We reviewed the documents to verify that a risk assessment was conducted in accordance with NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments. We also verified that the appropriate management, operational, and technical controls were tested for a system with a “moderate” security categorization.

The assessment results table showed that 49 of the 69 controls tested were not fully satisfied. Of these 49 control deficiencies identified, 38 were not included in the risk assessment of the SAR. The remaining 11 controls (those that were appropriately included in the risk assessment) were all appropriately added to the BFMS POA&Ms.

Not all known security weaknesses were evaluated during the risk assessment.

OPM policy requires that each weakness identified in the assessment be assessed for risk as a part of the SAR. Failure to assess the risk associated with all identified weaknesses increases the risk that weaknesses are not properly prioritized for remediation.

Recommendation 3

We recommend that OPM perform an analysis to assess the risk of the 38 control deficiencies that were omitted from the risk assessment, and update the BFMS risk assessment and POA&Ms to include all identified weaknesses and their risk levels.

OPM Response: “OPM concurs with the recommendation. After receipt of the draft report, OPM reviewed the 38 security controls in question. OPM is in the process of updating the risk assessment and POA&Ms, as needed.”

F. CONTINUOUS MONITORING

OPM requires that the IT security controls of each application be assessed on a continuous basis. OPM’s OCIO has developed an Information Security Continuous Monitoring Plan (ISCMP) which includes a template outlining the security controls to be tested for all information systems. This template must be tailored to each individual system’s specific security control needs. All system owners are required to customize their system’s ISCMP and then test the system’s security controls on an ongoing basis. The test results must be provided to the OCIO routinely for centralized tracking.

We reviewed the BFMS ISCMP submissions from fiscal year 2017. Although it was apparent that control testing activity was performed for this system, we noted significant issues with the testing process:

- There were five instances where the results of the control tests were not documented;
- There were numerous instances where the testing appears to be incomplete; and
- All controls with results are marked as being fully satisfied, even where non-remediated weaknesses had previously been identified for certain controls.

Failure to properly continuously monitor controls increases the likelihood of unidentified risks to the system.

Recommendation 4

We recommend that OPM test the security controls of BFMS in accordance with the ISCMP testing schedule and ensure the results are properly documented.

OPM Response: “OPM concurs with the recommendation. After receipt of the draft report, OPM completed testing the security controls of the major system and documented the results according to OPM security procedures.”

G. CONTINGENCY PLANNING AND CONTINGENCY PLAN TESTING

NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, says effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM’s security policies require all major applications to have viable and logical disaster recovery and contingency plans, and these plans to be routinely reviewed, tested, and updated.

1) Contingency Plan

The BFMS contingency plan documents the functions, operations, and resources necessary to restore and resume BFMS when unexpected events or disasters occur. The contingency plan adequately follows the format suggested by NIST SP 800-34, Revision 1, and OPM’s template for contingency plans. However, not all portions of the BFMS contingency plan have been completed. There are multiple sections of the contingency plan and 5 of its 13 appendices that do not contain all of the required information.

Failure to fully document the required contingency plan information increases the risk that adverse effects from a disruptive event cannot be mitigated.

Recommendation 5

We recommend that OPM update the BFMS contingency plan to include all required information from OPM’s template.

OPM Response: “OPM concurs with the recommendation. OPM is in the process of updating the major system contingency plan.”

2) Contingency Plan Testing

Contingency plan testing is a critical element of a viable disaster recovery capability. OPM requires contingency plans to be tested routinely to determine the plan’s effectiveness and the organization’s readiness to execute the plan. NIST SP 800-34, Revision 1, provides guidance for testing contingency plans and documenting the results.

The most recent contingency plan test for FFS was conducted in August 2016. The test was identified as a functional test, and was marked as successful.
Nothing came to our attention to indicate the BFMS contingency plan testing process was inadequate.

H. PLAN OF ACTION AND MILESTONES PROCESS

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for known IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency’s information systems.

1) Incomplete POA&M Lists

We evaluated the BFMS POA&M documentation included in the Authorization package and a separate list of POA&Ms maintained by OPM in its tracking tool. Neither list was complete; the Authorization list did not include weaknesses previously identified and maintained in the tracking tool, nor was the tracking tool updated to include the weaknesses identified in the Authorization. OPM policy requires that “For systems going through a reauthorization, the POA&M also includes all other open and draft weaknesses that are on the existing POA&M as well.”

Without a complete list of known weaknesses, OPM is most likely underreporting the number of POA&Ms. Of greater concern, the authorizing official does not have a complete understanding of the current system risk when authorizing the system to operate.

Furthermore, the POA&Ms in the Authorization package do not adhere to OPM’s POA&M template or include all of the required information (e.g., resources required for remediation, actual completion dates, milestone changes, and source information for weaknesses). Without complete documentation there is an increased risk that weaknesses are not resolved appropriately and timely.

Recommendation 6

We recommend that OPM update the BFMS POA&M to include all identified weaknesses and required information per OPM policy.

OPM Response: “OPM concurs with the recommendation. OPM is in transition from one POA&M tracking tool to another. After receipt of the draft report, OPM added the POA&Ms to the new tracking tool. The POA&Ms are now in the process of being updated with the required information.”

2) Overdue POA&Ms

BFMS has a total of 46 open POA&M entries, and 45 have scheduled completion dates over six months overdue. Of these, 11 are more than two years overdue and 1 dates back to 2012. While we understand POA&Ms can be delayed due to resource constraints, it is imperative that POA&M documentation be updated so the current risks to the system can be understood. The POA&M process is used to track both the progress and the delays in the remediation of system weaknesses so resources may be efficiently used when available.

OPM’s POA&M policy states that “Should expected completion dates for milestones of POA&Ms be missed, the associated POA&Ms will be brought before the [Management Review Board (MRB)] for review in order to address any corrective actions needed for remediating the POA&Ms in accordance with the requirements defined in the [ATO] issued for the applicable system. Updated milestones and expected completion dates will be required for the following MRB meeting.”

A large number of POA&Ms are significantly overdue without revised and approved remediation plans.

Failure to properly maintain a system’s POA&M increases the likelihood of weaknesses not being addressed in a timely manner, potentially exposing the system to malicious attacks exploiting those unresolved vulnerabilities.

Recommendation 7

We recommend that OPM develop a detailed action plan to remediate all overdue POA&M items. This action plan should include realistic estimated completion dates.

OPM Response: “OPM concurs with the recommendation. OPM is in the process of updating the POA&M items with new estimated completion dates, taking into consideration any factors that have led to the previously missed dates.”

I. NIST SP 800-53 EVALUATION

NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated whether a subset of these controls had been implemented for FFS and BFMS. We tested approximately 21 controls as outlined in NIST SP 800-53, Revision 4, including one or more controls from each of the following control families:

- Access Control;
- Audit and Accountability;
- Configuration Management;
- Contingency Planning;
- Identification and Authentication;
- Planning;
- Risk Assessment;
- Security Assessment and Authorization;
- System and Communications Protection; and
- System and Information Integrity.

These controls were evaluated by interviewing individuals with security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system. We determined the tested security controls appear to be in compliance with the requirements of NIST SP 800-53, Revision 4, with the following exceptions:

1) Control CM-6 – Configuration Settings

OPM maintains a security guide and user manual for BFMS, but these documents do not detail the approved configuration settings for the system. Configuration settings are the system options that are adjusted to enforce or enhance protection of system components and data. Documented settings are necessary so the system can be reviewed for compliance against an approved standard.

NIST SP 800-53, Revision 4, states that “Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers . . . .”

Without a documented, approved set of configuration settings there is no standard against which the system’s actual settings can be verified, so unapproved or insecure changes are less likely to be detected.

Recommendation 8

We recommend that OPM document the approved security configuration settings for BFMS.

OPM Response: “OPM concurs with the recommendation. OPM will assess the risk of this finding and create an action plan to apply security controls to mitigate the identified risk, where appropriate.”

2) Control SI-2 – Flaw Remediation

FFS is a commercial software product developed and supported by a third-party vendor. This vendor had historically developed and released updated versions of the FFS software, but OPM has not had a support contract in place to receive these updates since 2002. Although OPM has staff in place to manage the configuration of the software (e.g., modify the system reports), this does not alleviate the operational and security risks associated with running unsupported software.

OPM has not had a support contract in place for FFS since 2002.

The Office of Management and Budget has released specific guidance that states “Agencies shall: . . . Prohibit the use of unsupported information systems and system components, and ensure that systems and components that cannot be appropriately protected or secured are given a high priority for upgrade or replacement;” and details that this “includes hardware, software, or firmware components no longer supported by developers, vendors, or manufacturers through the availability of software patches, firmware updates, replacement parts, and maintenance contracts.” NIST SP 800-53, Revision 4, requires that, “The organization: . . . Identifies, reports, and corrects information systems flaws . . . [and] Installs security-relevant software and firmware updates . . . .” FISCAM states “Procedures should ensure that only current software releases are installed in information systems. [and explains the risk that] Noncurrent software may be vulnerable to malicious code such as viruses and worms.”

In addition to the security risks inherent in operating an application that no longer receives updates, there are two other critical issues OPM faces by continuing to use the unsupported FFS application.

First, FFS and BFMS inherit the majority of their security controls from the general support systems that host these applications (OPM’s mainframe and Local Area Network / Wide Area Network). As the support systems’ technology continues to evolve, the FFS application may no longer be compatible with those host environments. This could either make FFS obsolete, or it could increase the security risks of OPM as a whole should the agency refrain from updating the support systems in order to keep the FFS application operational.

Second, OPM’s financial reporting needs continue to evolve (e.g., new requirements from the DATA Act), and the core functionality of the FFS application cannot be updated to meet these needs. As a result, OPM must currently rely on inefficient manual processes to meet DATA Act reporting requirements.

Recommendation 9

We recommend that OPM develop and implement a plan to replace FFS with a fully supported financial system.

OPM Response: “OPM concurs with the recommendation. OPM has embarked upon an initiative to modernize the application. As a part of this effort, OPM is in the acquisition planning stage of assessing commercially available alternatives for systems implementation services, application hosting services, operational support (post implementation including help desk services), and Commercial Off-The-Shelf (COTS) financial management software applications.
The objectives of the application replacement / Trust Funds Modernization effort are to modernize/replace the current system to facilitate greater transparency, compliance, and overall stability and sustainability of the system.”

APPENDIX

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Chief Information Officer

August 18, 2017

MEMORANDUM FOR CHIEF, INFORMATION SYSTEMS AUDIT GROUP
OFFICE OF THE INSPECTOR GENERAL

FROM: DAVID L. DEVRIES
CHIEF INFORMATION OFFICER

DENNIS D. COLEMAN
CHIEF FINANCIAL OFFICER

Subject: Office of Personnel Management Response to the Office of the Inspector General Audit Report No. 4A-CF-00-17-044

Thank you for the opportunity to provide comments to the Office of the Inspector General (OIG) draft report 4A-CF-00-17-044. We recognize that even the most well-run programs benefit from external evaluation and we appreciate your assessment of our operations as it will help guide our improvements to enhance the security of the data provided to OPM by the Federal workforce, the Federal agencies, private industries, and the general public. We welcome a collaborative dialogue to help us fully understand the OIG’s recommendations as we plan our remediation efforts so that our actions, and the closure of the recommendations, thoroughly address the underlying issues. The response to your recommendations is provided below.

Recommendation 1

We recommend that OPM fully complete and approve a PTA and PIA for the [major system].

OPM Response: OPM partially concurs with the recommendation. OPM concurs with the intent of the recommendation; however, OPM has already determined that a PIA is required for the major system and is working to update the PIA. Since OPM has already created a PIA for the system, we do not intend to recreate a PTA at this time.

Recommendation 2

We recommend that OPM update the [major system] SSP in accordance with the agency’s policies and NIST standards.

OPM Response: OPM concurs with the recommendation. The major system SSP was updated and routed for signature after the release of the draft report. OPM will provide OIG the signed SSP to address this recommendation.

Recommendation 3

We recommend that OPM perform an analysis to assess the risk of the 38 control deficiencies that were omitted from the risk assessment, and update the [major system] risk assessment and POA&Ms to include all identified weaknesses and their risk levels.

OPM Response: OPM concurs with the recommendation. After receipt of the draft report, OPM reviewed the 38 security controls in question. OPM is in the process of updating the risk assessment and POA&Ms, as needed.

Recommendation 4

We recommend that OPM test the security controls of [the major system] in accordance with the ISCMP testing schedule and ensure that the results are properly documented.

OPM Response: OPM concurs with the recommendation. After receipt of the draft report, OPM completed testing the security controls of the major system and documented the results according to OPM security procedures.

Recommendation 5

We recommend that OPM update [the major system] contingency plan to include all required information from OPM’s template.

OPM Response: OPM concurs with the recommendation. OPM is in the process of updating the major system contingency plan.

Recommendation 6

We recommend that OPM update [the major system] POA&M to include all identified weaknesses and required information per OPM policy.

OPM Response: OPM concurs with the recommendation. OPM is in transition from one POA&M tracking tool to another. After receipt of the draft report, OPM added the POA&Ms to the new tracking tool. The POA&Ms are now in the process of being updated with the required information.

Recommendation 7

We recommend that OPM develop a detailed action plan to remediate all overdue POA&M items. This action plan should include realistic estimated completion dates.

OPM Response: OPM concurs with the recommendation. OPM is in the process of updating the POA&M items with new estimated completion dates, taking into consideration any factors that have led to the previously missed dates.

Recommendation 8

We recommend that OPM document the approved security configuration settings for [the major system].

OPM Response: OPM concurs with the recommendation. OPM will assess the risk of this finding and create an action plan to apply security controls to mitigate the identified risk, where appropriate.

Recommendation 9

We recommend that OPM develop and implement a plan to replace [the application] with a fully supported financial system.

OPM Response: OPM concurs with the recommendation. OPM has embarked upon an initiative to modernize the application. As a part of this effort, OPM is in the acquisition planning stage of assessing commercially available alternatives for systems implementation services, application hosting services, operational support (post implementation including help desk services), and Commercial Off-The-Shelf (COTS) financial management software applications. The objectives of the application replacement / Trust Funds Modernization effort are to modernize/replace the current system to facilitate greater transparency, compliance, and overall stability and sustainability of the system.

Again, thank you for the opportunity to provide comment to this draft report. Please contact us or if you have questions or need additional information.

cc: Chief Information Security Officer
Mark W. Lambert, Associate Director, Merit Systems Accountability and Compliance
Janet L. Barnes, Director, Internal Oversight and Compliance
Jason D. Simmons, Chief of Staff

Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways:

By Internet: http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423

By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
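The two NIST SP 800-53 exceptions in the report reduce to two checks an assessor runs: comparing a system's observed settings against a documented, approved baseline (CM-6, the artifact Recommendation 8 asks OPM to produce), and identifying components in the inventory that no longer receive vendor support (SI-2). The Python below is an added illustration of both checks; it is not part of the OIG report and not OPM's code. The baseline, the observed settings, the component inventory and every setting name in it are constructed sample data, except that the FFS entry reflects the report's statement that no support contract has been in place since 2002 and the reference date is the report date.

```python
"""Two checks behind the CM-6 and SI-2 findings: compare observed settings
against a documented, approved baseline, and flag components that no longer
receive vendor support. All data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional

# Constructed approved baseline (the artifact Recommendation 8 asks for).
# Setting names and values are hypothetical, not OPM's real configuration.
APPROVED_BASELINE: Dict[str, Any] = {
    "password.min_length": 12,
    "password.max_age_days": 60,
    "session.idle_timeout_minutes": 15,
    "audit.logging_enabled": True,
    "audit.log_retention_days": 365,
    "tls.min_version": "1.2",
}

# Constructed snapshot of what an assessor observed on the system.
OBSERVED_SETTINGS: Dict[str, Any] = {
    "password.min_length": 8,          # weaker than the baseline
    "password.max_age_days": 60,
    "session.idle_timeout_minutes": 15,
    "audit.logging_enabled": True,
    # audit.log_retention_days is absent, so it cannot be verified
    "tls.min_version": "1.2",
    "debug.remote_console": True,      # present, but the baseline says nothing about it
}


@dataclass(frozen=True)
class Deviation:
    setting: str
    kind: str                 # "missing", "mismatch" or "undocumented"
    expected: Any = None
    actual: Any = None


def check_configuration(baseline: Dict[str, Any], observed: Dict[str, Any]) -> List[Deviation]:
    """Return every way `observed` departs from `baseline`, sorted by setting name.

    Without a documented baseline there is nothing to compare against, which is
    the gap the CM-6 finding describes."""
    deviations = []
    for setting, expected in baseline.items():
        if setting not in observed:
            deviations.append(Deviation(setting, "missing", expected, None))
        elif observed[setting] != expected:
            deviations.append(Deviation(setting, "mismatch", expected, observed[setting]))
    # Settings present on the system that the baseline does not cover cannot be
    # judged either way; report them so the baseline can be extended.
    for setting in observed.keys() - baseline.keys():
        deviations.append(Deviation(setting, "undocumented", None, observed[setting]))
    return sorted(deviations, key=lambda d: d.setting)


@dataclass(frozen=True)
class Component:
    name: str
    support_ends: Optional[date]    # None: no support arrangement at all


# Constructed inventory. The FFS entry reflects the report's statement that no
# support contract has been in place since 2002; the other entries are hypothetical.
INVENTORY: List[Component] = [
    Component("FFS", None),
    Component("mainframe-os", date(2030, 1, 1)),
    Component("reporting-tool", date(2016, 6, 30)),
]

# Date of the report, used as the reference point for the SI-2 check.
AUDIT_DATE = date(2017, 9, 29)


def find_unsupported(inventory: List[Component], as_of: date) -> List[str]:
    """Names of components with no support, or whose support lapsed before `as_of`."""
    return [c.name for c in inventory if c.support_ends is None or c.support_ends < as_of]


if __name__ == "__main__":
    for d in check_configuration(APPROVED_BASELINE, OBSERVED_SETTINGS):
        print(f"{d.kind:12} {d.setting}: expected={d.expected!r} actual={d.actual!r}")
    print("unsupported as of", AUDIT_DATE, "->", find_unsupported(INVENTORY, AUDIT_DATE))
```

Run against the constructed data, the CM-6 check reports one mismatch, one setting that could not be verified because it is missing, and one setting the baseline does not cover; the SI-2 check lists the two components without current support. Reporting undocumented settings separately matters because a baseline that is silent about a setting cannot declare it compliant, which is why the report insists the approved settings be written down before compliance can be reviewed.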
IT Security Controls of the OPM's Federal Financial System
Published by the Office of Personnel Management, Office of Inspector General on 2017-09-29.