U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
AUDIT OF THE INFORMATION TECHNOLOGY
SECURITY CONTROLS OF THE
U.S. OFFICE OF PERSONNEL MANAGEMENT’S
FEDERAL FINANCIAL SYSTEM
Report Number 4A-CF-00-17-044
September 29, 2017
EXECUTIVE SUMMARY
Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management’s Federal Financial System
Report No. 4A-CF-00-17-044 September 29, 2017
Why Did We Conduct the Audit? What Did We Find?
The Federal Financial System (FFS) is Our audit of the IT security controls of FFS and its host system, BFMS,
part of the Benefits Financial determined that:
Management System (BFMS); BFMS is
A Security Assessment and Authorization (Authorization) of BFMS was
one of the U.S. Office of Personnel
completed in 2016. An authorization to operate was granted for up to three
Management’s (OPM) major Information
years.
Technology (IT) systems. The Digital
Accountability and Transparency Act of
The security categorization of BMFS is consistent with Federal Information
2014 and the Federal Information Security
Processing Standards 199 and NIST Special Publication (SP) 800-60, and
Modernization Act (FISMA) require that we agree with the categorization of “moderate.”
the Office of the Inspector General (OIG)
perform an audit of IT security controls of OPM has not fully completed a Privacy Impact Assessment for BFMS.
this system.
The BFMS System Security Plan generally follows the OCIO template, but
What Did We Audit? there were instances where the documentation was incomplete or out of
date.
The OIG has completed a performance
audit of FFS to ensure that the system’s The CBIS risk assessment did not include an assessment of all known
security controls meet the standards control weaknesses.
established by FISMA, the National
Institute of Standards and Technology OPM could improve the continuous monitoring of the security controls of
BFMS.
(NIST), the Federal Information Security
Controls Audit Manual, and OPM’s Office
A contingency plan was developed for BFMS and is generally in
of the Chief Information Officer (OCIO).
compliance with NIST SP 800-34 Revision 1 and OCIO guidance.
However, the plan is missing several pieces of critical information.
The BFMS Plan of Action and Milestones (POA&M) documentation did
not include all required information and known weaknesses. In addition,
most POA&M remediation activities are more than six months past their
scheduled completion dates.
We evaluated a subset of the system controls outlined in NIST SP 800-53
Revision 4. We determined that most of the security controls tested appear
to be in compliance, however, we did note two areas for improvement.
______________________
Michael R. Esser
Assistant Inspector General
for Audits
i
ABBREVIATIONS
ATO Authorization to Operate
BFMS Benefits Financial Management System
DATA Act Digital Accountability and Transparency Act
FFS Federal Financial System
FIPS Federal Information Processing Standards
FISCAM Federal Information System Controls Audit Manual
FISMA Federal Information Security Management Act
IG Inspector General
ISCMP Information Security Continuous Monitoring Plan
IT Information Technology
MRB Management Review Board
NIST National Institute of Standards and Technology
OCFO Office of the Chief Financial Officer
OCIO Office of the Chief Information Officer
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
PIA Privacy Impact Analysis
POA&M Plan of Action and Milestones
PTA Privacy Threshold Analysis
Authorization Security Assessment and Authorization
SAP Security Assessment Plan
SAR Security Assessment Report
SP Special Publication
SSP System Security Plan
ii
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ........................................................................................ i
ABBREVIATIONS ..................................................................................................... ii
I. BACKGROUND ..........................................................................................................1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................6
A. Security Assessment and Authorization .................................................................6
B. FIPS 199 Analysis ...................................................................................................6
C. Privacy Impact Assessment .....................................................................................7
D. System Security Plan ...............................................................................................7
E. Security Assessment Plan and Report .....................................................................9
F. Continuous Monitoring..........................................................................................10
G. Contingency Planning and Contingency Plan Testing...........................................11
H. Plan of Action and Milestones Process..................................................................12
I. NIST 800-53 Evaluation ........................................................................................14
APPENDIX: OPM’s August 18, 2017, response to the draft audit report, issued
August 2, 2017.
