
Federal Information Security Management Act Audit FY 2009

Published by the Office of Personnel Management, Office of Inspector General on 2009-11-05.

U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT
FY 2009

Report No. 4A-CI-00-09-031

Date: November 5, 2009

CAUTION
This audit report has been distributed to Federal officials who are responsible for the
administration of the audited program. This audit report may contain proprietary data which is
protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under
the Freedom of Information Act and made available to the public on the OIG webpage, caution
needs to be exercised before releasing the report to the general public as it may contain
proprietary information that was redacted from the publicly distributed copy.
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Office of the
Inspector General

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT

FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT

FY 2009

WASHINGTON, D.C.

Report No. 4A-CI-00-09-031

Date: November 5, 2009

Michael R. Esser
Assistant Inspector General
for Audits




Executive Summary

This final audit report documents the Office of Personnel Management's (OPM's) continued
efforts to manage and secure its information resources. We have significant concerns regarding
the overall quality of the information security program at OPM. These concerns are rooted in the
lack of adequate information security governance activities in accordance with legislative and
regulatory requirements. Specifically, the agency has not fully documented information security
policy and procedures or established appropriate roles and responsibilities.

The lack of policies and procedures was reported as a material weakness in the fiscal year (FY)
2007 and FY 2008 Federal Information Security Management Act (FISMA) audit reports. While
some progress was made in FY 2009, detailed guidance is still lacking. An updated Information
Security and Privacy Policy was finalized in August 2009. This policy outlines the information
technology (IT) security controls that should be in place for the major applications owned by the
agency. However, the majority of the text in this policy is derived or copied directly from
National Institute of Standards and Technology (NIST) guidance and has not been tailored to
specifically address OPM's IT environment. In addition, detailed procedures and implementing
guidance are still missing.


This year we are expanding the material weakness to include the agency's overall information
security governance program and incorporating our concerns about the agency's information
security management structure. As of late September 2009, there had been no permanent senior
agency information security official (SAISO) in the agency for nearly 18 months. During this
time, we observed a serious decline in the quality of the agency's information security program.
In addition, there is no permanent Privacy Program Manager assigned to manage the agency's
privacy program. As a result, there are many deficiencies in OPM's privacy program.

The agency has recently appointed a new SAlSO; however, it remains to be seen whether it will
commit the necessary resources and develop the appropriate functions required of this role. We
will reevaluate this issue during the FY 2010 FISMA audit.

The continuing weaknesses in OPM's information security program result directly from
inadequate governance. Most, if not all, of the exceptions we noted this year resulted from a lack
of necessary leadership, policy, and guidance. Our most notable observations include:

• As noted above, OPM continues to lack adequate and up-to-date IT security policies and
  procedures. We continue to consider this to be a material weakness in OPM's IT security
  program.
• One system on OPM's inventory was placed into production before a certification and
  accreditation (C&A) was completed, and the prior C&A for three systems has expired and a
  new C&A has not been completed. Weaknesses in OPM's C&A process continue to remain
  a significant deficiency in OPM's IT security program.
• Weaknesses in OPM's privacy impact assessment (PIA) process and the agency's failure to
  meet privacy-related requirements from the Office of Management and Budget (OMB) lead
  us to believe that there is a significant deficiency in OPM's management of its privacy
  program.

In addition to these weaknesses, the OIG noted the following controls in place and opportunities
for improvement:

• OPM's Center for Information Services (CIS) maintains a master inventory of OPM's major
  systems. We generally agree with the number of systems listed in the inventory (42), but we
  identified at least one major application that does not appear on the system inventory and has
  not been subject to a C&A. In addition, OPM's system inventory does not identify interfaces
  between internal and external systems.
• A C&A has been completed and remains active for 38 of the 42 systems in OPM's inventory.
• The IT security controls have been adequately tested for 40 of OPM's 42 systems during FY
  2009.
• Four out of OPM's 42 systems did not have an adequately documented and/or up-to-date
  contingency plan. In FY 2009, the contingency plans for 31 of OPM's 42 systems were
  tested in full compliance with the requirements of NIST Special Publication 800-34,
  Contingency Planning Guide for Information Technology Systems.


• Nothing has come to our attention to indicate that OPM program offices do not maintain
  oversight of systems operated by a contractor.
• The Plan of Action and Milestones (POA&M) for three OPM systems did not contain all
  security weaknesses identified during the annual security control tests of those systems.
• POA&Ms are continuously managed for 40 of OPM's 42 systems; current POA&Ms were
  not submitted to CIS for two systems in the fourth quarter of 2009.
• When closing POA&M items, OPM program offices have provided adequate evidence to
  CIS that the weaknesses were corrected.
• Five agency systems have POA&M weaknesses with remediation activities over 120 days
  old.
• Two agency systems did not prioritize weaknesses on their POA&Ms.
• OPM's PIA Guide has not been updated in over three years and fails to address several
  requirements of OMB Memorandum M-03-22.
• The OIG has not received evidence that system owners review their PIA documentation on
  an annual basis.
• OPM has implemented a breach notification policy.
• CIS developed a formal plan to reduce the use of social security numbers (SSNs) at OPM.
  However, the plan does not address participation in government-wide efforts to explore
  alternatives to agency use of SSNs, as required by U.S. Office of Management and Budget
  Memorandum M-07-16.
• OPM had developed a standard laptop image that utilizes software-based full-disk
  encryption. However, CIS was unable to provide evidence of how many laptops issued to
  OPM employees and contractors contain the new image with encryption capabilities.
• OPM developed a methodology for logging computer-readable data extracts of personally
  identifiable information.
• Several policies related to configuration management have not been updated in over four
  years.
• OPM has implemented several techniques for monitoring compliance with configuration
  management policies.
• OPM has developed a Windows XP image that is generally compliant with Federal Desktop
  Core Configuration standards. However, this image has not been implemented on any
  production workstations.
• Language from 48 CFR Part 39, Acquisition of Information Technology, has not been
  included in all contracts related to common security settings.
• One [redacted] continues to run on an unsupported version of [redacted] without a formally
• OPM has developed an "Incident Response and Reporting Policy" that documents
  procedures for reporting all IT security events to the appropriate entities.
• CIS has implemented a process to provide annual IT security and privacy awareness training
  to all OPM employees and contractors.
• OPM's system inventory does not identify all systems that are subject to e-Authentication
  requirements.




Contents

Executive Summary ........................................................ i
Introduction ............................................................. 1
Background ............................................................... 1
Objectives ............................................................... 1
Scope and Methodology .................................................... 2
Compliance with Laws and Regulations ..................................... 3
Results .................................................................. 4
     I. Information Security Governance ................................. 4
    II. System Inventory ................................................ 7
   III. Certification and Accreditation, Security Controls Testing,
        and Contingency Planning ........................................ 9
    IV. Agency Oversight of Contractor Systems ......................... 11
     V. Agency Plan of Action and Milestones Process ................... 12
    VI. Certification and Accreditation Process ........................ 15
   VII. Agency Privacy Program .......................................... 16
  VIII. Configuration Management ........................................ 21
    IX. Incident Reporting .............................................. 23
     X. Security Awareness Training ..................................... 24
    XI. E-authentication Risk Assessments ............................... 24
   XII. IT Security Policies and Procedures ............................. 25
Major Contributors to this Report ....................................... 27

Appendix I: Follow-up of Prior OIG FISMA Audit Recommendations
Appendix II: Center for Information Services' July 28, 2009 response to the OIG IT Security
             Flash Audit Alert, issued May 27, 2009
Appendix III: Center for Information Services' October 20, 2009 response to the OIG's draft
              audit report, issued October 6, 2009
Appendix IV: OIG FISMA data submission to the U.S. Office of Management and Budget
Introduction

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347),
which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In accordance with FISMA, we conducted an evaluation of
OPM's security program and practices. As part of our evaluation, we reviewed OPM's FISMA
compliance strategy and documented the status of its compliance efforts.

Background

FISMA requirements pertain to all information systems (national security and unclassified
systems) supporting the operations and assets of an agency, including those systems currently in
place or planned. The requirements also pertain to information technology (IT) resources owned
and/or operated by a contractor supporting agency systems.

FISMA reemphasizes the Chief Information Officer's (CIO) strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency's Center for
Information Services (CIS), which is managed by the CIO. FISMA also clearly places
responsibility on each agency program office to develop, implement, and maintain a security
program that assesses risk and provides adequate security for the operations and assets of
programs and systems under their control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities,
OMB issued memorandum M-09-29, FY 2009 Reporting Instructions for the Federal
Information Security Management Act and Agency Privacy Management. This memorandum
provides a consistent form and format for agencies to report to OMB. It identifies a series of
reporting topics that relate to specific agency responsibilities outlined in FISMA. Our evaluation
and reporting strategies were designed in accordance with the above OMB guidance.

Objectives

Our overall objective was to perform an evaluation of OPM's security program and practices, as
required by FISMA. Specifically, we reviewed the following areas of OPM's IT security
program in accordance with OMB's FISMA IG reporting requirements:
• Information Security Governance;
• System Inventory;
• Certification and Accreditation, Security Controls Testing, and Contingency Planning;
• Agency Oversight of Contractor Systems;
• Agency Plan of Action and Milestones Process;
• Certification and Accreditation Process;
• Agency Privacy Program;
• Configuration Management;
• Incident Reporting;
• Security Awareness Training;
• E-authentication Risk Assessments; and
• IT Security Policies and Procedures.

In addition, we evaluated the security controls of three major applications/systems at OPM (see
Scope and Methodology for details of these audits). We also followed up on outstanding
recommendations from prior FISMA audits (see Appendix I).

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards,
issued by the Comptroller General of the United States. Accordingly, the audit included an
evaluation of related policies and procedures, compliance tests, and other auditing procedures
that we considered necessary. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM's
FISMA compliance efforts throughout FY 2009.

We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit testing to cause
us to doubt its reliability.

As appropriate, we conducted compliance tests using judgmental sampling to determine the
extent to which established controls and procedures are functioning as intended. The results
from tests performed on a sample basis were not projected to the universe of controls.

