!
/
U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE lNSPECTOR GENERAL
OFFICE OF AUDITS
.Final Audit Report
, , - ,
Subject: .
.FEDEIU.cL INF0 Rl\1:A1'IONSE(]URI1'Y
MANAGEMENT ACl'AUDIT
. -. FY20()9
Report No, . 4A-CI.60c()<)-031
,Date: November '. '5~ · _2 0'0 9
•
-CAUTION·,
iki£ audil rep(',1 hM bttll di$tt:ib\l Itd:_ I\)FflI~'nl olftdah who ,Ut rnp!)I!Pbit for thl atlmigj~lnlwa ullbtalldil(d p.-ognull, n~ ",.dil
~epQf1l\!la, (Ontain p'ovmtnyiblM whirh ~ protetkdby Fdt-rall~!,,'(U1 U.5.c, 1'05). - Ttit1"tft)rt~ w~ilt ihisilut;lJ1 rrylll"l b ",,~labte
IIlIdtr the FreedQIIl oJJnforlHalioe At_' and lUit:d,(" avaibhlt I(Hbt publk ill! Ibi OJG~tbp.'f, f/l.,lmIlKf ,d sto bt turd. td bdQU
relu>iltg 11i~ repllrllD Iht:'"' ....1PQblk liS it olltj (t)lIbin prOJirittal)' isformlilioo Ibllt wu redac l~d Imlll tilt; pm,lidy amri"ul¢!J ~OP)" .
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Offic~ of the
Inspector General
Audit Report
lJ.S. OFFICE OF PERSONNEL MANAGEM~; NT
FEDERAL INFORMA nON SECURITY MANAGEMENT ACT AUDIT
FY2009
WASHINGTON, D.C.
Report No. 4A-CI-OO-09-031
Date: November 5 , 2009
Michael R. Esser
Assistant Inspector General
for Audits
........... opm .•Dv \If... w.lIsaJobl.'o~
UNITED STATES OFFICE OF PERSONl'.'EL MANAGEMENT
Washington, DC 204lS
Offic.: of In::
Illspecwr Qenera!
Executive Summary
U.S. OFFICE O~' PERSONNEL MANAGEMENT
FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT
FY 2009
WASHINGTON, D.C.
Report No. 4A-CI-OO-09-031
Date: Noyember 5. 2009
This final audit report documents the Office of Personnel Management's (OPM 's) continued
efforts to manage and secure its infonnation resources. We have significant concerns regarding
the overall quality of the infonnation security program at OPM. These concems are rooted in the
lack of adequate information secnrity governance activities in accordance with legislative and
regulatory requirements. Specifica11y~ the agency has not fully documented infonnation security
poljcy and procedures or established appropriate roles and responsibilities.
The lack ofpolicies and procedures was reported as a material weakness in the fiscal yeaI' (fY)
2007 and FY 2008 Federallnfonnation Security Management Act (FISMA) audit reports. While
some progress was made in FY 2009, detailed guidance is stiU lacking. An updated Information
Securily and Privacy Policy was finalized in August 2009. This policy outlines the infonnation
technology (1T) security controls that should be in place for the major applications owned by the
agency_ ~owever. the majority of the text in this policy is derived or copied directly from
National Institute of Standards and Technology (NIS1) guidance and bas not been tailored to
specifically address OPM's JT environment. In addition, detailed procedures and jmpiementjng
guidance arc stiU missing.
= =; - - - - - - - - -- -'-------------==.. ~-
",-wl".opm.&OY ",,,,,,,,.unJob$.gQY
This year we are expanding the material weakness to include the agency's overall information
security governance program and incorporating our concerns about the agency's information
security management structure. As of late September 2009, there had been no permanent senior
agency information security official (SAISO) in the agency for nearly 18 months. During this
time, we observed a serious decline in the quality of the agency's information security program.
In addition, there is no permanent Privacy Program Manager assigned to manage the agency's
privacy program. As a result, there are many deficiencies in OPM's privacy program.
The agency has recently appointed a new SAlSO; however, it remains to be seen whether it will
commit the necessary resources and develop the appropriate functions required of this role. We
will reevaluate this issue during the FY 2010 FISMA audit.
The continuing weaknesses in OPM's information security program result directly from
inadequate governance. Most, ifnot all, of the exceptions we noted this year resulted from a lack
of necessary leadership, policy, and guidance. Our most notable observations include:
• As noted above, OPM continues to lack adequate and up-to-date IT security policies and
procedures. We continue to consider this to be a material weakness in OPM's IT security
program.
• One system on OPM's inventory was placed into production before a certification and
accreditation (C&A) was completed, and the prior C&A for three systems has expired and a
new C&A has not been completed. Weaknesses in OPM's C&A process continue to remain
a significant deficiency in OPM's IT security program.
• Weaknesses in OPM's privacy impact assessment (PIA) process and the agency's failure to
meet privacy-related requirements from the Office of Management and Budget (OMB) lead
us to believe that there is a significant deficiency in OPM's management of its privacy
program.
In addition to these weaknesses, the OIG noted the following controls in place and opportunities
for improvement:
• OPM's Center for Information Services (CIS) maintains a master inventory ofOPM's major
systems. We generally agree with the number of systems listed in the inventory (42), but we
identified at least one major application that does not appear on the system inventory and has
not been subject to a C&A. In addition, OPM's system inventory does not identifY interfaces
between internal and external systems.
• A C&A has been completed and remains active for 38 of the 42 systems in OPM's inventory.
• The IT security controls have been adequately tested for 40 ofOPM's 42 systems during FY
2009.
• Four out ofOPM's 42 systems did not have an adequately documented and/or up-to-date
contingency plan. In FY 2009, the contingency plans for 31 ofOPM's 42 systems were
tested in full compliance with the requirements ofNIST Special Publication 800-34,
Contingency Planning Guide for Information Technology Systems.
II
• Nothing has come to our attention to indicate that OPM program offices do not maintain
oversight of systems operated by a contractor.
• The Plan of Action and Milestones (POA&M) for three OPM systems did not contain aU
security weaknesses identified during the annual security control tests of those systems.
• POA&Ms are continuously managed for 40 of OPM's 42 systems; current POA&Ms were
not submitted to CIS for two systems in the fourth quarter of 2009.
• When dosing POA&M items. OPM program offices have provided adequate evidence to
CIS that the weaknesses were corrected.
• Five agency systems have POA&M weaknesses with remediation activities over 120 days
old.
• Two agency systems did not prioritize weaknesses on their POA&.i\.1s.
• OPM"s PIA Guide has not been updated in over three years and fails to address several
requirements of OMS Memorandum M-03-22.
• The 01G has not received evjdence that system owners review their PIA documentation on
an annual basis.
• OPM has implemented a breach notification policy.
• CIS developed a formal plan to reduce the use of social security numbers (SSNs) at OPM.
However, the plan does not address participation in govemment-wide effort~ t() explore
alternatives to agency usc of SSN~, us requircd by U.S. Office of Management and Budget
Memorandum M-07-16.
• OPM had developed a standard laptop image that utilizes software-based full-disk
encryption. However, CIS was unable to provide evidence of how many laptops issued to
OPM employees and contractors contain the new image with encryption capabilities.
• OPM developed a methodology for logging computer-readable data extracts of personally
identifiable infonnalion.
• Several policies related to contiguration management have not been updated in over fottr
years.
• OPM has implemented several techniques for monitoring compliance with configuration
management policies.
• OPM has deve10ped a Windows XP image that is generally compliant with Federal Desktop
Core Configuration standards. However, this image has not beeD implemented on any
production workstations.
• Language from 48 CFR Part 39, Acquisition ofInfonnation Technology, has not been
included in all contracts relmed to common security settings.
• One continu,osto run on an unsupported version o~ without It fonnally
• OPM has developed an "Incident Response and Reporting Policy" that documents
procedures for reporting alllT secttrity events to the appropriate entities.
ill
" CIS has implemented a process to provide annual1T security and privacy awareness training
to all OPM employees and contractors.
• OPM's system inventory does not identify all systems that are subject to e-Authentication
requirements.
IV
Contents
Executive Summary ..........................................................................................................................i
Introduction ..................................................................................................................................... 1
Background...................................................................................................................................... 1
Objectives ......................................................................................................................................... 1
Scope and Methodology ..................................................................................................................2
Compliance with Laws and Regulations .......................................................................... _..............3
Results .............................................................................................................................................4
1. Infonnation Security Governance .................................................................................... .4
II. System Inventory ...............................................................................................................7
III. Certification and Accreditation, Security Controls Testing,
and Contingency Planning .................................................................................................9
IV. Agency Oversight of Contractor Systems ....................................................................... 11
V. Agency Plan of Action and Milestones Process .............................................................. 12
VI. Certification and Accreditation Process .......................................................................... 15
VII. Agency Privacy Program ................................................................................................. 16
VIII. Configuration Management.. ........................................................................................... 21
IX. Incident Reporting ...........................................................................................................23
X. Security Awareness Training ..........................................................................................24
XI. E-authentication Risk Assessments .................................................................................24
XII. IT Security Policies and Procedures ................................................................................25
Major Contributors to this Report .................................................................................................27
Appendix I: Follow-up of Prior OIG FISMA Audit Recommendations
Appendix II: Center for Infonnation Services' July 28, 2009 response to the OIG IT Security
Flash Audit Alert, issued May 27, 2009
Appendix III: Center for Infonnation Services' October 20, 2009 response to the OIG's draft
audit report, issued October 6, 2009
Appendix IV: OIG FISMA data submission to the U.S. Office of Management and Budget
Introduction
On December 17, 2002, the President signed into law the E-Govermnent Act (Public Law 107
347), which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the resul.ts of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In aecordance with FISMA, we conducted an evaluation of
OPM's security program and practices. As part of our evaluation, we reviewed OPM's FISMA
compliance strategy and docmnented the status of its compliance efforts.
Background
FISMA requirements pertain to all information systems (national security and unclassified
systems) supporting the operations and assets of an agency, including those systems currently in
place or planned. The requirements also pertain to information technology (IT) resources owned
andlor operated by a contractor supporting agency systems.
FISMA reemphasizes the ChiefInformation Officer's (CIO) strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency's Center for
Information Services (CIS), which is managed by the CIO. FISMA also clearly places
responsibility on each agency program office to develop, implement, and maintain a security
program that assesses risk and provides adequate security for the operations and assets of
programs and systems under their control.
To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities,
OMB issued memorandum M-09-29, FY 2009 Reporting Instructions for the Federal
Information Security Management Act and Agency Privacy Management. This memorandmn
provides a consistent form and format for agencies to report to OMB. It identifies a series of
reporting topics that relate to specific agency responsibilities outlincd in FISMA. Our evaluation
and reporting strategies were designed in accordance with the above OMB guidance.