REPORT FRAUD, WASTE, AND MISMANAGEMENT
I. BACKGROUND
IV. MAJOR CONTRIBUTORS TO THIS REPORT
On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347),
which includes Title III, the Federal Information Security Management Act. It requires (1)
annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency
reporting to the U.S. Office of Management and Budget (OMB) of the results of IG evaluations
for unclassified systems, and (4) an annual OMB report to Congress summarizing the material
received from agencies. In 2014, Public Law 113-283, the Federal Information Security
Modernization Act (FISMA), was established and reaffirmed the objectives of the prior FISMA.
As part of our evaluation, we will review the Office of Personnel Management (OPM)’s FISMA
compliance strategy and document the status of their compliance efforts.
On May 9, 2014, the President signed into law the Digital Accountability and Transparency Act
of 2014 (DATA Act) (P.L. 113-101), which includes Section 6, Accountability for Federal
Funding. It requires the Office of the Inspector General (OIG) to (1) review a statistically valid
sampling of the spending data submitted under the Data Act by the Federal agency; and (2)
submit to Congress and make publically available a report assessing the completeness,
timeliness, quality, and accuracy of the data sampled and the implementation and use of data
standards by the Federal agency. In accordance with the Data Act, we are conducting an
evaluation of OPM’s systems, processes, and internal controls in place over financial data
management.
The Federal Financial System (FFS) is a commercial-off-the-shelf general ledger application
used to keep record of financial transactions at OPM. The FFS application is a part of OPM’s
Benefits Financial Management System (BFMS), one of the agency’s major information
technology (IT) systems. BFMS is made up of several applications used by OPM’s Office of the
Chief Financial Officer’s (OCFO) Trust Fund Group to track and report on financial accounts
and transactions. Many of the security controls for FFS are inherited from BFMS or the
agency’s Enterprise Server Infrastructure (i.e., mainframe) and Local Area Network / Wide Area
Network General Support Systems. Not only is FFS a part of a major IT system on OPM’s
FISMA inventory, FFS is also one of the key systems generating data for DATA Act reports. As
such, FISMA and the DATA Act require the OIG to perform an audit of IT security controls of
this system.
1 Report No. 4A-CF-00-17-044
OPM’s Office of the Chief Information Officer (OCIO) and OCFO share responsibility for
implementing and managing the IT security controls of FFS. We discussed the results of our
audit with the OCIO and the OCFO representatives at an exit conference.
2 Report No. 4A-CF-00-17-044
IV. OBJECTIVES,
II. MAJOR CONTRIBUTORS
SCOPE, ANDTO THIS REPORT
METHODOLOGY
OBJECTIVES
Our goal was to perform an evaluation of the security controls for FFS to ensure the OCIO and
the OCFO officials have managed the implementation of IT security policies and procedures in
accordance with standards established by FISMA, the National Institute of Standards and
Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM), and
OPM’s OCIO.
The audit objective was carried out by reviewing the degree to which a variety of security
program elements have been implemented for FFS, including:
Security Assessment and Authorization (Authorization);
Federal Information Processing Standards (FIPS) 199 Analysis;
Privacy Impact Assessment (PIA);
System Security Plan (SSP);
Security Assessment Plan and Report;
Continuous Monitoring;
Contingency Planning and Contingency Plan Testing;
Plan of Action and Milestones (POA&M) Process; and
NIST Special Publication (SP) 800-53, Revision 4, Security Controls.
SCOPE AND METHODOLOGY
This performance audit was conducted in accordance with the Generally Accepted Government
Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the
audit included an evaluation of related policies and procedures, compliance tests, and other
auditing procedures that we considered necessary. The audit covered security controls and
3 Report No. 4A-CF-00-17-044
FISMA compliance efforts of OPM officials responsible for FFS, including the evaluation of IT
security controls in place as of July 2017.