We reviewed OPM's general FISMA compliance efforts in the specific areas defined in OMB's
guidance and the corresponding reporting instructions. We also evaluated the security controls
for the following three major applications:
• Enterprise Human Resources Integration Data Warehouse (OIG Report No. 4A-HR-00-09-032)
• Electronic Official Personnel File (OIG Report No. 4A-HR-00-09-032)
• Integrated Security Management System (OIG Report No. 4A-CI-00-09-052)

In addition, in May 2009, the OIG issued a Flash Audit Alert (FAA) to OPM's Director
highlighting our concerns with the agency's IT security program (report 4A-CI-00-09-053). As
part of this audit, we followed up on OPM's progress in implementing recommendations from
the FAA.




Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls at OPM taken as a whole.

The criteria used in conducting this audit include:
• OPM Information Security and Privacy Policy Volume 2;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information
  Security Management Act and Agency Privacy Management;
• OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
  Personally Identifiable Information;
• OMB Memorandum M-06-16, Protection of Sensitive Agency Information;
• OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
  Management Act of 2002;
• National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An
  Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
  Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information
  Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
  Systems;
• NIST SP 800-60 Volume I Revision 1, Guide for Mapping Types of Information and
  Information Systems to Security Categories;
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
  Categorization of Federal Information and Information Systems;
• FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
• Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from May through September 2009 in OPM's
Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM's practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM's CIS and other program offices were not in complete compliance with all standards, as
described in the "Results" section of this report.





Results

The sections below detail the results of the OIG's audit of OPM's FISMA compliance efforts.
The results are formatted to be consistent with the questions outlined in the FY 2009 OMB
Reporting Template for IGs. Throughout this report, we do not reference OPM systems by
name, but we have already provided detailed documentation to CIS discussing our concerns and
the specific systems involved.

I. Information Security Governance

In May 2009, the OIG issued a Flash Audit Alert (FAA) to OPM's Director highlighting our
concerns with the agency's IT security program. An FAA is used when issues have been
identified that require the immediate attention of the Director. The four primary issues
outlined in the FAA were:

• CIS misrepresented the status of the agency's IT security program in the FY 2009 second
  quarter FISMA report issued to OMB;
• the agency's security policies and procedures continue to remain severely outdated;
• the IT security program at OPM is understaffed; and,
• the agency has operated without a senior agency information security official (SAISO)
  for over 14 months (as of May 2009).

In the interim, there has been limited progress in correcting these issues. The underlying
cause, in our opinion, is that OPM has not established adequate information security
governance activities in accordance with legislative and regulatory requirements.
Specifically, the agency has not fully documented information security policy and procedures
or established appropriate roles and responsibilities.

The lack of policies and procedures was reported as a material weakness in the FY 2007 and
FY 2008 FISMA audit reports. This year we are expanding the material weakness to include
the agency's overall information security governance program and incorporating our
concerns about the agency's information security management structure.

As of late September 2009, there had been no permanent SAISO in the agency for nearly 18
months. During this time, we observed a serious decline in the quality of the agency's
information security program. In addition, there is no permanent Privacy Program Manager
assigned to manage the agency's privacy program. As a result, there are many deficiencies
in OPM's privacy program. See section VII of this report for details.

The agency has recently appointed a new SAISO; however, it remains to be seen whether the
agency will commit the necessary resources and develop the appropriate functions required
of this role. We will reevaluate this issue during the FY 2010 FISMA audit.

The following section discusses the original FAA recommendations, followed by the
management response and current status:



a) Flash Audit Alert Recommendation 1

We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately
reflect the status of OPM's IT security position as of March 1, 2009.

CIS Response to FAA:
"The Center for Information Services (CIS) security team acted on the best information
they had at the time. ... We agree with the recommendation that OPM report the
number of systems with weaknesses more than 120 days overdue, instead of the number
of weaknesses. This was a mistake in our understanding of the reporting requirement."

Current Status
We verified that CIS corrected and submitted the FY 2009 second quarter FISMA report.
We also verified that the FY 2009 third quarter FISMA report accurately represented the
status of OPM's security program at that time.

CIS Response:
"The Center for Information Services (CIS) security team will continue to ensure the
quarterly FISMA reports reflect correct and accurate information for OPM's security
program."

b) Flash Audit Alert Recommendation 2

We recommend that CIS develop a comprehensive set of IT security policies and
procedures, and a plan for updating it at least annually.

CIS Response to FAA:
"We agree with this recommendation and have been working for many months to
complete needed updates. Work began as soon as funding was provided. Many policies
and procedures have already been revised, with the remainder targeted for completion by
8/31/09."

Current Status
OPM's IT security policies and procedures continue to lack adequate current guidance on
managing IT security at the agency. See section XII of this report for details.

CIS Response:
"Please refer to section XII for our response to Recommendation 30 regarding the IT
security policies and procedures."

c) Flash Audit Alert Recommendation 3

We recommend that the OPM Director ensure that CIS has adequate resources to
properly staff its IT Security and Privacy Group.



CIS Response to FAA:
"We agree with this recommendation. As we discussed with OIG staff on numerous
occasions, CIS has been working with HR for more than a year to reorganize and elevate
the IT security function, to upgrade the level of the IT security officer from a GS-14 to a
GS-15, and to add staff. A new organizational alignment, grade structure and resources
for the IT Security and Privacy Group were approved on March 4, 2009. Under this new
structure, the IT security staff will grow from 3 to 6. We consider this recommendation to
be closed."

Current Status
The organizational realignment of OPM's IT security function remains incomplete, and
we continue to believe that CIS lacks the resources needed to manage an adequate IT
security program. Eleven of the 19 audit recommendations issued in the FY 2008
FISMA audit report have been rolled forward into this FY 2009 FISMA report, indicating
that CIS does not have the resources needed to remediate identified security weaknesses.

CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the
resources necessary to establish and maintain an effective security and privacy
program. The new SAISO [redacted] that was hired in September 2009 has identified
resources needed and his recommendations are under review with senior management.
The Office of the Chief Information Officer (OCIO) is working on acquiring resources
needed for the IT Security and Privacy program. We have created a CIS POA&M item
to track our progress (CIS POAM FY09-Q4-CIS-27)."

d) Flash Audit Alert Recommendation 4

We recommend that CIS recruit a permanent Senior Agency Information Security Officer
as soon as possible, and adequate staff to effectively manage the agency's IT security
program.

CIS Response to FAA:
"We agree with this recommendation. Recruiting has been in progress since the
reorganization was approved. We have made a couple of offers to fill the GS-15 and GS-14
positions, which were declined. We have identified another excellent candidate for
the GS-15 position. We are currently in the process of getting Chief of Staff approval to
extend an offer. We are targeting a report date in August."

Current Status
CIS hired a permanent SAISO in September 2009. However, the agency operated with
an acting SAISO for over 11 months of FY 2009. In addition, the organization of the
staff reporting to the SAISO has not been finalized. On a potentially positive note, the
OPM Director has recently appointed a new Acting Chief Information Officer, who has




developed preliminary plans to expand and improve OPM's IT security program. We
will reevaluate these developments during the FY 2010 FISMA audit.

CIS Response:
"We agree with this recommendation. Currently the IT security group lacks the
resources and the organizational structure necessary to establish and maintain an
effective security and privacy program. The new SAISO [redacted] that was hired in
September 2009 has developed an organizational chart, roles and responsibilities and
resources needed. His recommendations are under review with senior management.
The Office of the Chief Information Officer (OCIO) is working on acquiring resources
needed for the IT Security and Privacy program. As referenced in Flash Audit Alert
Recommendation 3, we have created a CIS POA&M item to track our progress (CIS
POAM FY09-Q4-CIS-27) regarding resources."

II.   System Inventory
      OPM has identified 42 major applications/systems within 8 of its program offices. OPM's
      system inventory indicated that these 42 systems were comprised of the following FIPS
      Publication 199 system impact classifications: 7 high, 33 moderate, and 2 low. The
      inventory also indicated that 32 systems operated within the agency and 10 are operated at a
      eontractor facility.

      CIS continuously maintains a master inventory of OPM's major systems, and sends monthly
      reminders to the various program offices asking for updates on the status of systems included
      in the inventory. CIS also facilitates the process of adding new systems to the inventory and
      removing decommissioned systems.

      The quality of OPM's system inventory has greatly improved since it was reviewed during
      the OIG FY 2008 FISMA audit. Several fields have been added to the inventory spreadsheet
      to clearly identify the status of each system (production, development, planning) along with
      the name and contact information of individuals with security and ownership responsibility.
      In addition, a revision history has been added to the inventory to track specific updates and
      facilitate version control of the master inventory document.

      The OIG generally agrees with the total number of systems listed in the most recent system
      inventory (42) and agrees with the number of systems identified as operated by a contractor
      (10). However, we identified at least one major application that does not appear on the
      system inventory and has not been certified and accredited (C&A).

      OPM's system inventory does not identify interfaces between internal and external systems,
      and the agency does not have a policy related to security agreements between interfacing
      systems. OPM's Information Security and Privacy Policy Volume 2 states that "this policy
      applies to other agency's systems as delineated in memorandums of understanding (MOUs)
      and interconnection security agreements (ISAs) with OPM." However, this policy does not
      provide any guidance outlining the appropriate use of MOUs and ISAs (required elements of
      these agreements, when they are required, etc.).

      In addition, CIS identified 21 systems used by OPM but owned and maintained by another
      federal agency. However, this list was compiled at the request of the OIG in September 2009
      and is not complete.

Recommendation 1
We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits
Systems Group) to identify any systems that exist but do not appear on the system inventory.
The systems discovered during this survey should be promptly added to the system inventory
and certified and accredited.

CIS Response:
"We agree with this recommendation. The IT Security and Privacy group will conduct a
network assessment to map out the OPM network and identify all missing systems and
have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-28)."

Recommendation 2
We recommend that CIS develop and maintain an inventory of all system interfaces.

CIS Response:
"We agree with this recommendation. The IT Security and Privacy team will include
system interface information on the OPM FISMA Master System Inventory going forward.
We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-29).
Please note as stated in response to IG Information Request #24, system interface
information is included within each System Security Plan for each system currently on the
OPM FISMA Master System Inventory."