Objectives
Our overall objective was to perform an evaluation ofOPM's security program and practices, as
required by FISMA. Specifically, we reviewed the following areas of OPM's IT security
program in accordance with OMB's FISMA IG reporting requirements:
• Information Security Governance;
• System Inventory;
• Certification and Accreditation, Security Controls Testing, and Contingency Planning;
• Agency Oversight of Contractor Systems;
• Agency Plan of Action and Milestones Process;
• Certification and Accreditation Process;
• Agency Privacy Program;
• Configuration Management;
1
• Incident Reporting;
• Security Awareness Training;
• E-authentication Risk Assessments; and
• IT Security Policies and Procedures.
In addition, we evaluated the security controls of three major applications/systems at OPM (see
Scope and Methodology for details of these audits). We also followed-up on outstanding
recommendations from prior FISMA audits (see Appendix I).
Scope and Methodology
This performance audit was conducted in accordance with Government Auditing Standards,
issued by the Comptroller General of the United States. Accordingly, the audit included an
evaluation of related policies and procedures, compliance tests, and other auditing procedures
that we considered necessary. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM's
FISMA compliance efforts throughout FY 2009.
We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attentiolliluring our audit testing to cause
us to doubt its reliability.
As appropriate, we conducted compliance tests using judgmental sampling to determine the
extent to which established controls and procedures are functioning as intended. The results
from tests performed on a sample basis were not projected to the universe of controls.
We reviewed OPM's general FISMA compliance efforts in the specific areas defined in OMB's
guidance and the corresponding reporting instructions. We also evaluated the security controls
for the following three major applications:
• Enterprise Human Resources Integration Data Warehouse (OIG Report No. 4A-HR-00-09
032)
• Electronic Official Personnel File (OIG Report No. 4A-HR-OO-09-032)
• Integrated Security Management System (OIG Report No. 4A-CI-00-09-052)
In addition, in May 2009, the OlG issued a Flash Audit Alert (FAA) to OPM's Director
highlighting our concerns with the agency's IT security program (report 4A-CI-00-09-053). As
part of this audit, we followed up on OPM's progress in implementing recommendations from
the FAA
2
Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls at OPM taken as a whole.
The criteria used in conducting this audit include:
• OPM Information Security and Privacy Policy Volume 2;
• OMB Circular A-J30, Appendix III, Security of Federal Automated Information Resources;
• OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information
Security Management Act and Agency Privacy Management;
• OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
• OMB Memorandum M-06-16, Protection of Sensitive Agency Information;
• OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;
• E-Govemment Act of2002 (P.L. 107-347), Title III, Federal Information Security
Management Act of2002;
• National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An
Introduction to Computer Security;
• NIST SP 800-18 Revision I, Guide for Developing Security Plans for Federal Information
Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information
Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
Systems;
• NIST SP 800-60 Volume I Revision I, Guide for Mapping Types ofinformation and
Information Systems to Security Categories;
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
Categorization of Federal Information and Information Systems;
• FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
• Other criteria as appropriate.
The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from May through September 2009 in OPM's
Washington, D.C. office.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM's practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM's CIS and other program offices were not in complete compliance with all standards, as
described in the "Results" section of this report.
3
Results
The sections below detail the results of the OIG's audit ofOPM's FISMA compliance efforts.
The results are formatted to be consistent with the questions outlined in the FY 2009 OMB
Reporting Template for IGs. Throughout this report, we do not reference OPM systems by
name, but we have already provided detailed documentation to CIS discussing our concerns and
the specific systems involved.
I. Information Security Governance
In May 2009, the OIG issued a Flash Audit Alert (FAA) to OPM's Director highlighting our
concerns with the agency's IT security program. An FAA is used when issues have been
identified that require the immediate attention of the Director. The four primary issues
outlined in the FAA were:
• CIS misrepresented the status of the agency's IT security program in the FY 2009 second
quarter FISMA report issued to aMB;
• the agency's security policies and procedures continue to remain severely outdated;
• the IT security program at aPM is understaffed; and,
• the agency has operated without a senior agency information security official (SAlSa)
for over 14 months (as of May 2009).
In the interim, there has been limited progress in correcting these issues. The underlying
cause, in our opinion, is that aPM has not established adequate information security
governance activities in accordance with legislative and regulatory requirements.
Specifically, the agency has not fully doeumented information security policy and procedures
or established appropriate roles and responsibilities.
The lack of policies and procedures was reported as a material weakness in the FY 2007 and
I;Y 2008 FISMA audit reports. This year we are expanding the material weakness to include
the agency's overall information security governance program and incorporating our
concerns about the agency's information security management structure.
As of late September 2009, there had been no permanent SAlSa in the agency for nearly 18
months. During this time, we observed a serious decline in the quality of the agency's
information security program. In addition, there is no permanent Privacy Program Manager
assigned to manage the agency's privacy program. As a result, there are many deficiencies
in aPM's privacy program. See section VII of this report for details.
The agency has recently appointed a new SAISO; however, it remains to be seen whether the
agency will commit the necessary resources and develop the appropriate functions required
of this role. We will reevaluate this issue during the FY 2010 FISMA audit.
The following section discusses the original FAA recommendations, followed by the
management response and current status:
4
a) Flash Audit Alert Recommendation 1
We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately
reflect the status ofOPM's IT security position as of March 1,2009.
CIS Response to FAA:
"The Center for Information Services (CIS) security team acted on the best information
they had at the time. . .. We agree with the recommendation that OPM report the
number ofsystems with weaknesses more than 120 days overdue, instead ofthe number
ofweaknesses. This was a mistake in our understanding ofthe reporting requirement. "
Current Status
We verified that CIS corrected and submitted the FY 2009 second quarter FISMA report.
We also verified that the FY 2009 third quarter FISMA report accurately represented the
status ofOPM's security program at that time.
CIS Response:
"The Centerfor Information Services (CIS) security team will continue to ensure the
quarterly FISMA reports reflect correct and accurate information for OPlll's security
program."
b) Flash Audit Alert Recommendation 2
We recommend that CIS develop a comprehensive set of IT security policies and
procedures, and a plan for updating it at least annually.
CIS Response to FAA:
"We agree with this recommendation and have been working for many months to
complete needed updates. Work began as soon as funding was provided Many policies
andprocedures have already been revised, with the remainder targeted for completion by
8131109. "
Current Status
OPM's IT security policies and procedures continue to lack adequate current guidance on
managing IT security at the agency. See section XII ofthis report for details.
CIS Response:
"Please refer to section XIIfor our response to Recommendation 30 regarding the IT
security policies and procedures. "
c) Flash Audit Alert Recommendation 3
We recommend that the aPM Director ensure that CIS has adequate resources to
properly staff its IT Security and Privacy Group.
5
CIS Response to FAA:
"We agree with this recommendation. As we discussed with OIG staffon numerous
occasions, CIS has been working with fiRfor more than a year /0 reorganize and elevate
Ihe IT security function, to upgrade the level ofthe IT security officer from a GS-14 to a
GS-15, and to add staJ! A new organizational alignment, grade structure and resources
for the IT Security and Privacy Group were approved on March 4, 2009. Under this new
structure, the IT security staffwill grow from 3 /0 6. We consider this recommendation to
be closed"
Current Status
The organizational realignment ofOPM's IT security function remains incomplete, and
we continue to believe that CIS lacks the resources needed to manage an adequate IT
security program. Eleven ofthe 19 audit recommendations issued in the FY 2008
FISMA audit report have been rolled forward into this FY 2009 FISMA report, indicating
that CIS does not have the resources needed to remediate identified security weaknesses.
CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the
resources necessary to establish and maintain an effective security and privacy
program. Tile new SAISO ••• that was hired in September 2009 has identified
resources needed and his recommendations are under review with senior management.
The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources
neededfor the IT Security and Privacy program. We have created a CIS POA&M item
to track our progress (CIS POAM FY09-Q4-CIS-27). "
d) Flash Audit Alert Recommendation 4
We recorrunend that CIS recruit a permanent Senior Agency Information Security Officer
as soon as possible, and adequate staff to effectively manage the agency's IT security
program.
CIS Response to FAA:
"We agree with this recommendation. Recruiting has been in progress since the
reorganization was approved. We have made a couple ofoffers to fill the GS-15 and GS
J 4 positions, which were declined. We have identified another excellent candidate for
the GS-J5 position. We are currently in the process ofgetting ChiefofStaffapproval 10
extend an offer. We are targeting a report date in August. "
Current Status
CIS hired a permanent SAlSO in September 2009, However, the agency operated with
an acting SAISO for over 11 months ofFY 2009. In addition, the organization of the
staff reporting to the SAlSO has not been finalized. On a potentially positive note, the
OPM Director has recently appointed a new Acting Chieflnformation Officer, who has
6
developed preliminary plans to expand and improve OPM's IT security program. We
will reevaluate these developments during the FY 2010 FISMA audit.
CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the
resources and the organizational structure necessary to establish and maintain an
effective security and privacy program. The new SAlSO • •• that was hired in
September 2009 has developed an organizational chart, roles and responsibilities and
resources needed. His recommendations are under review with senior management.
The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources
neededfor the IT Security and Privacy program. As referenced in Flash Audit Alert
Recommendation 3, we have created a CIS POA&M item to track our progress (CIS
POAM FY09-Q4-CIS-27) regarding resources. "
II. System Inventory
OPM has identified 42 major applications/systems within 8 of its program offices. OPM's
system inventory indicated that these 42 systems were comprised of the following FIPS
Publication 199 system impact classifications: 7 high, 33 moderate, and 2 low. The
inventory also indicated that 32 systems operated within the agency and 10 are operated at a
eontractor facility.
CIS continuously maintains a master inventory of OPM' s major systems, and sends monthly
reminders to the various program offices askjng for updates on the status of systems included
in the inventory. CIS also faeilitates the process of adding new systems to the inventory and
removing decommissioned systems.
The quality ofOPM's system inventory has greatly improved since it was reviewed during
the OIG FY 2008 FISMA audit. Several fields have been added to the inventory spreadsheet
to clearly identify the status of each system (production, development, planning) along with
the name and contact information ofindividuals with security and ownership responsibility.
In addition, a revision history has been added to the inventory to track specific updates and
facilitate version control of the master inventory document.
The OIG generally agrees with the total number of systems listed in the most recent system
inventory (42) and agrees with the number ofsystems identified as operated by a contractor
(l0). However, we identified at least one major application that does not appear on the
system inventory and has not been certified and accredited (C&A).
OPM's system inventory does not identify interfaces between intemal and extemal systems,
and the agency does not have a policy related to security agreements between interfacing
systems. OPM's Information Security and Privacy Policy Volume 2 states that "this policy
applies to other agency's systems as delineated in memorandums of understanding (MODs)
and interconnection security agreements (lSAs) with OPM." However, this policy does not
provide any guidance outlining the appropriate use of MODs and ISAs (required elements of
these agreements, when they are required, etc),
7
In addition, CIS identified 21 systems used by OPM but owned and maintained by another
federal agency. However, this list was compiled at the request of the OIG in September 2009
and is not complete. .
Recommendation 1
We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits
Systems Group) to identify any systems that exist but do not appear on the system inventory.