We considered the FFS internal control structure in planning our audit procedures. These
procedures were mainly substantive in nature, although we did gain an understanding of
management procedures and controls to the extent necessary to achieve our audit objectives.
To accomplish our objective, we interviewed representatives of OPM’s OCIO and OCFO
program offices with FFS security responsibilities, reviewed documentation and system
screenshots, viewed demonstrations of system capabilities, and conducted tests directly on the
system. We also reviewed relevant OPM IT policies and procedures, federal laws, OMB policies
and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine
the extent to which established controls and procedures are functioning as required.
Details of the security controls protecting the confidentiality, integrity, and availability of FFS
are located in the “Results” section of this report. Since our audit would not necessarily disclose
all significant matters in the internal control structure, we do not express an opinion on FFS’
internal controls taken as a whole. The criteria used in conducting this audit include:
OPM Information Security and Privacy Policy Handbook;
OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
Management Act of 2002;
P.L. 113-283, Federal Information Security Modernization Act of 2014;
The Federal Information System Controls Audit Manual;
NIST SP 800-12, An Introduction to Computer Security;
NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information
Systems;
NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
4 Report No. 4A-CF-00-17-044
NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to
Federal Information Systems;
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations;
NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories;
NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities;
FIPS Publication 199, Standards for Security Categorization of Federal Information and
Information Systems; and
Other criteria as appropriate.
In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe the data was sufficient to
achieve the audit objectives. Except as noted above, the audit was conducted in accordance with
the Generally Accepted Government Auditing Standards issued by the Comptroller General of
the United States.
The audit was performed by the OPM Office of the Inspector General, as established by the
Inspector General Act of 1978, as amended. The audit was conducted from May through July
2017 in OPM’s Washington, D.C. office.
COMPLIANCE WITH LAWS AND REGULATIONS
In conducting the audit, we performed tests to determine whether OPM’s management of FFS is
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM was not in complete compliance with all standards, as described in section III of this
report.
5 Report No. 4A-CF-00-17-044
III. AUDIT FINDINGS AND RECOMMENDATIONS
The following sections detail the results from our audit of OPM’s Federal Financial System.
A. SECURITY ASSESSMENT AND AUTHORIZATION
A Security Assessment and Authorization (Authorization) includes 1) a comprehensive
assessment attesting that the system’s security controls meet security requirements and 2) an
official management decision to authorize operation of an information system and accept its
known risks. OMB’s Circular A-130, Appendix I mandates all Federal information systems
have a valid Authorization. Although OMB previously required periodic Authorizations every
three years, Federal agencies now have the option of continuously monitoring their systems to
fulfill the Authorization requirement. However, OPM does not yet have a fully mature program
in place to continuously monitor system security controls, so a current Authorization is required
for every OPM system.
BFMS was most recently authorized to operate (ATO) on FFS was appropriately
November 16, 2016. This ATO is valid for up to three years and subjected to the full
requires the system owner to monitor and remediate identified
Authorization process.
weaknesses on an ongoing basis.
B. FIPS 199 ANALYSIS
The E-Government Act of 2002 requires federal agencies to categorize all Federal information
and information systems. FIPS 199 provides guidance for how to appropriately assign the
categorization levels for information security according to a range of risk levels.
NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems
to Security Categories, provides an overview of the security objectives and impact levels
identified in FIPS Publication 199.
The BFMS security categorization documentation analyzes information processed by the system
and its corresponding potential impacts on confidentiality, integrity, and availability. BFMS is
categorized with a “moderate” impact level for each of these areas, resulting in an overall
categorization of “moderate.”
The security categorization of BFMS is consistent with FIPS Publication 199 and NIST SP 800-
60 requirements, and we agree with the categorization of “moderate.”
6 Report No. 4A-CF-00-17-044
C. PRIVACY IMPACT ASSESSMENT
The E-Government Act of 2002 requires agencies to perform Privacy Threshold Analysis (PTA)
screening of federal information systems to decide if the system needs a PIA. OMB
Memorandum M-03-22 outlines the necessary elements of a PIA. The purpose of the assessment
is to evaluate and document any personally identifiable information kept by an information
system.