Recommendation 3
We recommend that CIS develop a policy providing guidance on the development and
appropriate use of MOUs and ISAs.

CIS Response:
"We agree with this recommendation. Currently the IT Security and Privacy group lacks
the resources necessary to establish and maintain an effective security and privacy
program. The Office of the Chief Information Officer (OCIO) is working on acquiring
resources needed for the IT Security and Privacy program. We have created a CIS
POA&M item to track our progress (CIS POAM FY09-Q4-CIS-30)."

Recommendation 4
We recommend that CIS conduct a survey to determine how many systems owned by another
agency are used by OPM.

CIS Response:
"We agree with this recommendation. We have made some progress with this task (please
refer to IG Information request #24) but we lack the resources to conduct a complete
network assessment to map out the OPM network and identify all systems. The Office of
the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-31)."

III.  Certification and Accreditation, Security Controls Testing, and
      Contingency Planning

      a) Number of systems certified and accredited

         A C&A has been completed and remains active for 38 of the 42 systems in OPM's
         inventory. See section VI below for details of the systems without a current C&A and a
         review of OPM's C&A process.

      b) Number of systems for which security controls have been tested in the past year

         NIST SP 800-53 Revision 2 outlines the security controls that should be implemented for
         federal information systems. FISMA requires each agency to perform for all systems
         "Periodic testing and evaluation of the effectiveness of information security policies,
         procedures, and practices, to be performed with a frequency depending on risk, but no
         less than annually ...."

         An annual test of security controls provides a method for agency officials to determine
         the current status of their information security programs and, where necessary, establish a
         target for improvement. Failure to complete a security controls test increases the risk that
         agency officials are unable to make informed judgments to appropriately mitigate risks to
         an acceptable level.

         We conducted a review of the documentation resulting from the test of security controls
         for each system in OPM's inventory. In addition, we judgmentally selected specific
         controls tested in FY 2009 from various systems and independently evaluated whether
         the controls have been implemented. Our evaluation indicated that the IT security
         controls had been adequately tested for 40 of OPM's 42 systems during FY 2009.

         The quality of the security control tests among OPM's systems varied significantly, and
         many different formats and templates were used to document the tests. We believe that
         this variance is a result of OPM's lack of agency-wide policy or guidance on how to
         adequately test its systems' security controls.

   Recommendation 5
   We recommend that CIS develop a policy for adequately testing the security controls of
   OPM's systems, and provide training to the Designated Security Officer (DSO)
   community related to proper security control testing.

   CIS Response:
   "We agree with this recommendation. Currently the IT security group lacks the
   resources necessary to establish and maintain these policies and training program.
   The Office of the Chief Information Officer (OCIO) is working on acquiring resources
   needed for the IT Security and Privacy program. We have created a CIS POA&M item
   to track our progress (CIS POAM FY09-Q4-CIS-32)."

   Recommendation 6 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendation 1)
   We recommend that OPM ensure that an annual test of security controls has been
   completed for all systems. The IT security controls should be immediately tested for the
   two systems that were not subject to testing in FY 2009.

   CIS Response:
   "We agree with this recommendation. We are tracking this effort under CIS POAM
   FY09-Q1-CIS-1."

c) Number of systems which have a contingency plan tested in accordance with policy

   FISMA requires that a contingency plan be in place for each major application, and that
   the contingency plan be tested on an annual basis. In addition, the OPM Certification and
   Accreditation Guide states that "To fully address system security throughout the
   certification and accreditation process, various security documents are required to be created
   and maintained throughout the life of the system." The Guide states that one of the required
   security documents is a contingency plan.

   Four out of OPM's 42 systems did not have an adequately documented and/or up-to-date
   contingency plan. One system was missing a contingency plan, one system did not have
   an updated contingency plan after going through a major infrastructure change, and two
   systems were placed into production before a contingency plan was developed.

   In FY 2009, the contingency plans for 31 of OPM's 42 systems were tested in full
   compliance with the requirements of NIST SP 800-34, Contingency Planning Guide for
   Information Technology Systems. Of the remaining 11 systems, 4 were not subject to
   any form of contingency plan test in FY 2009, and 7 were tested, but not with a scenario-
   based contingency plan test conducted in accordance with NIST SP 800-34 requirements.

   OPM's Information Security and Privacy Policy Volume 2 states that each system owner
   must "Test the contingency plan for the information system at least annually to determine
   the plan's effectiveness and the system's readiness to execute the plan." However, this
   policy does not provide instructions for conducting the contingency plan test in
   accordance with NIST guidance or a standard template for reporting the results.

         Effective contingency planning and testing establishes procedures and technical measures
         that enable a system to be recovered quickly and effectively from a service disruption or
         disaster. An incomplete or untested contingency plan increases the risk that a system
         could not recover from a service disruption in a timely manner.

         Recommendation 7
         We recommend that OPM develop detailed guidance related to developing and testing the
         contingency plans of agency systems and provide training to the DSO community related
         to proper contingency planning and contingency plan testing.

         CIS Response:
         "We agree with this recommendation. Currently the IT security group lacks the
         resources necessary to establish and maintain these policies and training program.
         The Office of the Chief Information Officer (OCIO) is working on acquiring resources
         needed for the IT Security and Privacy program. We have created a CIS POA&M item
         to track our progress (CIS POAM FY09-Q4-CIS-33)."

         Recommendation 8
         We recommend that up-to-date contingency plans be developed for all agency systems.

         CIS Response:
         "We agree with this recommendation. We have created a CIS POA&M item to track
         our progress (CIS POAM FY09-Q4-CIS-34). "

         Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-08-021
         Recommendation 1)
         We recommend that OPM's program offices test the contingency plans for each system
         on an annual basis. The contingency plans should be immediately tested for the 11
         systems that were not subject to testing in FY 2009.

         CIS Response:
         "We agree with this recommendation. We are tracking this effort under CIS POAM
         FY09-Q1-CIS-2."

IV.   Agency Oversight of Contractor Systems

      Ten of OPM's 42 systems are operated by a contractor, and each of these systems has been
      certified and accredited by OPM. Nothing has come to our attention to indicate that OPM
      program offices do not maintain oversight of systems operated by a contractor. However, the
      agency does not have a formal policy providing guidance on the appropriate oversight of
      contractors and contractor-run systems.

     Recommendation 10
     We recommend that OPM develop a policy providing guidance on providing adequate
     oversight of contractor operated systems.

     CIS Response:
     "We agree with this recommendation. Currently the IT security group lacks the resources
     necessary to establish and maintain these policies and provide the oversight needed. The
     Office of the Chief Information Officer (OCIO) is working on acquiring resources needed
     for the IT Security and Privacy program. We have created a CIS POA&M item to track
     our progress (CIS POAM FY09-Q4-CIS-35)."

V.   Agency Plan of Action and Milestones Process
     A plan of action and milestones (POA&M) is a tool used to assist agencies in identifying,
     assessing, prioritizing, and monitoring the progress of corrective efforts for IT security
     weaknesses. The sections below detail several weaknesses related to the appropriate use of
     POA&Ms at OPM. These weaknesses consist of items that are the responsibility of both CIS
     and the various program offices owning the information systems.

     a) Policy for establishing a POA&M process for reporting IT security deficiencies and
        tracking the status of remediation efforts

        Although CIS has provided informal guidance to OPM program offices related to the
        POA&M process, they have not published a formal policy that documents how POA&Ms
        should be managed at the agency. OPM has developed a draft version of "Plan of Action
        and Milestone Standard Operating Procedures," but this policy has not been published to
        OPM's internal website (THEO), and the agency's DSO community has not received
        training related to the new POA&M procedures.

        Recommendation 11
        We recommend that CIS publish the Plan of Action and Milestone Standard Operating
        Procedure to THEO. Once the procedures have been published, CIS should work closely
        with the DSO community, providing training and information-sharing sessions, to
        implement the procedures and ensure that there is a clear understanding of the
        appropriate management of POA&Ms.

        CIS Response:
        "We agree with this recommendation. We have created a CIS POA&M item to
        document the completion of this recommendation (CIS POAM FY09-Q4-CIS-36).
        The POA&M Guide has been published as of September 2009 on Theo:
        http://theo.opm.gov/policies/ispplFINAL POAM Process SOP 093009.pdf"

        OIG Reply:
        We acknowledge the steps that CIS has taken to publish the POA&M Guide to THEO
        and continue to recommend that CIS work closely with the DSO community, providing
        training and information-sharing sessions, to implement the procedures and ensure that
        there is a clear understanding of the appropriate management of POA&Ms.

b) POA&M as an agency-wide process incorporating all known IT security weaknesses

   In FY 2008, the OIG conducted audits of 4 OPM systems with a total of 13 audit
   recommendations. We found that all 13 recommendations were included in the
   appropriate system's POA&Ms. In addition, we verified that all of the recommendations
   made during the FY 2008 FISMA audit were incorporated into the CIS POA&M.
   However, we found that the POA&Ms for three OPM systems did not contain all security
   weaknesses identified during the annual security control tests of those systems.

   Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendation 4)
   We recommend that OPM program offices incorporate all known IT security weaknesses
   into POA&Ms.

   CIS Response:
   "We agree with this recommendation. We are tracking this effort under CIS POAM
   FY09-Q1-CIS-4. Since the POA&M SOP was just recently published on Theo, we will
   continue to assist program offices through this process."

c) Management of POA&Ms by program offices

   OPM program offices are responsible for developing, implementing, and managing
   POA&Ms for each system that they own and operate. We were provided evidence that
   POA&Ms are continuously managed for 40 of OPM's 42 systems; current POA&Ms
   were not submitted to CIS for 2 systems in the fourth quarter of 2009.

   Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendations 5 and 6)
   We recommend that an up-to-date POA&M exist for each system in OPM's inventory,
   and that system owners submit updated POA&Ms to CIS on a quarterly basis.