The systems discovered during this survey should be promptly added to the system inventory
and certified and accredited.
CIS Response:
"We agree with this recommendation. The IT Security and Privacy group will conduct a
network assessment to map out the OPM network and identify all missing systems and
created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-28)."
Recommendation 2
We recommend that CIS develop and maintain an inventory of all system interfaces.
CIS Response:
"We agree with this recommendation. The IT Security and Privacy team will include
system interface information on the OPM FISMA Master System Inventory going forward.
We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-29).
Please note as stated in response to IG Information Request #24, system interface
information is included within each System Security Plan for each system currently on the
OPM FISMA Master System Inventory."
Recommendation 3
We recommend that CIS develop a policy providing guidance on the development and
appropriate use of MOUs and ISAs.
CIS Response:
"We agree with this recommendation. Currently the IT Security and Privacy group lacks
the resources necessary to establish and maintain an effective security and privacy
program. The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring
resources neededfor the IT Security and Privacy program. We have created a CIS
POA&M item to track our progress (CIS POAM FY09-Q4-CIS-30)."
Recommendation 4
We recommend that CIS conduct a survey to determine how many systems owned by another
agency are used by OPM.
8
CIS Response:
"We agree with this recommendation. We have made some progress with this task (please
refer to IG Information request #24) but we lack the resources to conduct a complete
network assessment to map out the OPM network and identify all systems. The Office of
the ChiefInformation OffICer (OCIO) is working on acquiring resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-31)."
III. Certification and Accreditation, Security Controls Testing, and
Contingency Planning
a) Number of systems certified and accredited
A C&A has been completed and remains active for 38 of the 42 systems in OPM's
inventory. See section VI below for details of the systems without a current C&A and a
review of OPM's C&A process.
b) Number of systems for which security controls have been tested in the past year
NlST SP 800-53 Revision 2 outlines the security controls that should be implemented for
federal information systems. FlSMA requires each agency to perform for all systems
"Periodic testing and evaluation of the effectiveness of information security policies,
procedures, and practices, to be performed with a frequency depending on risk, but no
less than annually ...."
An annual test of security controls provides a method for agency officials to determine
the current status of tbeir information security programs and, where necessary, establish a
target for improvement. Failure to complete a security controls test increases the risk that
agency officials are unable to make informed judgments to appropriately mitigate risks to
an acceptable level.
We conducted a review of the documentation resulting from the test of security controls
for each system in OPM's inventory. In addition, we judgmentally selected specific
controls tested in FY 2009 from various systems and independently evaluated whether
the controls have been implemented. Our evaluation indicated that the IT security
controls had been adequately tested for 40 of OPM's 42 systems during FY 2009.
The quality of the security control tests among OPM's systems varied significantly, and
many different formats and templates were used to document the tests. We believe that
this variance is a result ofOPM's lack of agency-wide policy or guidance on how to
adequately test its systems' security controls.
9
Recommendation 5
We recommend that CIS develop a policy for adequately testing the security controls of
OPM's systems, and provide training to thc Designated Security Officer (DSO)
community related to proper security control testing.
CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the
resources necessary to establish and maintain these policies and training program.
The Office ofthe ChiefInformation OffICer (OCIO) is working on acquiring resources
neededfor the IT Security and Privacy program. We have created a CIS POA&M item
to track our progress (CIS POAM FY09-Q4-CIS-32). "
Recommendation 6 (Roll-Forward from OIG Report4A-CI-OO-OB-022
Recommendation 1)
We recormnend that OPM ensure that an annual test of security controls has been
completed for all systems. The IT security controls should be immediately tested for the
two systems that were not subject to testing in FY 2009.
CIS Response:
"We agree with this recommendation. We are tracking this effort under CIS POAM
FY09-QI-ClS-1. "
c) Number of systems which have a contingency plan tested in accordance with policy
FISMA requires that a contingency plan be in place for-each major application, and thai
the contingency plan be tested on an annual basis. In addition, the OPM Certification and
Accreditation Guide states that "To fully address system security throughout the
certification and accreditation process, various security documents are required to be created
and maintained throughout the life of the system." The Guide states that one of the required
security documents is a contingency plan.
Four out of OPM's 42 systems did not have an adequately documented and/or up-to-date
contingency plan. One system was missing a contingency plan, one system did not have
an updated contingency plan after going through a major infrastructure change, and two
systems were placed into production before a contingency plan was developed.
In FY 2009, the contingency plans for 31 of OPM's 42 systems were tested in full
compliance with the requirements ofNIST SP 800-34, Contingency Planning Guide for
Information Technology Systems. Of the remaining II systems, 4 were not subject to
any form of contingency plan test in FY 2009, and 7 were tested, but not with a scenario
based contingency plan test eonducted in accordance with NIST SP 800-34 requirements.
OPM's Information Security and Privacy Policy Volume 2 states that each system owner
must "Test the contingency plan for the information system at least annually to determine
the plan's effectiveness and the system's readiness to execute the plan." However, this
10
policy does not provide instructions for conducting the contingency plan test in
accordance with NIST guidance or a standard template for reporting the results.
Effective contingency planning and testing establishes procedures and technical measures
that enable a system to be recovered quickly and effectively from a service disruption or
disaster. An incomplete or untested contingency plan increases the risk that a system
could not recover from a service disruption in a timely manner.
Recommendation 7
We recommend that OPM develop detailed guidance related to developing and testing the
contingency plans of agency systems and provide training to the DSO community related
to proper contingency planning and contingency plan testing.
CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the
resources necessary to establish and maintain these policies and training program.
The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources
neededfor the IT Security and Privacy program. We have created a CIS POA&M item
to track our progress (CIS POAM FY09-Q4-CIS-33). "
Recommendation 8
We recommend that up-to-date contingency plans be developed for all agency systems.
CIS Response:
"We agree with this recommendation. We have created a CIS POA&M item to track
our progress (CIS POAM FY09-Q4-CIS-34). "
Recommendation I} (Roll-Forward from OIG Report 4A-CI-OO-OB-021
Recommendation 1)
We recommend that OPM's program offices test the contingency plans for each system
on an annual basis. The contingency plans should be immediately tested for the I I
systems that were not subject to testing in FY 2009.
('7S Response:
"We agree with this recommendation. We are tracking this effort under CIS POAM
JCl'09-Ql-l7/S-2."
IV. Agency Oversight of Contractor Systems
Ten of OPM's 42 systems are operated by a contractor, and each ofthese systems has been
certified and accredited by OPM. Nothing has come to our attention to indicate that OPM
program offices do not maintain oversight of systems operated by a contractor. However, the
agency does not have a formal policy providing guidance on the appropriate oversight of
contractors and contractor-run systems.
Il
Recommendation 10
We recommend that OPM develop a policy providing guidance on providing adequate
oversight of contractor operated systems.
CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies and provide the oversight needed. The
Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources needed
for the IT Security and Privacy program. We have created a CIS POA&M item to track
our progress (CIS POAM FY09-Q4-CIS-35)."
V. Agency Plan of Action and Milestones Process
A plan of action and milestones (POA&M) is a tool used to assist agencies in identii'ying,
assessing, prioritizing, and monitoring the progress of corrective efforts for IT security
weaknesses. The sections below detail several weaknesses related to the appropriate use of
POA&Ms at OPM. These weaknesses consist of items that are the responsibility of both CIS
and the various program offices owning the information systems.
a) Policy for establishing a POA&M process for reporting IT security deficiencies and
tracking the status of remediation efforts
Although CIS has provided informal guidance to OPM program offices related to the
POA&M process, they have not published a formal policy that documents how POA&Ms
should be managed at the agency. OPM has developed a draft version of "Plan of Action
and Milestone Standard Operating Procedures," but this. policy has not been published to
OPM's internal website (THEO), and the agency's DSO community has not received
training related to the new POA&M procedures.
Recommendation 11
We recommend that CIS publish the Plan of Action and Milestone Standard Operating
Procedure to THEO. Once the procedures have been published, CIS should work closely
with the DSO community, providing training and information-sharing sessions, to
implement the procedures and ensure that there is a clear understanding of the
appropriate management ofPOA&Ms.
CIS Response:
"We agree with this recommendation. We have created a CIS POA&M item to
document the. completion ofthis recommendation (CIS POAM FY09-Q4-CIS-36).
The POA&M Guide has been published as ofSeptember 1009 on Theo
http://theo.opm.gov/policies/ispplFINAL POAM Process SOP 093009.pdf'
12
OIGReply:
We acknowledge the steps that CIS has taken to publish the POA&M Guide to THEO
and continue to recommend that CIS work closely with the DSO community, providing
training and information-sharing sessions, to implement the procedures and ensure that
there is a clear understanding of the appropriate management ofPOA&Ms.
b) POA&M as an agency-wide process incorporating all known IT security weaknesses
In FY 2008, the OIG conducted audits of 4 OPM systems with a total of I3 audit
recommendations. We found that all 13 recommendations were included in the
appropriate system's POA&Ms. In addition, we verified that all of the recommendations
made during the FY 2008 FISMA audit were incorporated into the CIS POA&M.
However, we found that the POA&Ms for three OPM systems did not contain all security
weaknesses identified during the annual security control tests of those systems.
Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022
Recommendation 41
We recommend that OPM program offices incorporate all known IT security weaknesses
into POA&Ms.
CIS Response:
"We agree with this recommendation. We are tracking this effort under CIS POAM
FY09-QI-CIS-4. Since the POA&M SOP was just recently published on Theo, we will
continue to assist program offices through this process. "
c) Management ofPOA&Ms by program offices
OPM program offices are responsible for developing, implementing, and managing
POA&Ms for each system that they own and operate. We were provided evidence that
POA&Ms are continuously managed for 40 of OPM's 42 systems; current POA&Ms
were not submitted to CIS for 2 systems in the fourth quarter of 2009.
Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022
Recommendations 5 and 6)
We recommend that an up-to-date POA&M exist for each system in OPM's inventory,
and that system owners submit updated POA&Ms to CIS on a quarterly basis.
CIS Response:
"We agree with this recommendation. We are tracking this effort under CIS POAM
FY09-QI-CIS-5 and CIS POAM FY09-QI-CIS-6. The POA&M SOP has been
published as ofSeptember 1009 which provides guidance to DSO's regarding POA&M
submission. Please note that since OMB did not require any POA&M submissions for
FY09 quarter 4, CIS did not continue to follow up with program offices to ensure
submissions were provided to CISfor FY09 quarter 4."
13
d) Remediation of system deficiencies in a timely manner
Each program office is required to place all security deficiencies on POA&Ms and for
each deficiency must indicate when they expect the deficiency to be remediated.