A PTA and PIA were partially completed for BFMS (to include FFS) in September 2016.
However, both documents are incomplete (e.g., required questions were left unanswered) and
neither document has been formally approved and signed.
OPM policy requires that “Both the PTA and PIA must be reviewed by the OPM Privacy Officer
who recommends approval to the Chief Privacy Officer. These activities must be completed
prior to the authorization decision . . . .”
Recommendation 1
We recommend that OPM fully completes and approves a PIA for BFMS.
OPM Response:
“OPM concurs with the intent of the recommendation; … OPM has already determined that a
PIA is required for the major system and is working to update the PIA.”
OIG Comment:
As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal
Oversight and Compliance division with evidence that this recommendation has been
implemented. This statement applies to all subsequent recommendations in this audit report that
the OCIO agrees to implement.
D. SYSTEM SECURITY PLAN
Federal agencies must implement, for each information system, the security controls outlined in
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal
Information Systems, requires and guides the documentation of controls in each system’s SSP.
7 Report No. 4A-CF-00-17-044
The SSP for BFMS was created using the OCIO’s SSP template, which uses NIST SP 800-18,
Revision 1, as guidance. The template requires the following elements be documented within the
SSP:
System Name and Identifier; System Owner;
System Categorization; Authorizing Official;
Other Designated Contacts; Assignment of Security Responsibility;
System Operational Status; Information System Type;
General Description/Purpose; System Environment;
System Interconnection/Information Laws, Regulations, and Policies Affecting
Sharing; the System;
Security Control Selection; Minimum Security Controls; and
Completion and Approval Dates.
The current SSP was signed on October 4, 2016. We reviewed the BFMS SSP and determined it
does not adequately address all of the requirements of NIST. Specifically, we found instances of
the following issues:
System information and required control documentation were outdated, and
Required controls were either not documented or incompletely documented.
NIST SP 800-18, Revision 1, states “it is important to periodically assess the plan, review any
change in system status, functionality, design, etc., and ensure that the plan continues to reflect
the correct information about the system.”
The lack of current and complete system documentation increases the Outdated, missing, and
risks controls are not implemented and functioning as required. This incomplete information
increases the difficulty of assessing risks to the system and to OPM was identified in the SSP.
as a whole.
8 Report No. 4A-CF-00-17-044
Recommendation 2
We recommend that OPM update the BFMS SSP in accordance with the agency’s policies and
NIST standards.
OPM Response:
“OPM concurs with the recommendation. The major system SSP was updated and routed for
signature after the release of the draft report. OPM will provide OIG the signed SSP to
address this recommendation.”
E. SECURITY ASSESSMENT PLAN AND REPORT
A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for
BFMS in August 2016 and October 2016, respectively, as a part of the system’s Authorization
process. The SAP and SAR were completed by OPM IT security staff. We reviewed the
documents to verify that a risk assessment was conducted in accordance with NIST SP 800-30
Revision 1, Guide for Conducting Risk Assessments. We also verified that the appropriate
management, operational, and technical controls were tested for a system with a “moderate”
security categorization.
All known security
The assessment results table showed 49 of the 69 controls tested were weaknesses were
not fully satisfied. Of these 49 control deficiencies identified, 38 were not evaluated
not included in the risk assessment of the SAR. The remaining 11 during the risk
controls (those that were appropriately included in the risk assessment.
assessment), were all appropriately added to the BFMS POA&Ms.
OPM policy requires that each weakness identified in the assessment be assessed for risk as a
part of the SAR.
Failure to assess the risk associated with all identified weaknesses increases the risk that
weaknesses are not properly prioritized for remediation.
Recommendation 3
We recommend that OPM perform an analysis to assess the risk of the 38 control deficiencies
that were omitted from the risk assessment, and update the BFMS risk assessment and POA&Ms
to include all identified weaknesses and their risk levels.