   CIS Response:
   "We agree with this recommendation. We are tracking this effort under CIS POAM
   FY09-Q1-CIS-5 and CIS POAM FY09-Q1-CIS-6. The POA&M SOP has been
   published as of September 2009 which provides guidance to DSO's regarding POA&M
   submission. Please note that since OMB did not require any POA&M submissions for
   FY09 quarter 4, CIS did not continue to follow up with program offices to ensure
   submissions were provided to CIS for FY09 quarter 4."

d) Remediation of system deficiencies in a timely manner

   Each program office is required to place all security deficiencies on POA&Ms and for
   each deficiency must indicate when they expect the deficiency to be remediated.
   Although the majority of program offices remediated POA&M deficiencies in a timely
   manner, there are significantly overdue remediation efforts for several systems; see
   section (f), below.

e) Effectiveness of deficiency remediation plans in correcting the security weakness

   When a POA&M item is remediated, the program offices are required to submit a work
   completion plan and evidence that the deficiency is corrected to CIS for review. We
   reviewed work completion plans for 10 systems and found that all 10 provided sufficient
   evidence that the weakness was corrected.

f) Compliance with estimated dates for remediation

   We reviewed the POA&Ms for all OPM systems and determined that 5 agency systems
   have POA&M weaknesses with remediation activities over 120 days overdue. This
   indicates that CIS has not provided adequate leadership to ensure that program offices
   assign reasonable due dates and stay on track to meet those dates. Program offices are
   equally responsible for dedicating adequate resources to addressing POA&M weaknesses
   and meeting target objectives.

   Recommendation 14
   We recommend that CIS develop a formal corrective action plan to immediately
   remediate all POA&M weaknesses that are over 120 days overdue. In addition, we
   recommend that CIS take a lead role in the future and work closely with OPM program
   offices to ensure that POA&M completion dates are achieved.

   CIS Response:
   "We agree with this recommendation. The POA&M SOP has been published as of
   September 2009 which provides guidance to DSO's regarding POA&M management.
   We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-37)
   on supplemental guidance to the DSO's."

g) Agency CIO centrally tracks, maintains, and reviews POA&M activities on a
   quarterly basis

   CIS requires program offices to provide the evidence, or "proof of closure," that security
   weaknesses have been resolved before closing the related POA&M.

   We selected POA&M items from 10 systems and reviewed the proof of closure
   documentation provided by the program offices when the POA&M items were closed.
   The 10 systems were selected from a universe of 42 systems and were judgmentally
   chosen by OIG auditors. Although the results of the sample test were not projected to the
   entire population, nothing came to our attention to indicate that program offices are not
   providing adequate proof of closure to CIS when closing POA&M items.

      h) POA&M process prioritizes IT security weaknesses

         Each program office at OPM is required to prioritize IT security weaknesses on their
         POA&Ms to help ensure significant IT security weaknesses are addressed in a timely
         manner. However, we found that two agency systems did not prioritize weaknesses on
         their POA&Ms.

         Recommendation 15
         We recommend that the program offices responsible for the two systems in question
         prioritize the system weaknesses listed on their POA&Ms.

         CIS Response:
         "We agree with this recommendation. The POA&M SOP has been published as of
         September 2009 which provides guidance to DSO's regarding prioritizing weaknesses.
         We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-38)
         on supplemental guidance to the DSO's."

VI.   Certification and Accreditation Process
      Certification is a comprehensive assessment that attests that a system's security controls are
      meeting the security requirements of that system, and accreditation is the official
      management decision to authorize operation of an information system and accept its risks.
      Each major application at OPM is subject to the certification and accreditation (C&A)
      process every three years.

      We reviewed the C&A documentation for all OPM systems subject to a C&A in FY 2009.
      During this review we found that OPM program offices generally adhered to the
      requirements of OPM's C&A guide, and presented the authorizing official with complete and
      reliable C&A information to facilitate an informed system authorization to operate.
      However, we discovered that one system on OPM's inventory was placed into production
      before a C&A was completed, and the prior C&A for three systems has expired and a new
      C&A has not been completed.

      In addition, the OIG disagrees with the security categorization of one system whose C&A
      was conducted in FY 2009. The system was categorized as "Low," but should have been
      classified as "Moderate" because the system contains personal identity information that could
      result in serious harm to individuals if it were disclosed.

      According to OPM's C&A policy, "all OPM divisions and offices must formally certify and
      accredit all major and minor applications and general support systems." It is the
      responsibility of OPM's CIS to ensure that all live/production systems at OPM are subject to
      a complete C&A every three years, as required by FISMA. The FY 2008 OIG FISMA audit
      report stated that weaknesses in OPM's C&A process are a significant deficiency in the
      control structure of the agency's IT security program. We believe that this issue continues to
      be a significant deficiency in FY 2009.

     Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022
     Recommendation 9)

     We recommend that all active systems in OPM's inventory have a complete and current
     C&A.

     CIS Response:
     "We agree with this recommendation. The IT Security and Privacy group would like to
     conduct a network assessment to map out the OPM network and identify all systems and
     account for missing C and A's but we currently lack the resources to perform this task.
     The Office of the Chief Information Officer (OCIO) is working on acquiring resources
     needed for the IT Security and Privacy program. We are tracking this effort under CIS
     POAM FY09-Q1-CIS-9."

     Recommendation 17
     We recommend that the FIPS Publication 199 security categorization be updated for the
     inappropriately categorized system.

     CIS Response:
     "We agree with this recommendation. The Center for Information Services (CIS) security
     team will work with the DSO's to ensure the FIPS 199 reflect the appropriate rating.
     During the monthly October 2009 Information Technology Security Working Group
     (ITSWG) meeting, the writer and subject matter expert from NIST provided a briefing on
     NIST 800-60 (Guide for Mapping Types of Information and Information Systems to
     Security Categories) to the DSO's and CIS. We have created a CIS POA&M item to
     continue to track our progress (CIS POAM FY09-Q4-CIS-39)."

VII. Agency Privacy Program
     The OIG evaluated OPM's privacy program by conducting a qualitative assessment of the
     agency's privacy impact assessment (PIA) process and its progress in implementing the
     requirements of privacy-related OMB Memoranda.

     a) Privacy Impact Assessments

        The E-Government Act of 2002, section 208, requires agencies to conduct privacy impact
        assessments (PIA) of information systems that process personally identifiable
        information (PII). OMB Memorandum M-03-22 provides guidance on implementing the
        privacy provisions of the E-Government Act of 2002, including PIAs.

OPM has developed a PIA Guide that outlines the process for conducting a PIA for
agency systems. However, the PIA Guide has not been updated in over three years, and
fails to address several requirements of OMB Memorandum M-03-22, including:
•   PIAs must identify what choices the agency made regarding an IT system or
    collection of information as a result of performing the PIA; and
•   PIAs for major applications should reflect more extensive analyses of:
    o   the consequences of collection and flow of information;
    o   the alternatives to collection and handling as designed;
    o   the appropriate measures to mitigate risks identified for each alternative; and
    o   the rationale for the final design choice or business process.

Although PIAs are only required for systems that collect or maintain information in
identifiable form about members of the general public, OMB encourages agencies to
conduct PIAs of systems that process sensitive information about government employees
and contractors. However, OPM's PIA Guide does not provide guidance for evaluating
which, if any, of these additional systems should be subject to a PIA.

The PIA Guide also states that each system owner must review their existing PIA
documentation on an annual basis, and submit evidence of the review to CIS by
September 1 of each year. However, the OIG has not received evidence that this review
has been completed for any OPM systems. In addition, one new system was placed into
production in FY 2009 without a PIA signed by the CIO.

Recommendation 18
We recommend that CIS update the PIA Guide to address all of the requirements of
OMB Memorandum M-03-22.

CIS Response:
"We agree with this recommendation. The privacy group is currently working on a
new PIA Guide and a new PIA Template. We have created a CIS POA&M item to
track our progress (CIS POAM FY09-Q4-CIS-40). "

Recommendation 19
We recommend that CIS conduct a new PIA survey to determine which OPM systems
require a PIA, including those systems that process sensitive information about
government employees and contractors.

CIS Response:
"We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to identify all PII information present on the OPM
network but we currently lack the resources to perform this task. The network
assessment would be followed by a request to each office that owns the PII to conduct
privacy threshold analysis (PTA). The Office of the Chief Information Officer (OCIO)
is working on acquiring resources needed for the IT Security and Privacy program. We
have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-41)."

  Recommendation 20
  We recommend that a new PIA be conducted for the appropriate systems based on the
  updated PIA Guide.

  CIS Response:
  "We agree with this recommendation. Conducting and reviewing PIAs require CIO as
  well as program office resources. Once the new PIA Guide and Template is approved
  and communicated, we will engage the DSO's so they can update their system privacy
  documentation. We have created a CIS POA&M item to track our progress (CIS
  POAM FY09-Q4-CIS-42)."

  Recommendation 21
  We recommend that each system owner annually review the existing PIA for their system
  to reevaluate current holdings ofPII, and that they submit evidence of the review to CIS.

  CIS Response:
  "We agree with this recommendation. Conducting and reviewing PTAs/PIAs require
  CIO as well as program office resources. We plan on implementing a Privacy
  Threshold Analysis (PTA) process as part of our Privacy activities. The PTA is the
  initial step in determining whether a PIA is necessary and as indicated in NIST 800-122,
  an essential part of the Certification and Accreditation (C&A) process. The PTA
  will be reviewed annually or when a change occurs with the system and the document
  will become an artifact used for reporting purposes. We have created a CIS POA&M
  item to track our progress (CIS POAM FY09-Q4-CIS-43).

  The Center for Information Services (CIS) security team has already begun to share
  the evidence of annual PIA reviews with the Privacy Office to reflect that the DSO's
  are reviewing their PIA's as part of their FY09 security controls testing."

b) Compliance with privacy-related OMB Memoranda

  OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
  Personally Identifiable Information, requires all federal agencies to develop and
  implement a "breach notification policy." The memorandum also outlines the privacy
  requirements related to the protection of PII, and reemphasizes the security requirements
  of OMB Memorandum M-06-16, Protection of Sensitive Agency Information. The
  following sections outline OPM's progress in implementing the requirements of these
  memoranda:


Implement a Breach Notification Process
OPM's Information Security and Privacy Policy Volume 2 contains limited instructions
regarding breach notification procedures. However, the policy references the Incident
Response and Reporting Guide, which contains a more detailed explanation of the
internal and external entities that must be notified when a security breach occurs.