Although the majority of program offices remediated POA&M deficiencies in a timely
manner, there are significantly overdue remediation efforts for several systems; see
section (t), below.
e) Effectiveness of deficiency remediation plans in correcting the security weakness
When a POA&M item is remediated, the program offices are required to submit a work
completion plan and evidence that the deficiency is corrected to CIS for review. We
reviewed work completion plans for 10 systems and found that all 10 provided sufficient
evidenee that the weakness was corrected.
t) Compliance witb estimated dates for remediation
We reviewed the POA&Ms for all OPM systems and determined that 5 agency systems
have POA&M weaknesses with remediation activities over 120 days overdue. This
indicates that CIS has not provided adequate leadership to ensure that program offices
assign reasonable due dates and stay on track to meet those dates. Program offices are
equally responsible for dedicating adequate resources to addressing POA&M weaknesses
and meeting target objectives.
Recommendation 14
We recommend that CIS develop a formal corrective action plan to immediately
remediate all POA&M weaknesses that are over 120 days overdue. In addition, we
.recommend that CIS take a lead role in the future and work closely with OPM program
offices to ensure that POA&M completion dates are achieved.
CIS Response:
"We agree with this recommendation. The POA&M SOP has been published as of
September 1009 which provides guidance to DSO's regarding POA&M management.
We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS
37) on supplemental guidance to the DSO's."
g) Agency CIO centrally tracks, maintains, and reviews POA&M activities on a
quarterly basis
CIS requires program offices to provide the evidence, or "proof of closure," that security
weaknesses have been resolved before closing the related POA&M.
We selected POA&M items from 10 systems and reviewed the proof of closure
documentation provided by the program offices when the POA&M items were closed.
The 10 systems were seleeted from a universe of 42 systems and were judgmentally
14
chosen by OIG auditors. Although the results of the sample test were not projected to the
entire population, nothing came to our attention to indicate that program offices are not
providing adequate proof of closure to CIS when closing POA&M items.
h) POA&M process prioritizes IT security weaknesses
Each program office at OPM is required to prioritize IT security weaknesses on their
POA&Ms to help ensure significant IT security weaknesses are addressed in a timely
manner. However, we found that two agency systems did not prioritize weaknesses on
their POA&Ms.
Recommendation 15
We recommend that the program offices responsible for the two systems in question
prioritize the system weaknesses listed on their POA&Ms.
CIS Response:
"We agree with this recommendation. The POA&M SOP has been published as of
September 2009 which provides guidance to DSO's regarding prioritizing weaknesses.
We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS
38) on supplemental guidance to the DSO's."
V1. Certification and Accreditation Process
Certification is a comprehensive assessment that attests that a system's security controls are
meeting the security requirements of that system, and accreditation is the official
management decision to authorize operation of an information system and accept its risks.
Each major application at OPM is subject to the certification and accreditation (C&A)
process cvery three years.
We reviewed the C&A documentation for all OPM systems subject to a C&A in FY 2009.
During this review we found that OPM program offices generally adhered to the
requirements of OPM's C&A guide, and presented the authorizing official with complete and
reliable C&A information to facilitate an informed system authorization to operate.
However, we discovered that one system on OPM's inventory was placed into production
before a C&A was completed, and the prior C&A for three systems has expired and a new
C&A has not been completed.
In addition, the OIG disagrees with the security categorization of one system whose C&A
was conducted in FY 2009. The system was categorized as "Low," but should have bcen
classified as "Moderate" because the system contains personal identity information that could
result in serious harm to individuals if it were disclosed.
According to OPM's C&A policy, ''all OPM divisions and offices must formally certify and
accredit all major and minor applications and general support systems." It is the
responsibility ofOPM's CIS to ensure that alllive/production systems at OPM are subject to
15
a complete C&A every three years, as required by FISMA. The FY 2008 OIG FISMA audit
report stated that weaknesses in OPM's C&A process are a significant deficiency in the
control structure ofthc agency's IT security program. We believe that this issue continues to
be a significant deficiency in FY 2009.
Reeommendation 16 (Rol/-Forward "om OIG Report 4A-CI-OO-08-022
Recommendation 9)
We recommend that all active systems in OPM's inventory have a complete and current
C&A.
CIS Response:
"We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to map out the OPlli network and identify all systems and
accountfor missing C and A's but we currently lack the resources to perform this task.
The Offree ofthe ChiefInformation Officer (OCIO) is working on acquiring resources
neededfor the IT Security and Privacy program. We are tracking this effort under CIS
POAM FY09-QI-CIS-9."
Recommendation 17
We recommend that the FIPS Publication 199 security categorization be updated for the
inappropriately categorized system.
CIS Response:
"We agree with this recommendation. The Center for Information Services (CIS) security
team will work with the DSO's to ensure the FIPS 199 reflect the appropriate rating.
During the monthly October 2009 Information Technology Security Working Group
(ITSWG) meeting, the writer and subject matter expert from NISTprovided a briefing on
NIST 80()"60 (Guide for Mapping Types ofInformation and Information Systems to
Security Categories) to the DSO's and CIS. We have created a CIS POA&M item to
continue to track our progress (CIS POAM FY09-Q4-CIS-39}."
VII. Agency Privacy Program
The OIG evaluated OPM's privacy program by conducting a qualitative assessment of the
agency's privacy impact assessment (PIA) process and its progress in implementing the
requirements of privacy-related OMB Memoranda.
a) Privacy Impact Assessments
The E-Governrnent Act of 2002, section 208, requires agencies to conduct privacy impact
assessments (PIA) of infonnation systems that process personally identifiable
information (PH). OMB Memorandum M-03-22 provides guidance on implementing the
privacy.provisions of the E-Govemment Act of2002, including PlAs.
16
OPM has developed a PIA Guide that outlines the process for conducting a PIA for
agency systems. However, the PIA Guide has not been updated in over three years, and
fails to address several requirements of OMB Memorandum M-03-22, including:
• PIAs must identify what choices the agency made regarding an IT system or
collection of information as a result of performing the PIA; and
• PlAs for major applications should reflect more extensive analyses of:
o the consequences of collection and flow of information;
o the alternatives to collection and handling as designed;
o the appropriate measures to mitigate risks identified for each alternative; and
o the rationale for the final design choice or business process.
Although PIAs are only required for systems that collect or maintain information in
identifiable form about members of the general public, OMB encourages agencies to
conduct PIAs of systems that process sensitive information about government employees
and contractors. However, OPM's PIA Guide does not provide guidance for evaluating
which, if any, of these additional systems should be subject to a PIA.
The PIA Guide also states that each system owner must review their existing PIA
documentation on an annual basis, and submit evidence of the review to CIS by
September I of each year. However, the OIG has not received evidence that this review
has been completed for any OPM systems. In addition, one new system was placed into
production in FY 2009 without a PIA signed by the CIO.
Recommendation 18
We recommend that CIS update the PIA Guide to address all of the requirements of
OMB Memorandum M-03-22.
CIS Response:
"We agree with this recommendation. The privacy group is currently working on a
new PIA Guide and a new PIA Template. We have created a CIS POA&M item to
track our progress (CIS POAM FY09-Q4-CIS-40). "
Recommendation 19
We recommend that CIS conduct a new PIA survey to determine which OPM systems
require a PIA, including those systems that process sensitive information about
government employees and contractors.
CIS Response:
"We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to identify all PII information present on the OPM
network but we currently lack the resources to peiform this task. The network
assessment would be followed by a request to each office that owns the PII to conduct
privacy threshold analysis (PTA). The Office ofthe ChiefInformation Officer (OCIO)
is working on acquiring resources needed for the IT Security and Privacy program. We
17
have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS
41}."
Recommendation 20
We recommend that a new PIA be conducted for the appropriate systems based on the
updated PIA Guide. .
CIS Response:
"We agree with this recommendation. Conducting and reviewing PIAs require CIa as
well as program office resources. Once the new PIA Guide and Template is approved
and communicated, we will engage the DSO's so they can update their system privacy
documentation. We have created a CIS POA&M item to track our progress (CIS
POAM FY09-Q4-CIS-4Z). "
Recommendation 21
We recommend that each system owner annually review the existing PIA for their system
to reevaluate current holdings ofPII, and that they submit evidence of the review to CIS.
CIS Response:
"We agree with this recommendation. Conducting and reviewing PTAslPIAs require
CIO as well as program office resources. We plan on implementing a Privacy
Threshold Analysis (PTA) process as part ofour Privacy activities. The PTA is the
initial step in determining whether a PIA is necessary and as indicated in NIST-800
lZZ, an essential part ofthe Certifu:ation and Accreditation (C&A) process. The PTA
will be reviewed annually or when a change occurs with the system and the document
will become an artifact ased for reporting purposes. We have created a CIS POA&M
item to track our progress (CIS POAM FY09-Q4-CIS-43).
The Center for Information Services (CIS) security team has already began to share
the evidence ofannual PIA reviews with the Privacy Office to reflect that the DSO's
are reviewing their PIA's as part oftheir FY09 security controls testing. "
b) Compliance witb privacy-related OMB Memoranda
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, requires all federal agencies to develop and
implement a "breach notification policy." The memorandum also outlines the privacy
requirements related to the protection of PI!, and reemphasizes the security requirements
of OMB Memorandum M-06-16, Protection of Sensitive Agency Information. The
following sections outline OPM's progress in implementing the requirements of these
memoranda:
18
Implement a Breach Notification Process
OPM's Information Security and Privacy Policy Volume 2 contains limited instructions
regarding breach notification procedures. However, the policy references the Incident
Response and Reporting Guide, which contains a more detailed explanation of the
internal and external entities that must be notified when a security breach occurs.
Review Current Holdings
In 2007, OPM's IT security officer issued a "PH Questionnaire" to the designated
security oUicer for each of the Agency's major systems to determine whether the system
contained PlI. All new or significantly modified systems must complete an Initial
Screening Assessment to determine if a PIA is required. However, as mentioned above,
OPM's PIA process does not address all elements required by OMB, and system owners
have not armually reviewed their PIAs to reevaluate current holdings of PIT.
Reduce the Use o(Social Security Numbers
OMB Memorandum M-07-16 required federal agencies to eliminate the use of social
security numbers (SSNs) by the end ofFY 2009. Although OPM has made progress in
reducing the use of SSNs, the agency was unable to meet the timeline requirements of this
memorandum.
In September 2009, CIS developed a fonnal plan to reduce the use of SSNs at OPM. The
plan includes elements such as maintaining an inventory of OPM forms and validating
the need for SSNs on these forms, working with system owners to scrub existing
databases of SSNs, and providing guidance to system developers to mask SSN displays
on reports and computer screens. However, the plan does not address participation in
government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB
Memorandum M-07-16.
Reeommendation 22 fRoll-Forward from OIG Report 4A-CI-OO-08-022
Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs
in accordance with OMB Memorandum M-07 -16.
CIS Response:
"We agree with this recommendation. We are tracking this effort under CIS POAM
FY09-QI-CIS-12. However, the OCIO lacks the resources necessary to conduct the
detailed analysis needed to review all documentation (laws, policies, OPMforms and
other documents) that requires the use ofSSNs today. Furthermore, those resources
would be needed to establisJI and maintain the policies and procedures for an effective
program."
Recommendation 23
We recommend that OPM participate in government-wide efforts to explore alternatives to
agency use ofSSNs, as required by OMB Memorandum M-07-16.