9 Report No. 4A-CF-00-17-044
OPM Response:
“OPM concurs with the recommendation. After receipt of the draft report, OPM reviewed the
38 security controls in question. OPM is in the process of updating the risk assessment and
POA&Ms, as needed.”
F. CONTINUOUS MONITORING
OPM requires that the IT security controls of each application be assessed on a continuous basis.
OPM’s OCIO has developed an Information Security Continuous Monitoring Plan (ISCMP)
which includes a template outlining the security controls to be tested for all information systems.
This template must be tailored to each individual system’s specific security control needs. All
system owners are required to customize their system’s ISCMP and then test the system’s
security controls on an ongoing basis. The test results must be provided to the OCIO routinely
for centralized tracking.
We reviewed the BFMS ISCMP submissions from fiscal year
2017. Although it was apparent that control testing activity was performed for this system, we
noted significant issues with the testing process:
There were five instances where the results of the controls test were not documented;
There were numerous instances where the testing appears to be incomplete; and
All controls with results are marked as being fully satisfied even if non-remediated
weaknesses had been previously identified for certain controls.
Failure to properly continuously monitor controls increases the likelihood of unidentified risks to
the system.
Recommendation 4
We recommend that OPM test the security controls of BFMS in accordance with the ISCMP
testing schedule and ensure the results are properly documented.
10 Report No. 4A-CF-00-17-044
OPM Response:
“OPM concurs with the recommendation. After receipt of the draft report, OPM completed
testing the security controls of the major system and documented the results according to
OPM security procedures.”
G. CONTINGENCY PLANNING AND CONTINGENCY PLAN TESTING
NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems,
says effective contingency planning, execution, and testing are essential to mitigate the risk of
system and service unavailability. OPM’s security policies require all major applications to have
viable and logical disaster recovery and contingency plans, and these plans to be routinely
reviewed, tested, and updated.
1) Contingency Plan
The BFMS contingency plan documents the functions, operations, and resources necessary to
restore and resume BFMS when unexpected events or disasters occur. The contingency plan
adequately follows the format suggested by NIST SP 800-34, Revision 1, and OPM’s
template for contingency plans. However, not all portions of the BFMS contingency plan
have been completed. There are multiple sections of the contingency plan and 5 of its 13
appendices that do not contain all of the required information.
Failure to fully document the required contingency plan information increases the risk that
adverse effects from a disruptive event cannot be mitigated.
Recommendation 5
We recommend that OPM update the BFMS contingency plan to include all required
information from OPM’s template.
OPM Response:
“OPM concurs with the recommendation. OPM is in the process of updating the major
system contingency plan.”
11 Report No. 4A-CF-00-17-044
2) Contingency Plan Testing
Contingency plan testing is a critical element of a viable disaster recovery capability. OPM
requires contingency plans to be tested routinely to determine the plan’s effectiveness and the
organization’s readiness to execute the plan. NIST SP 800-34, Revision 1, provides guidance
for testing contingency plans and documenting the results.
The most recent contingency plan test for FFS was conducted in August 2016. The test was
identified as a functional test, and was marked as successful.
Nothing came to our attention to indicate the BFMS contingency plan testing process was
inadequate.
H. PLAN OF ACTION AND MILESTONES PROCESS
A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring
the progress of corrective efforts for known IT security weaknesses. OPM has implemented an
agency-wide POA&M process to help track known IT security weaknesses associated with the
agency’s information systems.
1) Incomplete POA&M Lists
We evaluated the BFMS POA&M documentation included in the Authorization package and
a separate list of POA&Ms maintained by OPM in its tracking tool. Neither list was
complete; the Authorization list did not include weaknesses previously identified and
maintained in the tracking tool, nor was the tracking tool updated to include the weaknesses
identified in the Authorization.
OPM policy requires “For systems going through a reauthorization, the POA&M also
includes all other open and draft weaknesses that are on the existing POA&M as well.”