Review Current Holdings
In 2007, OPM's IT security officer issued a "PII Questionnaire" to the designated
security officer for each of the Agency's major systems to determine whether the system
contained PII. All new or significantly modified systems must complete an Initial
Screening Assessment to determine if a PIA is required. However, as mentioned above,
OPM's PIA process does not address all elements required by OMB, and system owners
have not annually reviewed their PIAs to reevaluate current holdings of PII.

Reduce the Use of Social Security Numbers
OMB Memorandum M-07-16 required federal agencies to eliminate the use of social
security numbers (SSNs) by the end ofFY 2009. Although OPM has made progress in
reducing the use of SSNs, the agency was unable to meet the timeline requirements of this
memorandum.

In September 2009, CIS developed a formal plan to reduce the use of SSNs at OPM. The
plan includes elements such as maintaining an inventory of OPM forms and validating
the need for SSNs on these forms, working with system owners to scrub existing
databases of SSNs, and providing guidance to system developers to mask SSN displays
on reports and computer screens. However, the plan does not address participation in
government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB
Memorandum M-07-16.

Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-08-022
Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs
in accordance with OMB Memorandum M-07-16.

CIS Response:
"We agree with this recommendation. We are tracking this effort under CIS POAM
FY09-Q1-CIS-12. However, the OCIO lacks the resources necessary to conduct the
detailed analysis needed to review all documentation (laws, policies, OPM forms and
other documents) that requires the use of SSNs today. Furthermore, those resources
would be needed to establish and maintain the policies and procedures for an effective
program."

Recommendation 23
We recommend that OPM participate in government-wide efforts to explore alternatives to
agency use of SSNs, as required by OMB Memorandum M-07-16.


CIS Response:
"We agree with this recommendation."

Encryption
OMB Memorandum M-07-16 states that all data on mobile computers carrying sensitive
data must be encrypted. CIS recently developed a new standard laptop image that utilizes
software based full-disk encryption. We tested a sample laptop with this image and
verified that the data on the device was secure.

CIS facilitates the purchase of all new laptops at OPM and ensures that an image with
encryption capability is installed on each device. However, CIS was unable to provide
evidence of how many laptops issued to OPM employees and contractors contain the new
image with encryption capabilities.

Recommendation 24 (Roll-Forward from OIG Report 4A-CI-00-08-022
Recommendation 13)
We recommend that CIS encrypt all data on all mobile computers containing sensitive
information.

CIS Response:
"We agree with this recommendation. OPM has implemented mandatory encryption
controls on OPM laptops, blackberries, and tape backups. OPM's IT Security and
Privacy Policy requires that any sensitive data removed to removable media must be
encrypted. WinZip encryption has been provided to all OPM users to protect sensitive
data. The encryption policy and guidelines for WinZip are available on the OPM
Intranet site and are included in the annual security awareness training. We are
tracking this effort under CIS POAM FY09-Q1-CIS-13."

Control Remote Access
OPM has implemented a two-factor authentication requirement for controlling remote
access to its information systems. In order to access OPM's internal applications
remotely, users must connect to the OPM network through a Virtual Private Network
(VPN) connection that requires both a personal identification number and a token number
to authenticate.

Time-Out Function
OPM users remotely connected to the network through VPN must re-authenticate after 10
minutes of inactivity.

Log and Verify
In FY 2009, OPM developed a methodology for logging computer-readable data extracts
of personally identifiable information (PII). The agency uses Team Track software to
track PII downloads and send an automatic notice to users 90 days after PII has been
downloaded. When users receive this notification, they must either confirm PII data
destruction or explain why the data has not been destroyed.

        Incident Reporting and Handling Requirements
        See section IX, Incident Reporting.

        Rules and Consequences
        OPM's IT Security and Privacy Policy Volume 2 outlines the consequences of violating
        OPM policies and procedures. The policy also outlines the penalties related to violations
        of the Privacy Act of 1974.

     The recommendations outlined in this section indicate that OPM has not fully met the
     requirements of OMB Memoranda dating back to 2003. In addition, OPM's privacy group is
     currently undergoing an organizational realignment, and there is no permanent Privacy
     Program Manager in place. These conditions lead us to believe that there is a significant
     deficiency in OPM's management of its privacy program.

VIII. Configuration Management

     This section details the controls OPM has in place regarding the technical configuration
     management of its major applications and user workstations.

     a) Agency-wide security configuration policy

        OPM has developed an agency-wide Security Configuration and Hardening Policy. This
        policy establishes standards for baseline configuration of the various operating platforms
        used by the agency and references build sheets for each platform that provide specific
        technical configuration guidance. OPM has also developed policies related to mainframe
        configuration integrity, configuration change control management, patch management,
        and system monitoring. However, the Security Configuration and Hardening Policy has
        not been updated since November 2004, and the patch management and system
        monitoring policies have not been updated since August 2005. See section XII, IT
        Security Policies and Procedures.

        Recommendation 25
        We recommend that OPM develop an up-to-date Security Configuration and Hardening
        Policy, Patch Management Policy, and System Monitoring Policy.

        CIS Response:
        "We agree with this recommendation. Some progress has been made in these
        procedures but currently the IT security group lacks the resources necessary to finalize
        and maintain these procedures. The Office of the Chief Information Officer (OCIO) is
        working on acquiring resources needed for the IT Security and Privacy program. We
        have created CIS POA&Ms for each policy to track our progress (CIS POAM FY09-
        Q4-CIS-44, FY09-Q4-CIS-45, FY09-Q4-CIS-46)."

b) Techniques for monitoring compliance with policy

   [Text redacted in the publicly released copy.]


c) Federal Desktop Core Configuration

   OPM has developed a Windows XP image that is generally compliant with Federal
   Desktop Core Configuration (FDCC) standards. There are eight settings in this image
   that do not meet FDCC compliance; OPM has documented justification for these
   deviations.

   We conducted a test to verify that OPM's FDCC [redacted] is compliant with FDCC
   settings. OPM has implemented its FDCC [redacted] on a test workstation in its
   LAN/WAN environment. We [redacted] evaluate this workstation's compliance with
   [redacted]. The results of the scan indicate that all settings on this workstation are
   FDCC compliant.

   However, as of September 30, 2009, OPM's FDCC compliant image has not been
   implemented on any production workstations, and OPM has not documented and justified
   FDCC deviations for the standard image that is currently implemented on OPM
   workstations.

   In addition, updated language from 48 CFR Part 39, Acquisition of Information
   Technology, has not been included in all contracts related to common security settings.

   Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-08-022
   Recommendation 16)
   We recommend that OPM implement FDCC compliant images on all OPM workstations.

   CIS Response:
   "We agree with this recommendation. We are tracking this effort under CIS POAM
   FY09-Q1-CIS-16."

   Recommendation 27
   We recommend that OPM incorporate Federal Acquisition Regulation 2007-004
   language in all contracts related to common security settings.

         CIS Response:
         "We agree with this recommendation. We have created a CIS POA&M item to track
         our progress (CIS POAM FY09-Q4-CIS-47)."

      d) Follow-up on FY 2008 OIG Recommendation

         In the FY 2008 FISMA audit report, we recommended that in the event that a
         [redacted] vulnerability cannot be remediated due to a technical or business reason,
         the [redacted] system's owner should document the reason in the system's ISSP to
         formally accept any associated risks. In FY 2009, there remains one [redacted]
         without a formally documented risk acceptance.

         Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-08-022
         Recommendation 15)
         We recommend that in the event that an [redacted] vulnerability cannot be remediated due to
         a technical or business reason, the system's owner should document the reason in the
         system's ISSP and formally accept any associated risks.

         CIS Response:
         "We agree with this recommendation. We are tracking this effort under CIS POAM
         FY09-Q1-CIS-15."

IX.   Incident Reporting
      OPM has developed an "Incident Response and Reporting Policy" that outlines the
      responsibilities of OPM's Computer Incident Response Team (CIRT) and documents
      procedures for reporting all IT security events to the appropriate entities. We evaluated the
      degree to which OPM is following internal procedures and FISMA requirements for
      reporting security incidents internally, to the United States Computer Emergency Readiness
      Team (US-CERT), and to appropriate law enforcement authorities.

      a) Identifying and reporting incidents internally

         OPM's Incident Response and Reporting Policy requires the users of the agency's IT
         resources to immediately notify OPM's situation room when IT security incidents occur.
         During the past year, OPM has provided its employees with various forms of training
         related to the procedures to follow in the event sensitive data is lost. In addition, OPM
         reiterates the information provided in the Incident Response and Reporting Policy in the
         annual IT security and privacy awareness training.

         OPM also notifies the OIG when security incidents occur by providing OIG investigators
         with a monthly report that tracks the security tickets related to the loss of sensitive data.





      b) Reporting incidents to US-CERT

          OPM's Incident Response and Reporting policy states that OPM's CIRT is responsible
          for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT
          within one hour of a reportable security incident occurrence. Notification and ongoing
          correspondence with US-CERT is tracked through "security tickets" maintained by
          OPM's help desk.

      c) Reporting incidents to law enforcement

          The Incident Response and Reporting policy states that security incidents should also be
          reported to law enforcement authorities, where appropriate. Nothing came to the OIG's
          attention to indicate that this policy is not being followed.

X.    Security Awareness Training
      CIS has implemented a process to provide annual IT security and privacy awareness training
      to all OPM employees and contractors.

      The training is conducted through an interactive web-based course. The course
      introduces employees and contractors to the basic concepts of IT security and privacy,
      including topics such as the importance of information security, security threats and
      vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software, and the
      roles and responsibilities of users.

      Over 99 percent of OPM's employees and contractors completed the security awareness
      training course in FY 2009.

      In addition, 99 percent of OPM employees and contractors with IT security-related
      responsibility completed specialized IT security training in FY 2009.

XI.   E-authentication Risk Assessments
      OMB Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies," states that
      it "applies to remote authentication of human users of Federal agency IT systems for the
      purposes of conducting government business electronically (or e-government)" and requires
      agencies to conduct an e-Authentication risk assessment of these systems.

