U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject: FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2009

Report No. 4A-CI-00-09-031
Date: November 5, 2009

CAUTION

This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2009
WASHINGTON, D.C.

Report No. 4A-CI-00-09-031
Date: November 5, 2009

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final audit report documents the Office of Personnel Management's (OPM's) continued efforts to manage and secure its information resources. We have significant concerns regarding the overall quality of the information security program at OPM. These concerns are rooted in the lack of adequate information security governance activities in accordance with legislative and regulatory requirements.
Specifically, the agency has not fully documented information security policy and procedures or established appropriate roles and responsibilities. The lack of policies and procedures was reported as a material weakness in the fiscal year (FY) 2007 and FY 2008 Federal Information Security Management Act (FISMA) audit reports. While some progress was made in FY 2009, detailed guidance is still lacking. An updated Information Security and Privacy Policy was finalized in August 2009. This policy outlines the information technology (IT) security controls that should be in place for the major applications owned by the agency. However, the majority of the text in this policy is derived or copied directly from National Institute of Standards and Technology (NIST) guidance and has not been tailored to specifically address OPM's IT environment. In addition, detailed procedures and implementing guidance are still missing.

This year we are expanding the material weakness to include the agency's overall information security governance program and incorporating our concerns about the agency's information security management structure. As of late September 2009, there had been no permanent senior agency information security official (SAISO) in the agency for nearly 18 months. During this time, we observed a serious decline in the quality of the agency's information security program. In addition, there is no permanent Privacy Program Manager assigned to manage the agency's privacy program. As a result, there are many deficiencies in OPM's privacy program. The agency has recently appointed a new SAISO; however, it remains to be seen whether it will commit the necessary resources and develop the appropriate functions required of this role. We will reevaluate this issue during the FY 2010 FISMA audit.
The continuing weaknesses in OPM's information security program result directly from inadequate governance. Most, if not all, of the exceptions we noted this year resulted from a lack of necessary leadership, policy, and guidance. Our most notable observations include:

• As noted above, OPM continues to lack adequate and up-to-date IT security policies and procedures. We continue to consider this to be a material weakness in OPM's IT security program.
• One system on OPM's inventory was placed into production before a certification and accreditation (C&A) was completed, and the prior C&A for three systems has expired and a new C&A has not been completed. Weaknesses in OPM's C&A process continue to remain a significant deficiency in OPM's IT security program.
• Weaknesses in OPM's privacy impact assessment (PIA) process and the agency's failure to meet privacy-related requirements from the Office of Management and Budget (OMB) lead us to believe that there is a significant deficiency in OPM's management of its privacy program.

In addition to these weaknesses, the OIG noted the following controls in place and opportunities for improvement:

• OPM's Center for Information Services (CIS) maintains a master inventory of OPM's major systems. We generally agree with the number of systems listed in the inventory (42), but we identified at least one major application that does not appear on the system inventory and has not been subject to a C&A. In addition, OPM's system inventory does not identify interfaces between internal and external systems.
• A C&A has been completed and remains active for 38 of the 42 systems in OPM's inventory.
• The IT security controls have been adequately tested for 40 of OPM's 42 systems during FY 2009.
• Four out of OPM's 42 systems did not have an adequately documented and/or up-to-date contingency plan.
• In FY 2009, the contingency plans for 31 of OPM's 42 systems were tested in full compliance with the requirements of NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems.
• Nothing has come to our attention to indicate that OPM program offices do not maintain oversight of systems operated by a contractor.
• The Plan of Action and Milestones (POA&M) for three OPM systems did not contain all security weaknesses identified during the annual security control tests of those systems.
• POA&Ms are continuously managed for 40 of OPM's 42 systems; current POA&Ms were not submitted to CIS for two systems in the fourth quarter of 2009.
• When closing POA&M items, OPM program offices have provided adequate evidence to CIS that the weaknesses were corrected.
• Five agency systems have POA&M weaknesses with remediation activities over 120 days old.
• Two agency systems did not prioritize weaknesses on their POA&Ms.
• OPM's PIA Guide has not been updated in over three years and fails to address several requirements of OMB Memorandum M-03-22.
• The OIG has not received evidence that system owners review their PIA documentation on an annual basis.
• OPM has implemented a breach notification policy.
• CIS developed a formal plan to reduce the use of social security numbers (SSNs) at OPM. However, the plan does not address participation in government-wide efforts to explore alternatives to agency use of SSNs, as required by U.S. Office of Management and Budget Memorandum M-07-16.
• OPM had developed a standard laptop image that utilizes software-based full-disk encryption. However, CIS was unable to provide evidence of how many laptops issued to OPM employees and contractors contain the new image with encryption capabilities.
• OPM developed a methodology for logging computer-readable data extracts of personally identifiable information.
• Several policies related to configuration management have not been updated in over four years.
• OPM has implemented several techniques for monitoring compliance with configuration management policies.
• OPM has developed a Windows XP image that is generally compliant with Federal Desktop Core Configuration standards. However, this image has not been implemented on any production workstations.
• Language from 48 CFR Part 39, Acquisition of Information Technology, has not been included in all contracts related to common security settings.
• One [redacted] continues to run on an unsupported version of [redacted] without a formally [redacted]
• OPM has developed an "Incident Response and Reporting Policy" that documents procedures for reporting all IT security events to the appropriate entities.
• CIS has implemented a process to provide annual IT security and privacy awareness training to all OPM employees and contractors.
• OPM's system inventory does not identify all systems that are subject to e-Authentication requirements.

Contents

Executive Summary ... i
Introduction ... 1
Background ... 1
Objectives ... 1
Scope and Methodology ... 2
Compliance with Laws and Regulations ... 3
Results ... 4
I. Information Security Governance ... 4
II. System Inventory ... 7
III. Certification and Accreditation, Security Controls Testing, and Contingency Planning ... 9
IV. Agency Oversight of Contractor Systems ... 11
V. Agency Plan of Action and Milestones Process ... 12
VI. Certification and Accreditation Process ... 15
VII. Agency Privacy Program ... 16
VIII. Configuration Management ... 21
IX. Incident Reporting ... 23
X. Security Awareness Training ... 24
XI. E-authentication Risk Assessments ... 24
XII. IT Security Policies and Procedures ... 25
Major Contributors to this Report ... 27
Appendix I: Follow-up of Prior OIG FISMA Audit Recommendations
Appendix II: Center for Information Services' July 28, 2009 response to the OIG IT Security Flash Audit Alert, issued May 27, 2009
Appendix III: Center for Information Services' October 20, 2009 response to the OIG's draft audit report, issued October 6, 2009
Appendix IV: OIG FISMA data submission to the U.S. Office of Management and Budget

Introduction

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we conducted an evaluation of OPM's security program and practices. As part of our evaluation, we reviewed OPM's FISMA compliance strategy and documented the status of its compliance efforts.

Background

FISMA requirements pertain to all information systems (national security and unclassified systems) supporting the operations and assets of an agency, including those systems currently in place or planned. The requirements also pertain to information technology (IT) resources owned and/or operated by a contractor supporting agency systems. FISMA reemphasizes the Chief Information Officer's (CIO) strategic, agency-wide security responsibility. At OPM, security responsibility is assigned to the agency's Center for Information Services (CIS), which is managed by the CIO.
FISMA also clearly places responsibility on each agency program office to develop, implement, and maintain a security program that assesses risk and provides adequate security for the operations and assets of programs and systems under their control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, OMB issued memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. This memorandum provides a consistent form and format for agencies to report to OMB. It identifies a series of reporting topics that relate to specific agency responsibilities outlined in FISMA. Our evaluation and reporting strategies were designed in accordance with the above OMB guidance.

Objectives

Our overall objective was to perform an evaluation of OPM's security program and practices, as required by FISMA. Specifically, we reviewed the following areas of OPM's IT security program in accordance with OMB's FISMA IG reporting requirements:

• Information Security Governance;
• System Inventory;
• Certification and Accreditation, Security Controls Testing, and Contingency Planning;
• Agency Oversight of Contractor Systems;
• Agency Plan of Action and Milestones Process;
• Certification and Accreditation Process;
• Agency Privacy Program;
• Configuration Management;
• Incident Reporting;
• Security Awareness Training;
• E-authentication Risk Assessments; and
• IT Security Policies and Procedures.

In addition, we evaluated the security controls of three major applications/systems at OPM (see Scope and Methodology for details of these audits). We also followed up on outstanding recommendations from prior FISMA audits (see Appendix I).

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.
Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The audit covered OPM's FISMA compliance efforts throughout FY 2009. We considered the internal control structure for various OPM systems in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

In conducting our audit, we relied to varying degrees on computer-generated data provided by OPM. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, we believe that the data was sufficient to achieve the audit objectives, and nothing came to our attention during our audit testing to cause us to doubt its reliability.

As appropriate, we conducted compliance tests using judgmental sampling to determine the extent to which established controls and procedures are functioning as intended. The results from tests performed on a sample basis were not projected to the universe of controls.

We reviewed OPM's general FISMA compliance efforts in the specific areas defined in OMB's guidance and the corresponding reporting instructions. We also evaluated the security controls for the following three major applications:

• Enterprise Human Resources Integration Data Warehouse (OIG Report No. 4A-HR-00-09-032)
• Electronic Official Personnel File (OIG Report No. 4A-HR-00-09-032)
• Integrated Security Management System (OIG Report No. 4A-CI-00-09-052)

In addition, in May 2009, the OIG issued a Flash Audit Alert (FAA) to OPM's Director highlighting our concerns with the agency's IT security program (report 4A-CI-00-09-053).
As part of this audit, we followed up on OPM's progress in implementing recommendations from the FAA.

Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the set of internal controls at OPM taken as a whole.

The criteria used in conducting this audit include:

• OPM Information Security and Privacy Policy Volume 2;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management;
• OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• OMB Memorandum M-06-16, Protection of Sensitive Agency Information;
• OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume I Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
• FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
• Other criteria as appropriate.
The audit was performed by the OIG at OPM, as established by the Inspector General Act of 1978, as amended. Our audit was conducted from May through September 2009 in OPM's Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM's practices were consistent with applicable standards. While generally compliant, with respect to the items tested, OPM's CIS and other program offices were not in complete compliance with all standards, as described in the "Results" section of this report.

Results

The sections below detail the results of the OIG's audit of OPM's FISMA compliance efforts. The results are formatted to be consistent with the questions outlined in the FY 2009 OMB Reporting Template for IGs. Throughout this report, we do not reference OPM systems by name, but we have already provided detailed documentation to CIS discussing our concerns and the specific systems involved.

I. Information Security Governance

In May 2009, the OIG issued a Flash Audit Alert (FAA) to OPM's Director highlighting our concerns with the agency's IT security program. An FAA is used when issues have been identified that require the immediate attention of the Director. The four primary issues outlined in the FAA were:

• CIS misrepresented the status of the agency's IT security program in the FY 2009 second quarter FISMA report issued to OMB;
• the agency's security policies and procedures continue to remain severely outdated;
• the IT security program at OPM is understaffed; and,
• the agency has operated without a senior agency information security official (SAISO) for over 14 months (as of May 2009).

In the interim, there has been limited progress in correcting these issues. The underlying cause, in our opinion, is that OPM has not established adequate information security governance activities in accordance with legislative and regulatory requirements.
Specifically, the agency has not fully documented information security policy and procedures or established appropriate roles and responsibilities. The lack of policies and procedures was reported as a material weakness in the FY 2007 and FY 2008 FISMA audit reports. This year we are expanding the material weakness to include the agency's overall information security governance program and incorporating our concerns about the agency's information security management structure.

As of late September 2009, there had been no permanent SAISO in the agency for nearly 18 months. During this time, we observed a serious decline in the quality of the agency's information security program. In addition, there is no permanent Privacy Program Manager assigned to manage the agency's privacy program. As a result, there are many deficiencies in OPM's privacy program. See section VII of this report for details.

The agency has recently appointed a new SAISO; however, it remains to be seen whether the agency will commit the necessary resources and develop the appropriate functions required of this role. We will reevaluate this issue during the FY 2010 FISMA audit.

The following section discusses the original FAA recommendations, followed by the management response and current status:

a) Flash Audit Alert Recommendation 1

We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status of OPM's IT security position as of March 1, 2009.

CIS Response to FAA: "The Center for Information Services (CIS) security team acted on the best information they had at the time. ... We agree with the recommendation that OPM report the number of systems with weaknesses more than 120 days overdue, instead of the number of weaknesses. This was a mistake in our understanding of the reporting requirement."

Current Status

We verified that CIS corrected and submitted the FY 2009 second quarter FISMA report.
We also verified that the FY 2009 third quarter FISMA report accurately represented the status of OPM's security program at that time.

CIS Response: "The Center for Information Services (CIS) security team will continue to ensure the quarterly FISMA reports reflect correct and accurate information for OPM's security program."

b) Flash Audit Alert Recommendation 2

We recommend that CIS develop a comprehensive set of IT security policies and procedures, and a plan for updating it at least annually.

CIS Response to FAA: "We agree with this recommendation and have been working for many months to complete needed updates. Work began as soon as funding was provided. Many policies and procedures have already been revised, with the remainder targeted for completion by 8/31/09."

Current Status

OPM's IT security policies and procedures continue to lack adequate current guidance on managing IT security at the agency. See section XII of this report for details.

CIS Response: "Please refer to section XII for our response to Recommendation 30 regarding the IT security policies and procedures."

c) Flash Audit Alert Recommendation 3

We recommend that the OPM Director ensure that CIS has adequate resources to properly staff its IT Security and Privacy Group.

CIS Response to FAA: "We agree with this recommendation. As we discussed with OIG staff on numerous occasions, CIS has been working with HR for more than a year to reorganize and elevate the IT security function, to upgrade the level of the IT security officer from a GS-14 to a GS-15, and to add staff. A new organizational alignment, grade structure and resources for the IT Security and Privacy Group were approved on March 4, 2009. Under this new structure, the IT security staff will grow from 3 to 6.
We consider this recommendation to be closed."

Current Status

The organizational realignment of OPM's IT security function remains incomplete, and we continue to believe that CIS lacks the resources needed to manage an adequate IT security program. Eleven of the 19 audit recommendations issued in the FY 2008 FISMA audit report have been rolled forward into this FY 2009 FISMA report, indicating that CIS does not have the resources needed to remediate identified security weaknesses.

CIS Response: "We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain an effective security and privacy program. The new SAISO [redacted] that was hired in September 2009 has identified resources needed and his recommendations are under review with senior management. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-27)."

d) Flash Audit Alert Recommendation 4

We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible, and adequate staff to effectively manage the agency's IT security program.

CIS Response to FAA: "We agree with this recommendation. Recruiting has been in progress since the reorganization was approved. We have made a couple of offers to fill the GS-15 and GS-14 positions, which were declined. We have identified another excellent candidate for the GS-15 position. We are currently in the process of getting Chief of Staff approval to extend an offer. We are targeting a report date in August."

Current Status

CIS hired a permanent SAISO in September 2009. However, the agency operated with an acting SAISO for over 11 months of FY 2009. In addition, the organization of the staff reporting to the SAISO has not been finalized.
On a potentially positive note, the OPM Director has recently appointed a new Acting Chief Information Officer, who has developed preliminary plans to expand and improve OPM's IT security program. We will reevaluate these developments during the FY 2010 FISMA audit.

CIS Response: "We agree with this recommendation. Currently the IT security group lacks the resources and the organizational structure necessary to establish and maintain an effective security and privacy program. The new SAISO [redacted] that was hired in September 2009 has developed an organizational chart, roles and responsibilities and resources needed. His recommendations are under review with senior management. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. As referenced in Flash Audit Alert Recommendation 3, we have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-27) regarding resources."

II. System Inventory

OPM has identified 42 major applications/systems within 8 of its program offices. OPM's system inventory indicated that these 42 systems were comprised of the following FIPS Publication 199 system impact classifications: 7 high, 33 moderate, and 2 low. The inventory also indicated that 32 systems operated within the agency and 10 are operated at a contractor facility.

CIS continuously maintains a master inventory of OPM's major systems, and sends monthly reminders to the various program offices asking for updates on the status of systems included in the inventory. CIS also facilitates the process of adding new systems to the inventory and removing decommissioned systems. The quality of OPM's system inventory has greatly improved since it was reviewed during the OIG FY 2008 FISMA audit.
Several fields have been added to the inventory spreadsheet to clearly identify the status of each system (production, development, planning) along with the name and contact information of individuals with security and ownership responsibility. In addition, a revision history has been added to the inventory to track specific updates and facilitate version control of the master inventory document.

The OIG generally agrees with the total number of systems listed in the most recent system inventory (42) and agrees with the number of systems identified as operated by a contractor (10). However, we identified at least one major application that does not appear on the system inventory and has not been certified and accredited (C&A).

OPM's system inventory does not identify interfaces between internal and external systems, and the agency does not have a policy related to security agreements between interfacing systems. OPM's Information Security and Privacy Policy Volume 2 states that "this policy applies to other agency's systems as delineated in memorandums of understanding (MOUs) and interconnection security agreements (ISAs) with OPM." However, this policy does not provide any guidance outlining the appropriate use of MOUs and ISAs (required elements of these agreements, when they are required, etc.).

In addition, CIS identified 21 systems used by OPM but owned and maintained by another federal agency. However, this list was compiled at the request of the OIG in September 2009 and is not complete.

Recommendation 1

We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited.

CIS Response: "We agree with this recommendation.
The IT Security and Privacy group will conduct a network assessment to map out the OPM network and identify all missing systems and created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-28)."

Recommendation 2

We recommend that CIS develop and maintain an inventory of all system interfaces.

CIS Response: "We agree with this recommendation. The IT Security and Privacy team will include system interface information on the OPM FISMA Master System Inventory going forward. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-29). Please note as stated in response to IG Information Request #24, system interface information is included within each System Security Plan for each system currently on the OPM FISMA Master System Inventory."

Recommendation 3

We recommend that CIS develop a policy providing guidance on the development and appropriate use of MOUs and ISAs.

CIS Response: "We agree with this recommendation. Currently the IT Security and Privacy group lacks the resources necessary to establish and maintain an effective security and privacy program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-30)."

Recommendation 4

We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM.

CIS Response: "We agree with this recommendation. We have made some progress with this task (please refer to IG Information request #24) but we lack the resources to conduct a complete network assessment to map out the OPM network and identify all systems. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-31)."

III. Certification and Accreditation, Security Controls Testing, and Contingency Planning

a) Number of systems certified and accredited

A C&A has been completed and remains active for 38 of the 42 systems in OPM's inventory. See section VI below for details of the systems without a current C&A and a review of OPM's C&A process.

b) Number of systems for which security controls have been tested in the past year

NIST SP 800-53 Revision 2 outlines the security controls that should be implemented for federal information systems. FISMA requires each agency to perform for all systems "Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually ...." An annual test of security controls provides a method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement. Failure to complete a security controls test increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level.

We conducted a review of the documentation resulting from the test of security controls for each system in OPM's inventory. In addition, we judgmentally selected specific controls tested in FY 2009 from various systems and independently evaluated whether the controls have been implemented. Our evaluation indicated that the IT security controls had been adequately tested for 40 of OPM's 42 systems during FY 2009.

The quality of the security control tests among OPM's systems varied significantly, and many different formats and templates were used to document the tests. We believe that this variance is a result of OPM's lack of agency-wide policy or guidance on how to adequately test its systems' security controls.
Recommendation 5
We recommend that CIS develop a policy for adequately testing the security controls of OPM's systems, and provide training to the Designated Security Officer (DSO) community related to proper security control testing.

CIS Response: "We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain these policies and training program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-32)."

Recommendation 6 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 1)
We recommend that OPM ensure that an annual test of security controls has been completed for all systems. The IT security controls should be immediately tested for the two systems that were not subject to testing in FY 2009.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-1."

c) Number of systems which have a contingency plan tested in accordance with policy
FISMA requires that a contingency plan be in place for each major application, and that the contingency plan be tested on an annual basis. In addition, the OPM Certification and Accreditation Guide states that "To fully address system security throughout the certification and accreditation process, various security documents are required to be created and maintained throughout the life of the system." The Guide states that one of the required security documents is a contingency plan.

Four out of OPM's 42 systems did not have an adequately documented and/or up-to-date contingency plan. One system was missing a contingency plan, one system did not have an updated contingency plan after going through a major infrastructure change, and two systems were placed into production before a contingency plan was developed.

In FY 2009, the contingency plans for 31 of OPM's 42 systems were tested in full compliance with the requirements of NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. Of the remaining 11 systems, 4 were not subject to any form of contingency plan test in FY 2009, and 7 were tested, but not with a scenario-based contingency plan test conducted in accordance with NIST SP 800-34 requirements.

OPM's Information Security and Privacy Policy Volume 2 states that each system owner must "Test the contingency plan for the information system at least annually to determine the plan's effectiveness and the system's readiness to execute the plan." However, this policy does not provide instructions for conducting the contingency plan test in accordance with NIST guidance or a standard template for reporting the results.

Effective contingency planning and testing establishes procedures and technical measures that enable a system to be recovered quickly and effectively from a service disruption or disaster. An incomplete or untested contingency plan increases the risk that a system could not recover from a service disruption in a timely manner.

Recommendation 7
We recommend that OPM develop detailed guidance related to developing and testing the contingency plans of agency systems and provide training to the DSO community related to proper contingency planning and contingency plan testing.

CIS Response: "We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain these policies and training program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-33)."

Recommendation 8
We recommend that up-to-date contingency plans be developed for all agency systems.

CIS Response: "We agree with this recommendation.
We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-34)."

Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-08-021 Recommendation 1)
We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 11 systems that were not subject to testing in FY 2009.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-2."

IV. Agency Oversight of Contractor Systems

Ten of OPM's 42 systems are operated by a contractor, and each of these systems has been certified and accredited by OPM. Nothing has come to our attention to indicate that OPM program offices do not maintain oversight of systems operated by a contractor. However, the agency does not have a formal policy providing guidance on the appropriate oversight of contractors and contractor-run systems.

Recommendation 10
We recommend that OPM develop a policy providing guidance on providing adequate oversight of contractor operated systems.

CIS Response: "We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain these policies and provide the oversight needed. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-35)."

V. Agency Plan of Action and Milestones Process

A plan of action and milestones (POA&M) is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. The sections below detail several weaknesses related to the appropriate use of POA&Ms at OPM. These weaknesses consist of items that are the responsibility of both CIS and the various program offices owning the information systems.

a) Policy for establishing a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts
Although CIS has provided informal guidance to OPM program offices related to the POA&M process, they have not published a formal policy that documents how POA&Ms should be managed at the agency. OPM has developed a draft version of "Plan of Action and Milestone Standard Operating Procedures," but this policy has not been published to OPM's internal website (THEO), and the agency's DSO community has not received training related to the new POA&M procedures.

Recommendation 11
We recommend that CIS publish the Plan of Action and Milestone Standard Operating Procedure to THEO. Once the procedures have been published, CIS should work closely with the DSO community, providing training and information-sharing sessions, to implement the procedures and ensure that there is a clear understanding of the appropriate management of POA&Ms.

CIS Response: "We agree with this recommendation. We have created a CIS POA&M item to document the completion of this recommendation (CIS POAM FY09-Q4-CIS-36). The POA&M Guide has been published as of September 2009 on Theo http://theo.opm.gov/policies/ispp/FINAL POAM Process SOP 093009.pdf"

OIG Reply: We acknowledge the steps that CIS has taken to publish the POA&M Guide to THEO and continue to recommend that CIS work closely with the DSO community, providing training and information-sharing sessions, to implement the procedures and ensure that there is a clear understanding of the appropriate management of POA&Ms.

b) POA&M as an agency-wide process incorporating all known IT security weaknesses
In FY 2008, the OIG conducted audits of 4 OPM systems with a total of 13 audit recommendations. We found that all 13 recommendations were included in the appropriate system's POA&Ms. In addition, we verified that all of the recommendations made during the FY 2008 FISMA audit were incorporated into the CIS POA&M.
However, we found that the POA&Ms for three OPM systems did not contain all security weaknesses identified during the annual security control tests of those systems.

Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 4)
We recommend that OPM program offices incorporate all known IT security weaknesses into POA&Ms.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-4. Since the POA&M SOP was just recently published on Theo, we will continue to assist program offices through this process."

c) Management of POA&Ms by program offices
OPM program offices are responsible for developing, implementing, and managing POA&Ms for each system that they own and operate. We were provided evidence that POA&Ms are continuously managed for 40 of OPM's 42 systems; current POA&Ms were not submitted to CIS for 2 systems in the fourth quarter of 2009.

Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendations 5 and 6)
We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that system owners submit updated POA&Ms to CIS on a quarterly basis.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-5 and CIS POAM FY09-Q1-CIS-6. The POA&M SOP has been published as of September 2009 which provides guidance to DSO's regarding POA&M submission. Please note that since OMB did not require any POA&M submissions for FY09 quarter 4, CIS did not continue to follow up with program offices to ensure submissions were provided to CIS for FY09 quarter 4."

d) Remediation of system deficiencies in a timely manner
Each program office is required to place all security deficiencies on POA&Ms and for each deficiency must indicate when they expect the deficiency to be remediated. Although the majority of program offices remediated POA&M deficiencies in a timely manner, there are significantly overdue remediation efforts for several systems; see section f), below.

e) Effectiveness of deficiency remediation plans in correcting the security weakness
When a POA&M item is remediated, the program offices are required to submit a work completion plan and evidence that the deficiency is corrected to CIS for review. We reviewed work completion plans for 10 systems and found that all 10 provided sufficient evidence that the weakness was corrected.

f) Compliance with estimated dates for remediation
We reviewed the POA&Ms for all OPM systems and determined that 5 agency systems have POA&M weaknesses with remediation activities over 120 days overdue. This indicates that CIS has not provided adequate leadership to ensure that program offices assign reasonable due dates and stay on track to meet those dates. Program offices are equally responsible for dedicating adequate resources to addressing POA&M weaknesses and meeting target objectives.

Recommendation 14
We recommend that CIS develop a formal corrective action plan to immediately remediate all POA&M weaknesses that are over 120 days overdue. In addition, we recommend that CIS take a lead role in the future and work closely with OPM program offices to ensure that POA&M completion dates are achieved.

CIS Response: "We agree with this recommendation. The POA&M SOP has been published as of September 2009 which provides guidance to DSO's regarding POA&M management. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-37) on supplemental guidance to the DSO's."

g) Agency CIO centrally tracks, maintains, and reviews POA&M activities on a quarterly basis
CIS requires program offices to provide the evidence, or "proof of closure," that security weaknesses have been resolved before closing the related POA&M.
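The POA&M criteria the report applies in subsections d) through g) above, together with the prioritization requirement in h) below, can be checked mechanically against a POA&M export. The following is an added example written for this page, not OPM's tooling or anything from the OIG report; the item fields, the constructed sample data and the "FY09-Q4" quarter label are assumptions.

```python
"""Checks a POA&M inventory against the criteria described in section V:
every deficiency has an estimated remediation date and a priority, an item may
only be closed with proof of closure, remediation more than 120 days past its
estimated date is significantly overdue, and each system owner submits an
updated POA&M to CIS every quarter. Added example; data is constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

OVERDUE_DAYS = 120  # threshold the report uses for "significantly overdue"


@dataclass
class PoamItem:
    system: str
    weakness: str
    scheduled: date                   # estimated remediation date
    status: str                       # "open" or "closed"
    priority: Optional[str] = None    # e.g. "high"; None if not prioritized
    proof_of_closure: bool = False    # evidence submitted to CIS on closure


@dataclass
class Findings:
    overdue: List[Tuple[str, str, int]] = field(default_factory=list)
    unprioritized: List[Tuple[str, str]] = field(default_factory=list)
    closed_without_proof: List[Tuple[str, str]] = field(default_factory=list)
    missing_quarterly: List[str] = field(default_factory=list)


def review_poams(items: List[PoamItem], systems: Set[str],
                 submissions: Dict[str, Set[str]], as_of: date,
                 quarter: str) -> Findings:
    """systems: every system in the inventory; submissions: quarters for
    which each system submitted an updated POA&M to CIS."""
    f = Findings()
    for it in items:
        if it.status == "open":
            days_late = (as_of - it.scheduled).days
            if days_late > OVERDUE_DAYS:
                f.overdue.append((it.system, it.weakness, days_late))
            if not it.priority:
                f.unprioritized.append((it.system, it.weakness))
        elif it.status == "closed" and not it.proof_of_closure:
            # closure without evidence: the item should not have been closed
            f.closed_without_proof.append((it.system, it.weakness))
    # a system with no submission this quarter has no current POA&M on file
    for s in sorted(systems):
        if quarter not in submissions.get(s, set()):
            f.missing_quarterly.append(s)
    return f


def sample_findings() -> Findings:
    """Runs the review over constructed sample data as of 30 Sep 2009."""
    items = [
        PoamItem("System A", "W-1", date(2009, 4, 1), "open", "high"),
        PoamItem("System A", "W-2", date(2009, 8, 1), "open"),
        PoamItem("System B", "W-3", date(2009, 5, 15), "closed", "moderate", True),
        PoamItem("System B", "W-4", date(2009, 6, 1), "closed", "low", False),
        PoamItem("System C", "W-5", date(2009, 12, 1), "open", "high"),
    ]
    systems = {"System A", "System B", "System C", "System D"}
    submissions = {
        "System A": {"FY09-Q3", "FY09-Q4"},
        "System B": {"FY09-Q4"},
        "System C": {"FY09-Q3"},
    }
    return review_poams(items, systems, submissions, date(2009, 9, 30), "FY09-Q4")


if __name__ == "__main__":
    print(sample_findings())
```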
We selected POA&M items from 10 systems and reviewed the proof of closure documentation provided by the program offices when the POA&M items were closed. The 10 systems were selected from a universe of 42 systems and were judgmentally chosen by OIG auditors. Although the results of the sample test were not projected to the entire population, nothing came to our attention to indicate that program offices are not providing adequate proof of closure to CIS when closing POA&M items.

h) POA&M process prioritizes IT security weaknesses
Each program office at OPM is required to prioritize IT security weaknesses on their POA&Ms to help ensure significant IT security weaknesses are addressed in a timely manner. However, we found that two agency systems did not prioritize weaknesses on their POA&Ms.

Recommendation 15
We recommend that the program offices responsible for the two systems in question prioritize the system weaknesses listed on their POA&Ms.

CIS Response: "We agree with this recommendation. The POA&M SOP has been published as of September 2009 which provides guidance to DSO's regarding prioritizing weaknesses. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-38) on supplemental guidance to the DSO's."

VI. Certification and Accreditation Process

Certification is a comprehensive assessment that attests that a system's security controls are meeting the security requirements of that system, and accreditation is the official management decision to authorize operation of an information system and accept its risks. Each major application at OPM is subject to the certification and accreditation (C&A) process every three years. We reviewed the C&A documentation for all OPM systems subject to a C&A in FY 2009.
During this review we found that OPM program offices generally adhered to the requirements of OPM's C&A guide, and presented the authorizing official with complete and reliable C&A information to facilitate an informed system authorization to operate. However, we discovered that one system on OPM's inventory was placed into production before a C&A was completed, and the prior C&A for three systems has expired and a new C&A has not been completed. In addition, the OIG disagrees with the security categorization of one system whose C&A was conducted in FY 2009. The system was categorized as "Low," but should have been classified as "Moderate" because the system contains personal identity information that could result in serious harm to individuals if it were disclosed.

According to OPM's C&A policy, "all OPM divisions and offices must formally certify and accredit all major and minor applications and general support systems." It is the responsibility of OPM's CIS to ensure that all live/production systems at OPM are subject to a complete C&A every three years, as required by FISMA. The FY 2008 OIG FISMA audit report stated that weaknesses in OPM's C&A process are a significant deficiency in the control structure of the agency's IT security program. We believe that this issue continues to be a significant deficiency in FY 2009.

Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 9)
We recommend that all active systems in OPM's inventory have a complete and current C&A.

CIS Response: "We agree with this recommendation. The IT Security and Privacy group would like to conduct a network assessment to map out the OPM network and identify all systems and account for missing C and A's but we currently lack the resources to perform this task. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We are tracking this effort under CIS POAM FY09-Q1-CIS-9."

Recommendation 17
We recommend that the FIPS Publication 199 security categorization be updated for the inappropriately categorized system.

CIS Response: "We agree with this recommendation. The Center for Information Services (CIS) security team will work with the DSO's to ensure the FIPS 199 reflect the appropriate rating. During the monthly October 2009 Information Technology Security Working Group (ITSWG) meeting, the writer and subject matter expert from NIST provided a briefing on NIST 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories) to the DSO's and CIS. We have created a CIS POA&M item to continue to track our progress (CIS POAM FY09-Q4-CIS-39)."

VII. Agency Privacy Program

The OIG evaluated OPM's privacy program by conducting a qualitative assessment of the agency's privacy impact assessment (PIA) process and its progress in implementing the requirements of privacy-related OMB Memoranda.

a) Privacy Impact Assessments
The E-Government Act of 2002, section 208, requires agencies to conduct privacy impact assessments (PIA) of information systems that process personally identifiable information (PII). OMB Memorandum M-03-22 provides guidance on implementing the privacy provisions of the E-Government Act of 2002, including PIAs. OPM has developed a PIA Guide that outlines the process for conducting a PIA for agency systems.
However, the PIA Guide has not been updated in over three years, and fails to address several requirements of OMB Memorandum M-03-22, including:
• PIAs must identify what choices the agency made regarding an IT system or collection of information as a result of performing the PIA; and
• PIAs for major applications should reflect more extensive analyses of:
  o the consequences of collection and flow of information;
  o the alternatives to collection and handling as designed;
  o the appropriate measures to mitigate risks identified for each alternative; and
  o the rationale for the final design choice or business process.

Although PIAs are only required for systems that collect or maintain information in identifiable form about members of the general public, OMB encourages agencies to conduct PIAs of systems that process sensitive information about government employees and contractors. However, OPM's PIA Guide does not provide guidance for evaluating which, if any, of these additional systems should be subject to a PIA.

The PIA Guide also states that each system owner must review their existing PIA documentation on an annual basis, and submit evidence of the review to CIS by September 1 of each year. However, the OIG has not received evidence that this review has been completed for any OPM systems. In addition, one new system was placed into production in FY 2009 without a PIA signed by the CIO.

Recommendation 18
We recommend that CIS update the PIA Guide to address all of the requirements of OMB Memorandum M-03-22.

CIS Response: "We agree with this recommendation. The privacy group is currently working on a new PIA Guide and a new PIA Template. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-40)."

Recommendation 19
We recommend that CIS conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and contractors.

CIS Response: "We agree with this recommendation. The IT Security and Privacy group would like to conduct a network assessment to identify all PII information present on the OPM network but we currently lack the resources to perform this task. The network assessment would be followed by a request to each office that owns the PII to conduct privacy threshold analysis (PTA). The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-41)."

Recommendation 20
We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide.

CIS Response: "We agree with this recommendation. Conducting and reviewing PIAs require CIO as well as program office resources. Once the new PIA Guide and Template is approved and communicated, we will engage the DSO's so they can update their system privacy documentation. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-42)."

Recommendation 21
We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to CIS.

CIS Response: "We agree with this recommendation. Conducting and reviewing PTAs/PIAs require CIO as well as program office resources. We plan on implementing a Privacy Threshold Analysis (PTA) process as part of our Privacy activities. The PTA is the initial step in determining whether a PIA is necessary and as indicated in NIST 800-122, an essential part of the Certification and Accreditation (C&A) process. The PTA will be reviewed annually or when a change occurs with the system and the document will become an artifact used for reporting purposes. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-43).
The Center for Information Services (CIS) security team has already begun to share the evidence of annual PIA reviews with the Privacy Office to reflect that the DSO's are reviewing their PIA's as part of their FY09 security controls testing."

b) Compliance with privacy-related OMB Memoranda
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, requires all federal agencies to develop and implement a "breach notification policy." The memorandum also outlines the privacy requirements related to the protection of PII, and reemphasizes the security requirements of OMB Memorandum M-06-16, Protection of Sensitive Agency Information. The following sections outline OPM's progress in implementing the requirements of these memoranda:

Implement a Breach Notification Process
OPM's Information Security and Privacy Policy Volume 2 contains limited instructions regarding breach notification procedures. However, the policy references the Incident Response and Reporting Guide, which contains a more detailed explanation of the internal and external entities that must be notified when a security breach occurs.

Review Current Holdings
In 2007, OPM's IT security officer issued a "PII Questionnaire" to the designated security officer for each of the Agency's major systems to determine whether the system contained PII. All new or significantly modified systems must complete an Initial Screening Assessment to determine if a PIA is required. However, as mentioned above, OPM's PIA process does not address all elements required by OMB, and system owners have not annually reviewed their PIAs to reevaluate current holdings of PII.

Reduce the Use of Social Security Numbers
OMB Memorandum M-07-16 required federal agencies to eliminate the use of social security numbers (SSNs) by the end of FY 2009. Although OPM has made progress in reducing the use of SSNs, the agency was unable to meet the timeline requirements of this memorandum.

In September 2009, CIS developed a formal plan to reduce the use of SSNs at OPM. The plan includes elements such as maintaining an inventory of OPM forms and validating the need for SSNs on these forms, working with system owners to scrub existing databases of SSNs, and providing guidance to system developers to mask SSN displays on reports and computer screens. However, the plan does not address participation in government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB Memorandum M-07-16.

Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 12)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-12. However, the OCIO lacks the resources necessary to conduct the detailed analysis needed to review all documentation (laws, policies, OPM forms and other documents) that requires the use of SSNs today. Furthermore, those resources would be needed to establish and maintain the policies and procedures for an effective program."

Recommendation 23
We recommend that OPM participate in government-wide efforts to explore alternatives to agency use of SSNs, as required by OMB Memorandum M-07-16.

CIS Response: "We agree with this recommendation."

Encryption
OMB Memorandum M-07-16 states that all data on mobile computers carrying sensitive data must be encrypted. CIS recently developed a new standard laptop image that utilizes software-based full-disk encryption. We tested a sample laptop with this image and verified that the data on the device was secure. CIS facilitates the purchase of all new laptops at OPM and ensures that an image with encryption capability is installed on each device. However, CIS was unable to provide evidence of how many laptops issued to OPM employees and contractors contain the new image with encryption capabilities.
Recommendation 24 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 13)
We recommend that CIS encrypt all data on all mobile computers containing sensitive information.

CIS Response: "We agree with this recommendation. OPM has implemented mandatory encryption controls on OPM laptops, blackberries, and tape backups. OPM's IT Security and Privacy Policy requires that any sensitive data removed to removable media must be encrypted. WinZip encryption has been provided to all OPM users to protect sensitive data. The encryption policy and guidelines for WinZip are available on the OPM Intranet site and are included in the annual security awareness training. We are tracking this effort under CIS POAM FY09-Q1-CIS-13."

Control Remote Access
OPM has implemented a two-factor authentication requirement for controlling remote access to its information systems. In order to access OPM's internal applications remotely, users must connect to the OPM network through a Virtual Private Network (VPN) connection that requires both a personal identification number and a token number to authenticate.

Time-Out Function
OPM users remotely connected to the network through VPN must re-authenticate after 10 minutes of inactivity.

Log and Verify
In FY 2009, OPM developed a methodology for logging computer-readable data extracts of personally identifiable information (PII). The agency uses Team Track software to track PII downloads and send an automatic notice to users 90 days after PII has been downloaded. When users receive this notification, they must either confirm PII data destruction or explain why the data has not been destroyed.

Incident Reporting and Handling Requirements
See section IX, Incident Reporting.

Rules and Consequences
OPM's IT Security and Privacy Policy Volume 2 outlines the consequences of violating OPM policies and procedures. The policy also outlines the penalties related to violations of the Privacy Act of 1974.

The recommendations outlined in this section indicate that OPM has not fully met the requirements of OMB Memoranda dating back to 2003. In addition, OPM's privacy group is currently undergoing an organizational realignment, and there is no permanent Privacy Program Manager in place. These conditions lead us to believe that there is a significant deficiency in OPM's management of its privacy program.

VIII. Configuration Management

This section details the controls OPM has in place regarding the technical configuration management of its major applications and user workstations.

a) Agency-wide security configuration policy
OPM has developed an agency-wide Security Configuration and Hardening Policy. This policy establishes standards for baseline configuration of the various operating platforms used by the agency and references build sheets for each platform that provide specific technical configuration guidance. OPM has also developed policies related to mainframe configuration integrity, configuration change control management, patch management, and system monitoring. However, the Security Configuration and Hardening Policy has not been updated since November 2004, and the patch management and system monitoring policies have not been updated since August 2005. See section XII, IT Security Policies and Procedures.

Recommendation 25
We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy, Patch Management Policy, and System Monitoring Policy.

CIS Response: "We agree with this recommendation. Some progress has been made in these procedures but currently the IT security group lacks the resources necessary to finalize and maintain these procedures. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created CIS POA&Ms for each policy to track our progress (CIS POAM FY09-Q4-CIS-44, FY09-Q4-CIS-45, FY09-Q4-CIS-46)."
b) Techniques for monitoring compliance with policy
[Redacted in the public copy] to routinely run configuration [redacted]. [Redacted] also uses [redacted] compliance, which [redacted].

c) Federal Desktop Core Configuration
OPM has developed a Windows XP image that is generally compliant with Federal Desktop Core Configuration (FDCC) standards. There are eight settings in this image that do not meet FDCC compliance; OPM has documented justification for these deviations. We conducted a test to verify that OPM's FDCC [redacted] is compliant with FDCC settings. OPM has implemented its FDCC [redacted] on a test workstation in its LAN/WAN environment. We evaluated this workstation's compliance with [redacted]; the scan results indicate that all settings on this workstation are FDCC compliant.

However, as of September 30, 2009, OPM's FDCC compliant image has not been implemented on any production workstations, and OPM has not documented and justified FDCC deviations for the standard image that is currently implemented on OPM workstations. In addition, updated language from 48 CFR Part 39, Acquisition of Information Technology, has not been included in all contracts related to common security settings.

Recommendation 26 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 16)
We recommend that OPM implement FDCC compliant images on all OPM workstations.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-16."

Recommendation 27
We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings.

CIS Response: "We agree with this recommendation. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-47)."

d) Follow-up on FY 2008 OIG Recommendation
In the FY 2008 FISMA audit report, we recommended that in the event that [redacted] cannot be remediated due to a technical or business reason, the system's owner should document the reason in the system's ISSP and formally accept any associated risks. In FY 2009, there remains one [redacted] without a formally documented risk acceptance.

Recommendation 28 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 15)
We recommend that in the event that an [redacted] vulnerability cannot be remediated due to a technical or business reason, the system's owner should document the reason in the system's ISSP and formally accept any associated risks.

CIS Response: "We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-15."

IX. Incident Reporting

OPM has developed an "Incident Response and Reporting Policy" that outlines the responsibilities of OPM's Computer Incident Response Team (CIRT) and documents procedures for reporting all IT security events to the appropriate entities. We evaluated the degree to which OPM is following internal procedures and FISMA requirements for reporting security incidents internally, to the United States Computer Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities.

a) Identifying and reporting incidents internally
OPM's Incident Response and Reporting Policy requires the users of the agency's IT resources to immediately notify OPM's situation room when IT security incidents occur. During the past year, OPM has provided its employees with various forms of training related to the procedures to follow in the event sensitive data is lost. In addition, OPM reiterates the information provided in the Incident Response and Reporting Policy in the annual IT security and privacy awareness training. OPM also notifies the OIG when security incidents occur by providing OIG investigators with a monthly report that tracks the security tickets related to the loss of sensitive data.

b) Reporting incidents to US-CERT
OPM's Incident Response and Reporting policy states that OPM's CIRT is responsible for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT within one hour of a reportable security incident occurrence.
Notification and ongoing correspondence with US-CERT is tracked through "security tickets" maintained by OPM's help desk.

c) Reporting incidents to law enforcement

The Incident Response and Reporting Policy states that security incidents should also be reported to law enforcement authorities, where appropriate. Nothing came to the OIG's attention to indicate that this policy is not being followed.

X. Security Awareness Training

CIS has implemented a process to provide annual IT security and privacy awareness training to all OPM employees and contractors. The training is conducted through an interactive web-based course. The course introduces employees and contractors to the basic concepts of IT security and privacy, including topics such as the importance of information security, security threats and vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software, and the roles and responsibilities of users. Over 99 percent of OPM's employees and contractors completed the security awareness training course in FY 2009. In addition, 99 percent of OPM employees and contractors with IT security-related responsibility completed specialized IT security training in FY 2009.

XI. E-authentication Risk Assessments

OMB Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies," states that it "applies to remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government)" and requires agencies to conduct an e-Authentication risk assessment of these systems. OPM's system inventory identifies 10 systems that CIS believes are subject to e-Authentication requirements. However, we believe that there are at least five additional systems at OPM that are subject to e-Authentication requirements.
Recommendation 29

We recommend that CIS determine which systems in its inventory are subject to e-Authentication requirements and complete e-Authentication risk assessments for each of these systems.

CIS Response: "We agree with this recommendation. After meeting with your office on August 24, 2009, the Center for Information Services (CIS) security team sent correspondence to the perspective DSO's that currently do not have an e-Authentication risk assessment but should have one. We are tracking this effort under CIS POAM FY09-Q1-CIS-48."

XII. IT Security Policies and Procedures

OPM's failure to adequately update its IT security policies and procedures has been highlighted in the past three OIG FISMA audit reports and has been identified as a material weakness in the IT security program in the FY 2007 and FY 2008 reports. In FY 2009, OPM published a new Certification and Accreditation Guide and an Information Security and Privacy Policy and deleted the majority of the outdated information from the agency's internal website (THEO). However, the policies deleted from THEO have not been replaced with current guidance on managing IT security at OPM.

Volume 2 of the Information Security and Privacy Policy was posted to THEO in August 2009. This policy outlines the IT security controls that should be in place for the major applications owned by the agency. However, the majority of the text in this policy is derived or copied directly from NIST SP 800-53 and has not been tailored to specifically address OPM's IT environment. Although this policy assigns responsibility for the management of various controls, it does not provide guidance on how these controls should be implemented and monitored.

OPM's DSO community has repeatedly voiced concern (directly to the OIG and to CIS at monthly IT security working group meetings) that the lack of detailed IT security policies and procedures has negatively impacted their ability to secure the information systems they manage.
The absence of the following policies, procedures, or guidance has directly led to OIG audit findings in FY 2009 (this is not intended to be a comprehensive list of missing policies at OPM):

• Procedures for DSOs to manage POA&Ms for agency systems;
• Procedures for CIS to review quarterly POA&Ms and report POA&M status to OMB;
• Guidance for developing contingency plans, procedures for routinely conducting contingency plan tests, and templates for reporting test results;
• Procedures for annually testing IT security controls and templates for recording test results;
• Policy and procedures related to oversight of systems operated by a contractor;
• Policy related to roles and responsibilities for the Independent Verification and Validation (IV&V) process and procedures for managing an IV&V; and
• Guidance for establishing agreements for interfacing systems.

In addition to the missing policies, the following OPM policies have not been updated in the past 3 years:

• Privacy Impact Assessment Guide (updated May 2006);
• Security Configuration and Hardening Policy (updated November 2004);
• Patch Management Policy (updated August 2005); and
• System Monitoring Policy (updated August 2005).

Although OPM has taken several steps to improve and update the agency's IT policies, we will continue to consider this condition a material weakness until adequate policies exist for all aspects of IT security program management at OPM. See section I, Information Security Governance.

Recommendation 30 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 19)

We recommend that CIS develop up-to-date and comprehensive IT security policies and procedures, and publish these documents to THEO.

CIS Response: "We agree with this recommendation. With limited resources there was some progress made over the last 12 months in the creation of policies and procedures.
However, the IT security group lacks the resources necessary to establish and maintain the IT security policies and procedures needed for an effective IT Security and Privacy program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. This effort is being tracked under CIS POAM FY09-Q1-CIS-19."

Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• Group Chief
• Auditor-in-Charge
• Information Technology Auditor
• Information Technology Auditor
• Information Technology Auditor

Appendix I

Follow-up of Prior OIG FISMA Audit Recommendations

Report 4A-OD-00-05-013: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Enterprise Human Resources Integration (EHRI) Data Warehouse, issued May 9, 2005.

Rec# 3: We recommend that the Office of e-Government Initiatives (e-Gov) implement independent organization segments for the development and migration of system programming changes to EHRI. [Current Status: CLOSED]

Report 4A-IS-00-05-026: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Electronic Questionnaire for Investigations Processing System (EQIP), issued June 16, 2005.

Rec# 6: We recommend that each existing EQIP user (administrators, operators, and developers) sign a rules of behavior document. The signed documents should be maintained by the system DSO. [Current Status: CLOSED]

Rec# 18: We recommend that the Federal Investigative Services Division (FISD) verify that only authorized users have access to EQIP and maintain authorization forms for users, including administrators, operators, and developers. [Current Status: OPEN. FISD is currently updating OPM form 1665 to address this recommendation.]

Report 4A-IS-00-06-021: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Fingerprint Transaction System (FTS), issued August 29, 2006.

Rec# 4: We recommend that FISD document and maintain on file authorizations that specify the authorized privileges for each FTS user. In addition, we recommend that FISD periodically verify that only authorized users have access to FTS by reviewing user authorization forms and comparing them to access lists. [Current Status: CLOSED]

Rec# 7: We recommend that FISD update the FTS contingency plan to fully document the following information: contact information, recovery goals/objectives, recovery procedures, original or new site restoration procedures, concurrent processing procedures, and responsible teams. [Current Status: CLOSED]

Report 4A-RI-00-08-023: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Employee Benefits Information System (EBIS), issued April 10, 2008.

Rec# 1: We recommend that the Center for Human Capital Management Services (HCMS) develop a formal business impact analysis to determine the effect that EBIS system outages would have on HCMS, GRB, and EBIS users. [Current Status: CLOSED]

Rec# 2: The EBIS contingency plan should be improved to include the appropriate elements outlined in NIST SP 800-34, as determined by the results of the business impact analysis. [Current Status: CLOSED]

Report 4A-WR-00-08-024: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Central Personnel Data File (CPDF), issued April 17, 2008.
Rec# 1: We recommend that the Strategic Human Resources Policy Division update its Business Contingency Plan to include all elements required by NIST SP 800-34. This should include detailed recovery procedures sufficient to test the restoration of all CPDF processes. [Current Status: CLOSED]

Report 4A-HR-00-08-058: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's USAJOBS System, issued September 5, 2008.

Rec# 1: We recommend that the Human Resources Products and Services Division (HRPS) and Monster World Wide (MWW) update, review, and test its contingency plan on an annual basis. [Current Status: CLOSED]

Rec# 2: We recommend that HRPS/MWW develop formal procedures for media sanitization and disposal in accordance with NIST SP 800-53 Revision 1 control MP-6. [Current Status: CLOSED]

Rec# 3: We recommend that HRPS update the most current POA&M template to identify and prioritize all security weaknesses identified for USAJOBS. [Current Status: CLOSED]

Report 4A-MO-00-08-059: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Executive Schedule C System (ESCS), issued September 8, 2008.

Rec# [illegible]: We recommend that the Human Capital Merit System Accountability Division (HCLMSA) update the ESCS contingency plan to include the elements [remainder illegible in source]. [Current Status: CLOSED]

Rec# 4: [Preceding text illegible in source] update the POA&M to include the weaknesses outlined in this audit report, and continue to update the POA&M with any additional weaknesses discovered by the program office or an outside party conducting a security review of the [remainder illegible in source]. [Current Status: CLOSED]

Report 4A-CI-00-08-022: FY 2008 Federal Information Security Management Act Audit, issued September 23, 2008.

Rec# 1: We recommend that OPM ensure that an annual test of security controls has been completed for all systems. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 6]

Rec# 2: We recommend that OPM's program offices test the contingency plans for each system on an annual basis. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 9]

Rec# 3: We recommend that OPM update its system inventory to clearly identify the state of the system (active, suspended, development, etc). [Current Status: CLOSED]

Rec# 4: We recommend that the program offices incorporate all known security weaknesses into the POA&Ms. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 12]

Rec# 5: We recommend that an up-to-date POA&M exist for each system in OPM's inventory. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 13]

Rec# 6: We recommend that all program offices submit POA&Ms to the CIS/CIO office on a quarterly basis. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 13]

Rec# 7: We recommend that the CIS/CIO require each program office to provide evidence (proof of closure) that POA&M weaknesses have been resolved before allowing that item to be labeled "complete." [Current Status: CLOSED]

Rec# 8: We recommend that all OIG recommendations be included on POA&Ms and they not be removed until evidence of proof of closure is provided to the CIS/CIO. [Current Status: CLOSED]

Rec# 9: We recommend that CIS take the appropriate steps to ensure that all active systems in OPM's inventory have a complete and current C&A. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 16]

Rec# 10: We recommend that all elements required by FISMA and relevant NIST guidance be in place before a system is formally C&A'd. [Current Status: CLOSED]

Rec# 11: We recommend that OPM issue its "Information Security and Privacy Policy" to all agency employees and post a copy to the agency's internal website. [Current Status: CLOSED]

Rec# 12: We recommend that OPM continue its efforts to reduce the use of SSNs and develop a formal plan to eliminate the unnecessary collection and use of SSNs within 18 months in accordance with OMB Memorandum M-07-16. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 22]

Rec# 13: We recommend that OPM continue its efforts to implement a solution to automatically encrypt all data on mobile computers/devices carrying agency data unless the data is determined not to be sensitive. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 24]

Rec# 14: We recommend that OPM continue its efforts to develop a methodology for logging computer-readable data extracts to determine whether sensitive data has been erased after 90 days. [Current Status: CLOSED]

Rec# 15: We recommend that OPM configure _ in a manner consistent with OPM's Configuration Policy. Each of the vulnerabilities outlined in the OIG's audit inquiry should be formally documented, itemized, and prioritized in a POA&M. In the event that a vulnerability cannot be remediated due to a technical or business reason, the supported system's owner should document the reason in the system's ISSP to formally accept any associated risks. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 28]

Rec# 16: We recommend that OPM continue its efforts to implement all required elements of the FDCC. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 2[illegible]]

Rec# 17: We recommend that OPM continue its efforts to ensure that all federal employees and contractors with access to OPM's IT resources complete IT security and privacy awareness training on an annual basis. [Current Status: CLOSED]

Rec# 18: We recommend that e-authentication risk assessments be completed for the required systems in accordance with OMB Memorandum M-04-04. [Current Status: CLOSED]

Rec# 19: We recommend that CIS promptly update OPM's IT security policies and publish them to THEO. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 30]

Report 4A-CI-00-09-053: Flash Audit Alert - Information Technology Security Program at the U.S. Office of Personnel Management, issued May 27, 2009.

Rec# 1: We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status of OPM's IT security position as of March 1, 2009. [Current Status: CLOSED]
Rec# 2: We recommend that CIS develop a comprehensive set of IT security policies and procedures, and a plan for updating it at least annually. [Current Status: OPEN. Rolled forward as 4A-CI-00-09-031 Recommendation 30]

Rec# 3: We recommend that the OPM Director ensure that CIS has adequate resources to properly staff its IT Security and Privacy Group. [Current Status: OPEN]

Rec# 4: We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible and adequate staff to effectively manage the agency's IT security program. [Current Status: OPEN. OPM hired an ITSO, but the organization of the ITSO's staff has not been finalized.]

Appendix II

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
[Date illegible in source], 2009

The U.S. OPM Office of Inspector General (OIG) released a Flash Audit Alert dated May 27, 2009, which outlined several recommendations regarding the OPM IT Security Program. These recommendations are noted below along with our response.

Recommendation 1: We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status of OPM's IT security position as of March 1, 2009. This would include reporting that the [system name illegible in source] and the EHRI Data Warehouse systems both have weaknesses more than 120 days overdue, and changing the metrics on the entire report from the number of overdue weaknesses to the number of systems with overdue weaknesses.

Response: The Center for Information Services (CIS) security team acted on the best information they had at the time in closing [system name illegible in source] and EHRI Data Warehouse weaknesses. In response to the concern raised by OIG staff that 21 were closed inappropriately (out of a total of 268 total program weaknesses), CIS [illegible] the OIG's rationale for why the 21 should remain open (guidance on this is not [illegible]) and agreed to reopen them. They have been reopened with the original completion date. OIG was advised of this action prior to the Alert Report.
We agree with the recommendation that OPM report the number of systems with weaknesses more than 120 days overdue, instead of the number [illegible]. This was a mistake in our understanding of the reporting [illegible]. It should be noted that this mistake made the OPM metrics look worse than they really were, so we are most willing to make this change. As soon as we confirmed the OIG's position was correct, we made the change, in time for the 3rd quarter FISMA report. OIG was notified of the correction prior to the Alert Report. The second quarter report has also been updated and sent to OMB. We consider this recommendation to be closed.

Recommendation 2: We recommend that CIS develop a comprehensive set of IT security policies and procedures, and a plan for updating them at least annually.

Response: We agree with this recommendation and have been working for many months to complete needed updates. Work began as soon as funding was provided. Many policies and procedures have already been revised, with the remainder targeted for completion by 8/31/09. We have kept OIG apprised of our efforts to complete this work.

Recommendation 3: We recommend that the OPM Director ensure that CIS has adequate resources to properly staff its IT Security and Privacy Group.

Response: We agree with this recommendation. As we discussed with OIG staff on numerous occasions, CIS has been working with HR for more than a year to reorganize and elevate the IT security function, to upgrade the level of the IT security officer from a GS-14 to a GS-15, and to add staff. A new organizational alignment, grade structure and resources for the IT Security and Privacy Group were approved on March 4, 2009. Under this new structure, the IT security staff will grow from 3 to 6.
We consider this recommendation to be closed.

Recommendation 4: We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible, and adequate staff to effectively manage the agency's IT security program.

Response: We agree with this recommendation. Recruiting has been in progress since the reorganization was approved. We have made a couple of offers to fill the GS-15 and GS-14 positions, which were declined. We have identified another excellent candidate for the GS-15 position. We are currently in the process of getting Chief of Staff approval to extend an offer. We are targeting a report date in August.

As you can see, all of the OIG issues with our security program noted in the Alert Report have either been completed or are well on their way to completion. With the exception of the selection of the ITSO, which is a very recent decision, we have attempted to keep OIG staff apprised of our status on these issues. Their recommendations were seriously considered, reviewed and acted upon as appropriate.

Appendix III

October 20, 2009
Report No. 4A-CI-00-09-031

MEMORANDUM FOR LEWIS F. PARKER, Jr.
Chief, Information Systems Audit Group

FROM: [name redacted] Information Officer

SUBJECT: Federal Information Security Management Act Audit - FY 2009

Attached you will find our responses to the draft Federal Information Security Management Act audit report. The protection of the Office of Personnel Management (OPM) network and resources is critical to the success of the OPM mission. All OPM Components rely extensively on information technology (IT) assets and the OPM network to achieve mission objectives. For that reason, we thank you and agree with the recommendations provided in the draft report identifying areas for improvement within the OPM IT security and privacy program.
The Office of the Chief Information Officer (OCIO) is committed to ensuring an effective IT security and privacy program. Please note that we have created CIO POA&M entries for these findings and will develop a plan to mitigate these as additional resources become available. If you have any questions regarding the responses in this report, please don't hesitate to contact me or _ (ITSO). We look forward to continuing to work together to improve the IT security program at OPM.

Attachment

cc: Director, External Affairs; Chief Financial Officer; Policy and Internal Control Group; [redacted]; Executive Secretariat

Current Status of Flash Audit Alert Recommendation 1

We verified that CIS corrected and submitted the FY 2009 second quarter FISMA report. We also verified that the FY 2009 third quarter FISMA report accurately represented the status of OPM's security program at that time.

CIS Reply 10/20/09: The Center for Information Services (CIS) security team will continue to ensure the quarterly FISMA reports reflect correct and accurate information for OPM's security program.

Current Status of Flash Audit Alert Recommendation 2

OPM's IT security policies and procedures continue to lack adequate current guidance on managing IT security at the agency. See section XII of this report for details.

CIS Reply 10/20/09: Please refer to section XII for our response to Recommendation 30 regarding the IT security policies and procedures.

Current Status of Flash Audit Alert Recommendation 3

We continue to believe that CIS lacks the resources needed to manage an adequate IT security program. Eleven of the nineteen audit recommendations issued in the FY 2008 FISMA audit report have been rolled forward into this FY 2009 FISMA report, indicating that CIS does not have the resources needed to remediate identified security weaknesses.

CIS Reply 10/20/09: We agree with this recommendation.
Currently the IT security group lacks the resources necessary to establish and maintain an effective security and privacy program. The new SAISO (referred to as the ITSO) that was hired in September 2009 has identified resources needed and his recommendations are under review with senior management. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-27).

Current Status of Flash Audit Alert Recommendation 4

CIS hired a permanent SAISO (referred to as the ITSO) in September 2009. However, the agency operated with an acting ITSO for over 11 months of FY 2009. In addition, the organization of the staff reporting to the ITSO has not been finalized. On a potentially positive note, the OPM Director has recently appointed a new Acting Chief Information Officer, who has developed preliminary plans to expand and improve OPM's IT security program. We will re-evaluate these developments during the FY 2010 FISMA audit.

CIS Reply 10/20/09: We agree with this recommendation. Currently the IT security group lacks the resources and the organizational structure necessary to establish and maintain an effective security and privacy program. The new SAISO (referred to as the ITSO) that was hired in September 2009 has developed an organizational chart, roles and responsibilities and resources needed. His recommendations are under review with senior management. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. As referenced in Flash Audit Alert Recommendation 3, we have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-27) regarding resources.
Recommendation 1

We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited.

CIS Reply 10/20/09: We agree with this recommendation. The IT Security and Privacy group will conduct a network assessment to map out the OPM network and identify all missing systems and created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-28).

Recommendation 2

We recommend that CIS develop and maintain an inventory of all system interfaces.

CIS Reply 10/20/09: We agree with this recommendation. The IT Security and Privacy team will include system interface information on the OPM FISMA Master System Inventory going forward. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-29). Please note, as stated in response to IG Information Request #24, system interface information is included within each System Security Plan for each system currently on the OPM FISMA Master System Inventory.

Recommendation 3

We recommend that CIS develop a policy providing guidance on the development and appropriate use of MOUs and ISAs.

CIS Reply 10/20/09: We agree with this recommendation. Currently the IT Security and Privacy group lacks the resources necessary to establish and maintain an effective security and privacy program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-30).

Recommendation 4

We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM.

CIS Reply 10/10/09: We agree with this recommendation.
We have made some progress with this task (please refer to IG Information Request #24) but we lack the resources to conduct a complete network assessment to map out the OPM network and identify all systems. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-31).

Recommendation 5

We recommend that CIS develop a policy for adequately testing the security controls of OPM's systems, and provide training to the Designated Security Officer (DSO) community related to proper security control testing.

CIS Reply 10/10/09: We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain these policies and training program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-32).

Recommendation 6 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 1)

We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

CIS Reply 10/10/09: We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-1.

Recommendation 7

We recommend that OPM develop detailed guidance related to developing and testing the contingency plans of agency systems, and provide training to the DSO community related to proper contingency planning and contingency plan testing.

CIS Reply 10/10/09: We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain these policies and training program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-33).
Recommendation 8

We recommend that up-to-date contingency plans be developed for all agency systems.

CIS Reply 10/10/09: We agree with this recommendation. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-34).

Recommendation 9 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 2)

We recommend that OPM's program offices test the contingency plans for each system on an annual basis.

CIS Reply 10/20/09: We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-2.

Recommendation 10

We recommend that OPM develop a policy providing guidance on providing adequate oversight of contractor-operated systems.

CIS Reply 10/20/09: We agree with this recommendation. Currently the IT security group lacks the resources necessary to establish and maintain these policies and provide the oversight needed. The Office of the Chief Information Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-35).

Recommendation 11

We recommend that CIS publish the Plan of Action and Milestone Standard Operating Procedure to THEO.

CIS Reply 10/20/09: We agree with this recommendation. We have created a CIS POA&M item to document the completion of this recommendation (CIS POAM FY09-Q4-CIS-36). The POA&M Guide has been published as of September 2009 on THEO: http://theo.opm.gov/policies/ISPP/FINAL POAM Process SOP 093009.pdf

Recommendation 12 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 4)

We recommend that OPM program offices incorporate all known IT security weaknesses into POA&Ms.

CIS Reply 10/20/09: We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-4. Since the POA&M SOP was just recently published on THEO, we will continue to assist program offices through this process.
Recommendation 13 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendations 5 and 6)

We recommend that an up-to-date POA&M exist for each system in OPM's inventory, and that system owners submit updated POA&Ms to CIS on a quarterly basis.

CIS Reply 10/20/09: We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Q1-CIS-5 and CIS POAM FY09-Q1-CIS-6. The POA&M SOP has been published as of September 2009, which provides guidance to DSO's regarding POA&M submission. Please note that since OMB did not require any POA&M submissions for FY09 quarter 4, CIS did not continue to follow up with program offices to ensure submissions were provided to CIS for FY09 quarter 4.

Recommendation 14

We recommend that CIS provide guidance to program offices to evaluate the resources and time requirements needed to remediate security weaknesses so that reasonable remediation due dates are established for all POA&M items.

CIS Reply 10/20/09: We agree with this recommendation. The POA&M SOP has been published as of September 2009, which provides guidance to DSO's regarding POA&M management. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-37) on supplemental guidance to the DSO's.

Recommendation 15

We recommend that each program office prioritize the system weaknesses listed on their POA&Ms.

CIS Reply 10/20/09: We agree with this recommendation. The POA&M SOP has been published as of September 2009, which provides guidance to DSO's regarding prioritizing weaknesses. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-38) on supplemental guidance to the DSO's.

Recommendation 16 (Roll-Forward from OIG Report 4A-CI-00-08-022 Recommendation 9)

We recommend that all active systems in OPM's inventory have a complete and current C&A.

CIS Reply 10/20/09: We agree with this recommendation.
The IT Security and Privacy group would like to conduct a network assessment to map out the OPM network and identify all systems and accountfor missing C and A's but we currently lack the resources to perform this task. The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources needed for the IT Security and Privacy program. We are tracking this effort under CIS POAM FY09-Q1 CIS-9. Recommendation 17 We recommend that the FIPS Publication 199 security categorization be updated for the inappropriately categorized system. CIS Replv 10120109 We agree with this recommendation. The Center for In/ormation Services (CIS) security leam will work with the DSO's to ensure the FIPS 199 reflect the appropriate rating. During the monthly October 2009 Information Technology Security Working Group (1TSWG) meeting, the writer and subject matter expert from NIST provided a briefing on N1ST 800-60 (Guide for Mapping Types ofInformation and Information Systems to Security Categories) to the DSO's and CIS. We have created a CIS POA&M item to continue to track our progress (CIS POAM FY09-Q4-CIS-39). Recommendation 18 We recommend that CIS update the PIA Guide to address all of the requirements ofOMB Memorandum M-03-22. CIS Replv 10120109 We agree with this recommendation. The privacy group is currently working on a new PIA Guide and a new PIA Template. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-40). Recommendation 19 We recommend that CIS conduct a new PIA survey to determine which OPM systems require a PIA, including those systems that process sensitive information about government employees and eontractors. CIS Replv 10120109 We agree with this recommendation. The IT Security and Privacy group would like to conduct a network assessment to identify all PII information present on the OPM network but we currently lack the resources to perform this task. 
The network assessment would be followed by a request to each offue that owns the PII to conduct privacy threshold analysis (PTA). The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources neededfor the IT Security and Privacy program. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-41). Recommendation 20 We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide. CIS Reply 10120/09 We agree with this recommendation. Conducting and reviewing PIAs require CI0 as well as program office resources. Once the new PIA Guide and Template is approved and communicated, we will engage the DSO's so they can update their system privacy documentation. We have created a CIS POA&M item to track our progress (CIS POAM FY09-Q4-CIS-42). Recommendation 21 We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PH, and that they submit evidence of the review to CIS. CIS Replv 10120/09 We agree with this recommendation. Conducting and reviewing PTAslPIAs require CIO as well as program office resources. We plan on implementing a Privacy Threshold Analysis (PTA) process as part ofour Privacy activities. The PTA is the initial step in determining whether a PIA is necessary and as indicated in NIST-SOO-122, an essential part ofthe Certification and Accreditation (C&A) process. The PTA will be reviewed annually or when a change occurs with the system and the document will become an artifact used for reporting purposes. We have created a CIS POA&M item to track ourprogress (CIS POAM FY09-Q4 CIS-43). The Center for Information Services (CIS) security team has already began to share the evidence ofannual PIA reviews with the Privacy Office to reflect that the DSO's are reviewing their PIA's as part oftheir FY09 security controls testing. 
Recommendation 22 (Roll-Forward from OIG Report 4A-CI-00-OS-022 Recommendation 12) We recommend that OPM continue its efforts to eliminate the unnecessary use ofSSNs accordance with OMB Memorandum M-07 -16. CIS Reply 10120109 We agree with this recommendation. We are tracking this effort under CIS POAM FY09-Ql CIS-l2. However, the OCIO lacks the resources necessary to conduct the detailed analysis needed to review all documentation (laws, policies, OPMforms and other documents) that requires the use ofSSNs today. Furthermore, those resources would be needed to establish and maintain the policies and procedures for an effective program. Recommendation 23 We recommend that OPM participate in government-wide efforts to explore altematives to agency use ofSSNs, as required by OMB Memorandum M-07-16. CIS Reply 10/20/09 We agree with this recommendation.. Recommendation 24 (Roll-Forward from OIG Report 4A-CI-00-OS-022 Recommendation 13) We recommend that CIS encrypt all data on all mobile computers containing sensitive information. CIS Replv 10120109 We agree with this recommendation. OPM has implemented mandatory encryption controls on OPM laptops, blackberries, and tape backups. OPM's IT Security and Privacy Policy requires that any sensitive data be removed to removable media must be encrypted. WinZip encryption has been provided to all OPM users to protect sensitive data. The encryption policy and guidelines for WinZip are available on the OPM intranet site and are included in the annual security awareness training. We are tracking this effort under CIS POAM FY09-Ql CIS-13. Reeommendation 25 We recommend that OPM develop an up-to-date Security Configuration and Hardening Policy, Patch Management Policy, and System Monitoring Policy. CIS Reply 10/20109 We agree with this recommendation. Some progress has been made in these procedures but currently the IT security group lacks the resources necessary to finalize and maintain these procedures. 
The Office ofthe ChiefInformation Officer (OCIO) is working on acquiring resources neededfor the IT Security and Privacy program. We have created CIS POA&111s for each policy to track our progress (CIS POAM FY09-Q4-CIS-44, FY09-Q4-CIS-45, FY09 Q4-CIS-46). Recommendatioll 26 tRoll-Forward from OIG Report 4A.-CI-OO-08..Q21 ReMmmendnfit>n J6~ We recommend that OPM implcmcllt FDCC compliant images on all OPM workstations. CIS Replv 10110109 We agree with 'his recommendation. We are tracking fhi.f; effort under CIS POAM FY09~Ql CIS-16. Recommendation 27 We recommend that OPM incorporate Federal Acquisition Regulation 2007-004 Janguage in aU contracts related to common security settings, CIS Reple 10110109 We agree with this recommem/ution. We have created a as POA&M item to track mu progress (CIS POAM FY09-Q4-CIS-47). Recommendation 28 (Roll-Forward from DIG Report 4A-CJ-OO-OB-022 Recommendation 15) We recommend that in the event that cannot be remediated due to a te<:hnical or business reason, the sys"e,n', owner should doculnen' the reason in the system's lSSP and fomlally accept any associated risks. CIS lIeP/y 10110109 We agree with Ihis recommendation. We are tracking this effort under CIS POA.M FY09-Ql ClS-l5. Recommelldation 29 We recommend that CIS detcmllne which systems in its inventory are subject to e Atlthelltication requirements and complete e-Autl}entication risk assessments for each of these systems, CIS Reply 10110109 We agree with this recommendation. After meeting with your office on August 24, 2009, the Centerfor Information Service... (CIS) security team sent correspondenu to the perspective ])SO'!j' that currently do not have an e-Authentication risk assessment but should have one. We are tracking this effort under CIS POAM FY09-QI-CIS-/8. 
Recommendation 30 (Roll-Forwgrd from OIG Report 4A-CI-OO-OB-022 Recommendation 19) We recommend that CIS develop up-to-date and comprehensive IT security policies and procedures, and publish these documents to THEO, CIS Reply 10120109 We agree wilh Ihis recommenflation. With IimiJed resources there was some progre1'.f; mllde over the last 12 months in the creation a/policies amI procedures. However, the IT security group lacks the u ..\'ources necessary to establish and /nailltain the IT security policies Dud procedures "teded/or an effective IT Security and PtilJocy program. The Office of the Chief Information Officer (OCIO) is working on acquiring resources neededfor the IT Security and Privacy program. This effort is being tracked under CIS POAM FY09-QI-CIS-I9.
Federal Information Security Management Act Audit FY 2009
Published by the Office of Personnel Management, Office of Inspector General on 2009-11-05.