Without a complete list of known weaknesses, OPM is most likely underreporting the
number of POA&Ms. Of greater concern, the authorizing official does not have a complete
understanding of the current system risk when authorizing the system to operate.
Furthermore, the POA&Ms in the Authorization package do not adhere to OPM’s POA&M
template or include all of the required information (e.g., resources required for remediation,
actual completion dates, milestone changes, and source information for weaknesses.)
12 Report No. 4A-CF-00-17-044
Without complete documentation there is an increased risk weaknesses are not resolved
appropriately and timely.
Recommendation 6
We recommend that OPM update the BFMS POA&M to include all identified weaknesses
and required information per OPM policy.
OPM Response:
‘OPM concurs with the recommendation. OPM is in transition from one POA&M
tracking tool to another. After receipt of the draft report, OPM added the POA&Ms to the
new tracking tool. The POA&Ms are now in the process of being updated with the
required information.”
2) Overdue POA&Ms
BFMS has a total of 46 open POA&M entries, and 45 have scheduled completion dates over
six months overdue. Of these, 11 are more than two years overdue and 1 dates back to 2012.
While we understand POA&Ms can be delayed due to resources constraints, it is imperative
POA&M documentation be updated so the current risks to the system can be understood.
The POA&M process is used to track both the progress and the delays in the remediation of
system weaknesses so resources may be efficiently used when available.
OPM’s POA&M policy states that “Should expected completion
A large number of
dates for milestones of POA&Ms be missed, the associated
POA&Ms are
POA&Ms will be brought before the [Management Review
significantly overdue
Board (MRB)] for review in order to address any corrective
without revised and
actions needed for remediating the POA&Ms in accordance with
approved remediation
the requirements defined in the [ATO] issued for the applicable
plans.
system. Updated milestones and expected completion dates will
be required for the following MRB meeting.”
Failure to properly maintain a system’s POA&M increases the likelihood of weaknesses not
being addressed in a timely manner and potentially exposing the system to malicious attacks
exploiting those unresolved vulnerabilities.
13 Report No. 4A-CF-00-17-044
Recommendation 7
We recommend that OPM develop a detailed action plan to remediate all overdue POA&M
items. This action plan should include realistic estimated completion dates.
OPM Response:
“OPM concurs with the recommendation. OPM is in the process of updating the POA&M
items with new estimated completion dates, taking into consideration any factors that have
led to the previously missed dates.”
I. NIST SP 800-53 EVALUATION
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations, provides guidance for implementing a variety of security controls for information
systems supporting the federal government. As part of this audit, we evaluated whether a subset
of these controls had been implemented for FFS and BFMS. We tested approximately 21
controls as outlined in NIST SP 800-53, Revision 4, including one or more controls from each of
the following control families:
Access Control; Planning
Audit and Accountability; Risk Assessment;
Configuration Management; Security Assessment and Authorization;
Contingency Planning; System and Communications Protection;
and,
Identity and Authentication; System and Information Integrity.
These controls were evaluated by interviewing individuals with security responsibilities,
reviewing documentation and system screenshots, viewing demonstrations of system
capabilities, and conducting tests directly on the system.
We determined the tested security controls appear to be in compliance with the requirements of
NIST SP 800-53, Revision 4, with the following exceptions:
14 Report No. 4A-CF-00-17-044
1) Control CM-6 – Configuration Settings
OPM maintains a security guide and user manual for BFMS, but these documents do not
detail the approved configuration settings for the system. Configuration settings are the
system options that are adjusted to enforce or enhance protection of system components and
data. Documented settings are necessary so the system can be reviewed for compliance
against an approved standard.
NIST SP 800-53, Revision 4, states that “Configuration settings are the set of parameters that
can be changed in hardware, software, or firmware components of the information system
that affect the security posture and/or functionality of the system. Information technology
products for which security-related configuration settings can be defined include, for
example, mainframe computers, servers . . . .”
Documented configuration settings for a system ensure that security settings are configured
to reduce the risk of unapproved changes.