      OPM's system inventory identifies 10 systems that CIS believes are subject to
      e-Authentication requirements. However, we believe that there are at least five additional
      systems at OPM that are subject to e-Authentication requirements.

      Recommendation 29
      We recommend that CIS determine which systems in its inventory are subject to
      e-Authentication requirements and complete e-Authentication risk assessments for each of
      these systems.


     CIS Response:
     "We agree with this recommendation. After meeting with your office on August 24, 2009,
     the Center for Information Services (CIS) security team sent correspondence to the
     perspective DSO's that currently do not have an e-Authentication risk assessment but
     should have one. We are tracking this effort under CIS POAM FY09-Q1-CIS-48."

XII. IT Security Policies and Procedures
     OPM's failure to adequately update its IT security policies and procedures has been
     highlighted in the past three OIG FISMA audit reports and has been identified as a material
     weakness in the IT security program in the FY 2007 and FY 2008 reports.

     In FY 2009, OPM published a new Certification and Accreditation Guide and an Information
     Security and Privacy Policy and deleted the majority of the outdated information from the
     agency's internal website (THEO). However, the policies deleted from THEO have not been
     replaced with current guidance on managing IT security at OPM.

     Volume 2 of the Information Security and Privacy Policy was posted to THEO in August
     2009. This policy outlines the IT security controls that should be in place for the major
     applications owned by the agency. However, the majority of the text in this policy is derived
     or copied directly from NIST SP 800-53 and has not been tailored to specifically address
     OPM's IT environment. Although this policy assigns responsibility for the management of
     various controls, it does not provide guidance on how these controls should be implemented
     and monitored. OPM's DSO community has repeatedly voiced concern (directly to the OIG
     and to CIS at monthly IT security working group meetings) that the lack of detailed IT
     security policies and procedures has negatively impacted their ability to secure the
     information systems they manage.

     The absence of the following policies, procedures, or guidance has directly led to OIG audit
     findings in FY 2009 (this is not intended to be a comprehensive list of missing policies at
     OPM):
     • Procedures for DSOs to manage POA&Ms for agency systems;
     • Procedures for CIS to review quarterly POA&Ms and report POA&M status to OMB;
     • Guidance for developing contingency plans, procedures for routinely conducting
       contingency plan tests, and templates for reporting test results;
     • Procedures for annually testing IT security controls and templates for recording test
       results;
     • Policy and procedures related to oversight of systems operated by a contractor;
     • Policy related to roles and responsibilities for the Independent Verification and
       Validation (IV&V) process and procedures for managing an IV&V; and
     • Guidance for establishing agreements for interfacing systems.





In addition to the missing policies, the following OPM policies have not been updated in the
past 3 years:
• Privacy Impact Assessment Guide (updated May 2006);
• Security Configuration and Hardening Policy (updated November 2004);
• Patch Management Policy (updated August 2005); and
• System Monitoring Policy (updated August 2005).

Although OPM has taken several steps to improve and update the agency's IT policies, we
will continue to consider this condition a material weakness until adequate policies exist for
all aspects of IT security program management at OPM. See section I, Information Security
Governance.

Recommendation 30 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation
19)
We recommend that CIS develop up-to-date and comprehensive IT security policies and
procedures, and publish these documents to THEO.

CIS Response:
"We agree with this recommendation. With limited resources there was some progress
made over the last 12 months in the creation of policies and procedures. However, the IT
security group lacks the resources necessary to establish and maintain the IT security
policies and procedures needed for an effective IT Security and Privacy program. The
Office of the Chief Information Officer (OCIO) is working on acquiring resources needed
for the IT Security and Privacy program. This effort is being tracked under CIS POAM
FY09-Q1-CIS-19."





                              Major Contributors to This Report 

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:

• Group Chief
• Auditor-in-Charge
• Information Technology Auditor
• Information Technology Auditor
• Information Technology Auditor





                                             Appendix I

                     Follow-up of Prior OIG FISMA Audit Recommendations

Report 4A-OD-00-05-013: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Enterprise Human Resources Integration (EHRI)
Data Warehouse, issued May 9, 2005.

 Rec#   Original Recommendation                                            Current Status
 3      We recommend that the Office of e-Government Initiatives (e-Gov)    CLOSED
        implement independent organization segments for the development
        and migration of system programming changes to EHRI.


Report 4A-IS-00-05-026: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Electronic Questionnaire for Investigations
Processing System (EQIP), issued June 16, 2005.

 Rec#   Original Recommendation                                            Current Status
 6      We recommend that each existing EQIP user (administrators,          CLOSED
        operators, and developers) sign a rules of behavior document.
        The signed documents should be maintained by the system DSO.
 18     We recommend that the Federal Investigative Services Division       OPEN. FISD is currently
        (FISD) verify that only authorized users have access to EQIP        updating OPM form 1665
        and maintain authorization forms for users, including              to address this
        administrators, operators, and developers.                         recommendation.


Report 4A-IS-00-06-021: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Fingerprint Transaction System (FTS), issued
August 29, 2006.

 Rec#   Original Recommendation                                            Current Status
 4      We recommend that FISD document and maintain on file                CLOSED
        authorizations that specify the authorized privileges for each
        FTS user. In addition, we recommend that FISD periodically
        verify that only authorized users have access to FTS by
        reviewing user authorization forms and comparing them to
        access lists.
 7      We recommend that FISD update the FTS contingency plan to fully     CLOSED
        document the following information:
          • contact information,
          • recovery goals/objectives,
          • recovery procedures,
          • original or new site restoration procedures,
          • concurrent processing procedures, and
          • responsible teams.


Report 4A-RI-00-08-023: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Employee Benefits Information System (EBIS),
issued April 10, 2008.
 Rec#   Original Recommendation                                            Current Status
 1      We recommend that the Center for Human Capital Management           CLOSED
        Services (HCMS) develop a formal business impact analysis to
        determine the effect that EBIS system outages would have on
        HCMS, GRB, and EBIS users.
 2      The EBIS contingency plan should be improved to include the         CLOSED
        appropriate elements outlined in NIST SP 800-34, as determined
        by the results of the business impact analysis.


Report 4A-WR-00-08-024: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Central Personnel Data File (CPDF), issued
April 17, 2008.
 Rec#   Original Recommendation                                            Current Status
 1      We recommend that the Strategic Human Resources Policy Division     CLOSED
        update its Business Contingency Plan to include all elements
        required by NIST SP 800-34. This should include detailed
        recovery procedures sufficient to test the restoration of all
        CPDF processes.


Report 4A-HR-00-08-058: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's USAJOBS System, issued September 5, 2008.
 Rec#   Original Recommendation                                            Current Status
 1      We recommend that the Human Resources Products and Services         CLOSED
        Division (HRPS) and Monster World Wide (MWW) update, review,
        and test its contingency plan on an annual basis.
 2      We recommend that HRPS/MWW develop formal procedures for media      CLOSED
        sanitization and disposal in accordance with NIST SP 800-53
        Revision 1 control MP-6.
 3      We recommend that HRPS update the most current POA&M template       CLOSED
        to identify and prioritize all security weaknesses identified
        for USAJOBS.
Report 4A-MO-00-08-059: Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Executive Schedule C System (ESCS), issued
September 8, 2008.

 Rec#   Original Recommendation                                            Current Status
 [...]  We recommend that the Human Capital Leadership and Merit System     CLOSED
        Accountability Division (HCLMSA) update the ESCS contingency
        plan to include the elements [...]
 [...]  [recommendation text not legible in this copy]                      CLOSED
 4      [...] update POA&M to include the weaknesses outlined in this       CLOSED
        audit report, and continue to update the POA&M with any
        additional weaknesses discovered by the program office or an
        outside party conducting a security review of the [...]


Report 4A-CI-00-08-022: FY 2008 Federal Information Security Management Act Audit,
issued September 23, 2008.

 Rec#   Original Recommendation                                            Current Status
 1      We recommend that OPM ensure that an annual test of security        OPEN. Rolled forward
        controls has been completed for all systems.                       as 4A-CI-00-09-031
                                                                           Recommendation 6
 2      We recommend that OPM's program offices test the contingency        OPEN. Rolled forward
        plans for each system on an annual basis.                          as 4A-CI-00-09-031
                                                                           Recommendation 9
 3      We recommend that OPM update its system inventory to clearly        CLOSED
        identify the state of the system (active, suspended,
        development, etc).
 4      We recommend that the program offices incorporate all known         OPEN. Rolled forward
        security weaknesses into the POA&Ms.                               as 4A-CI-00-09-031
                                                                           Recommendation 12
 5      We recommend that an up-to-date POA&M exist for each system in      OPEN. Rolled forward
        OPM's inventory.                                                   as 4A-CI-00-09-031
                                                                           Recommendation 13
 6      We recommend that all program offices submit POA&Ms to the          OPEN. Rolled forward
        CIS/CIO office on a quarterly basis.                               as 4A-CI-00-09-031
                                                                           Recommendation 13
 7      We recommend that the CIS/CIO require each program office to        CLOSED
        provide evidence (proof of closure) that POA&M weaknesses have
        been resolved before allowing that item to be labeled "complete."
 8      We recommend that all OIG recommendations be included on POA&Ms     CLOSED
        and they not be removed until evidence of proof of closure is
        provided to the CIS/CIO.
 9      We recommend that CIS take the appropriate steps to ensure that     OPEN. Rolled forward
        all active systems in OPM's inventory have a complete and          as 4A-CI-00-09-031
        current C&A.                                                       Recommendation 16
 10     We recommend that all elements required by FISMA and relevant       CLOSED
        NIST guidance be in place before a system is formally C&A'd.
 11     We recommend that OPM issue its "Information Security and           CLOSED
        Privacy Policy" to all agency employees and post a copy to the
        agency's internal website.
 12     We recommend that OPM continue its efforts to reduce the use of     OPEN. Rolled forward
        SSNs and develop a formal plan to eliminate the unnecessary        as 4A-CI-00-09-031
        collection and use of SSNs within 18 months in accordance with     Recommendation 22
        OMB Memorandum M-07-16.
 13     We recommend that OPM continue its efforts to implement a           OPEN. Rolled forward
        solution to automatically encrypt all data on mobile               as 4A-CI-00-09-031
        computers/devices carrying agency data unless the data is          Recommendation 24
        determined not to be sensitive.
 14     We recommend that OPM continue its efforts to develop a             CLOSED
        methodology for logging computer-readable data extracts to
        determine whether sensitive data has been erased after 90 days.
 15     We recommend that OPM configure [redacted] in a manner              OPEN. Rolled forward
        consistent with OPM's [redacted] Configuration Policy. Each of     as 4A-CI-00-09-031
        the vulnerabilities outlined in the OIG's audit inquiry should     Recommendation 28
        be formally documented, itemized, and prioritized in a POA&M.
        In the event that a vulnerability cannot be remediated due to a
        technical or business reason, the supported system's owner
        should document the reason in the system's ISSP to formally
        accept any associated risks.
 16     We recommend that OPM continue its efforts to implement all         OPEN. Rolled forward
        required elements of the FDCC.                                     as 4A-CI-00-09-031
                                                                           Recommendation 26
 17     We recommend that OPM continue its efforts to ensure that all       CLOSED
        federal employees and contractors with access to OPM's IT
        resources complete IT security and privacy awareness training
        on an annual basis.
 18     We recommend that e-authentication risk assessments be completed    CLOSED
        for the required systems in accordance with OMB Memorandum
        M-04-04.
 19     We recommend that CIS promptly update OPM's IT security policies    OPEN. Rolled forward
        and publish them to THEO.                                          as 4A-CI-00-09-031
                                                                           Recommendation 30