19
CIS Response:
"We agree with this recommendation."
Encryption
OMB Memorandum M-07-16 states that all data on mobile computers carrying sensitive
data must be encrypted. CIS recently developed a new standard laptop image that utilizes
software based full-disk encryption. We tested a sample laptop with this image and
verified that the data on the device was secure.
CIS facilitates the purchase of all new laptops at OPM and ensures that an image with
encryption capability is installed on each device. However, CIS was unable to provide
evidence ofhow many laptops issued to OPM employees and contractors contain the new
image with encryption capabilities.
Recommendation 24 (Roll-Forward from OIG Report 4A-CI-OO-08-022
Recommendation 13;
We recommend that CIS encrypt all data on all mobile computers containing sensitive
information.
CIS Response:
"We agree with this recommendation. OPM has implemented mandatory encryption
controls on OPM laptops, blackberries, and tape backups. OPM's IT Security and
Privacy Policy requires that any sensitive data be removed to removable media must be
encrypted. WinZip encryption has been provided to all OPM users to protect sensitive
data. The encryption policy and guidelines for WinZip are available on the OPM
Intranet site and are included in the annual security awareness training. We are
tracking this effort under CIS POAM FY09-QI-CIS-13."
Control Remote Access
OPM has implementcd a two-factor authentication requirement for controlling remote
access to its information systems. In order to access OPM's internal applications
remotely, users must connect to the OPM network through a Virtual Private Network
(VPN) connection that requires both a personal identification number and a token number
to authenticate.
Time-Out Function
OPM users remotely connected to the network through VPN must re-authenticate after 10
minutes of inactivity.
Log and Verify
In FY 2009, OPM developed a methodology for logging computer-readable data extracts
of personally identifiable information (PH). The agency uses Team Track software to
20
track PH downloads and send an automatic notice to users 90 days after PH has been
downloaded. When users receive this notification, they must either confinn PH data
destruction or explain why the data has not been destroyed.
Incident Reporting and Handling Requirements
See section IX, Incident Reporting.
Rules and Consequences
OPM's IT Security and Privacy Policy Volume 2 outlines the consequences of violating
OPM policies and procedures. The policy also outlines the penalties related to violations
of the Privacy Act of 1974.
The recommendations outlined in this" section indicate that OPM has not fully met the
requirements ofOMB Memoranda dating back to 2003. In addition, OPM's privacy group is
currently undergoing an organizational realignment, and there is no pennanent Privaey
Program Manager in place. These conditions lcad us to believe that there is a significant
deficiency in OPM's management of its privacy program.
VIII. Configuration Management
This section details the controls OPM has in place regarding the technical configuration
management of its major applications and user workstations.
a) Agency-wide security configuration policy
OPM has developed an agency-wide Security Configuration and Hardening Policy. This
policy establishes standards for baseline configuration of the various operating platfonns
used by the agency and references build sheets for each platform t11at provide specific
technical configuration guidance. OPM has also developed policies related to mainframe
configuration integrity, configuration change control management, patch management,
and system monitoring. However, the Security Configuration and Hardening Policy has
not been updated since November 2004, and the patch management and system
monitoring policies have not been updated since August 2005. See section XII, IT
Security Policies and Procedures.
Recommendation 25
We recommend that OPM develop an up-to-date Security Configuration and Hardening
Policy, Patch Management Policy, and System Monitoring Policy.
CIS Response:
"We agree with this recommendation. Some progress has been made in these
procedures but currently the IT security group lacks the resources necessary to finalize
and maintain these procedures. The Office of/he ChiefInformation Officer (OCIO) is
working on acquiring resources neededfor the IT Security and Privacy program. We
21
ha.'e created CiS POA&Msfor each po/icy to track our progress (CIS POAM FY09·
Q4-ClS-44, FY09-Q4-ClS-I5, FY09-Q4-CIS-46}."
b) Techniques for mODitoring compliance with policy
to routinely run
cormguraltion g~~~~~~~~ also uses
~ compliance.
, which
c) Federal Desktop Core Configuration
OPM has developed a Windows XP image that is gene.r(lily compliant wilh Federal
Desktop Core Configuration (FDCC) standards. There are eight settings in this image
that do not meet FOCC compliance; OPM has documented justification for these
deviations.
We conducted a test to verify that OPM's F'ID~~C~C~I\':~:i:=Sg~COmp1iant with VDCC
settings. OPM has implemented its fDCC 0 on a test workstaiion ill its
LAN/WAN enviroruncnt. We evaluate this
workstation's compliance with scan indicate that all
settings on this workstati on IlrC FDCC compliant.
However, as of September 30, 2009, OPM's FnCC compliant image has not been
implemented Oil any production workstations, and OPM has not documented and justified
FnCC deviations for the ~tandard image that is currenily implemented on OPM
workstations.
In addition, updated language from 48 CFR Part 39, Acquisition ofInfomlation
Technology, has not been included in all contracts related to common security settings.
Re(!ommendatioll 26 (Rol/~Forward from OIG Reporl4A~('7-00-08-022
Recommendatkm 16)
We rcoorrlllcnd that OPM implement FDCe compliant images on all OPM workstations.
CIS Response:
"We agree willi this recommendalioll. We ure tracking this effort mld~r CIS POAM
FY09-QI-ClS-16. "
RetolDw"endation 27
We recommend that OPM incorporate Federal Acquisition Regulation 2007~004
language in all contracts related to common security settings.
22
CIS Response:
"We agru with this recommendation. We ha...·e created a CIS POA&Jt..J item to trock
our progress (CIS POAM FY09-Q4-CIS47)."
d) FoU.,w.ap on FY 2008 OIG _Recommendation
FlSMA audjt report, we recommended that in the e ....ent that.
cannot be remediatcd due to a technical or business reason,
~
~~~~~SV;1iC1iTsowner should document the reason in the system's ISSP to
any associated risks. [n FY 2009, there remains o n e _
without a formally docmnented risk acceptance.
Recommendation 28 tRnll-Fmwurd frtlm OIG Rewa 4A-C/~ (10...nIJ-022
Rccommenduliou151
We n..'Commcnd that in the event that an_vulnerability caMot be rcmediated due to
R technicru or business reason, the system's owner should document the reason in the
system's ISSP and formany accept any associated risks.
CIS RespOII.w::
dWe agree with this recommendJJtiou.. We are tracking IhM' effort under CIS POAM
FY09-QI-CIS-15. "
IX. Incident Rcportine
opr",1 has developed an "Incident Response and Reporting Policy" that outlines the
responsibilities of OPM 's Computer fncident Response Team (CIR1) and documents
procedures for reporting alllT secwjty events to the appropriate enlilie$, We evaluated the
degree to which OPM .is following intemal procedures and FlSMA requirements for
reporting ~ecurity incid.ents internally. to the Uni ted States Computer Emergency Read,iness
Team (US-CERT), and to appropriate law enforcement authorities.
a) Identifying and reporting incideots internally
OPM"s Incident Response and Reporting Policy requires the users urthe agency's IT
resources to immediately notify OPM's situation room when IT security incidents occur.
During the past year, OPM has provided its employees with various forms of training
related to the procedures to foUow in the event sensitive data is lost. In addition, OPM
reiterates the information provided in the ]ncident Response and Reporting Policy in the
annual IT security and privacy awareness training.
OPM also notifies the OIG when security incidents occur by providing OIG investigators
with a monthly report that tracks the security tickets related to tbe loss of sensitive data,
23
b) Reporting incidents to US-CERT
OPM's Incident Response and Reporting policy states that OPM's CIRT is responsible
for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT .
within one hour of a reportable security incident occurrence. Notification and ongoing
eorrespondence with US-CERT is tracked through "security tickets" maintained by
OPM's help desk.
c) Reporting incidents to law enforcement
The Incident Response and Reporting policy states that seeurity incidents should also be
reported to law enforcement authorities, where appropriate. Nothing came to the OIG's
attention to indicate that this policy is not being followed.
x. Security Awareness Training
CIS has implemented a process to provide annual IT security and privacy awareness training
to all OPM employees and contractors.
The training is conducted through an interactive web-based course. The course
introduces employees and contractors to the basic concepts ofIT security and privacy,
including topics such as the importance of infonnation security, security threats and
vulnerabilities, viruses and malicious codes, privacy training, peer-to-peer software, and the
roles and responsibilities of users.
Over 99 percent of OPM's employees and contractors completed the security awareness
training course in FY 2009.
In addition, 99 percent of OPM employees and contractors with IT security-related
.responsibility completed specialized IT security training in FY 2009.
XI. E-authentication Risk Assessments
OMB Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies," states that
it "applies to remote authentication of human users of Federal agency IT systems for the
purposes of conducting government business electronically (or e-government)" and requires
agencies to conduct an e-Authentication risk assessment of these systems.
OPM's system inventory identifies 10 systems that CIS believes are subject to e
Authentication requirements. However, we believe that there are at least five additional
systems at OPM that are subject to e-Authentication requirements.
Recommendation 29
We recommend that CIS dctennine which systems in its inventory are subject to e
Authentication requirements and complete e-Authentication risk assessments for each of
these systems.
24
C1S Response:
"We agree with this recommendation. After meeting witl! your office on August 24,2009,
the Center for Information Services (CIS) security team sent correspondence to the
perspective DSO's that currently do not have an e-Authentication risk assessment but
should have one. We are tracking tltis effort under CIS POAM FY09-QI-CIS-48. "
XlI. IT Security Policies and Procedures
OPM's failure to adequately update its IT security policies and procedures has been
highlighted in the past three OIG FISMA audit reports and has been identified as a material
weakness in the IT security program in the FY 2007 and FY 2008 reports.
In FY 2009, OPM published a new Certification and Accreditation Guide and an Information
Security and Privacy Policy and deleted the majority of the outdated information from the
agency's internal website (THEO). However, the policies deleted from THEO have not been
replaced with current guidance on managing IT security at OPM.
Volume 2 of the Information Security and Privacy Policy was posted to THEO in August
2009. This policy outlines the IT security controls that should be in place for the major
applications owned by the agency. However, the majority of the text in this policy is derived
or copied directly from NIST SP 800-53 and has not been tailored to specifically address
OPM's IT environment. Although this policy assigns responsibility for the management of
various controls, it does not provide guidance on how these controls should be implemented
and monitored. OPM's DSO community has repeatedly voiced concern (directly to the OIG
and to CIS at monthly IT security working group meetings) that the lack of detailed IT
security policies and procedures has negatively impacted their ability to secure the
information systems they manage.
The absence of the following policies, procedures, or guidance has directly led to OlG audit
findings in FY 2009 (this is not intended to be a comprehensive list ofmissing policies at
OPM):
• Procedures for DSOs to manage POA&Ms for agency systems;
• Procedures for CIS to review quarterly POA&Ms and report POA&M status to OMB;
• Guidance for developing contingency plans, procedures for routinely conducting
contingency plan tests, and templates for reporting test results;
• Procedures for annually testing IT security controls and templates for recording test
results;
• Policy and procedures related to oversight of systems operated by a contractor;
• Policy related to roles and responsibilities for the Independent Verification and
Validation (IV &V) process and procedures for managing an IV &V; and
• Guidance for establishing agreements for interfacing systems.