Recommendation 8
We recommend that OPM document the approved security configuration settings for BFMS.
OPM Response:
“OPM concurs with the recommendation. OPM will assess the risk of this finding and
create an action plan to apply security controls to mitigate the identified risk, where
appropriate.”
2) Control SI-2 – Flaw Remediation
FFS is a commercial software product developed and supported
by a third-party vendor. This vendor had historically developed OPM has not had a
and released updated versions of the FFS software, but OPM has support contract in
not had a support contract in place to receive these updates since place for FFS since
2002. Although OPM has staff in place to manage the 2002.
configuration of the software (e.g., modify the system reports),
this does not alleviate the operational and security risks
associated with running unsupported software.
15 Report No. 4A-CF-00-17-044
The Office of Management and Budget has released specific guidance that states “Agencies
shall: . . . Prohibit the use of unsupported information systems and system components, and
ensure that systems and components that cannot be appropriately protected or secured are
given a high priority for upgrade or replacement;” and details that this “includes hardware,
software, or firmware components no longer supported by developers, vendors, or
manufacturers through the availability of software patches, firmware updates, replacement
parts, and maintenance contracts.” NIST SP 800-53, Revision 4, requires that, “The
organization: . . . Identifies, reports, and corrects information systems flaws . . . [and] Installs
security-relevant software and firmware updates . . . .”
FISCAM states “Procedures should ensure that only current software releases are installed in
information systems. [and explains the risk that] Noncurrent software may be vulnerable to
malicious code such as viruses and worms.”
In addition to the security risks inherent in operating an application that no longer receives
updates, there are two other critical issues OPM faces by continuing to use the unsupported
FFS application. First, FFS and BFMS inherit the majority of their security controls from the
general support systems that host these applications (OPM’s mainframe and Local Area
Network / Wide Area Network). As the support systems’ technology continues to evolve, the
FFS application may no longer be compatible with those host environments. This could
either make FFS obsolete, or it could increase the security risks of OPM as a whole should
the agency refrain from updating the support systems in order to keep the FFS application
operational. Second, OPM’s financial reporting needs continue to evolve (e.g., new
requirements from the DATA Act), and the core functionality of the FFS application cannot
be updated to meet these needs. As a result, OPM must currently rely on inefficient manual
processes to meet DATA Act reporting requirements.
Recommendation 9
We recommend that OPM develop and implement a plan to replace FFS with a fully
supported financial system.
OPM Response:
“OPM concurs with the recommendation. OPM has embarked upon an initiative to
modernize the application. As a part of this effort, OPM is in the acquisition planning
stage of assessing commercially available alternatives for systems implementation services,
application hosting services, operational support (post implementation including help desk
16 Report No. 4A-CF-00-17-044
services), and Commercial Off-The-Shelf (COTS) financial management software
applications. The objectives of the application replacement / Trust Funds Modernization
effort are to modernize/replace the current system to facilitate greater transparency,
compliance, and overall stability and sustainability of the system.”
17 Report No. 4A-CF-00-17-044
APPENDIX
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
August 18, 2017
Chief Information
Officer
MEMORANDUM FOR
CHIEF, INFORMATION SYSTEMS AUDIT GROUP
OFFICE OF THE INSPECTOR GENERAL
FROM: DAVID L. DEVRIES
CHIEF INFORMATION OFFICER
DENNIS D. COLEMAN
CHIEF FINANCIAL OFFICER
Subject: Office of Personnel Management Response to the Office of the Inspector
General Audit Report No. 4A-CF-00-17-044
Thank you for the opportunity to provide comments to the Office of the Inspector General (OIG)
draft report 4A-CF-00-17-044. We recognize that even the most well-run programs benefit from
external evaluation and we appreciate your assessment of our operations as it will help guide our
improvements to enhance the security of the data provided to OPM by the Federal workforce, the
Federal agencies, Private industries, and the general public.
