
Federal Information Security Management Act Audit FY 2008

Published by the Office of Personnel Management, Office of Inspector General on 2008-09-23.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                      US OFFICE OF PERSONNEL MANAGEMENT
                                                          OFFICE OF THE INSPECTOR GENERAL
                                                                            OFFICE OF AUDITS




Final Audit Report



Subject:


         FEDERAL INFORMATION SECURITY
              MANAGEMENT ACT AUDIT
                     FY 2008

                                     Report No. 4A-CI-00-08-022


                                      Date:                September 23, 2008




                                                            --CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited contract. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905); therefore, while this audit report is available
under the Freedom of Information Act, caution needs to be exercised before releasing the report to the general public.
                        UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                       Washington, DC 20415 


  Office of the
Inspector General


                                     Audit Report


                          U.S. OFFICE OF PERSONNEL MANAGEMENT 



                      FEDERAL INFORMATION SECURITY MANAGEMENT ACT 

                                      AUDIT FY 2008 


                                      WASHINGTON, D.C. 





                                     Report No. 4A-CI-00-08-022 



                                     Date:    September 23, 2008





                                                           Michael R. Esser
                                                           Assistant Inspector General
                                                              for Audits


        www.opm.gov                                                             www.usajobs.gov
                                Executive Summary 



                     U.S. OFFICE OF PERSONNEL MANAGEMENT



         FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT

                                FY 2008


                                    WASHINGTON, D.C.





                           Report No. 4A-CI-00-08-022


                           Date: September 23, 2008

This final audit report documents the Office of Personnel Management's (OPM's) continued
efforts to manage and secure its information resources. We believe that overall OPM has made
progress in strengthening its information technology (IT) security program since the advent of
the FISMA auditing and reporting requirements in 2002. However, we have significant concerns
this year with respect to several aspects of the program.

The summary of our audit results below indicates that there are opportunities for improvement in
a multitude of processes relevant to the overall IT security program at OPM, with the most
notable deficiencies being related to the processes of certification and accreditation (C&A), plan
of action and milestones, and maintenance of IT security policies and procedures. Specifically,
the Office of the Inspector General (OIG) noted that:

•   An active C&A exists for 39 of OPM's 40 systems. One system has not had an updated
    C&A since 2003. Another system went into production with a major element missing from
    its C&A package. The OIG considers this a significant deficiency in the control structure of
    OPM's IT security program.
•   OPM has implemented an agency-wide plan of action and milestones (POA&M) process to
    help track and prioritize known IT security weaknesses associated with the Agency's
    information systems. However, the POA&M process could be improved.
•   OPM's IT security policies have not been updated in at least three years. The OIG considers
    this condition to be a material weakness in the internal control structure of OPM's IT security
    program.

In addition to the weaknesses above, the OIG noted the following controls in place and opportunities
for improvement:

•   The contingency plans for 39 out of OPM's 40 systems were tested during fiscal year (FY)
    2008.
•   The security controls for all 40 systems in OPM's inventory were tested during FY 2008.
•   OPM performs routine oversight and evaluation of its major applications operated by a
    contractor. However, OPM does not update its system inventory to clearly identify the state
    of the system (active, suspended, development, etc.).
•   OPM maintains an inventory of all applications/systems under its control.
•   OPM has established a process for conducting privacy impact assessments (PIAs). As of
    August 2008, PIAs have been completed for each of the required 28 systems.
•   OPM has made good progress in implementing the requirements of the Office of Management
    and Budget's Memorandum 07-16, "Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information".
•   A technical configuration guide has been implemented to provide guidance for securing a
    variety of operating platforms in use at OPM. OPM's systems almost always adhere to the
    requirements of the configuration guide.
•   OPM has not implemented all elements of the Federal Desktop Core Configuration
    requirements.
•   OPM has created an "Incident Response and Reporting Policy" that describes the
    responsibilities of OPM's Computer Incident Response Team, and documents procedures for
    reporting all abnormal IT security events to the appropriate entities.
•   OPM has implemented a process to provide annual and mandatory information technology
    security and privacy awareness training.
•   The security and privacy awareness training contains a section that defines peer-to-peer file
    sharing, and explicitly prohibits its use on OPM networks and workstations.
•   E-authentication risk assessments have been completed for the appropriate systems at OPM.




                                        Contents

Executive Summary ........................................................................ i
Introduction .............................................................................. 1
    Background ............................................................................ 1
    Objectives ............................................................................ 1
    Scope and Methodology ................................................................. 2
    Compliance with Laws and Regulations .................................................. 4
Results ................................................................................... 5
      I. System Inventory .................................................................. 5
     II. Certification and Accreditation, Security Controls Testing, and Contingency Planning  5
    III. Agency Oversight of Contractor Systems and Quality of System Inventory ............ 7
     IV. Agency Plan of Action and Milestones Process ...................................... 8
      V. Certification and Accreditation Process .......................................... 11
     VI. Agency Privacy Impact Assessment Process ......................................... 12
    VII. Agency Progress in Implementing OMB M-07-16 ...................................... 13
   VIII. Configuration Management ......................................................... 16
     IX. Incident Reporting ............................................................... 18
      X. Security Awareness Training ...................................................... 19
     XI. Peer-to-Peer File Sharing ........................................................ 19
    XII. E-authentication Risk Assessments ................................................ 20
   XIII. Security Policies and Procedures Review and Update ............................... 20
Major Contributors to this Report ........................................................ 24

Appendix A: Office of Management and Budget FISMA Reporting Template for Inspectors General
Appendix B: Center for Information Services and Chief Information Officer's September 3, 2008
            response to the OIG's draft audit report, issued August 12, 2008.
                                        Introduction

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347),
which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In accordance with FISMA, we conducted an evaluation of
OPM's security program and practices. As part of our evaluation, we reviewed OPM's FISMA
compliance strategy and documented the status of its compliance efforts.

                                        Background

FISMA requirements pertain to all information systems (national security and unclassified
systems) supporting the operations and assets of an agency, including those systems currently in
place or planned. The requirements also pertain to IT resources owned and/or operated by a
contractor supporting agency systems.

FISMA reemphasizes the Chief Information Officer's (CIO) strategic, agency-wide security
responsibility. It also clearly places responsibility on each agency program office to develop,
implement, and maintain a security program that assesses risk and provides adequate security for
the operations and assets of programs and systems under their control.

To assist agencies in fulfilling their FISMA evaluation and reporting responsibilities, OMB
issued memorandum M-08-21 (FY 2008 Reporting Instructions for the Federal Information
Security Management Act and Agency Privacy Management). This memorandum provides a
consistent form and format for agencies to report to OMB. It identifies a series of reporting
topics that relate to specific agency responsibilities outlined in FISMA. Our evaluation and
reporting strategies were designed in accordance with the above OMB guidance.

                                         Objectives

Our overall objective was to perform an evaluation of OPM's security program and practices, as
required by FISMA. Specifically, we reviewed the following areas of OPM's IT security
program in accordance with OMB's FISMA IG reporting requirements:
•   System Inventory
•   Certification and Accreditation, Security Controls Testing, and Contingency Planning
•   Agency Oversight of Contractor Systems and Quality of System Inventory
•   Agency Plan of Action and Milestones Process
•   Certification and Accreditation Process
•   Agency Privacy Impact Assessment Process
•   Agency Progress in Implementing OMB M-07-16, Safeguarding Against and Responding to
    the Breach of Personally Identifiable Information
•   Configuration Management
•   Incident Reporting
•   Security Awareness Training
•   Peer-to-Peer File Sharing
•   E-authentication Risk Assessments
•   Security Policies and Procedures Review and Update

In addition, we evaluated the security controls of four major applications/systems at OPM. We
also followed-up on outstanding recommendations from prior system audits (see Scope and
Methodology for details of these audits).

                                 Scope and Methodology

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM's
FISMA compliance efforts through September 2008.

We reviewed OPM's general FISMA compliance efforts in the specific areas defined in OMB's
guidance and the corresponding reporting instructions. In addition, we evaluated security
controls for the following four major applications:
•   Central Personnel Data File System (OIG Report No. 4A-WR-00-08-024)
•   Employee Benefit Information System (OIG Report No. 4A-RI-00-08-023)
•   USAJOBS (OIG Report No. 4A-HR-00-08-058)
•   Executive Schedule C System (OIG Report No. 4A-M0-00-08-059)

In addition, the FY 2008 FISMA follow-up audit (OIG Report No. 4A-CI-00-08-061) indicated
that the following OPM major applications had outstanding audit recommendations from the FY
2006 and FY 2005 FISMA reviews:
•   GoLearn Learning Management Systems
•   Government Financial Information System
•   Actuaries Group System
•   Learning Management System
•   Fingerprint Transaction System
•   Enterprise Human Resources Integration Data Warehouse
•   Electronic Questionnaire for Investigations Processing
•   PIPS Financial Interface System

While resource restrictions limited our ability to evaluate all major applications at OPM, we
believe that the results of the evaluations listed above are a fair representation of OPM's overall
FISMA compliance status.

We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives. Accordingly, we obtained an understanding of the internal controls for these
various systems through interviews and observations, as well as inspection of various documents,
including information technology and other related organizational policies and procedures. This
understanding of these systems' internal controls was used to evaluate the degree to which the
appropriate internal controls were designed and implemented. As appropriate, we conducted
compliance tests using judgmental sampling to determine the extent to which established controls
and procedures are functioning as required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit testing to cause
us to doubt its reliability.
Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.

The criteria used in conducting this audit include:
•   OPM Information Technology Security Policy;
•   OPM IT Security Program Plan;
•   OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
•   OMB Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal Information
    Security Management Act and Agency Privacy Management;
•   OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
•   OMB Memorandum M-07-11, Implementation of Commonly Accepted Security
    Configurations for Windows Operating Systems;
•   OMB Memorandum M-06-16, Protection of Sensitive Agency Information;
•   OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;
•   E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
    Management Act of 2002;
•   National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An
    Introduction to Computer Security;
•   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
    Systems;
•   NIST SP 800-26, Self Assessment Guide for Information Technology Systems;
•   NIST SP 800-30, Risk Management Guide for Information Technology Systems;
•   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
•   NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information
    Systems;
•   NIST SP 800-53 Revision 1, Recommended Security Controls for Federal Information
    Systems;
•   NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to
    Security Categories;
•   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
    Categorization of Federal Information and Information Systems;
•   FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
•   Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from May through September 2008 in OPM's
Washington, D.C. office.

                       Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM's practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
program offices were not in complete compliance with all standards, as described in the
"Results" section of this report.






                                                 Results

       The sections below detail the results of the OIG's audit of OPM's FISMA compliance efforts.
       The results are formatted to be consistent with the questions outlined in the FY 2008 OMB
       Reporting Template for IGs.

I.        System Inventory

          OPM has identified 40 major applications/systems within eight of its program offices.
          OPM's system inventory indicated that these 40 systems fall into the following
          FIPS 199 system impact classifications: 7 high, 32 moderate, and 1 low. The inventory
          also indicated that 30 systems operate within the agency and 10 are operated at a
          contractor facility.

II.       Certification and Accreditation, Security Controls
          Testing, and Contingency Planning

          a) Number of systems certified and accredited (C&A)
              A C&A has been completed and remains active for 39 of the 40 systems in OPM's
              inventory. See section V below for details of the system without a current C&A and a
              review of OPM's C&A process.

          b) Number of systems for which security controls have been tested in the past year
              FISMA requires each agency to perform for all systems "periodic testing and evaluation
              of the effectiveness of information security policies, procedures, and practices, to be
              performed with a frequency depending on risk, but no less than annually ...."

              The Center for Information Services and Chief Information Officer (CIS/CIO) at OPM
              has implemented procedures for conducting an annual review of the security controls
              for each of the agency's systems. These controls are tested through either an annual
              self-assessment or through a security test and evaluation conducted by an independent
              source as part of the C&A process.

              The OIG determined that as of August 2008 the security controls had been tested for 37
              of OPM's 40 systems during the past year. We judgmentally selected 5 of these 37
              systems and conducted a detailed review of the documentation resulting from the test of
              security controls. We found that the security controls tests for all five systems in the
              sample were completed in accordance with NIST SP 800-53 Revision 1 guidance. The
              results of this sample were not projected to the entire population.

              An annual test of security controls provides a method for agency officials to determine
              the current status of their information security programs and, where necessary, establish
              a target for improvement. Failure to complete a security controls test increases the risk
              that agency officials are unable to make informed judgments to appropriately mitigate
              risks to an acceptable level.



  Recommendation 1
   We recommend that OPM ensure that an annual test of security controls has been
   completed for all systems.

   CIS/CIO Response:
   "We concur.

  In addition, we are providing [evidence that the security controls have been tested for
  the remaining systems]."

   OIG Reply:
   We acknowledge that a test of security controls was conducted for the remaining three
   systems. However, due to the fact that this documentation was submitted to the OIG
   after the draft audit report was issued, we did not have sufficient time to evaluate the
   quality of these tests of security controls. We will evaluate the quality of the security
   controls tests submitted after the fieldwork phase of this audit as part of the 2009
   FISMA audit.

c) Number of systems for which contingency plans have been tested
   FISMA requires that a contingency plan be in place for each major application, and that
   the contingency plan be tested on an annual basis.

   The OIG judgmentally selected a sample of 5 out of OPM's 40 system contingency plans
   and conducted an in-depth review of these plans to ensure that they met the requirements
   of NIST SP 800-34, "Contingency Planning Guide for Information Technology
   Systems." The review included, but was not limited to, the following elements of the
   contingency plan:

   •   System recovery on an alternate platform from backup media;
   •   Coordination among recovery teams;
   •   Internal and external connectivity;
   •   System performance using alternate equipment;
   •   Notification procedures.


   Nothing came to our attention to indicate that these contingency plans were not in
   compliance with NIST guidance. The results of this sample were not projected to the
   entire population.

   The OIG received documentation indicating that the contingency plans for 36 of OPM's
   40 systems were tested in the past year.

   Effective contingency planning and testing establishes procedures and technical measures
   that enable a system to be recovered quickly and effectively from a service disruption or
   disaster. An incomplete or untested contingency plan increases the risk that a
   system could not recover from a service disruption in a timely manner.

         Recommendation 2
         We recommend that OPM's program offices test the contingency plans for
         each system on an annual basis.

        CIS/CIO Response:
        "We concur.

         We are providing contingency plan test results for [three of the four systems that were
         missing on the date the draft audit report was issued]."

        OIG Reply:
        The CIS/CIO's response to the draft report included evidence of four additional
        contingency plan tests. However, only three of these four contingency plan tests
        correspond to the four that were identified as missing as of the date the draft audit
        report was issued. Therefore, one system continues to lack a contingency plan test less
         than one year old. We continue to recommend that the contingency plans for all 40 OPM
         systems be tested on an annual basis.

III. Agency Oversight of Contractor Systems and Quality of System Inventory

     The CIS/CIO continuously maintains a master inventory of OPM's major systems.
     The CIS/CIO relies on the various program offices to identify the existence and status
     of systems to be included in the inventory. The OIG agrees with the total number of
     systems listed in the most recent system inventory (40) and agrees with the number of
     systems operated by a contractor (10).

     OPM performs routine oversight and evaluation of its systems operated by a contractor.
     Each of the 10 OPM systems that are operated by a contractor has been certified and
     accredited by OPM. In addition, the annual self-assessment of IT security controls for
     each of these systems was conducted by an OPM employee.

     Although OPM's system inventory accurately identifies all of the agency's active
     major systems, it also lists systems that are still in development and have not been
     certified and accredited. These systems are not clearly labeled as inactive or in
     development, which could lead to an inaccurate count of the total number of systems.

     Recommendation 3

     We recommend that OPM update its system inventory to clearly identify the state of
     the system (active, suspended, development, etc.).





     CIS/CIO Response:
     "We concur."

IV. Agency Plan of Action and Milestones Process

     A plan of action and milestones (POA&M) is a tool used to assist agencies in identifying,
     assessing, prioritizing, and monitoring the progress of corrective efforts for IT security
     weaknesses. The sections below detail several weaknesses related to the appropriate use
     of POA&Ms at OPM. These weaknesses comprise items that are the responsibility of
     both the CIS/CIO and the various program offices owning the information systems. The
     OIG believes that these weaknesses represent a significant deficiency in OPM's overall
     POA&M methodology.

     a) The POA&M is an agency-wide process, incorporating all known IT security
        weaknesses
        OPM has implemented an agency-wide POA&M process to help track known IT
        security weaknesses associated with the agency's information systems. However, we
        found that three POA&Ms did not contain all security weaknesses identified during
        security controls tests of those systems.

        Failure to include all security weaknesses on POA&Ms limits the CIS/CIO's ability to
        monitor the program office's efforts in correcting IT security weaknesses.

        Recommendation 4
        We recommend that the program offices incorporate all known security weaknesses
        into the POA&Ms.

        CIS/CIO Response:
        "We concur."

     b) Program officials develop, implement, and manage POA&Ms for their systems
        OPM program office officials are responsible for developing, implementing, and
        managing POA&Ms for each system that they own and operate. The OIG was provided
        evidence that POA&Ms are continuously managed for only 38 of OPM's 40 systems.

        Recommendation 5
        We recommend that an up-to-date POA&M exist for each system in OPM's inventory.

        CIS/CIO Response:
         "We concur.

        In addition, we are providing two system POA&Ms that we had not previously
        submitted as part of the original audit request."



   OIG Reply:

   We acknowledge that a current POA&M exists and has been routinely updated for one
   of the two systems in question. However, the POA&M for the                    system
   provided to the OIG in response to the draft audit report was created on August 25, 2008,
   and had not been managed or updated since February 2007. Furthermore, this POA&M
   did not incorporate the majority of the security vulnerabilities identified during the 2008
   security controls testing for            The OIG believes that this represents a weakness
   in OPM's overall POA&M process, and continues to recommend that POA&M be
   continuously managed for each system in OPM's inventory.

c) Program officials and contractors report their progress on security weakness
   remediation to the CIO

   On a quarterly basis, OPM program officials are required to send the CIS/CIO an updated
   POA&M detailing the progress made in correcting the system's security weaknesses.
   However, POA&Ms were not submitted to the CIS/CIO for 3 systems in the third quarter
   of 2008.

   Recommendation 6

   We recommend that all program offices submit POA&Ms to the CIS/CIO office on a
   quarterly basis.

   CIS/CIO Response:
   "We concur.

   We are providing a total of three system POA&Ms that had not been previously
   submitted as a part of the original audit request. Two of these POA&Ms were provided
   as part of Recommendation 5. The third POA&M was not provided because it was a
   negative report, therefore no weaknesses were identified to report for that system. In
   the future, we will request that all systems provide a quarterly POA&M whether or not
   weaknesses are identified for each system."

   OIG Reply:

   The POA&Ms provided by CIS/CIO in response to the draft audit report were for the 4th
   Quarter of 2008. This audit recommendation resulted from tests of 3rd quarter POA&M
   submissions which showed that POA&Ms for 3 of OPM's 40 systems were missing.
   We continue to recommend that all program offices submit POA&Ms to the CIS/CIO on
   a quarterly basis.

d) Agency CIO centrally tracks, maintains, and reviews POA&M activities on a
   quarterly basis

   OPM's agency-wide POA&M process requires program offices to provide the CIS/CIO
   with evidence, or "proof of closure," that the weaknesses identified in POA&Ms have
   been resolved.


        The OIG judgmentally selected POA&M items from 13 systems and asked the CIS/CIO
        to provide the proof of closure documentation that they had received from the program
        offices when the POA&M item was labeled as "complete." The CIS/CIO was able to
        provide proof of closure documentation for only 6 of these 13 systems.[1]

        Recommendation 7
        We recommend that the CIS/CIO require each program office to provide evidence (proof
        of closure) that POA&M weaknesses have been resolved before allowing that item to be
        labeled "complete."

        CIS/CIO Response:
         "We concur."

    e) IG findings are incorporated into the POA&M process
        In FY 2007, the OIG conducted audits of four OPM systems, and verified that the
        recommendations from these four audit reports were incorporated into the respective
        system's POA&M. However, three privacy program related audit recommendations from
        the OIG's 2007 FISMA final audit report did not appear on the POA&M maintained by
        OPM's Plans and Policies Group.

        In addition, OIG audit recommendations for one OPM system appeared on an older
        version of the POA&Ms for that system, but were not included in the most recent
        version.

        Recommendation 8
        We recommend that all OIG recommendations be included on POA&Ms and they not be
        removed until evidence of proof of closure is provided to the CIS/CIO.

        CIS/CIO Response:
        "We concur."

    f) POA&M process prioritizes IT security weaknesses
        Each program office at OPM prioritizes IT security weaknesses on their POA&Ms to
        help ensure significant IT security weaknesses are addressed in a timely manner and
        receive appropriate resources.
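The POA&M controls discussed above, written out as a small tracker for this page (an added example, not the OIG's or OPM's own tooling): an item cannot be labeled complete without proof of closure (Recommendation 7), an OIG-sourced item cannot be dropped until it has been closed with evidence (Recommendation 8), open items are ordered by the priority each program office assigns, systems that skipped a quarterly submission are listed, and the sample-to-population projection used in footnote 1 is reproduced. Every system name, weakness and evidence string is constructed for illustration.

```python
"""POA&M tracker for the controls discussed above.

Added example, not OPM's or the OIG's tooling. Every system name,
weakness and evidence string below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIORITIES = ("high", "medium", "low")  # ordering used by open_by_priority


@dataclass
class Weakness:
    system: str
    description: str
    priority: str
    source: str = "self-assessment"       # "OIG" for audit recommendations
    status: str = "open"                  # "open" or "complete"
    proof_of_closure: Optional[str] = None


class POAM:
    """Agency-wide POA&M maintained centrally by the CIO function."""

    def __init__(self) -> None:
        self.items: List[Weakness] = []

    def add(self, item: Weakness) -> Weakness:
        if item.priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}")
        self.items.append(item)
        return item

    def complete(self, item: Weakness, evidence: str) -> None:
        """Recommendation 7: no 'complete' label without proof of closure."""
        if not evidence or not evidence.strip():
            raise ValueError("proof of closure is required before marking complete")
        item.proof_of_closure = evidence.strip()
        item.status = "complete"

    def remove(self, item: Weakness) -> None:
        """Recommendation 8: OIG items stay listed until closed with evidence."""
        if item.source == "OIG" and item.proof_of_closure is None:
            raise PermissionError("OIG recommendation cannot be removed without proof of closure")
        self.items.remove(item)

    def open_by_priority(self) -> List[Weakness]:
        """Open items, highest priority first (section f)."""
        open_items = [i for i in self.items if i.status == "open"]
        return sorted(open_items, key=lambda i: PRIORITIES.index(i.priority))


def quarterly_submission_gaps(inventory: List[str], submitted: List[str]) -> List[str]:
    """Systems that sent no POA&M this quarter; a negative report still counts."""
    return sorted(set(inventory) - set(submitted))


def project_sample(sample_ok: int, sample_size: int, population: int) -> Tuple[int, int]:
    """Project a judgmental sample onto the population, as footnote 1 does:
    returns (rounded percentage, estimated number of systems)."""
    rate = sample_ok / sample_size
    return round(rate * 100), round(rate * population)


if __name__ == "__main__":
    poam = POAM()
    item = poam.add(Weakness("Constructed System A", "no contingency plan", "high", source="OIG"))
    poam.complete(item, "Contingency plan approved 2008-08-01 (constructed evidence)")
    print(poam.open_by_priority(), project_sample(6, 13, 40))
```

The two guard clauses are the whole point: the "complete" label and the removal of an OIG item are each tied to the presence of evidence, so the POA&M cannot drift away from the audit record the way sections (d) and (e) describe.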




[1] In the OMB FISMA Reporting Template for Inspectors General, Question 4 (see Appendix A), we projected these
results across the entire system population (40). Consequently, we determined that 46% of the systems' POA&M
activities are tracked by the CIS/CIO.




V.   Certification and Accreditation Process

     Certification is a comprehensive assessment that attests that a system's security controls are
     meeting the security requirements of that system, and accreditation is the official
     management decision to authorize operation of an information system and accept its risks.
     Each major application at OPM is subject to the certification and accreditation (C&A)
     process every three years.

     The OIG reviewed the C&A documentation for all OPM systems in which a C&A was due
     in FY 2008. During this review we discovered that one system was operating with an
     expired C&A, and another (new) system went into a live operating status without a complete
     C&A package. It is the responsibility of OPM's CIS/CIO to ensure that all live/production
     systems in OPM's inventory are subject to a complete C&A every three years, as required by
     FISMA. We believe that the following weaknesses in OPM's C&A process indicate a
     significant deficiency in the control structure of OPM's IT security program:

     a) Expired C&A
        OPM's [redacted] system has not been subject to a full C&A since 2003. The system
        did go through a partial C&A in 2006, but the process did not include an independent
        test of the system's security controls. The 2006 C&A documentation included an
        extended authorization to operate (ATO) for one year, as a new system was scheduled
        to replace [redacted] in January 2007. In 2007, the ATO was extended for an additional
        year because the release date of the new system was pushed back to August 2007.

        As of August 2008, the ATO for [redacted] has been extended a third time with no
        specified expiration date.

        Recommendation 9
        We recommend that the CIS/CIO take the appropriate steps to ensure that all active
        systems in OPM's inventory have a complete and current C&A.

        CIS/CIO Response:
        "We concur.

        In addition, we are providing the C&A [remainder illegible]"

        OIG Reply:
        The documentation provided to the OIG in response to recommendation 9 included a
        fourth extension to the [redacted] system's ATO, and did not comprise a complete C&A
        package as required by FISMA. Specifically, the 2008 C&A documentation for
        [redacted]:

        • Did not contain a current Information System Security Plan (ISSP). The ISSP
          provided was developed in August 2003.
        • Did not contain a contingency plan.
        • Did not contain a current contingency plan test.
        • Did not contain signed Certification and Accreditation statements.
        • Contained an incomplete POA&M; the POA&M provided did not include all of
          the vulnerabilities identified in the August 25, 2008 Baseline Security
          Requirements Test for [redacted].

        The OIG continues to consider the fact that [redacted] has not been fully C&A'd in over
        five years a significant deficiency in the control structure of OPM's IT security program.

     b) Missing element from C&A
        The OIG conducted a detailed review of the C&A packages that were completed during
        the past year. While the majority of the systems' C&A documentation contained all of
        the elements required by FISMA and relevant NIST guidance, the C&A statements for
        one system were signed and approved even though a business contingency plan had not
        been created for that system. Although the OIG acknowledges that the missing
        contingency plan is listed as an action item on that system's POA&M, we believe that a
        system should not be C&A'd and allowed to go into a live/production status without a
        contingency plan in place.

        Recommendation 10
        We recommend that all elements required by FISMA and relevant NIST guidance be in
        place before a system is formally C&A'd.

        CIS/CIO Response:
        "We concur. However, business reasons may compel the issuance of an IATO without
        all the required elements of a C&A package in place. As such, required components not
        included in the C&A package will be added to the appropriate system POA&M as
        weaknesses to be completed in a timely manner."

        OIG Reply:
        We acknowledge that business reasons may compel the issuance of an interim ATO
        (IATO) without all the required elements of a C&A package in place. When taking this
        approach, the IATO should be set to expire after a period of time sufficient to remedy the
        outstanding problems (which should be no more than several months), at which point a
        full ATO can be issued. However, the system with a missing contingency plan received
        a full C&A with a three-year ATO signed by the Associate Director of the program
        office that owns the system.

VI. Agency Privacy Impact Assessment Process

     The E-Government Act of 2002, section 208, requires agencies to conduct privacy impact
     assessments (PIA) of information systems that process personally identifiable information
     (PII). In 2007, OPM's IT security officer issued a "PII Questionnaire" to the designated
     security officer for each of the Agency's major systems to determine whether the system



     contains PII. The results of the questionnaire indicated that 37 of OPM's 40 systems
     contained at least some PII. Of these 37 systems, 28 require PIAs.

     OPM's PIA Guide states that the Agency's Plan and Policies Group (PPG) is responsible
     for obtaining the CIO's review of the initial screening and PIA, if required. PPG is also
     responsible for publishing the PIA on OPM's website and sending a copy to OMB. As of
     August 2008, summaries of all 28 required PIAs had been published to OPM's website.
     OPM intends to replace each PIA summary with a full PIA prior to September 30, 2008.

VII. Agency Progress in Implementing OMB M-07-16
     The OIG evaluated OPM's privacy program by conducting a qualitative assessment of the
     agency's progress in implementing OMB Memorandum M-07-16, "Safeguarding Against
     and Responding to the Breach of Personally Identifiable Information." OMB M-07-16
     requires all federal agencies to develop and implement a "breach notification policy." The
     memorandum provides a framework for creating the policy, and outlines security and
     privacy requirements related to the protection of PII. The sections below highlight OPM's
     progress in implementing the various requirements of M-07-16.

     a) Implement a breach notification policy
        OPM has developed an "Information Security and Privacy Policy" that contains
        breach notification procedures. The policy identifies the internal and external entities
        that must be notified when a security breach occurs. OPM's Director also issued an
        agency-wide email labeled "New Procedures Regarding the Use of Personally
        Identifiable Information." This message provided OPM employees with specific
        instructions to notify the agency's "situation room" immediately after detecting any
        security or privacy breach.

        Although the Information Security and Privacy policy has received final approval from
        OPM's senior management, it has not been distributed to the agency's general
        population of information system users.

        Recommendation 11
        We recommend that OPM issue its "Information Security and Privacy Policy" to all
        agency employees and post a copy to the agency's internal website.

        CIS/CIO Response:
        "We concur. The document has been posted on [OPM's internal website]."

        OIG Reply:
        No further action is required.






b) Privacy requirements
   OMB M-07-16 requires agencies to review and reduce the volume of PII processed
   through their systems.

   Review Current Holdings
   As mentioned in the Privacy Impact Assessment section above, each of OPM's program
   offices completed a "PII Questionnaire" to evaluate the current holdings of PII on
   the information systems they own.

   OPM's PIA Guide also mentions that it is the responsibility of each program office to
   review and update their PIAs on an annual basis.

   Reduce the Use of Social Security Numbers
   OMB M-07-16 requires agencies to establish a plan to eliminate the unnecessary
   collection and use of social security numbers (SSNs) within 18 months. OPM has taken
   several steps to reduce the use of SSNs in its systems and programs, including:
   • OPM's Director issued a memo to all Chief Human Capital Officers providing
     guidance to agencies to protect and eliminate the unnecessary use of SSNs.
   • The designated security officers of OPM's major systems have been briefed on their
     responsibility for evaluating the unnecessary use of SSNs on their respective systems.
   • OPM has participated in the Interagency Best Practices Collaborative meeting to
     discuss ways of eliminating unnecessary SSNs and to share information on the
     development of an alternative identifier.
   • OPM has a "Forms Officer" designated with the responsibility of reviewing OPM-
     owned forms to ensure the reduction or elimination of unnecessary use of SSNs.

   Recommendation 12
   We recommend that OPM continue its efforts to reduce the use of SSNs and develop a
   formal plan to eliminate the unnecessary collection and use of SSNs within 18 months in
   accordance with OMB M-07-16.

   CIS/CIO Response:
   "We concur with the thrust of the recommendation and will continue our efforts
   to reduce the use of SSNs and will update our formal plan to eliminate the
   unnecessary collection and use of SSNs."

c) Security requirements
   The security requirements outlined in OMB M-07-16 reference the elements below that
   originated from a prior OMB Memorandum, "Protection of Sensitive Agency
   Information" (M-06-16).






  Encryption
  OPM's IT Security and Privacy Policy requires that all sensitive data on mobile
  computers be encrypted with FIPS 140-2 validated cryptographic modules. The agency
  has implemented a temporary solution that requires users to manually encrypt sensitive
  data using WinZip. OPM is in the process of developing a solution to automatically
  encrypt sensitive data on mobile computers.

   Recommendation 13
   We recommend that OPM continue its efforts to implement a solution to automatically
   encrypt all data on mobile computers/devices carrying agency data unless the data is
   determined not to be sensitive.

   CIS/CIO Response:
   "We concur."

   Control Remote Access
   OPM has implemented a two-factor authentication requirement for controlling remote
   access to its information systems. In order to access OPM's internal applications
   remotely, users must connect to the OPM network through a Virtual Private Network
   (VPN) connection that requires both a personal identification number (PIN) and a token
   PIN to authenticate.

   Time Out Function
   OPM users remotely connected to the network through VPN must re-authenticate after 10
   minutes of inactivity.

   Log and Verify
   OPM does not currently have an agency-wide methodology for logging computer-
   readable data extracts and is unable to determine whether sensitive data has been erased
   after 90 days.

   Recommendation 14
   We recommend that OPM continue its efforts to develop a methodology for logging
   computer-readable data extracts to determine whether sensitive data has been erased after
   90 days.

   CIS/CIO Response:
   "We concur with the need to continue the efforts to develop a methodology for logging
   computer-readable data extracts."
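The "Log and Verify" control above, as an added example for this page rather than any OPM methodology: each extract of sensitive data is logged, and a periodic check lists the extracts that are past the 90-day point with no recorded erasure, so the agency can actually answer the question the OIG says it currently cannot. The log rows, user and system names are constructed.

```python
"""Computer-readable data extract log with the 90-day erasure check.

Added example, not OPM's tooling. The log records below are constructed;
the control is the one the text names: log each extract of sensitive data
and verify it has been erased (or its retention justified) within 90 days.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Tuple, Union

RETENTION_DAYS = 90

# Constructed sample log: one row per extract; an empty erased_on means the
# extract is still held by the user.
SAMPLE_LOG = """\
extract_id,user,system,extracted_on,sensitive,erased_on
E-001,user1,systemA,2008-05-01,yes,2008-06-15
E-002,user2,systemB,2008-05-20,yes,
E-003,user3,systemC,2008-06-01,no,
E-004,user4,systemA,2008-08-01,yes,
"""


def _as_date(value: Union[str, date]) -> date:
    """Accept either an ISO date string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV log into records with real date objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "extract_id": row["extract_id"],
            "user": row["user"],
            "system": row["system"],
            "extracted_on": _as_date(row["extracted_on"]),
            "sensitive": row["sensitive"].strip().lower() == "yes",
            "erased_on": _as_date(row["erased_on"]) if row["erased_on"] else None,
        })
    return records


def erasure_deadline(extracted_on: Union[str, date]) -> date:
    """The day by which a sensitive extract must be erased or its retention justified."""
    return _as_date(extracted_on) + timedelta(days=RETENTION_DAYS)


def overdue_extracts(records: List[Dict], today: Union[str, date]) -> List[Tuple[str, int]]:
    """Sensitive extracts past the deadline with no recorded erasure, as
    (extract_id, age in days)."""
    today = _as_date(today)
    overdue = []
    for r in records:
        if not r["sensitive"] or r["erased_on"] is not None:
            continue
        if today > erasure_deadline(r["extracted_on"]):
            overdue.append((r["extract_id"], (today - r["extracted_on"]).days))
    return overdue


def record_erasure(records: List[Dict], extract_id: str, erased_on: Union[str, date]) -> bool:
    """Close out an extract once its erasure is verified; False if the id is unknown."""
    for r in records:
        if r["extract_id"] == extract_id:
            r["erased_on"] = _as_date(erased_on)
            return True
    return False


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for extract_id, age in overdue_extracts(recs, "2008-09-01"):
        print(f"{extract_id}: {age} days old, no erasure recorded")
```

The check deliberately ignores extracts flagged as non-sensitive and those with an erasure date, so the report that goes to the CIS/CIO contains only the items that need a decision: verify erasure, or document why the data is still needed.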

d) Incident reporting and handling requirements
   See section IX. "Incident Reporting"





   e) Rules and consequences
        In addition to the "Information Security and Privacy Policy" and the "New Procedures
        Regarding the Use of Personally Identifiable Information," OPM has issued several
        additional policies and guidance related to rules and responsibilities regarding the
        protection of PII, including:
        • OPM Guidelines for Handling PII - outlines specific rules to follow while possessing
          PII outside of a secure worksite.
        • Security, Privacy, and 508 Contract Compliance Requirements - sets forth
          requirements for contractors that have access to PII.
        • Situation Room Incident Response Procedures - provides detailed procedures to be
          followed by the situation room when they are notified of a PII breach.

        Although OPM's "Information Security and Privacy Policy" outlines corrective actions
        that can be imposed for the failure to adequately protect PII, this policy is not currently
        available to all OPM system users. However, the agency has conducted mandatory
        online "PII Responsibilities" training that stated that the corrective actions for improper
        disclosure of PII may range from counseling to removal, and that additional penalties
        covered in the Privacy Act could also be implemented.

VIII.     Configuration Management

   This section details the controls OPM has in place regarding the technical configuration
   management of its major applications and user workstations.

    a) Agency-wide security configuration policy
        FISMA requires each agency to develop minimally acceptable system configuration
        requirements for all operating platforms in use at that agency. OPM's Network
        [illegible] has [illegible] for securing its [illegible] operating [illegible], [illegible]
        implemented configuration [illegible] for securing [illegible], and the [illegible]
        Systems Group (ASG) has implemented a configuration [illegible] for securing
        [redacted].

    b) Extent to which systems implement common security configurations
        NMG provided the OIG with documentation [illegible] that the Agency's systems adhere
        to the configuration guidelines for [illegible]. An independent
        contractor reviewed the configuration [illegible] system to
        confirm compliance with the secure configuration guide.

        The OIG conducted a vulnerability scan of 10 production [illegible]. The
        results of the scans indicated that all 10 [illegible] contained at least one
        setting that was not compliant with OPM's [illegible] configuration policy.





  Due to privacy and security concems, the technical details of these vulnerabilities will not
  be included in this audit report. However, this information has been provided to OPM's
  CIS/CIO and ASG through an informal audit inquiry.

  Recommendation 15
  We recommend that OPM configure its [redacted] in a manner consistent with
  OPM's [redacted] Configuration Policy. Each of the vulnerabilities outlined in the OIG's
  audit inquiry should be formally documented, itemized, and prioritized in a POA&M. In
  the event that a vulnerability cannot be remediated due to a technical or business reason,
  the supported system's owner should document the reason in the system's ISSP to
  formally accept any associated risks.

   CIS/CIO Response:
   "We concur.

  In addition, we have addressed the discovered vulnerabilities and provided the
  supporting documentation to the OIG."

   OIG Reply:
   The OIG agrees that OPM's ASG has addressed the discovered vulnerabilities for 5 of
   the 10 [redacted] that were part of this review. Each of the five additional [redacted] has a
   single outstanding vulnerability in common. These five [redacted] are all [redacted].
   Because [redacted] is no longer supported by the vendor, OPM is hesitant to
   make the system changes necessary to address this vulnerability.

   Two of the 40 systems in OPM's inventory are affected by the vulnerability in these 5
   [redacted]. The owner of one of these systems has formally accepted the risks associated
   with operating an outdated version of [redacted]. If ASG does not wish to update the other
   [redacted], we recommend that ASG work with the CIS/CIO to notify the system owners
   of the vulnerability so that the system owner can incorporate an acceptance of the
   vulnerability risk into their ISSP.

c) Federal desktop core configuration
   OMB Memorandum [redacted] requires federal agencies to implement standard security
   configurations for [redacted] by February 2008. These standard
   configurations were developed by NIST, the Department of Defense, and the Department
   of Homeland Security, and became known as the Federal Desktop Core Configuration
   (FDCC).

   As of August 2008, OPM has created a new standard [redacted] image that generally
   adheres to FDCC requirements, and settings that deviate from FDCC requirements have
   been documented. However, the FDCC settings have only been implemented in one
   program office at OPM. Furthermore, OPM has not included the new Federal Acquisition
   Regulation 2007-004 language in all contracts related to common security settings.




         Recommendation 16
         We recommend that OPM continue its efforts to implement all required elements of the
         FDCC.

         CIS/CIO Response:
         "We concur."
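Sections VIII(b) and (c) describe the same check from two angles: compare a host's observed settings against an agency baseline, and treat a deviation as a finding unless the system owner has formally accepted it in the ISSP. The following is an added example for this page, not OPM's, NIST's or any scanner's code. The baseline is a constructed handful of settings in the style of a desktop configuration standard, not the FDCC itself; the hosts, observed values and the risk acceptance are likewise constructed.

```python
"""Baseline compliance check with documented deviations.

Added example, not OPM's, NIST's or a scanner's code. BASELINE is a
constructed stand-in for a configuration standard such as the FDCC; hosts,
observed settings and the ISSP acceptance record are constructed too.
"""
from typing import Dict, Hashable, List, Tuple

MISSING = "<not set>"   # a setting absent from the observation is non-compliant

BASELINE: Dict[str, Hashable] = {
    "MinimumPasswordLength": 12,
    "AccountLockoutThreshold": 5,
    "ScreenSaverTimeoutSeconds": 900,
    "AutorunDisabled": True,
    "GuestAccountEnabled": False,
}

# Constructed results of collecting the same settings from four workstations.
OBSERVED: Dict[str, Dict[str, Hashable]] = {
    "ws-01": {"MinimumPasswordLength": 12, "AccountLockoutThreshold": 5,
              "ScreenSaverTimeoutSeconds": 900, "AutorunDisabled": True,
              "GuestAccountEnabled": False},
    "ws-02": {"MinimumPasswordLength": 12, "AccountLockoutThreshold": 5,
              "ScreenSaverTimeoutSeconds": 1800, "GuestAccountEnabled": True},
    "ws-03": {"MinimumPasswordLength": 8, "AccountLockoutThreshold": 5,
              "ScreenSaverTimeoutSeconds": 900, "AutorunDisabled": True,
              "GuestAccountEnabled": False},
    "ws-04": {"MinimumPasswordLength": 12, "AccountLockoutThreshold": 5,
              "ScreenSaverTimeoutSeconds": 1800, "AutorunDisabled": True,
              "GuestAccountEnabled": False},
}

# Deviations the system owner has documented in the ISSP (Recommendation 15).
ACCEPTED_DEVIATIONS: Dict[Tuple[str, str], str] = {
    ("ws-03", "MinimumPasswordLength"):
        "legacy application limits passwords to 8 characters; risk accepted by "
        "the system owner (constructed record)",
}


def compare(baseline, observed, accepted) -> Dict[str, Dict[str, Tuple]]:
    """Per host, map each baseline setting whose value differs and is not
    covered by a documented acceptance to (expected, actual)."""
    report = {}
    for host, settings in observed.items():
        gaps = {}
        for key, expected in baseline.items():
            actual = settings.get(key, MISSING)
            if actual != expected and (host, key) not in accepted:
                gaps[key] = (expected, actual)
        report[host] = gaps
    return report


def noncompliant_hosts(report) -> List[str]:
    """Hosts with at least one undocumented deviation."""
    return sorted(host for host, gaps in report.items() if gaps)


def shared_gaps(report) -> Dict[str, List[str]]:
    """Settings failing on more than one host, the pattern the OIG reply
    describes for the five servers with one outstanding vulnerability in common."""
    by_setting: Dict[str, List[str]] = {}
    for host, gaps in report.items():
        for key in gaps:
            by_setting.setdefault(key, []).append(host)
    return {k: sorted(v) for k, v in by_setting.items() if len(v) > 1}


def summary(report) -> Tuple[int, int]:
    """(compliant hosts, hosts checked); documented deviations count as compliant."""
    return len(report) - len(noncompliant_hosts(report)), len(report)


if __name__ == "__main__":
    rep = compare(BASELINE, OBSERVED, ACCEPTED_DEVIATIONS)
    print(noncompliant_hosts(rep), shared_gaps(rep), summary(rep))
```

Keeping the acceptance records separate from the baseline is the design choice that matters: the baseline stays the agency standard, and every host that passes only because of an acceptance can be listed by reading the acceptance table, which is what an auditor will ask for.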

IX. Incident Reporting

      OPM has created an "Incident Response and Reporting Policy" that outlines the
      responsibilities of OPM's Computer Incident Response Team (CIRT), and documents
      procedures for reporting all IT security events to the appropriate entities. We evaluated the
      degree to which OPM is following its own procedures and FISMA requirements for reporting
      security incidents internally, to the United States Computer Emergency Readiness Team
      (US-CERT), and to law enforcement.

     a) Identifying and reporting incidents internally
         OPM's Incident Response and Reporting Policy requires the users of the Agency's IT
         resources to immediately notify OPM's situation room when IT security incidents occur.
         During the past year, OPM has provided its employees with various forms of training
         related to the procedures to follow in the event sensitive data is lost. In addition, OPM
         reiterates the information provided in the Incident Response and Reporting Policy in the
         annual IT security and privacy awareness training.

         OPM also notifies the OIG when security incidents occur by providing OIG investigators
         with a monthly report that tracks the security tickets related with the loss of sensitive
         data. In addition, an OIG representative was added to OPM's incident notification email
         distribution list.

     b) Reporting incidents to US-CERT
         OPM' s Incident Response and Reporting policy states that OPM's CIRT is responsible
         for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT
         within one hour of a reportable security incident occurrence. Notification and ongoing
         correspondence with US-CERT is tracked through "security tickets" maintained by
         OPM's help desk.

     c) Reporting incidents to law enforcement
         The Incident Response and Reporting policy states that security incidents should also be
         reported to law enforcement authorities, where appropriate. Nothing came to the OIG's
         attention to indicate that this policy is not being followed.






X.   Security Awareness Training
     The CIS/CIO at OPM has implemented a process to provide annual IT security and privacy
     awareness training. OPM's IT Security Policy states that "Education and training are key
     elements in our IT Security Program. At a minimum, annual computer security awareness
     training is mandatory for all OPM users."

     The training is conducted through an interactive online course provided through OPM's
     online training website. The course introduces employees and contractors to the basic
     concepts of IT security and privacy. The comprehensive training covers various topics such
     as: the importance of information security; threats and vulnerabilities; viruses and malicious
     codes; privacy training; and roles and responsibilities of users. Individuals are required to
     complete an assessment at the end of the training course to verify their understanding of the
     material.

     In FY 2008, the CIS/CIO implemented various controls to ensure that the training was
     completed as required. Such controls include, but are not limited to, notifying various levels
     of management of individuals who had not completed the training and temporarily disabling
     system access to those who have not completed the training in a timely manner.

     The CIS/CIO's goal was to have all employees and contractors complete the training by
     July 25, 2008. As of September 2008, over 96 percent of the 12,231 OPM employees
     and contractors have completed the training.

     Recommendation 17
     We recommend that OPM continue its efforts to ensure that all federal employees and
     contractors with access to OPM's IT resources complete IT security and privacy awareness
     training on an annual basis.

     CIS/CIO Response:
     We concur. We are providing screenshots of our current status for the Security
     Awareness Training completion percentage from the GoLearn portal. Our current
     agency wide completion rate for Security Awareness Training is 98.32%.

XI. Peer-to-Peer File Sharing
     FISMA requires agencies to implement policies regarding the use of peer-to-peer file sharing
     on its networks. Peer-to-peer software programs traditionally bypass network security
     controls. All OPM employees and contractors are required to take an online IT security and
     privacy awareness training course (see section X. Security Awareness Training). The annual
     training course contains a section that defines peer-to-peer file sharing and explicitly prohibits
     its use on OPM networks and workstations.






XII. E-authentication Risk Assessments
     OMB Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies," states that
     it "applies to remote authentication of human users of Federal agency IT systems for the
     purposes of conducting government business electronically (or e-government)," and requires
     agencies to conduct an e-authentication risk assessment of the e-government system.

     M-04-04 requires agencies to identify the various electronic transactions conducted by each
     system and ensure that authentication processes provide the appropriate level of assurance.
     The guidance identifies four levels of identity assurance for electronic transactions, and
     outlines a five step process to determine the appropriate assurance level of each transaction.

     According to OPM's official system inventory, seven of the Agency's systems are subject to
     e-authentication requirements. The OIG was provided with e-authentication risk assessments
     for six of these seven systems.

     Recommendation 18
     We recommend that e-authentication risk assessments be completed for the required systems
     in accordance with OMB M-04-04.

     CIS/CIO Response:
     We concur. We are providing the e-authentication risk assessment for eOPF to the OIG.

     OIG Reply:
     No further action is required.

XIII. Security Policies and Procedures Review and Update
     The CIS/CIO follows the issuance of new IT security guidance closely and provides
     applicable guidance to agency DSOs in a timely manner. However, this information has not
     been routinely incorporated into the Agency's IT security policies.

     As indicated in the table below, the majority of OPM's IT security policies and procedures
     available to OPM employees via the agency's intranet (THEO) have not been updated in at
     least three years.

       IT Security Policies on OPM Intranet (THEO)                                          Issue Date (Per THEO)
       IT Security Program Plan                                                             May 2003
       IT Security Program Plan Implementation Guide                                        May 2003
       IT Security Policy Implementation Guide - Certification and Accreditation            May 2003
       IT Security Policy Implementation Guide - Security Documentation Requirements        April 2003
       IT Security Policy Implementation Guide - Incident Response and Reporting policy     July 2005


OPM did provide the OIG with an updated "IT Security Policy Implementation Guide -
Incident Response and Reporting." However, this policy has not been updated on THEO.
As a result, OPM employees do not have access to the most recent OPM policy on reporting
data breaches.

OPM's failure to adequately update IT security policies and procedures has been highlighted
in the past three OIG FISMA audit reports. We acknowledge the steps that OPM has taken
in creating updated policies and procedures, but will continue to consider this condition a
material weakness in OPM's IT security program until all policies and procedures have been
updated and published to THEO.

Recommendation 19
We recommend that the CIS/CIO promptly update OPM's IT security policies and publish
them to THEO.

CIS/CIO Response:
"We concur that the CIS/CIO promptly update OPM's IT security policies and
publish them to THEO. However, we disagree with the determination that this a
material weakness."

OIG Reply:
This recommendation was first identified as a material weakness in the FY 2007 FISMA
audit report, in which the CIS/CIO concurred with our position. IT security policies and
procedures are the foundation of an IT security program. Without reasonably current policies
and procedures, the program will be ineffective. In FY 2008, the majority of these policies
have gone another year without a documented update, and the OIG continues to believe that
this condition represents a material weakness in OPM's IT security program.

          Additional CIS/CIO Comments on Excerpts from Draft Audit Report:

Draft Report Excerpt 1:
"OPM did provide the OIG with an updated "IT Security Policy Implementation Guide
Incident Response and Reporting." However, this policy has not been updated on THEO.
As a result, OPM employees do not have access to the most recent OPM policy on reporting
data breaches."






CIS/CIO Comment:
 "We disagree with this comment. "IT Security Policy Implementation Guide Incident
Response and Reporting" that is posted on THEO is current."

OIG Reply:
We continue to believe that the copy of the IT Security Policy Implementation Guide -
Incident Response and Reporting available to OPM employees via THEO is not the most
current copy of the document. The copy provided to the OIG during the FY 2008 FISMA
audit indicates a review/revision was completed in March/April 2008. However, the copy
available on THEO indicates that the last review/revision was in July 2005.

Draft Report Excerpt 2:
 "We acknowledge the steps that OPM has taken in creating updated policies and procedures,
but will continue to consider this condition a material weakness in OPM's IT security
program until all policies and procedures have been updated and published to THEO."

CIS/CIO Comment:
 "The agency's Information Security and Privacy Policy have been published to THEO.
In addition, the remainder of the documents cited were reviewed during February 2008
as part of an ongoing review of OPM's information security and privacy policy. We
determined that the policies and procedures substantively represent current policies and
practices and no immediate changes were deemed to be required. Furthermore, we are
scheduling another review of these policies and procedures to ensure alignment in FY09.
Based on the information provided above we do not believe this weakness could be
considered material. "

OIG Reply:
The OIG has not received any evidence that the documents cited were reviewed in February
2008, and the revision history in each of the documents on THEO also provides no indication
that this review took place. The list below provides specific evidence that the IT security
policies and procedures are in urgent need of update, and that they have not been subject to
recent reviews as suggested by the CIS/CIO. The multitude of outdated, inaccurate, or
irrelevant material contained within these policies and procedures leads the OIG to continue
to assert that this represents a material weakness in OPM's IT Security Program.

Weaknesses in OPM IT security policies and procedures contained on THEO (Note: this list
may not represent all deficiencies in OPM's IT security policies and procedures, and should
not be used as a "checklist" to resolve this audit recommendation):
• OPM's IT Security Program Plan references OPM's IT Security Policy, which no longer
  exists as it has been replaced by the IT Security and Privacy Policy.
• OPM's IT Security Program Plan provides contact information for an ITSO who has not
  worked at OPM for several years.
• OPM's IT Security Program Plan references outdated NIST guidance (Special
  Publications that have been replaced by subsequent revisions).
• OPM's IT Security Program Plan Implementation Guide references outdated NIST
  guidance (Special Publications that have been replaced by subsequent revisions).
• OPM's IT Security Program Plan Implementation Guide states that NIST SP 800-26,
  "Security Self-Assessment Guide for Information Technology Systems" should be used
  as a tool to conduct self-assessments of OPM systems. However, FISMA no longer
  recognizes NIST 800-26 as an acceptable tool, and requires the use of NIST SP 800-53 as
  a self-assessment guide.
• OPM's IT Security Program Plan Implementation Guide outlines deadlines for quarterly
  POA&M submissions that are no longer accurate.
• OPM's IT Security Program Plan Implementation Guide outlines deadlines for self-
  assessment submissions that are no longer enforced.
• OPM's IT Security Program Plan Implementation Guide provides contact information for
  an ITSO who has not worked at OPM for several years.
• OPM's IT Security Program Plan Implementation Guide includes a POA&M template
  that is outdated. OPM's current POA&M template has been modified to include a
  column to prioritize POA&M weaknesses.
• OPM's IT Security Policy Implementation Guide - Certification and Accreditation does
  not identify a POA&M, contingency plan, or contingency plan test as required
  documentation to be submitted with a C&A package.
• OPM's IT Security Policy Implementation Guide - Incident Response and Reporting
  indicates that OPM employees should contact the OPM Help Desk to report security
  incidents. However, new procedures issued by the Director indicate that the OPM
  Situation Room should be notified of security/privacy incidents.
• OPM's IT Security Policy Implementation Guide - Incident Response and Reporting
  contains the contact information of at least five individuals who are no longer employed
  at OPM.
• OPM's IT Security Policy Implementation Guide - Security Documentation
  Requirements does not indicate that a POA&M is required to be in place prior to
  authorizing a system for processing, as required by FISMA.
• OPM's IT Security Policy Implementation Guide - Security Documentation
  Requirements references OPM's IT Security policy, which no longer exists as it has been
  replaced by the IT Security and Privacy Policy.






                            Major Contributors to this Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:

•                  , Group Chief
•                    , Auditor-in-Charge
•                  , Information Technology Auditor
•                      , Information Technology Auditor






Appendix A

OFFICE OF MANAGEMENT AND BUDGET FISMA REPORTING TEMPLATE FOR INSPECTORS GENERAL

Inspector General: Questions 1 and 2
Agency Name: Office of Personnel Management                    Submission date: Sept. 23, 2008

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all component/bureaus.
Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.
Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the total number of systems reviewed by component/bureau and FIPS system impact level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Agency Totals (the only populated component/bureau row of the template carries the same figures):

                        Agency systems      Contractor systems   Total (agency and      a. Number certified   b. Number for which     c. Number for which
FIPS 199                                                         contractor systems)    and accredited        security controls       contingency plans
impact level            Number  Reviewed    Number  Reviewed     Number  Reviewed       Number  % of total    have been tested and    have been tested in
                                                                                                              reviewed in the         accordance with
                                                                                                              past year               policy
                                                                                                              Number  % of total      Number  % of total

High                    5       5           2       2            7       7              7       100%          7       100%            7       100%
Moderate                24      24          8       8            32      32             31      97%           32      100%            31      97%
Low                     1       1           0       0            1       1              1       100%          1       100%            1       100%
Not categorized         0       0           0       0            0       0              0       -             0       -               0       -
Total                   30      30          10      10           40      40             39      98%           40      100%            39      98%
Inspector General: Question 3
Agency Name: Office of Personnel Management

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated
     by a contractor of the agency or other organization on behalf of the agency meet the
     requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency
     policy.

     Agencies are responsible for ensuring the security of information systems used by a contractor of their
     agency or other organization on behalf of their agency; therefore, self reporting by contractors does not
     meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service
     provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA
     compliance.

     Response Categories:
      - Rarely - for example, approximately 0-50% of the time
      - Sometimes - for example, approximately 51-70% of the time
      - Frequently - for example, approximately 71-80% of the time
      - Mostly - for example, approximately 81-95% of the time
      - Almost Always - for example, approximately 96-100% of the time

     Response: Almost Always (96-100% of the time)

3.b. The agency has developed a complete inventory of major information systems (including major
     national security systems) operated by or under the control of such agency, including an
     identification of the interfaces between each such system and all other systems or networks,
     including those not operated by or under the control of the agency.

     Response Categories:
      - The inventory is approximately 0-50% complete
      - The inventory is approximately 51-70% complete
      - The inventory is approximately 71-80% complete
      - The inventory is approximately 81-95% complete
      - The inventory is approximately 96-100% complete

     Response: Inventory is 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.
     Response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by
     a contractor of the agency or other organization on behalf of the agency. Yes or No.
     Response: Yes

3.e. The agency inventory is maintained and updated at least annually. Yes or No.
     Response: Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 81-100% complete, please identify the known missing
     systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your
     FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

     Component/Bureau    Exhibit 53 Unique Project Identifier (UPI)    Agency or Contractor system?
     (no entries)

     Number of systems missing from inventory: (not populated)
Inspector General: Questions 4 and 5

Question 4: Plan of Action and Milestones (POA&M) Process

Response Categories:
 - Rarely - for example, approximately 0-50% of the time
 - Sometimes - for example, approximately 51-70% of the time
 - Frequently - for example, approximately 71-80% of the time
 - Mostly - for example, approximately 81-95% of the time
 - Almost Always - for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information
     systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the
     agency.
     Response: Mostly (81-95% of the time)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system)
     develop, implement, and manage POA&Ms for their system(s).
     Response: Almost Always (96-100% of the time)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular
     basis (at least quarterly).
     Response: Mostly (81-95% of the time)

4.d. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     Response: Rarely (0-50% of the time)

4.e. IG findings are incorporated into the POA&M process.
     Response: Mostly (81-95% of the time)

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed
     in a timely manner and receive appropriate resources.
     Response: Almost Always (96-100% of the time)

POA&M process comments: OIG considers the weaknesses in OPM's overall POA&M process a significant deficiency in the
control structure of OPM's IT security program.




Question 5: IG Assessment of the Certification and Accreditation Process
(... adherence to existing policy, guidance, and standards)

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for
certification and accreditation work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and
Information Systems" (February 2004) to determine a system impact level, as well as associated NIST documents used as guidance for completing risk
assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:

     Response Categories:
      - Excellent
      - Good
      - Satisfactory
      - Poor
      - Failing

     Response: Satisfactory

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
      - Security plan                                                     X
      - (six further aspects are marked X; their labels are not legible in this rendition)

C&A process comments: ...system has not received an updated C&A since 2003. Another system went into production with a major element missing from its C&A
package. The OIG considers this a significant deficiency in the control structure of OPM's IT security program.
Section C: Inspector General, Office of Personnel Management
Questions 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment Process

6.    Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA)
      process, as discussed in Section D Question 16 (SAOP reporting template), including
      adherence to existing policy, guidance, and standards.
      Response categories: Excellent, Good, Satisfactory, Poor, Failing.
      Response: Excellent

7.    Provide a qualitative assessment of the agency's progress to date in implementing
      the provisions of M-07-16, Safeguarding Against and Responding to the Breach of
      Personally Identifiable Information.
      Response categories: Excellent, Good, Satisfactory, Poor, Failing.
      Response: Good
Question 8: Configuration Management

8.a.  Is there an agency-wide security configuration policy? Yes or No.
      Response: Yes
      Comment: As of the date the FISMA draft audit report was issued, 10 of 10 [redacted]
      reviewed by the OIG contained vulnerabilities or issues of non-compliance with the
      security configuration policy. The weaknesses for 9 of 10 were corrected or the risk
      was formally accepted in August 2008.

8.b.  Approximate the extent to which applicable systems implement common security
      configurations, including use of common security configurations available from the
      National Institute of Standards and Technology's website at http://checklists.nist.gov.
      Response categories:
       - Rarely, for example, approximately 0-50% of the time
       - Sometimes, for example, approximately 51-70% of the time
       - Frequently, for example, approximately 71-80% of the time
       - Mostly, for example, approximately 81-95% of the time
       - Almost Always, for example, approximately 96-100% of the time
      Response: Almost Always (96-100% of the time)

8.c.  Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been
      implemented as of this report:
      c.1. Agency has adopted and implemented FDCC standard configurations and has
           documented deviations. Yes or No.
           Response: Almost Always (96-100% of the time)
      c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39,
           Acquisition of Information Technology", is included in all contracts related to
           common security settings. Yes or No.
           Response: Rarely (0-50% of the time)
      c.3. All ... computing systems have implemented the FDCC security settings. Yes or No.
           Response: Rarely (0-50% of the time)
Indicate whether or not the agency follows documented policies and procedures for
reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or
necessary, include comments in the area provided below.

9.a.  The agency follows documented policies and procedures for identifying and reporting
      incidents internally. Yes or No.
      Response: [not legible]

9.b.  The agency follows documented policies and procedures for external reporting to
      US-CERT (http://www.us-cert.gov). Yes or No.
      Response: Yes

9.c.  The agency follows documented policies and procedures for reporting to law
      enforcement. Yes or No.
      Response: Yes
10.   [question text not legible]
      Response categories:
       - Rarely, or approximately 0-50% of employees
       - Sometimes, or approximately 51-70% of employees
       - Frequently, or approximately 71-80% of employees
       - Mostly, or approximately 81-95% of employees
       - Almost Always, or approximately 96-100% of employees
      Response: Almost Always (96-100% of employees)

      Does the agency explain policies regarding the use of collaborative web technologies
      and peer-to-peer file sharing in IT security awareness training, ethics training, or
      any other agency-wide training? Yes or No.
      Response: Yes

11.   Has the agency identified all e-authentication applications and validated that the
      applications have operationally achieved the required assurance level in accordance
      with the NIST Special Publication 800-63, "Electronic Authentication Guidelines"?
      Yes or No.
      Response: Yes
      If the response is "No", then please identify the systems in which the agency has not
      implemented the e-authentication guidance and indicate if the agency has a planned date of
                                     Appendix B


Center for Information Services and Chief Information Officer's September 3, 2008
response to the OIG's draft audit report, issued August 12, 2008.

Recommendation 1
We recommend that OPM ensure that an annual test of security controls has been completed for
all systems.

Comments
We concur.

In addition, we are providing the Paper Data Capture and Conversion Services (PDCCS)
and Leadership Website annual tests of security controls.

Recommendation 2
We recommend that OPM's program offices test the contingency plans for each system on an
annual basis.

Comments
We concur.

We are providing contingency plan test results for the PDCCS, Enterprise
Human Resources Integration (EHRI) Data Warehouse, Electronic Official
Personnel Folder (eOPF), and Leadership Website systems as evidence that their
contingency plans have been tested this fiscal year.

Recommendation 3
We recommend that OPM update its system inventory to clearly identify the state of the system
(active, suspended, development, etc.).

Comments
We concur.

Recommendation 4
We recommend that the program offices incorporate all known security weaknesses into the
POA&Ms.

Comments
We concur.

Recommendation 5
We recommend that an up-to-date POA&M exist for each system in OPM's inventory.

Comments
We concur.
In addition, we are providing the two system POA&Ms that we had not previously
submitted as part of the original audit request.

Recommendation 6
We recommend that all program offices submit POA&Ms to the CIS/CIO office on a quarterly
basis.

Comments
We concur.

We are providing a total of three system POA&Ms that had not been previously
submitted as a part of the original audit request. Two of these POA&Ms were
provided as part of Recommendation 5. The third POA&M was not provided because
it was a negative report, therefore no weaknesses were identified to report for that
system. In the future, we will request that all systems provide a quarterly POA&M
whether or not weaknesses are identified for each system.

Recommendation 7
We recommend that the CIS/CIO require each program office to provide evidence (proof of
closure) that POA&M weaknesses have been resolved before allowing that item to be labeled
"complete."

Comments
We concur.

Recommendation 8
We recommend that all OIG recommendations be included on POA&Ms and they not be
removed until evidence of proof of closure is provided to the CIS/CIOs office.

Comments
We concur.

Recommendation 9
We recommend that the CIS/CIO take the appropriate steps to ensure that all active systems in
OPM's inventory have a complete and current C&A.

Comment
We concur.
In addition, we are providing the C&A for


Recommendation 10
We recommend that all elements required by FISMA and relevant NIST guidance be in place
before a system is formally C&A'd.
Comment
We concur. However, business reasons may compel the issuance of an IATO without
all the required elements of a C&A package in place. As such, required components
not included in the C&A package will be added to the appropriate system POA&M as
weaknesses to be completed in a timely manner.

Recommendation 11
We recommend that OPM issue its "Information Security and Privacy Policy" to all agency
employees and post a copy to the agency's internal website.

Comments
We concur. The document has been posted on THEO.

Recommendation 12
We recommend that OPM continue its efforts to reduce the use of SSNs and develop a formal
plan to eliminate the unnecessary collection and use of SSNs within 18 months in accordance
with OMB M-07-16.

Comments
We concur with the thrust of the recommendation and will continue our efforts to
reduce the use of SSNs and will update our formal plan to eliminate the unnecessary
collection and use of SSNs.

Recommendation 13
We recommend that OPM continue its efforts to implement a solution to automatically encrypt
all data on mobile computers/devices carrying agency data unless the data is determined not to
be sensitive.

Comments
We concur.

Recommendation 14
We recommend that OPM continue its efforts to develop a methodology for logging
computer-readable data extracts, as OPM is currently unable to determine whether
sensitive data has been erased after 90 days.

Comments
We concur with the need to continue the efforts to develop a methodology for logging
computer-readable data extracts.
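The control behind Recommendation 14 is the OMB M-07-16 requirement to log every computer-readable extract of sensitive data and to verify within 90 days that each extract has been erased or that its continued use is still required. The script below is an added example of such an extract log and its 90-day check; it is not OPM's methodology and not code from this report. The pipe-delimited log format, the system name "HRDB", the account names and the sample records are all constructed for illustration.

```python
"""Added example: a minimal computer-readable data extract log and the
90-day erasure check described by OMB M-07-16. Illustrative only; the log
format and sample records are constructed, not taken from OPM."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# M-07-16: verify erasure within 90 days unless continued use is still required.
ERASURE_DEADLINE_DAYS = 90


@dataclass
class ExtractRecord:
    extract_id: str
    source_system: str                   # database the extract was pulled from
    requester: str                       # account that performed the extract
    extracted_on: date
    contains_sensitive: bool             # does the extract hold PII or other sensitive data
    erased_on: Optional[date] = None     # date erasure was verified, if it was
    justified_on: Optional[date] = None  # latest date continued use was re-approved


@dataclass
class Finding:
    extract_id: str
    requester: str
    days_outstanding: int


def _opt_date(field: str) -> Optional[date]:
    return date.fromisoformat(field) if field else None


def parse_log_line(line: str) -> ExtractRecord:
    """Parse one line of the (constructed) extract log:
    id|source|requester|extracted|sensitive(Y/N)|erased|justified"""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        raise ValueError(f"malformed extract log line: {line!r}")
    eid, source, requester, extracted, sensitive, erased, justified = fields
    return ExtractRecord(
        extract_id=eid,
        source_system=source,
        requester=requester,
        extracted_on=date.fromisoformat(extracted),
        contains_sensitive=(sensitive.upper() == "Y"),
        erased_on=_opt_date(erased),
        justified_on=_opt_date(justified),
    )


def overdue_extracts(log: List[ExtractRecord], as_of: date) -> List[Finding]:
    """Sensitive extracts past the 90-day deadline with neither a verified
    erasure nor a re-approval of continued use inside the window."""
    findings: List[Finding] = []
    for rec in log:
        if not rec.contains_sensitive or rec.erased_on is not None:
            continue  # out of scope, or already verified erased
        # A re-approval of continued use restarts the 90-day clock.
        clock_start = rec.justified_on or rec.extracted_on
        age = (as_of - clock_start).days
        if age > ERASURE_DEADLINE_DAYS:
            findings.append(Finding(rec.extract_id, rec.requester, age))
    return findings


# Constructed sample log; "HRDB" and the user accounts are placeholders.
SAMPLE_LOG_LINES = [
    "EXT-001|HRDB|user.a|2008-04-01|Y||",            # sensitive, never erased or re-approved
    "EXT-002|HRDB|user.b|2008-05-15|Y|2008-06-20|",  # erased within the window
    "EXT-003|HRDB|user.c|2008-03-01|Y||2008-07-15",  # continued use re-approved recently
    "EXT-004|HRDB|user.d|2008-02-01|N||",            # not sensitive: out of scope
    "EXT-005|HRDB|user.e|2008-06-01|Y||",            # 94 days old on 2008-09-03, just overdue
]
SAMPLE_LOG = [parse_log_line(line) for line in SAMPLE_LOG_LINES]
AS_OF = date(2008, 9, 3)  # date of the agency response in this appendix


def overdue_ids(as_of_iso: str, log: List[ExtractRecord] = SAMPLE_LOG) -> List[str]:
    """Convenience wrapper: IDs of overdue extracts in `log` as of an ISO date."""
    return [f.extract_id for f in overdue_extracts(log, date.fromisoformat(as_of_iso))]


if __name__ == "__main__":
    for f in overdue_extracts(SAMPLE_LOG, AS_OF):
        print(f"{f.extract_id} ({f.requester}): {f.days_outstanding} days without verified erasure")
```

Run against the constructed log as of 3 September 2008, the check flags EXT-001 and EXT-005; EXT-002 was erased, EXT-003's clock was restarted by a re-approval, and EXT-004 holds no sensitive data. The point of keeping erasure and re-approval as dated fields rather than a single "closed" flag is that the 90-day question can then be answered for any past date, which is what an auditor asks for.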

Recommendation 15
We recommend that OPM configure its                       in a manner consistent with OPM's
       Configuration Policy. Each of the vulnerabilities outlined in the OIG's audit inquiry
should be formally documented, itemized, and prioritized in a POA&M. In the event that a
vulnerability cannot be remediated due to a technical or business reason, the supported system's
owner should document the reason in the system's ISSP to formally accept any associated risks.
Comments
We concur.

In addition, we have addressed the discovered vulnerabilities and provided the
supporting documentation to the OIG.

Recommendation 16
We recommend that OPM continue its efforts in implementing all requirements of the FDCC.

Comments
We concur.

Recommendation 17
We recommend that OPM continue its efforts to ensure that all federal employees and
contractors with access to OPM's IT resources complete IT security and privacy awareness
training on an annual basis.

Comments
We concur. We are providing screenshots of our current status for the Security
Awareness Training completion percentage from the GoLearn portal. Our current
agency wide completion rate for Security Awareness Training is 98.32%.

Recommendation 18
We recommend that e-authentication risk assessments be completed for the required systems in
accordance with OMB M-04-04.

Comments
We concur. We are providing the e-authentication risk assessment for eOPF to the
OIG.

Recommendation 19
We recommend that the CIS/CIO promptly update OPM's IT security policies and publish them
to THEO.

Comments
We concur that the CIS/CIO should promptly update OPM's IT security policies and
publish them to THEO. However, we disagree with the determination that this is a
material weakness.

OIG Comment:
"OPM did provide the OIG with an updated "IT Security Policy Implementation Guide Incident
Response and Reporting." However, this policy has not been updated on THEO. As a result,
OPM employees do not have access to the most recent OPM policy on reporting data breaches."

Response: We disagree with this comment. "IT Security Policy Implementation Guide
Incident Response and Reporting" that is posted on THEO is current. In addition, OPM
policy on reporting data breaches was provided to OPM employees and contractors by
the agency Director in an email of November 5, 2007, entitled New Procedures Regarding
Personally Identifiable Information (PII). The email outlines policy and current processes
for reporting actual or suspected data breaches. Furthermore, the same policy and
instructions were posted to THEO at
http://theo.opm.gov/references/privacy/pii/reporting.asp where OPM employees and
contractors have access to them. In addition, all OPM employees completed mandatory
training in May 2008 entitled Personally Identifiable Information (PII) Responsibilities
that included the same policy and instructions for reporting data breaches. Finally,
OPM employees and contractors have just completed the agency's online Security
Awareness and Privacy Training for 2008 which contains the instructions for reporting
data breaches. As noted in our comments on Recommendation 17, above, the training
has been completed by more than 98.32% of agency employees and contractors.

OIG Comment:
"OPM has also developed a new "Information Security and Privacy Policy, " that has been
approved by OPM's senior management. Although this document provides updated information
on several of the topics covered by the policies listed above, this document has not been
published to THEO, and therefore cannot be readily accessed by OPM employees."

Response: The IT Security Policy has been replaced on THEO with the new policy titled
Information Security and Privacy Policy.

OIG Comment:
"We acknowledge the steps that OPM has taken in creating updated policies and procedures, but
will continue to consider this condition a material weakness in OPM's IT security program until
all policies and procedures have been updated and published to THEO."

Response: The agency's Information Security and Privacy Policy has been published to
THEO. In addition, the remainder of the documents cited were reviewed during
February 2008 as part of an ongoing review of OPM's information security and
privacy policy. We determined that the policies and procedures substantively
represent current policies and practices and no immediate changes were deemed to be
required. Furthermore, we are scheduling another review of these policies and
procedures to ensure alignment in FY09.

Based on the information provided above we do not believe this weakness could be
considered material.