25
In addition to the missing policies, the following OPM policies have not been updated in the
past 3 years:
• Privacy Impact Assessment Guide (updated May 2006);
• Security Configuration and Hardening Policy (updated November 2004);
• Patch Management Policy (updated August 2005); and
• System Monitoring Policy (updated August 2005).
Although OPM has taken several steps to improve and update the agency's IT policies, we
will continue to consider this condition a material weakness until adequate policies exist for
all aspects of IT security program management at OPM. See section I, Information Security
Governance.
R~ommendation 30 (Roii-Forward {rom OIG Report 4A-CI-OO-08-022 Recommendation
l..21.
We recommend that CIS develop IIp-to-date and comprehensive IT security policies and
procedures, and publish these documents to THEO.
CIS Response:
"We agree with this recommendation. With limited resources there was some progress
made over the last 12 months in the creation ofpolicies andprocedures. However, the IT
security group lacks the resources necessary to establish and maintain the IT security
policies and procedures needed for an effective IT Security and Privacy program. The
Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources needed
for the IT Security and Privacy program. This effort is being tracked under CIS POAM
FY09-QI-CIS-19. "
26
Major Contributors to This Report
This audit report was prepared by the U.S, Office of Personne1 Management, Office of Inspector
General, Infonnation Systems Audits Group. The following individuals participated in the audit
and the preparatjon of thi's report:
• Group Chief
• Audilor-in-Charge
• lnformatiop Technology Auditor
• Information Technology Auditor
• lnformation Technology Auditor
27
Appendix I
Follow-up of Prior OIG FISMA Audit Recommendations
Report 4A-OD-00-05-013: Audit ofthe Information Technology Security Controls ofthe
U.S. Office of Personnel Management's Enterprise Human Resources Integration (EHRI)
Data Warehouse, issued May 9, 2005.
Rec# Orildnal Recommendation Current Status
-
We recommend that the Office of e-Government
Initiatives (e-Gov) implement independent organization
3 CLOSED
segments for the development and migration of system
programming changes to EHRl.
Report 4A-IS-OO-05-026: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Electronic Questionnaire for Investigations
Processing System (EQIP), issued June 16, 20OS.
r'-----·· .....-
~-
-
Rec# Orieinal Recommendation -.- Current Status __
We recommend that each existing EQIP user
(administrators, operators, and developers) sign a rules of
6 CLOSED
behavior document. The signed documents should be
maintained by the system DSO.
We recommend that the F ederallnvestigative Services OPEN. FISD is
Division (FISD) verify that only authorized users have current! y updating
18 access to EQIP and maintain authorization forms for OPM form 1665 to
users, including administrators, operators, and developers. address this
.'-
recommendation
Report 4A-IS-00-06-021: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Fingerprint Transaction System (ITS), issued
August 29, 2006.
Rec# Original Recommendation Current Status
We recommend that FISD document and maintain on file
authorizations that specify the authorized privileges for
each FTS user. In addition, we recommend that FISD
4 CLOSED
periodically verify that only authorized users have access
to FTS by reviewing user authorization forms and
comparing them to access lists.
-
We recommend that FISD update the FTS contingency
plan to fully document the following information:
7 • contact information, CLOSED
• recovery goals/objectives,
• recovery procedures,
-
,-----,---------------------------------------- --.-----------------,
• original or new site restoration procedures,
• concurrent processing procedures, and
• responsible teams.
Report 4A-RI-00-08-023: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Employee Benefits Information System (EBIS),
issued April 10, 2008.
Rec# Original Recommendation Current Status
We recommend that the Center for Human Capital
Management Services (HCMS) develop a formal business
1 CLOSED
impact analysis to determine the effect that EBIS system
outages would have on HCMS, GRB, and EBIS users.
The EBIS contingency plan should be improved to
include the appropriate elements outlined in NIST SP
2 CLOSED
800-34, as determined by the results of the business
impact analysis.
Report 4A-WR-00-08-024: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Central Personnel Data File (CPDF), issued
April 17, 2008.
Rec# Original Recommendation Current Status
We recommend that the Strategic Human Resources
Policy Division update its Business Contingency Plan to
1 include all elements required by NIST SP 800-34. This CLOSED
should include detailed recovery procedures sufficient to
test the restoration of all CPDF processes.
Report 4A-HR-00-08-058: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's USAJOBS System, issued September 5, 2008.
Rec# Oril!inal Recommendation Current Status
We recommend that the Human Resources Products and
Services Division (HRPS) and Monster World Wide
1 CLOSED
(MWW) update, review, and test its contingency plan on
an annual basis.
We recommend that HRPSIMWW develop formal
procedures for media sanitization and disposal in
2 CLOSED
accordance with NIST SP 800-53 Revision 1 control MP
6.
We recommend that HRPS update the most current
3 POA&M template to identifY and prioritize all security CLOSED
-
weaknesses identified for USAJOBS.
Report 4A-MO·oo..OS..oS9: Audit of the Information Technology Security Controls of the
U.s. Office ofPersonncJ Management 's Executive Schedule C System (ESCS), issued
September 8, 2008.
the Human CapitaJ
Merit System Accountability Division (HCLMSA) update
CLOSED
the ESCS contingency p1an to include the elements
CLOSED
update
POA&M to include the weaknesses outlined in this audit
report, and continue to update the POA&M with any
4 CLOSED
additional weaknesses discovered by the program ollice
or an outside party conducting a security review of the
Report 4A-CI-OO-08-022: FY 2008 Federal Information Security MaDligement Act Audit,
issued September 23, 2008.
Rec# Original Recommendation Current Status
OPEN. Rolled fo,,~iiTd
We recommend that OPM ensure that an annual test of
J as 4A-CI-OO-09-031
security controls has been completed for all systems.
Recommendation 6
OPEN. Rolled forward
We recommend that OPM's program offices test the '
2 as 4A-CI-OO-09-03J
contingency plans for each system on an annual basis.
Recommendation 9
. We recommend that OPM update its system inventory to
3 clearly identify the state of the system (active, su spended ~ CLOSED
develovment, etc).
OPEN. Rolled forward
We recommend that tbe program offices incorporate all
4 as 4A-CI-OO-09-03 I
known security weaknesses into the POA&Ms.
Recommendation 12
OPEN. Rolled forward
We recommend that an up-io.date POA&M exist for each
5 as 4A-Cl-OO-09-031
sy'!'1<.-'tl1 in orM's inventory,
Recommendation 13
OPEN. Rolled forward
We reconunend that all program offices submit POA&Ms
6 as 4A-CJ-OO-09-031
to the CIS/CIO office on a quarterly basis.
Recommendation 13
We recommend that the CIS/CIO require each program
office to provlde evidence (proof of closure) that
7 CLOSED
POA&M weaknesses have been resolved before allowing
that item to be labeled "comp.J~te."
We recommend that aU OIG recommendations be
8 included on POA&Ms and they not be removed until CLOSED
evidence of proof of closure is provided to the CIS/CIO.
We recommend that CIS take the appropriate steps to OPEN. Rolled forward
9 ensure that all active systems in OPM's inventory have a as 4A-CI-OO-09-031
complete and current C&A. Recommendation ]6
We recommend that all elements required by fISMA and
10 relevant NIST guidance be in place before a system is CLOSED
fom,allv c&A'd.
We rewmmcnd that OPM issue its "Information Security
11 and Privacy Policy" to all agency employees ,md post a CLOSED
copy to the !!,Eencis internal website.
We recommend that aPM continue its efforts to reduce
OPEN. Rolled forward
the use of SSNs and develop a formal plan to eliminate
12 as 4A-CJ-OO-09-031
the unnecessary coHeetlon and use ofSSNs within 18
Recommendation 22
months in accordance with OMB Memorandum M·07·16.
We recommend that aPM contillue its effort.'i to
OPEN. Rolled forward
implement a solution to automatically encrypt aU data on as 4A-CI-OO-09-031
lJ
mobile computers/devices carrying agency data unless the
Recommendation 24
data is detennincd not to be sensitive.
We recommend that OPM continue its efforts to develop
a methodology for logging comptltcr·readable data
14 CLOSED
extracts to determine whether sensitive data has been
erased after 90 days.
We recommend that OPM COnfigUr~
in a marmer consistent with OPM's on figuration
Policy. Eacb of the vuJnerabilities outlined in the DIG's
audit inquiry should be formal ly documented, itemized,
OPEN. Rolled forward
1,5 and prioritized in a POA&M. In the event that a as 4A-CI-OO-09·031
vulnerability cannot be remediated due to a technical or Recommendation 28
business reason, the supported system's owner should
document the reason in the system's lSSP to fonnatly
accept any associated risks.
- OPEN. Rolled fonvard
We recommend that OPM continue its efforts to
16 as 4A-CJ-OO-09-031
implement all required elements of the FDCC.
Recommendation 2~_
We recommend that aPM continue its efforts to ensure
that all federal employees and contractors with access to
17 CLOSED
OPM's IT resources complete IT security and privacy
awareness training on an annual basis.
We recommend that c-authentication risk assessments be
18 completed for the required systems in accordance with
CLOSED
OMB Memorandum M-04-04. .
OPEN. Rolled forward·
We recommend that CIS promptly update OPM's IT
19 as 4A-CI-OO-09-031
security policies and publish them to THEO_._ _ _ _........l.-.CR:.:e.::.:c:.:o:.:;mm:.::;endation 30
Report 4A-CI-OO-09-053: Flash Audit Alert - Iuformation Technology Security Program
at the U.S. Office of Personnel Management, issued May 27, 2009.
Rec# Oril!inal Recommendation _..-. Current Status
We recommend that CIS correct the FY 2009 second
I quarter FlSMA report to accurately reflect the status of CLOSED
OPM's IT security position as of March 1,2009.
We recommend that CIS develop a comprehensive set of OPEN. Rolled forward
2 IT security policies and procedures, and a plan for as 4A-CI-00-09-031
updating it at least annually. Recommendation 30
We recommend that the OPM Director ensure that CIS
3 has adequate resources to properly staff its IT Security OPEN
and Privacy Group. .... _._._ ...
OPEN. OPM hired an
We recommend that CIS recruit a permanent Senior
ITSO, but the
Agency Information Security Officer as soon as possible
4 organization of the
and adequate staff to effectively manage the agency's IT
ITSO's staff has not
security program.
been finalized.
Appendix II
UNITED STATts OFFl~8'"brPERsoNNEL MANAGEMENT
.....'l,UIirlVQJI.. DC 2Q4J5
JUU'$1009
Tho.4'.U·I"M.Oflke ofinspeclQr QcneraI(OIG)'r.eleasOO a f.4t';h Audit Alert'dated May va,
Zl)()9. wJ.Uch.outl~d :a","eral ~~dations. regiU'dirig the OPM rr SecUiitY Pr.bgnvtl.
l1}.ese ~1.iuJ)f ·arr.: ·n(J\ed bcll)W-iOOng Wi!.h-ttlll rt..'qlO1l5e.