We welcome a collaborative dialogue to help us fully understand the OIG’s recommendations as
we plan our remediation efforts so that our actions, and the closure of the recommendations,
thoroughly address the underlying issues.
The response to your recommendations is provided below.
Recommendation 1
We recommend that OPM fully complete and approve a PTA and PIA for the [major system].
OPM Response: OPM partially concurs with the recommendation. OPM concurs with the
intent of the recommendation; however, OPM has already determined that a PIA is required for
the major system and is working to update the PIA. Since OPM has already created a PIA for
the system, we do not intend to recreate a PTA at this time.
Report No. 4A-CF-00-17-04
Recommendation 2
We recommend that OPM update the [major system] SSP in accordance with the agency’s
policies and NIST standards.
OPM Response: OPM concurs with the recommendation. The major system SSP was updated
and routed for signature after the release of the draft report. OPM will provide OIG the signed
SSP to address this recommendation.
Recommendation 3
We recommend that OPM perform an analysis to assess the risk of the 38 control deficiencies
that were omitted from the risk assessment, and update the [major system] risk assessment and
POA&Ms to include all identified weaknesses and their risk levels.
OPM Response: OPM concurs with the recommendation. After receipt of the draft report, OPM
reviewed the 38 security controls in question. OPM is in the process of updating the risk
assessment and POA&Ms, as needed.
Recommendation 4
We recommend that OPM test the security controls of [the major system] in accordance with the
ISCMP testing schedule and ensure that the results are properly documented.
OPM Response: OPM concurs with the recommendation. After receipt of the draft report, OPM
completed testing the security controls of the major system and documented the results according
to OPM security procedures.
Recommendation 5
We recommend that OPM update the [the major system] contingency plan to include all required
Information from OPM’s template.
OPM Response: OPM concurs with the recommendation. OPM is in the process of updating
the major system contingency plan.
Recommendation 6
We recommend that OPM update the [the major system] POA&M to include all identified
weaknesses and required information per OPM policy.
OPM Response: OPM concurs with the recommendation. OPM is in transition from one
POA&M tracking tool to another. After receipt of the draft report, OPM added the POA&Ms to
the new tracking tool. The POA&Ms are now in the process of being updated with the required
information.
Recommendation 7
We recommend that OPM develop a detailed action plan to remediate all overdue POA&M
items. This action plan should include realistic estimated completion dates.
Report No. 4A-CF-00-17-044
OPM Response: OPM concurs with the recommendation. OPM is in the process of updating
the POA&M items with new estimated completion dates, taking into consideration any factors
that have led to the previously missed dates.
Recommendation 8
We recommend that OPM document the approved security configuration settings for [the major
system].
OPM Response: OPM concurs with the recommendation. OPM will assess the risk of this
finding and create an action plan to apply security controls to mitigate the identified risk, where
appropriate.
Recommendation 9
We recommend that OPM develop and implement a plan to replace [the application] with a fully
supported financial system.
OPM Response: OPM concurs with the recommendation. OPM has embarked upon an
initiative to modernize the application. As a part of this effort, OPM is in the acquisition
planning stage of assessing commercially available alternatives for systems implementation
services, application hosting services, operational support (post implementation including help
desk services), and Commercial Off-The-Shelf (COTS) financial management software
applications. The objectives of the application replacement / Trust Funds Modernization effort
are to modernize/replace the current system to facilitate greater transparency, compliance, and
overall stability and sustainability of the system
Again, thank you for the opportunity to provide comment to this draft report. Please contact us
or if you have questions or need additional information.
cc:
Chief Information Security Officer
Mark W. Lambert
Associate Director, Merit Systems Accountability and Compliance
Janet L. Barnes
Director, Internal Oversight and Compliance
Jason D. Simmons
Chief of Staff
Report No. 4A-CF-00-17-044
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations to
us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
IT Security Controls of the OPM's Federal Financial System
Published by the Office of Personnel Management, Office of Inspector General on 2017-09-29.
Below is a raw (and likely hideous) rendition of the original report. (PDF)