Report 4A-CI-00-09-053: Flash Audit Alert - Information Technology Security Program
at the U.S. Office of Personnel Management, issued May 27, 2009.

 Rec#   Original Recommendation                                            Current Status
 1      We recommend that CIS correct the FY 2009 second quarter FISMA      CLOSED
        report to accurately reflect the status of OPM's IT security
        position as of March 1, 2009.
 2      We recommend that CIS develop a comprehensive set of IT security    OPEN. Rolled forward
        policies and procedures, and a plan for updating it at least       as 4A-CI-00-09-031
        annually.                                                          Recommendation 30
 3      We recommend that the OPM Director ensure that CIS has adequate     OPEN
        resources to properly staff its IT Security and Privacy Group.
 4      We recommend that CIS recruit a permanent Senior Agency             OPEN. OPM hired an
        Information Security Officer as soon as possible and adequate      ITSO, but the
        staff to effectively manage the agency's IT security program.      organization of the
                                                                           ITSO's staff has not
                                                                           been finalized.
                                                  Appendix II




UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

July 2009

The U.S. Office of Personnel Management Office of Inspector General (OIG) released a Flash Audit Alert dated May 27, 2009, which outlined several recommendations regarding the OPM IT Security Program. These recommendations are noted below along with the response.

Recommendation 1: We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status of OPM's IT security position as of March 1, 2009. This would include reporting that eOPF and the EHRI Data Warehouse systems both have weaknesses more than 120 days overdue, and changing the metrics on the entire report from the number of overdue weaknesses to the number of systems with overdue weaknesses.

Response: The Center for Information Services (CIS) security team acted on the best information they had at the time in closing eOPF and EHRI Data Warehouse weaknesses. In response to concerns raised by OIG staff that 21 were closed inappropriately (out of a total of 268 total program weaknesses), CIS accepted the OIG's rationale for why the 21 should remain open (guidance on this is not clear) and agreed to reopen them. They have been reopened with the original completion date. OIG was informed of this action prior to the Alert Report.

We agree with the recommendation that OPM report the number of systems with weaknesses more than 120 days overdue, instead of the number of weaknesses. This was a mistake in our understanding of the reporting requirements. It should be noted that this mistake made the OPM metrics look worse than they really are, so we were most willing to make this change. As soon as we confirmed the OIG's interpretation was correct, we made the change, in time for the 3rd quarter FISMA report. OIG was notified of the correction prior to the Alert Report. The 2nd quarter report has also been updated and sent to OMB. We consider this recommendation to be closed.
Recommendation 2: We recommend that CIS develop a comprehensive set of IT security policies and procedures, and a plan for updating them at least annually.

Response: We agree with this recommendation and have been working for many months to complete needed updates. Work began as soon as funding was provided. Many policies and procedures have already been revised, with the remainder targeted for completion by 8/31/09. We have kept OIG apprised of our efforts to complete this work.

Recommendation 3: We recommend that the OPM Director ensure that CIS has adequate resources to properly staff its IT Security and Privacy Group.

Response: We agree with this recommendation. As we discussed with OIG staff on numerous occasions, CIS has been working with HR for more than a year to reorganize and elevate the IT security function, to upgrade the level of the IT security officer from a GS-14 to a GS-15, and to add staff. A new organizational alignment, grade structure and resources for the IT Security and Privacy Group were approved on March 4, 2009. Under this new structure, the IT security staff will grow from 3 to 6. We consider this recommendation to be closed.

Recommendation 4: We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible, and adequate staff to effectively manage the agency's IT security program.

Response: We agree with this recommendation. Recruiting has been in progress since the reorganization was approved. We have made a couple of offers to fill the GS-15 and GS-14 positions, which were declined. We have identified another excellent candidate for the GS-15 position. We are currently in the process of getting Chief of Staff approval to extend an offer. We are targeting a report date in August.

As you can see, all of the OIG issues with our security program noted in the Alert Report have either been completed or are well on their way to completion. With the exception of the selection of the ITSO, which is a very recent decision, we have attempted to keep OIG staff apprised of our status on these issues. Their recommendations were seriously considered, reviewed and acted upon as appropriate.
Appendix III


                                           October 20, 2009 


Report No. 4A-CI-00-09-031


MEMORANDUM FOR LEWIS F. PARKER, Jr. 

                           Chief, Information Systems Audit Group 


FROM: [name redacted]
      Information Officer

SUBJECT: Federal Information Security Management Act Audit - FY 2009

Attached you will find our responses to the draft Federal Information Security Management Act audit report. The protection of the Office of Personnel Management (OPM) network and resources is critical to the success of the OPM mission. All OPM Components rely extensively on information technology (IT) assets and the OPM network to achieve mission objectives. For that reason, we thank you and agree with the recommendations provided in the draft report identifying areas for improvement within the OPM IT security and privacy program. The Office of the Chief Information Officer (OCIO) is committed to ensuring an effective IT security and privacy program. Please note that we have created CIO POA&M entries for these findings and will develop a plan to mitigate these as additional resources become available.

If you have any questions regarding the responses in this report, please don't hesitate to contact me [contact redacted] or [name redacted] (ITSO) [contact redacted]. We look forward to continuing to work together to improve the IT security program at OPM.

Attachment

cc:
[name redacted], Director of External Affairs
[name redacted], ...nancial Officer & Policy and Internal Control Group
[name redacted], Executive Secretariat
Current Status of Flash Audit Alert Recommendation 1
We verified that CIS corrected and submitted the FY 2009 second quarter FISMA report. We
also verified that the FY 2009 third quarter FISMA report accurately represented the status of
OPM's security program at that time.

CIS Reply 10/20/09
The Center for Information Services (CIS) security team will continue to ensure the quarterly
FISMA reports reflect correct and accurate information for OPM's security program.

Current Status of Flash Audit Alert Recommendation 2
OPM's IT security policies and procedures continue to lack adequate current guidance on
managing IT security at the agency. See section XII of this report for details.

CIS Reply 10/20/09
Please refer to section XII for our response to Recommendation 30 regarding the IT security
policies and procedures.

Current Status of Flash Audit Alert Recommendation 3
We continue to believe that CIS lacks the resources needed to manage an adequate IT security
program. Eleven of the nineteen audit recommendations issued in the FY 2008 FISMA audit
report have been rolled forward into this FY 2009 FISMA report, indicating that CIS does not
have the resources needed to remediate identified security weaknesses.

CIS Reply 10/20/09
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain an effective security and privacy program. The new
SAISO (referred to as the ITSO) that was hired in September 2009 has identified resources
needed and his recommendations are under review with senior management. The Office of the
Chief Information Officer (OCIO) is working on acquiring resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-27).

Current Status of Flash Audit Alert Recommendation 4
CIS hired a permanent SAISO (referred to as the ITSO) in September 2009. However, the
agency operated with an acting ITSO for over 11 months of FY 2009. In addition, the
organization of the staff reporting to the ITSO has not been finalized. On a potentially positive
note, the OPM Director has recently appointed a new Acting Chief Information Officer, who has
developed preliminary plans to expand and improve OPM's IT security program. We will re­
evaluate these developments during the FY 2010 FISMA audit.

CIS Reply 10/20/09
We agree with this recommendation. Currently the IT security group lacks the resources and
the organizational structure necessary to establish and maintain an effective security and
privacy program. The new SAISO (referred to as the ITSO) that was hired in September 2009
has developed an organizational chart, roles and responsibilities and resources needed. His
recommendations are under review with senior management. The Office of the Chief
Information Officer (OCIO) is working on acquiring resources needed for the IT Security and
Privacy program. As referenced in Flash Audit Alert Recommendation 3, we have created a
CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-27) regarding resources.

Recommendation 1
We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits
Systems Group) to identify any systems that exist but do not appear on the system inventory.
The systems discovered during this survey should be promptly added to the system inventory and
certified and accredited.

CIS Reply 10/20/09
We agree with this recommendation. The IT Security and Privacy group will conduct a
network assessment to map out the OPM network and identify all missing systems, and has created
a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-28).

Recommendation 2
We recommend that CIS develop and maintain an inventory of all system interfaces.

CIS Reply 10/20/09
We agree with this recommendation. The IT Security and Privacy team will include system
interface information on the OPM FISMA Master System Inventory going forward. We have
created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-29). Please
note as stated in response to IG Information Request #24, system interface information is
included within each System Security Plan for each system currently on the OPM FISMA
Master System Inventory.

Recommendation 3
We recommend that CIS develop a policy providing guidance on the development and
appropriate use of MOUs and ISAs.

CIS Reply 10/20/09
We agree with this recommendation. Currently the IT Security and Privacy group lacks the
resources necessary to establish and maintain an effective security and privacy program. The
Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for
the IT Security and Privacy program. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-30).