.Rr(o~j .. 'We ~~ tba1 CI.S ·corrcc.1 the.fY 2009 second
iltwtetiiJ!MA t~ol1 iO' ~nf'rcly_ reflect ~·st.alu.'i uf OPM ' $ IT r.eci.lrity
~i~ a.<I' orM8I:C)t .~.2009. Thls would.inclUde reportJnS that eoJSf' and Ifle
E.,.u Data Wartbouse sy5tems both imvc weaknesses mor~ thah 120 days
overdUe, tmd dtaiiginB' 'tbe_rrn:tricSoD ihe entire rq;ort frQll') the nup':l~ (If
·OYerd~.,..el\_kne.-c;ses to t~ JlUfIlb!lT:oi;sysit;m:,-wnh overdue wcaknes.~es.
114PDrP.e.: T~ Center for Infonnauon Serv~ (CIS) secll~ team llctcd O~ the
'best 'infomlation.lhc),_had:at .'il1e time.in clo$ing.!!OPF _mx! eURJ D-oI~ WarchI'Ju:Je
'wiakbesscs. 'In respOflSOto ~ ~em ,ra1sed~)' Old staffl~at' 21 ""~ clqsed
~ll8pPtQpna&tly ~'.(iiil ntit total of268.tOf,al prog,rMtl weUne,S8e!l · ClS ~ta
'the OlG ' f4ti0JJ;31~ for why ~ 21 shouJdremain open (~(ju idBi1ce (ln 1hi$ is
1).pt.~) ant) jigreed lo-re,.,opm them. -They me: been J:e~Qpene.;i wid). the
orlginW '~:oom()let4m:date; -010 W3!:a1f\IJ~d <I.t'ibis.atti'on PPUf 10 Akl~
Report.
We.:~wiih t!w m:ommt."¢ll!ioo that OPM report the mmiber of SYStem$ will!
we~~innore than 120~Y!lovtidue. instead 6r-thC.nw'nber P~~
ThiS was 3 oitstake.m ourUnd~- oflbe itpDrtijls I~~ It: sllonld
btnrikd 1hanhis, mist:D:-e,~eth!! PPM melr:M$)ook '\l'or~ fhap ihey really
~ ...·so .'Po'e ~ most 'WilHog to ma,kc: {bis-dunge. As soon AJ'We eonfinned
the OJ6!s .~tiQn was (;9ITCCI;-we:made the ebMtlp.e,·io time for the 3,;1 quru1er
FlSMA n:porl 010 'Was. notified _o f the tomttiem prioILO the AJtrt Report. The
~ quarter rijJoithas·-.lSo .bc:~ updati:d 6lIil·Stlor lo 6MB. We consider thi,
reconinie.il/illtiOll.to be _d01:Cd,
Recommendtliion 2: We recommend !hat crs deve/Gpa COOIprehensiveset ofIT
security policies and procedures, and a plan for updating them at leastatl11U1l11y,
R€$J1(Jnse: We agree wlthtlliueeonunendati!>!l a.n4have been working for many
months to £ompleleneeded .upQale~, Work began as ~OOl;l !IS funding wru;
provided. Many policies and procedures have already been re.vised, with the
remainder targeted f!>l' completion by 8!31109. We have k.epl OlG apprised of our
efforts t.o comptete this work.
Recommendidwn.J: We recommend that Ihe OPM Director ensure thst CIS has
adequate fesources to properly starr its IT SecurtQiand Fnvacy Group.
Response: We agree with thi$ leco1ll/ll<;l\dation. Ail VI<: discllllsed with DIG staff
on numerous occasions, CIS has been working withHR for IPore'than a year to
reorganize end elevate the IT """uril)' function, to upgrade the l.ve.1 of the IT
secwily officer from a OS-]4 to a OS-15, and to!idd staff. A neworgaruzational
alignment, gradestrnctllre lind tesource~ f!>:rtheTf SeellritylWd :Privacy Groll])
were approved ol;l Maroh 4,2il09. Under this new struct)lre,the IT se;:uti\y sta:tr
will grow from 3 to 6. We consider this recommendation to beclosea
Recommendtliion; 4: We recommend that CIS recruit II petlllaMnI ~nior Agel;lcy
lnform.won ~c\lrityOfficeras sOQn as P9ssibl., and adequate itlltf to :e:!fecIiYely
manage the agency's IT security program.
R£spt!l1st; We agree withthisrtC<!mmendation. Recruilinghasbeel;l in progreU
sinoe thereorganiUltiol;l was approveq. We have made 1I ct!uple of.offers to.flll
lb.. G('l-15l\1ld 08-14 posi\i!>/ll!; which were declined. We!laYe ide!lulled another
excellent candidate fbr the 6s~ 15 position. We are eurrentl:r in the precess of
getting ChiefofSta:trapprovai to eJderid an offer. Weare liitgetitJg.a.repOrt.date
in Augu$t.
As you can see, aU of the OlG .issues with <:lUTsecurity program nored in the Alert R.eporI
have eitber been com])!eted or are well on lheir way to complelion. With lbe'exception of
the selection ofthe ITSO, which Is a very rtcent.decisJon, we have attempted to keep
OIG staff apprised pf our stalU$on thes.eiss.ues. Their recommendatiOns were seriously
considered, reviewed ;md acted upon'/lS appropxiate.
Appendix IIJ
October 20, 2009
Report No. 4A-CI-00-09-03 I
MEMORANDUM FOR LEWIS F. PARKER, Jr.
Chief, Information Systems Audit Group
FROM:
Inf(,mlatiCln Officcr
SUBJECT: Fed~ral Information Security Management Act Audit - FY 2009
Attached you wilJ find our responses to the draft Federallnformation Security Management Act
audit report. The protection oftbe Office of Personnel Management (OPM) network and
resources is criticaJ to the su!;:cess of the OPM mission. AJI OPM Components rely extensively
on infonnation technology (IT) assets and the OPM network to achieve mission objectives. For
that reason, we thank you and agree with the recommendations provided jn the draft rePQrt
identifying areas for improvement within the OPM IT security and privacy program. The Officc
of the ChiefInfonnation Officer (OCrO) is committed to ensuring an effective IT security and
privacy program_ Please note that we have created CIO POA&M entries for lhese findings and
will develop a plan to mitigate these as additional resources become available.
an)! qlleSilior" regarding the responses in this cen,ort. please don 't hesitate to cont~ct
me or _ (ITSO) We look forward to continue to
iQS;etli<:TiiO mop",V(; tile IT security program al OPM ,
Attachmenf
cc;
Direct""lf E:xt,mai Affairs
nancial Officer & Policy and Internal Control Group
"off ,_" Executive Secretarial
Current Status of Flash Audit Alert Recommendation 1
We verified that CIS corrected and submitted the FY 2009 second quarter FISMA report. We
also verified that the FY 2009 third quarter FISMA report accurately represented the status of
OPM's security program at that time.
CIS Replv 10120109
.The Centerfor Information Services (CIS) security team will continue to ensure the quarterly
FISMA reports reflect correct and accurate information for OPM's security program.
Current Status of Flash Audit Alert Recommendation 2
OPM's IT security policies and procedures continue to lack adequate current guidance on
managing IT security at the agency. See section XII of this report for details.
CIS Replv 10120109
Please refer to section XIIfor our response to Recommendation 30 regarding the IT security
policies and procedures.
Current Status of Flash Audit Alert Recommendation 3
We continue to believe that CIS lacks the resources needed to manage an adequate IT security
program. Eleven of the nineteen audit recommendations issued in the FY 2008 f'ISMA audit
report have been rolled forward into this FY 2009 FISMA report, indicating that CIS does not
have the resources needed to remediate identified security weaknesses.
CIS Replv 10120109
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain an effective security and privacy program. .The new
SAISO (referred to as the ITSO) that was hired in September 2009 has identified resources
needed and his recommendations are under review with senior management. The Office ofthe
ChiefInformation Officer (OCIO) is working 011 acquirillg resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-27).
Current Status of Flash Audit Alert Recommendation 4
CIS hired a permanent SAISO (referred to as the ITSO) in September 2009. However, the
agency operated with an acting IISO for over 11 months of FY 2009. In addition, the
organization of the staff reporting to the ITSO has not been finalized. On a potentially positive
note, the OPM Director has recently appointed a new Acting Chief Information Officer, who has
developed preliminary plans to expand and improve OPM's IT security program. We will re
evaluate these developments during the FY 2010 FISMA audit.
CIS Replv 10120109
We agree with this recommendation. Currently the I.T security group lacks the resources and
the organizational structure necessary to establish and maintain all effective security and
privacy program. The new SAISO (referred to as the ITSO) that was hired in September 2009
has developed an organizational chart, roles and responsibilities and resources needed. His
recommendations are under review with senior management The Office ofthe Chief
Information Officer (OCIO) is working on acquiring resources needed for the IT Security and
Privacy program. As referenced in Flash Audit Alert Recommendation 3, we have created a
CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-27) regarding resources.
Recommendation 1
We recommend that CIS conduct a survey ofOPM program offices (particularly the Benefits
Systems Group) to identifY any systems that exist but do not appear on the system inventory.
The systems discovered during this survey should be promptly added to the system inventory and
certified and accredited.
CIS Replv 10/20109
We agree with this recommendation. The IT Security and Privacy group will conduct a
network assessment to map out the OPM network and identify all missing systems and created
a CIS POA&M item to track Ollr progress (CIS POAM FY09-Q4-CIS-28).
Recommendation 2
We recommend that CIS develop and maintain an inventory of all system interfaces.
CIS Replv 10120109
We agree with this recommendation. The IT Security and Privacy team will include system
interface information on the OPM FISMA Master System Inventory going forward. We have
created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-29). Please
note as stated in response to IG Information Request #24, system interface information is
included within each System Security Plan for each system currently on the OPM FISMA
Master System Inventory.
Recommendation 3
We recommend that CIS develop a policy providing guidance on the development and
appropriate use of MOUs and ISAs.
CIS Replv 10/20109
We agree with this recommendation. Currently the IT Security and Privacy grollp lacks the
resources necessary to establish and maintain an effective security and privacy program. The
Office ofthe ChiefInformation OffICer (OCIO) is working on acquiring resources needed for
the IT Security and Privacy program. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-30).
Recommendation 4
We recommend that CIS conduct a survey to determine how many systems owned by another
agency are used by OPM.
CIS Replv 10110109
We agree with this recommendation. We have made some progress witll this task (please refer
to IG Information request #24) but we lack the resources to conduct a complete network
assessment to map out the OPM network and identify all systems. The Office ofthe Chief
Information Officer (OClO) is working on acquiring resources needed for the IT Security and
Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM
FY09-Q4-ClS-3l).
Recommendation 5
We r",.commend that CIS develop a policy for adequately testing the security controls ofOPM's
systems, and provide training to the Designated Security Officer (DSO) community related to
proper security control testing.
CIS Reply 10110109
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies and training program. The Office ofthe
ChiefInformation OffICer (OC70) is working on acquiring resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-32).
Recommendation 6 (Roll-Forward from 01G Report 4A-CI-00-OB-022 Recommendation 1)
We recommend that OPM ensure that an annual test of security controls has been completed for
all systems.
CIS Reply 10110109
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1
CIS-I.
Recommendation 7
We recommend that OPM develop detailed guidance related to developing and testing the
contingency plans of agency systems, and provide training to the DSO community related to
proper contingency planning and contingency plan testing.
CIS Reply 10110109
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies and training program. The Office ofthe
ChiefInformation Officer (OCIO) is working on acquiring resources neededfor the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-33).
Recommendation 8
We recommend that up-to-date contingency plans be developed for all agency systems.
CIS Replv 10110109
We agree with this recommendation. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-34).
Recommendation 9 (Rol/-Forward from OIG Report 4A-CI-00-08-022 Recommendation 2)
We recommend that OPM's program offices test the contingency plans for each system on an
annual basis.
CIS Reply 10120109
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1
CIS-2.
Recommendation 10
We recommend that OM develop a policy providing guidance on providing adequate oversight
of contractor operated systems.
CIS RepLv 10120109
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies andprovide the oversight needed. The
Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources needed for
the IT Security and Privacy program. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-35).
Recommendation 11
We recommend that CIS publish the Plan of Action and Milestone Standard Operating Procedure
toTHEO.
CIS Reply 10/20109
We agree with this recommendation. We have created a CIS POA&M item 10 document the
completion ofthis recommendation (CIS POAM FY09-Q4-CIS-36). The POA&M Guide has
been published as ofSeptember 2009 on Theo
hltp:lltheo.opm.govlpolicies/lSpplFlNAL POAM Process SOP 093009.pd{
Recommendation 12 (Roll-Forward from 016 Report 4A-CI-00-08-022 Recommendation 41
We recommend that OPM program offices incorporate all known IT security weaknesses into
POA&Ms.
CIS Reply 10120109
We agree with this recommendation. We are tracking this effort under G1S POAM .FY09-Ql
CIS-4. Since the POA&M SOP was just recently pubLished on Thea, we will continue to assist
program offices through this process.
Recommendation 13 (Roll-Forward from 016 Report 4A-CI-00-08-022 Recommendations 5
and 61
We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that
system owners submit updated POA&Ms to C1S on a quarterly basis.
CIS Reply 10/20109
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-QI
CIS-5 and CIS POAM FY09-QI-CIS-6. The POA&M SOP has been published as of
September 2009 which provides guidance to DSO's regarding POA&M submission. Please
note that since OMB did not require any POA&M submissions for FY09 quarter 4, CIS did
not continue to follow up with program offices to ensure submissions were provided to CISfor
FY09 quarter 4.
Recommendation 14
We recommend that CIS provide guidance to program offices to evaluate the resources and time
requirements needed to remediate security weaknesses so that reasonable remediation due dates
are established for all POA&M items.
CIS Replv 10120109
We agree with this recommendation. The POA&M SOP has been published as ofSeptember
2009 which provides guidance to DSO's regarding POA&M management. We have created a
CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-37) on supplemental
guidance to the DSO's.
Recommendation 15
We recommend that each program office prioritize the system weaknesses listed on their
POA&Ms.
CIS Reply /0120109
We agree with this recommendation. The POA&M SOP has been published as ofSeptember
2009 which provides guidance to DSO's regarding prioritizing weaknesses. We have created a
CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-38) on supplemental
guidance to the DSO's.
Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 91
We recommend that all active systems in OPM's inventory have a complete and current C&A.
CIS Reply 10120109
We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to map out the OPM network and identify all systems and
accountfor missing C and A's but we currently lack the resources to perform this task. The
Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources needed for
the IT Security and Privacy program. We are tracking this effort under CIS POAM FY09-Q1
CIS-9.
Recommendation 17
We recommend that the FIPS Publication 199 security categorization be updated for the
inappropriately categorized system.
CIS Replv 10120109
We agree with this recommendation. The Center for In/ormation Services (CIS) security leam
will work with the DSO's to ensure the FIPS 199 reflect the appropriate rating. During the
monthly October 2009 Information Technology Security Working Group (1TSWG) meeting,
the writer and subject matter expert from NIST provided a briefing on N1ST 800-60 (Guide for
Mapping Types ofInformation and Information Systems to Security Categories) to the DSO's
and CIS. We have created a CIS POA&M item to continue to track our progress (CIS POAM
FY09-Q4-CIS-39).
Recommendation 18
We recommend that CIS update the PIA Guide to address all of the requirements ofOMB
Memorandum M-03-22.
CIS Replv 10120109
We agree with this recommendation. The privacy group is currently working on a new PIA
Guide and a new PIA Template. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-40).
Recommendation 19
We recommend that CIS conduct a new PIA survey to determine which OPM systems require a
PIA, including those systems that process sensitive information about government employees
and eontractors.
CIS Replv 10120109
We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to identify all PII information present on the OPM network but
we currently lack the resources to perform this task. The network assessment would be
followed by a request to each offue that owns the PII to conduct privacy threshold analysis
(PTA). The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources
neededfor the IT Security and Privacy program. We have created a CIS POA&M item to track
our progress (CIS POAM FY09-Q4-CIS-41).
Recommendation 20
We recommend that a new PIA be conducted for the appropriate systems based on the updated
PIA Guide.
CIS Reply 10120/09
We agree with this recommendation. Conducting and reviewing PIAs require CI0 as well as
program office resources. Once the new PIA Guide and Template is approved and
communicated, we will engage the DSO's so they can update their system privacy
documentation. We have created a CIS POA&M item to track our progress (CIS POAM
FY09-Q4-CIS-42).
Recommendation 21
We recommend that each system owner annually review the existing PIA for their system to
reevaluate current holdings of PH, and that they submit evidence of the review to CIS.
CIS Replv 10120/09
We agree with this recommendation. Conducting and reviewing PTAslPIAs require CIO as
well as program office resources. We plan on implementing a Privacy Threshold Analysis
(PTA) process as part ofour Privacy activities. The PTA is the initial step in determining
whether a PIA is necessary and as indicated in NIST-SOO-122, an essential part ofthe
Certification and Accreditation (C&A) process. The PTA will be reviewed annually or when a
change occurs with the system and the document will become an artifact used for reporting
purposes. We have created a CIS POA&M item to track ourprogress (CIS POAM FY09-Q4
CIS-43).
The Center for Information Services (CIS) security team has already began to share the
evidence ofannual PIA reviews with the Privacy Office to reflect that the DSO's are reviewing
their PIA's as part oftheir FY09 security controls testing.
Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-OS-022 Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use ofSSNs
accordance with OMB Memorandum M-07 -16.
CIS Reply 10120109
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Ql
CIS-l2. However, the OCIO lacks the resources necessary to conduct the detailed analysis
needed to review all documentation (laws, policies, OPMforms and other documents) that
requires the use ofSSNs today. Furthermore, those resources would be needed to establish
and maintain the policies and procedures for an effective program.
Recommendation 23
We recommend that OPM participate in government-wide efforts to explore altematives to
agency use ofSSNs, as required by OMB Memorandum M-07-16.
CIS Reply 10/20/09
We agree with this recommendation..
Recommendation 24 (Roll-Forward from OIG Report 4A-CI-00-OS-022 Recommendation 13)
We recommend that CIS encrypt all data on all mobile computers containing sensitive
information.
CIS Replv 10120109
We agree with this recommendation. OPM has implemented mandatory encryption controls
on OPM laptops, blackberries, and tape backups. OPM's IT Security and Privacy Policy
requires that any sensitive data be removed to removable media must be encrypted. WinZip
encryption has been provided to all OPM users to protect sensitive data. The encryption policy
and guidelines for WinZip are available on the OPM intranet site and are included in the
annual security awareness training. We are tracking this effort under CIS POAM FY09-Ql
CIS-13.
Reeommendation 25
We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy,
Patch Management Policy, and System Monitoring Policy.
CIS Reply 10/20109
We agree with this recommendation. Some progress has been made in these procedures but
currently the IT security group lacks the resources necessary to finalize and maintain these
procedures. The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring
resources neededfor the IT Security and Privacy program. We have created CIS POA&111s
for each policy to track our progress (CIS POAM FY09-Q4-CIS-44, FY09-Q4-CIS-45, FY09
Q4-CIS-46).
Recommendatioll 26 tRoll-Forward from OIG Report 4A.-CI-OO-08..Q21 ReMmmendnfit>n J6~
We recommend that OPM implcmcllt FDCC compliant images on all OPM workstations.
CIS Replv 10110109
We agree with 'his recommendation. We are tracking fhi.f; effort under CIS POAM FY09~Ql
CIS-16.
Recommendation 27
We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 Janguage in aU
contracts related to common security settings,
CIS Reple 10110109
We agree with this recommem/ution. We have created a as POA&M item to track mu
progress (CIS POAM FY09-Q4-CIS-47).
Recommendation 28 (Roll-Forward from DIG Report 4A-CJ-OO-OB-022 Recommendation 15)
We recommend that in the event that cannot be remediated due to a
te<:hnical or business reason, the sys"e,n', owner should doculnen' the reason in the system's
lSSP and fomlally accept any associated risks.
CIS lIeP/y 10110109
We agree with Ihis recommendation. We are tracking this effort under CIS POA.M FY09-Ql
ClS-l5.
Recommelldation 29
We recommend that CIS detcmllne which systems in its inventory are subject to e
Atlthelltication requirements and complete e-Autl}entication risk assessments for each of these
systems,
CIS Reply 10110109
We agree with this recommendation. After meeting with your office on August 24, 2009, the
Centerfor Information Service... (CIS) security team sent correspondenu to the perspective
])SO'!j' that currently do not have an e-Authentication risk assessment but should have one.
We are tracking this effort under CIS POAM FY09-QI-CIS-/8.
Recommendation 30 (Roll-Forwgrd from OIG Report 4A-CI-OO-OB-022 Recommendation 19)
We recommend that CIS develop up-to-date and comprehensive IT security policies and
procedures, and publish these documents to THEO,
CIS Reply 10120109
We agree wilh Ihis recommenflation. With IimiJed resources there was some progre1'.f; mllde
over the last 12 months in the creation a/policies amI procedures. However, the IT security
group lacks the u ..\'ources necessary to establish and /nailltain the IT security policies Dud
procedures "teded/or an effective IT Security and PtilJocy program. The Office of the Chief
Information Officer (OCIO) is working on acquiring resources neededfor the IT Security and
Privacy program. This effort is being tracked under CIS POAM FY09-QI-CIS-I9.
Federal Information Security Management Act Audit FY 2009
Published by the Office of Personnel Management, Office of Inspector General on 2009-11-05.
Below is a raw (and likely hideous) rendition of the original report. (PDF)