Recommendation 4
We recommend that CIS conduct a survey to determine how many systems owned by another
agency are used by OPM.
CIS Reply 10/20/09
We agree with this recommendation. We have made some progress with this task (please refer
to IG Information request #24) but we lack the resources to conduct a complete network
assessment to map out the OPM network and identify all systems. The Office of the Chief
Information Officer (OCIO) is working on acquiring resources needed for the IT Security and
Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM
FY09-Q4-CIS-31).

Recommendation 5
We recommend that CIS develop a policy for adequately testing the security controls of OPM's
systems, and provide training to the Designated Security Officer (DSO) community related to
proper security control testing.

CIS Reply 10/20/09
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies and training program. The Office of the
Chief Information Officer (OCIO) is working on acquiring resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-32).

Recommendation 6 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 1)
We recommend that OPM ensure that an annual test of security controls has been completed for
all systems.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-1.

Recommendation 7
We recommend that OPM develop detailed guidance related to developing and testing the
contingency plans of agency systems, and provide training to the DSO community related to
proper contingency planning and contingency plan testing.

CIS Reply 10/20/09
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies and training program. The Office of the
Chief Information Officer (OCIO) is working on acquiring resources needed for the IT
Security and Privacy program. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-33).

Recommendation 8
We recommend that up-to-date contingency plans be developed for all agency systems.

CIS Reply 10/20/09
We agree with this recommendation. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-34).

Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 2)
We recommend that OPM's program offices test the contingency plans for each system on an
annual basis.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-2.

Recommendation 10
We recommend that OPM develop a policy providing guidance on providing adequate oversight
of contractor operated systems.

CIS Reply 10/20/09
We agree with this recommendation. Currently the IT security group lacks the resources
necessary to establish and maintain these policies and provide the oversight needed. The
Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for
the IT Security and Privacy program. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-35).

Recommendation 11
We recommend that CIS publish the Plan of Action and Milestone Standard Operating Procedure
to THEO.

CIS Reply 10/20/09
We agree with this recommendation. We have created a CIS POA&M item to document the
completion of this recommendation (CIS POAM FY09-Q4-CIS-36). The POA&M Guide has
been published as of September 2009 on THEO:
http://theo.opm.gov/policies/ISpp/FINAL POAM Process SOP 093009.pdf

Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 4)
We recommend that OPM program offices incorporate all known IT security weaknesses into
POA&Ms.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-4.
Since the POA&M SOP was just recently published on THEO, we will continue to assist
program offices through this process.



Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendations 5
and 6)
We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that
system owners submit updated POA&Ms to CIS on a quarterly basis.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-5
and CIS POAM FY09-Q1-CIS-6. The POA&M SOP has been published as of
September 2009 which provides guidance to DSO's regarding POA&M submission. Please
note that since OMB did not require any POA&M submissions for FY09 quarter 4, CIS did
not continue to follow up with program offices to ensure submissions were provided to CIS for
FY09 quarter 4.

Recommendation 14
We recommend that CIS provide guidance to program offices to evaluate the resources and time
requirements needed to remediate security weaknesses so that reasonable remediation due dates
are established for all POA&M items.

CIS Reply 10/20/09
We agree with this recommendation. The POA&M SOP has been published as ofSeptember
2009 which provides guidance to DSO's regarding POA&M management. We have created a
CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-37) on supplemental
guidance to the DSO's.

Recommendation 15
We recommend that each program office prioritize the system weaknesses listed on their
POA&Ms.

CIS Reply 10/20/09
We agree with this recommendation. The POA&M SOP has been published as ofSeptember
2009 which provides guidance to DSO's regarding prioritizing weaknesses. We have created a
CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-38) on supplemental
guidance to the DSO's.

Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 9)
We recommend that all active systems in OPM's inventory have a complete and current C&A.

CIS Reply 10/20/09
We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to map out the OPM network and identify all systems and
account for missing C&As but we currently lack the resources to perform this task. The
Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for
the IT Security and Privacy program. We are tracking this effort under CIS POAM FY09-Q1-CIS-9.

Recommendation 17
We recommend that the FIPS Publication 199 security categorization be updated for the
inappropriately categorized system.

CIS Reply 10/20/09
We agree with this recommendation. The Center for Information Services (CIS) security team
will work with the DSO's to ensure the FIPS 199 reflect the appropriate rating. During the
monthly October 2009 Information Technology Security Working Group (ITSWG) meeting,
the writer and subject matter expert from NIST provided a briefing on NIST 800-60 (Guide for
Mapping Types of Information and Information Systems to Security Categories) to the DSO's
and CIS. We have created a CIS POA&M item to continue to track our progress (CIS POAM
FY09-Q4-CIS-39).

Recommendation 18
We recommend that CIS update the PIA Guide to address all of the requirements of OMB
Memorandum M-03-22.

CIS Reply 10/20/09
We agree with this recommendation. The privacy group is currently working on a new PIA
Guide and a new PIA Template. We have created a CIS POA&M item to track our progress
(CIS POAM FY09-Q4-CIS-40).

Recommendation 19
We recommend that CIS conduct a new PIA survey to determine which OPM systems require a
PIA, including those systems that process sensitive information about government employees
and contractors.

CIS Reply 10/20/09
We agree with this recommendation. The IT Security and Privacy group would like to
conduct a network assessment to identify all PII information present on the OPM network but
we currently lack the resources to perform this task. The network assessment would be
followed by a request to each office that owns the PII to conduct privacy threshold analysis
(PTA). The Office of the Chief Information Officer (OCIO) is working on acquiring resources
needed for the IT Security and Privacy program. We have created a CIS POA&M item to track
our progress (CIS POAM FY09-Q4-CIS-41).

Recommendation 20
We recommend that a new PIA be conducted for the appropriate systems based on the updated
PIA Guide.

CIS Reply 10/20/09
We agree with this recommendation. Conducting and reviewing PIAs require CIO as well as
program office resources. Once the new PIA Guide and Template is approved and
communicated, we will engage the DSO's so they can update their system privacy
documentation. We have created a CIS POA&M item to track our progress (CIS POAM
FY09-Q4-CIS-42).

Recommendation 21
We recommend that each system owner annually review the existing PIA for their system to
reevaluate current holdings of PII, and that they submit evidence of the review to CIS.

CIS Reply 10/20/09
We agree with this recommendation. Conducting and reviewing PTAs/PIAs require CIO as
well as program office resources. We plan on implementing a Privacy Threshold Analysis
(PTA) process as part of our Privacy activities. The PTA is the initial step in determining
whether a PIA is necessary and as indicated in NIST SP 800-122, an essential part of the
Certification and Accreditation (C&A) process. The PTA will be reviewed annually or when a
change occurs with the system and the document will become an artifact used for reporting
purposes. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-43).
The Center for Information Services (CIS) security team has already begun to share the
evidence of annual PIA reviews with the Privacy Office to reflect that the DSO's are reviewing
their PIA's as part of their FY09 security controls testing.

Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in
accordance with OMB Memorandum M-07-16.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-12.
However, the OCIO lacks the resources necessary to conduct the detailed analysis
needed to review all documentation (laws, policies, OPM forms and other documents) that
requires the use of SSNs today. Furthermore, those resources would be needed to establish
and maintain the policies and procedures for an effective program.

Recommendation 23
We recommend that OPM participate in government-wide efforts to explore alternatives to
agency use of SSNs, as required by OMB Memorandum M-07-16.

CIS Reply 10/20/09
We agree with this recommendation.

Recommendation 24 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 13)
We recommend that CIS encrypt all data on all mobile computers containing sensitive
information.

CIS Reply 10/20/09
We agree with this recommendation. OPM has implemented mandatory encryption controls
on OPM laptops, blackberries, and tape backups. OPM's IT Security and Privacy Policy
requires that any sensitive data removed to removable media must be encrypted. WinZip
encryption has been provided to all OPM users to protect sensitive data. The encryption policy
and guidelines for WinZip are available on the OPM intranet site and are included in the
annual security awareness training. We are tracking this effort under CIS POAM FY09-Q1-CIS-13.

Recommendation 25
We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy,
Patch Management Policy, and System Monitoring Policy.

CIS Reply 10/20/09
We agree with this recommendation. Some progress has been made in these procedures but
currently the IT security group lacks the resources necessary to finalize and maintain these
procedures. The Office of the Chief Information Officer (OCIO) is working on acquiring
resources needed for the IT Security and Privacy program. We have created CIS POA&Ms
for each policy to track our progress (CIS POAM FY09-Q4-CIS-44, FY09-Q4-CIS-45,
FY09-Q4-CIS-46).

Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 16)
We recommend that OPM implement FDCC compliant images on all OPM workstations.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-16.

Recommendation 27
We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all
contracts related to common security settings.

CIS Reply 10/20/09
We agree with this recommendation. We have created a CIS POA&M item to track our
progress (CIS POAM FY09-Q4-CIS-47).

Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 15)
We recommend that in the event that [redacted] cannot be remediated due to a
technical or business reason, the system's owner should document the reason in the system's
ISSP and formally accept any associated risks.

CIS Reply 10/20/09
We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-15.

Recommendation 29
We recommend that CIS determine which systems in its inventory are subject to
e-Authentication requirements and complete e-Authentication risk assessments for each of these
systems.

CIS Reply 10/20/09
We agree with this recommendation. After meeting with your office on August 24, 2009, the
Center for Information Services (CIS) security team sent correspondence to the perspective
DSO's that currently do not have an e-Authentication risk assessment but should have one.
We are tracking this effort under CIS POAM FY09-Q1-CIS-18.

Recommendation 30 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 19)
We recommend that CIS develop up-to-date and comprehensive IT security policies and
procedures, and publish these documents to THEO.

CIS Reply 10/20/09
We agree with this recommendation. With limited resources there was some progress made
over the last 12 months in the creation of policies and procedures. However, the IT security
group lacks the resources necessary to establish and maintain the IT security policies and
procedures needed for an effective IT Security and Privacy program. The Office of the Chief
Information Officer (OCIO) is working on acquiring resources needed for the IT Security and
Privacy program. This effort is being tracked under CIS POAM FY09-Q1-CIS-19.