Flash Audit Alert -Information Technology Security Program at the U.S. Office of Personnel Management

Published by the Office of Personnel Management, Office of Inspector General on 2009-05-27.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415



Office of the Inspector General

May 27, 2009

Report No. 4A-CI-OO-09-053

MEMORANDUM FOR JOHN BERRY

FROM: PATRICK E. McFARLAND
      Inspector General

SUBJECT: Flash Audit Alert - Information Technology Security Program at the U.S. Office of Personnel Management

Synopsis

The Office of the Inspector General (OIG) at the U.S. Office of Personnel Management (OPM) is issuing this flash audit alert to bring to your immediate attention serious concerns that we have with OPM's information technology (IT) security program. Specifically:
• OPM's Center for Information Services (CIS) misrepresented the status of the agency's IT security program in the FY 2009 second quarter Federal Information Security Management Act (FISMA) report issued to the U.S. Office of Management and Budget (OMB).
• OPM's IT security policies and procedures continue to remain severely outdated.
• OPM's IT security program is understaffed, and the agency has operated without a permanent IT security officer (ITSO) for over 14 months. In addition, several individuals within the IT security program do not have adequate independence from other OPM program offices.

The impact of these concerns is two-fold. First, misrepresenting the status of any component of OPM's IT security structure could result in the loss of integrity and confidence in OPM's overall IT security program. Secondly, without current IT security policies and procedures, as well as a dedicated and experienced ITSO and support staff, OPM's IT security program will become ineffective, thereby compromising the confidentiality, integrity, and/or availability of information being processed, stored, or transmitted by OPM's major applications and systems. We believe that this misrepresentation of the security status exemplifies the risk of operating an IT security program with outdated controls and without a permanent ITSO for an extended period of time.

We discussed these issues with OPM's Chief Information Officer (CIO) and senior managers in the CIS program office, and considered their comments in the preparation of this report. In order to verify that the audit concerns are addressed in a timely manner, we ask that CIS respond directly to the OIG within 60 days of the date of this report advising us of any progress made in implementing the audit recommendations.

If we can be of assistance during the program office review of this report, the staff should contact Michael Esser, Assistant Inspector General for Audits, on _ . Please call if I can be of further assistance to you.

www.opm.gov    www.usajobs.gov

Executive Summary

Our review of OPM's quarterly FISMA report for the second quarter of 2009 resulted in serious concerns. This led to an in-depth audit of the FISMA reporting process and other areas related to OPM's IT security program. As a result of this audit, we noted several critical issues related to the FISMA quarterly reporting process, IT security policy, and the overall management of OPM's IT security program.

OMB requires agencies to submit quarterly status reports on their plan of action and milestones (POA&M) process, IT security performance measures, privacy, and the criteria for "maintaining green" on the E-Gov portion of the President's Management Agenda scorecard. OPM's FY 2009 second quarter report was submitted to OMB on March 1, 2009. Our audit of this report showed that it significantly misrepresented OPM's IT security status regarding the POA&M process. In addition, OPM's IT security program continues to operate with outdated policies and procedures and without a permanent ITSO.

This flash audit alert details the issues that were detected and recommendations for improvement. In summary:
• Two major applications owned by the Human Resources Line of Business (HRLOB) program office were migrated to a new hosting provider in July 2008, which required out-of-cycle certification and accreditation (C&A) of both systems. These systems are the Electronic Official Personnel Folder (eOPF) and the Enterprise Human Resources Integration (EHRI) Data Warehouse.
    o HRLOB believed that some of the overdue POA&M items for both systems should be closed because they were no longer relevant post-migration, and were working with CIS representatives to this end.
    o The program office submitted its FY 2009 second quarter POA&M reports for both systems to CIS on January 27, 2009. The reports continued to itemize all existing weaknesses, including 48 that were more than 120 days overdue. CIS contractors, however, unilaterally and without discussing the approach with the program office, closed all POA&M items and used the POA&M reports that were created during the certification and accreditation process for both systems as supporting documentation for the FY 2009 second quarter FISMA report to OMB.
• On the FY 2009 second quarter FISMA report to OMB, CIS inappropriately reported the number of POA&M weaknesses with overdue corrective action rather than the number of systems where corrective action has been delayed (as required by OMB).







• OPM's IT security policies and procedures continue to remain severely outdated, as many have not been updated at all in at least three to six years. The OIG has reported this issue to the OPM Director for the past three years, and labeled it as a material weakness in the FY 2007 and FY 2008 FISMA reports to OMB.
• OPM has operated without a permanent ITSO for over 14 months, and there have been 3 acting ITSOs during that time. In addition, the responsibilities assigned to the current acting ITSO create the appearance of a lack of independence in that he is responsible for managing OPM's network infrastructure and also responsible for oversight of its IT security compliance.

Audit Results

I. FY 2009 Second Quarter FISMA Report - POA&M Process

The POA&M section of the quarterly report instructs agencies to list the number of systems where planned corrective action on security weaknesses is overdue. In OPM's FY 2009 second quarter report, we found two problems in the manner overdue items were reported. First, CIS did not report overdue corrective action for two OPM systems: eOPF and the EHRI Data Warehouse. Second, CIS reported the number of weaknesses with overdue corrective action rather than the number of systems where corrective action has been delayed.

a) eOPF and EHRI Data Warehouse POA&M Weaknesses

We noted significant discrepancies between the FY 2009 second quarter report to OMB and the POA&M reports that the HRLOB program office submitted to CIS for the eOPF and EHRI Data Warehouse systems. The OMB report showed no overdue weaknesses for the two systems, while the POA&M reports submitted by the HRLOB program manager on January 27, 2009 showed that there were 19 items where corrective action was more than 120 days overdue for the eOPF system, and the EHRI Data Warehouse POA&M identified 29 security weaknesses with overdue corrective actions.

We interviewed program office officials and CIS representatives, and reviewed associated documentation to determine the cause of this discrepancy. Our review demonstrated that the facts of the situation are as follows:

Both eOPF and the EHRI Data Warehouse systems were migrated to a Denver, Colorado area hosting facility owned by the Department of the Interior. As a result of this change, an out-of-cycle C&A for both systems was triggered. These C&As were completed during the summer and fall of 2008, and the official authority to operate for both systems was executed in November 2008 for the EHRI Data Warehouse and January 2009 for eOPF.

Sometime after the system migration in June 2008, the HRLOB program office began discussions with CIS to close out certain POA&M items that it believed were no longer relevant. The program office requested that 24 of the 29 overdue items be closed on the EHRI Data Warehouse POA&M. These discussions continued, but there was no definitive resolution of the status of these POA&M items, and they therefore remained as open and overdue weaknesses on the system's POA&M report.

During this same timeframe, there were changes occurring in the CIS group responsible for managing the agency-wide POA&M process. Working under the Chief of CIS's Program Policy Group, a Federal employee and one or more contractors obtained quarterly POA&M reports for the 40 OPM major computer systems, reviewed corrective action and proof-of-closure documentation, and monitored quarterly metrics on a "POA&M Status Tracker" matrix. This team was responsible for recommending whether POA&M items should be closed or, if insufficient documentation was received, kept open.

About five days before the FY 2009 second quarter report was due to be submitted to OMB, CIS management reassigned this process to several Network Management Group (NMG) network security contractors under the direction of a new acting ITSO. We were told that this change was put in place because of management concern over the high number of unresolved POA&M weaknesses; however, nothing came to our attention that would allow us to definitively conclude that this was the reason.

The NMG contractors were directed to focus their efforts on reviewing the POA&M items where corrective action was more than 120 days overdue. Since a significant portion of these items was attributable to eOPF and the EHRI Data Warehouse, the contractors seemed to target these two systems for further review.

There is one additional complication related to the eOPF POA&M. This system is a web-based application that allows Federal employees and agency human resources professionals to view digital copies of official personnel documents. Although the infrastructure supporting the application is now hosted by the Department of Interior's National Business Center, there are two sub-systems involved in the process of digitizing the documents that were not directly affected by the system migration. The eOPF POA&M submitted by the HRLOB program office includes weaknesses related to the application as well as both sub-systems.

However, the C&A process that occurred in the summer and fall of 2008 only covered the eOPF application itself and not the two sub-systems. One of the deliverables resulting from this C&A, and the EHRI Data Warehouse C&A, was a document prepared in the standard POA&M format that included security weaknesses identified during the C&A process. This document did not include previously identified security weaknesses for eOPF (or its two sub-systems) or the EHRI Data Warehouse.

Nevertheless, the NMG contractors who were assigned to manage the POA&M process used these documents as a basis for preparing OPM's FY 2009 second quarter FISMA report rather than the POA&M reports that had been submitted by the HRLOB program office. A memo dated February 15, 2009 from one of the contractors to CIO Janet Barnes described the reasoning for relying on the C&A version of the POA&Ms, but it only addressed the eOPF application POA&M, and did not account for the items related to the subsystems that were overlooked. We also interviewed the contractor to determine why the program office POA&Ms were not used as source documentation for the FY 2009 second quarter FISMA report.

Based on the memo and on our interview, we understand that the NMG contractors believe that when a system undergoes a major change that requires an out-of-cycle certification and accreditation, a new POA&M is in order. The thought process is that a major change, especially one involving a new hosting provider, can involve new management, infrastructure, and staff, rendering the existing POA&M weaknesses irrelevant.

While this may be true in some cases, it is not a universally valid concept. For example, there were 29 items on the EHRI Data Warehouse POA&M submitted by HRLOB that were over 120 days overdue. Of these, only 17 items related to the system migration. Even if CIS were justified in closing these items, they should have remained on the POA&M in a "closed" status for one year for tracking purposes. The remaining 12 overdue items do not appear to have a direct relationship with the system migration, but they were closed and reopened with future completion dates.

In addition to the overdue weaknesses related to the eOPF subsystems that were overlooked, there were four POA&M items reported on the HRLOB POA&M submission that CIS inappropriately closed. These items related to security impact analysis, multifactor authentication, public key certification, and system output. These are items that would not be directly alleviated or become irrelevant as a result of a physical system migration, and should continue to be listed as weaknesses on post-migration POA&Ms.

These examples clearly demonstrate that some of the overdue POA&M items for these two systems should not have been closed. In fact, this was the nature of the discussions that occurred between CIS and HRLOB during the fall of 2008. The CIS representatives who previously managed the POA&M process were working with program office officials to determine which POA&M items should be appropriately closed after the system migration of summer 2008. This process involved a careful review of each POA&M item and "proof of closure" submitted by the program office to support closing the items.

However, the NMG contractors inappropriately closed all overdue POA&M items on both systems without discussing their status with the HRLOB program office. The memo to the CIO was written to justify this course of action, but no proof of closure was provided (although the memo referenced supporting documentation that was on file). When we interviewed HRLOB program office officials, they stated that they had no knowledge of the modified POA&Ms for the eOPF and EHRI Data Warehouse systems, and had no discussions with CIS after the reorganization occurred in late February 2009.

Surprisingly though, CIS and HRLOB resumed discussions regarding the closure of POA&M items that were rendered obsolete by the summer 2008 system migration after the POA&Ms had been modified by CIS and the FY 2009 second quarter FISMA report was submitted to OMB. When we asked CIS officials why there were discussions on this topic after the NMG contractors had already determined that all POA&M items were no longer relevant and should be closed, there was no reasonable response provided.

OMB Memorandum M-04-25, Section B.I "Agency Plans of Action and Milestones Process" provides a sample POA&M and instructions on completing the various columns. The memo states "Once an agency has completed the initial POA&M, no changes should be made to the data in columns 1, 4, 5, and 7."

The memo continues with specific descriptions for each column:
• "Column 4 - Scheduled completion date for resolving the weakness. Please note that the initial date entered should not be changed. If a weakness is resolved before or after the originally scheduled completion date, the agency should note the actual completion date in Column 8, 'Status.'
• "Column 5 - Key milestones with completion dates. A milestone will identify specific requirements to correct an identified weakness. Please note that the initial milestones and completion dates should not be altered....
• "Column 8 - Status. The agency should use one of the following terms to report status of corrective actions: Ongoing or completed. 'Completed' should be used only when a weakness has been fully resolved and the corrective action has been tested. Include the date of completion...."

In the Frequently Asked Questions section of M-04-25, it states, "For how long do I report corrected weaknesses?

"Weaknesses that are no longer undergoing correction and have been completely mitigated for over a year should no longer be reported in the agency POA&M."

OMB Memorandum M-08-021 "FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management" also includes a Frequently Asked Questions section.

Question 34 states, "Can a POA&M process be effective even when correcting identified weaknesses is untimely?

"Yes. The purpose of a POA&M is to identify and track security weaknesses in one location. A POA&M permits agency officials and oversight authorities to identify when documented corrective actions are both timely and untimely. In either circumstance, the POA&M has served its intended purpose. Agency managers can use the POA&M process to focus resources to resolve delays."

It is the clear intention of OMB that POA&M items are not to be modified, unless they are fully completed and tested. When items are resolved, it has been OPM's practice to mark them as "Completed" in the status column, shade the row with a green background, and maintain these items on POA&M reports for one year after the completion date. CIS has been very outspoken regarding these requirements during monthly meetings of the Information Technology Security Working Group (ITSWG).

Unresolved items that are overdue are shaded with a red background and bi-weekly status reports to the OPM Deputy Director are required until corrective action has been completed and tested. As stated in the OMB memorandum, the purpose of highlighting weaknesses where corrective action is significantly overdue is to focus management attention and necessary resources to resolve the items.

The CIS approach to the eOPF and EHRI Data Warehouse POA&Ms appears to have violated the intention of both the OMB POA&M guidance and OPM's own internal practices.

b) Reporting Total Number of Weaknesses instead of the Number of Systems with Weaknesses

The instructions within the FISMA quarterly reporting template ask for the: "Number of High, Moderate and Not Categorized systems operating with one or more security weaknesses that are currently 90 to 120, or greater than 120 calendar days beyond the planned remediation date in the POA&M." This section contains two columns; one in which to enter the number of systems that have POAM weaknesses 90-120 days overdue, and one in which to enter the number of systems with POAM weaknesses over 120 days overdue.

On the FY 2009 second quarter FISMA report to OMB, CIS reported the number of weaknesses with overdue corrective action rather than the number of systems where corrective action has been delayed. There are two factors that led to the OIG's conclusion that CIS incorrectly completed this section of the FISMA reporting template:
• CIS maintains an internal tracking spreadsheet that contains a detailed analysis of the POA&M status for each of the systems in OPM's inventory. This spreadsheet outlines the total number of delayed weaknesses for each system. The "totals" row for each program office lists the number of total overdue weaknesses for all systems owned by that program office. The numbers documented on the FY 2009 second quarter FISMA report match the total number of weaknesses outlined in this summary spreadsheet instead of the total number of systems containing any overdue weaknesses.
• In some cases, the number reported on the FY 2009 second quarter FISMA report in the field "Number of ... systems ... operating with one or more security weaknesses ..." was greater than the number of systems that exist in that program office. For example, it was reported that the Federal Investigative Services Division (FISD) had 5 systems with weaknesses 90-120 days overdue and 6 systems with weaknesses over 120 days overdue, for a total of 11 systems. However, FISD only owns a total of 5 systems.
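The rules in sections a) and b) above can be checked mechanically: the M-04-25 requirement that columns 1, 4, 5 and 7 never change after the initial POA&M, the one-year retention of completed items, and the reporting template's unit of "systems with one or more overdue weaknesses" rather than a count of weaknesses. The following is an added example and is not code from the report, from OPM, or from CIS. It assumes a simple record layout whose field names (`weakness`, `scheduled_completion`, `milestones`, `source`) stand in for the memo's columns; every item, program office, system inventory and date below is constructed for illustration, and the as-of date is the report's March 1, 2009 submission date.

```python
"""Added example, not part of the OIG report: a POA&M checker that applies the
OMB M-04-25 rules quoted above and computes the quarterly FISMA metric in the
unit the template asks for (systems, not weaknesses). All records are constructed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# M-04-25: after the initial POA&M these columns must not change. The field
# names are assumptions standing in for columns 1, 4, 5 and 7 of the memo.
FROZEN_COLUMNS = ("weakness", "scheduled_completion", "milestones", "source")

@dataclass(frozen=True)
class PoamItem:
    system: str
    program_office: str
    weakness: str                # column 1
    scheduled_completion: date   # column 4, the initial date
    milestones: tuple            # column 5
    source: str                  # column 7
    status: str = "Ongoing"      # column 8: "Ongoing" or "Completed"
    completed_on: Optional[date] = None  # actual completion date, column 8

def validate_update(old: PoamItem, new: PoamItem) -> list:
    """Violations an edit would introduce; an empty list means the edit is allowed."""
    errors = [f"column {c!r} may not be changed after the initial POA&M"
              for c in FROZEN_COLUMNS if getattr(old, c) != getattr(new, c)]
    if new.status not in ("Ongoing", "Completed"):
        errors.append(f"status must be Ongoing or Completed, got {new.status!r}")
    elif new.status == "Completed" and new.completed_on is None:
        errors.append("Completed requires the actual completion date in column 8")
    return errors

def days_overdue(item: PoamItem, as_of: date) -> int:
    """Days past the scheduled date for an unresolved item (0 if resolved or not yet due)."""
    return 0 if item.status == "Completed" else max(0, (as_of - item.scheduled_completion).days)

def bucket(item: PoamItem, as_of: date):
    """Reporting column the item falls in, or None if under 90 days overdue."""
    d = days_overdue(item, as_of)
    return ">120" if d > 120 else "90-120" if d >= 90 else None

def retained(item: PoamItem, as_of: date) -> bool:
    """Completed items stay on the POA&M for one year after completion, then drop off."""
    if item.status != "Completed" or item.completed_on is None:
        return True
    return (as_of - item.completed_on).days <= 365

def overdue_weakness_counts(items, as_of):
    """Per office, overdue *weaknesses* per column: the unit the report says CIS used."""
    counts = {}
    for it in items:
        cols = counts.setdefault(it.program_office, {"90-120": 0, ">120": 0})
        if bucket(it, as_of):
            cols[bucket(it, as_of)] += 1
    return counts

def overdue_system_counts(items, as_of):
    """Per office, *systems* with one or more weaknesses in each column: the unit the
    FISMA template asks for. A system with items in both ranges is counted in both."""
    seen = {}
    for it in items:
        cols = seen.setdefault(it.program_office, {"90-120": set(), ">120": set()})
        if bucket(it, as_of):
            cols[bucket(it, as_of)].add(it.system)
    return {o: {k: len(v) for k, v in cols.items()} for o, cols in seen.items()}

def inventory_check(counts, inventory):
    """A column counts systems, so it can never exceed the systems the office owns."""
    return [f"{o}: {col} column reports {n} systems but the office owns {inventory.get(o, 0)}"
            for o, cols in counts.items() for col, n in cols.items() if n > inventory.get(o, 0)]

# Constructed sample data: dates, weaknesses and the inventory are illustrative only.
AS_OF = date(2009, 3, 1)  # submission date of the FY 2009 second quarter report
INVENTORY = {"HRLOB": 2, "OfficeB": 1}  # systems owned per office (constructed)
SAMPLE_ITEMS = [
    PoamItem("eOPF", "HRLOB", "Multifactor authentication", date(2008, 9, 30), ("deploy tokens",), "C&A"),
    PoamItem("eOPF", "HRLOB", "Security impact analysis", date(2008, 10, 15), ("draft SIA",), "C&A"),
    PoamItem("EHRI DW", "HRLOB", "Public key certification", date(2008, 11, 15), ("issue certs",), "C&A"),
    PoamItem("EHRI DW", "HRLOB", "System output handling", date(2008, 10, 1), ("label output",), "audit"),
    PoamItem("SysB", "OfficeB", "Audit log review", date(2008, 12, 15), ("weekly review",), "audit"),
    PoamItem("SysB", "OfficeB", "Patch management", date(2008, 5, 1), ("patch cycle",), "audit",
             "Completed", date(2008, 6, 1)),
    PoamItem("SysB", "OfficeB", "Account review", date(2007, 11, 1), ("quarterly review",), "audit",
             "Completed", date(2007, 12, 1)),
]

def check_common_edits(item: PoamItem) -> dict:
    """Three edits run through validate_update: slipping the date, closing with and without a date."""
    later = item.scheduled_completion.replace(year=item.scheduled_completion.year + 1)
    return {
        "moved_date": validate_update(item, replace(item, scheduled_completion=later)),
        "closed_with_date": validate_update(item, replace(item, status="Completed", completed_on=AS_OF)),
        "closed_without_date": validate_update(item, replace(item, status="Completed")),
    }

if __name__ == "__main__":
    print("weaknesses:", overdue_weakness_counts(SAMPLE_ITEMS, AS_OF))
    print("systems:   ", overdue_system_counts(SAMPLE_ITEMS, AS_OF))
    print("sanity:    ", inventory_check(overdue_weakness_counts(SAMPLE_ITEMS, AS_OF), INVENTORY))
    print("retained:  ", sum(retained(i, AS_OF) for i in SAMPLE_ITEMS), "of", len(SAMPLE_ITEMS))
```

With the constructed data the weakness count for HRLOB in the over-120-day column is 3 while the office owns only 2 systems, so `inventory_check` flags the weakness-based figure in the same way the FISD figures in the report exceed that office's inventory; the system-based count (1 system at 90-120 days, 2 systems over 120 days) passes. Pushing a scheduled date a year later or marking an item "Completed" without the actual completion date is rejected by `validate_update`, while a closed item with its date is accepted and, under `retained`, kept on the POA&M until a year after completion.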





c) Summary

The POA&M section of the FY 2009 second quarter FISMA report understated weaknesses with corrective action overdue by more than 120 days. Additionally, CIS mistakenly reported the number of overdue weaknesses rather than the number of systems with overdue weaknesses.

We believe that the factors that led to these conditions are, at least in part, related to outdated and incomplete IT security policies and long-standing weaknesses in OPM's IT security management structure. Both of these issues have been the subject of OIG audit findings since FY 2006 (please see sections II and III of this Flash Audit Alert).

As a result, the OPM Director and OMB were given an inaccurate representation of OPM's IT security position. The decision memorandum transmitting the FY 2009 second quarter FISMA report to the OPM Director claimed a 53 percent improvement in POA&M corrective actions delayed past their scheduled completion date, and a 46 percent decrease in the number of 120-day old corrective actions from the first quarter. While it may be true that some of the overdue POA&M items for eOPF and the EHRI Data Warehouse would have eventually been closed following the migration to the new hosting facility, this process was not properly completed before the memorandum was sent. Also, if the POA&M items related to the two eOPF subsystems had been included, the number of overdue weaknesses would have actually increased in the second quarter. Therefore, the improvements claimed in the decision memorandum are not entirely accurate.

Recommendation 1
We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status of OPM's IT security position as of March 1, 2009. This would include reporting that eOPF and the EHRI Data Warehouse systems both have weaknesses more than 120 days overdue, and changing the metrics on the entire report from the number of overdue weaknesses to the number of systems with overdue weaknesses.

II. OPM IT Security Policy

The CIS closely follows emerging IT security guidance, and disseminates this information to the agency's IT security personnel through monthly meetings of the ITSWG. However, OPM's IT security policies and procedures remain severely outdated. In fact, the majority of these documents have not been updated at all in at least three years.

According to the decision memorandum that accompanied the FY 2009 second quarter FISMA report, CIS has developed guidance and training materials related to the POA&M process and is working on a set of comprehensive POA&M standard operating procedures. Although these would be welcome developments, the same effort needs to be directed toward developing a comprehensive set of OPM IT security policies and procedures that are updated at least annually.





National Institute of Standards and Technology Special Publication (NIST SP) 800-100, Information Security Handbook: A Guide for Managers, states that "An effective information security governance program requires constant review. Agencies should monitor the status of their programs to ensure that ... Policies and procedures are current and aligned with evolving technologies, if appropriate ... Over time, policies and procedures may become inadequate because of changes in agency mission and operational requirements, threats, environment, deterioration in the degree of compliance, changes in technology or infrastructure, or business processes."

We acknowledge the steps that OPM has taken in working toward updating policies, and we understand the impact that limited resources can have on the ability to conduct this type of ongoing maintenance. However, OPM's failure to adequately update IT security policies and procedures has been highlighted in the past three OIG FISMA audit reports, and was characterized as a material weakness in the FY 2007 and FY 2008 FISMA reports.

CIS must address this underlying weakness in information security governance, or there will likely be repeated occurrences of the problems that occurred with the FY 2009 second quarter FISMA report. In this situation, there was new staff attempting to understand the POA&M and C&A processes, but there was no formal guidance that they could use as a reference.

Recommendation 2
We recommend that CIS develop a comprehensive set of IT security policies and procedures, and a plan for updating it at least annually.

III. OPM IT Security Management

While we believe that CIS is committed to developing and maintaining strong IT security controls, it is clear that there are opportunities for improvement in the overall leadership and management of the IT security program. The agency has operated without a permanent ITSO for over 14 months, and there have been 3 acting ITSOs during that time.

This is a position that requires an independent, long-term, and committed incumbent to manage the complexities of an environment that includes constantly shifting guidance and a group of program office representatives with a wide range of IT security experience. Adequate support staff is also needed to effectively manage the agency's IT security program.

In contrast, the new acting ITSO and recently-assigned staff are not independent. The acting ITSO is also the Director of the Network Management Group, a program office that manages one of the two major IT infrastructure elements at OPM. The staff includes two NMG network security contractors. There are also two federal employees.

This situation creates the appearance of a lack of independence in that officials who are responsible for one of the largest and highest-risk major systems are now also responsible for oversight of the IT security compliance of that system. We have learned that the acting ITSO will not be responsible for accreditation decisions related to any systems under his purview, and that the CIO will take on that role in these cases. This appears to be an attempt to mitigate conflict of interest concerns that have already been raised; however, we do not believe this to be a workable solution. In our view, the CIO has far too many responsibilities to be involved at the level of detail required to make informed decisions in these matters.

We have recently learned that the former OPM Acting Director approved a reorganization in CIS that creates an IT Security and Privacy Group reporting to the agency's CIO. This is a positive development; however, the ITSO position is still vacant and it is not clear how the group will be staffed.

NIST SP 800-37 states, "The senior agency information security officer is the agency official responsible for: (i) carrying out the Chief Information Officer responsibilities under FISMA; (ii) possessing professional qualifications, including training and experience, required to administer the information security program functions; (iii) having information security duties as that official's primary duty [emphasis added]; and (iv) heading an office with the mission and resources to assist in ensuring agency compliance with FISMA."

There are a number of underlying causes that have contributed to preventing OPM from adequately staffing an IT security program, including a lack of resources, budgeting issues, and especially difficulties related to the federal hiring process. However, CIS management must resolve these issues and correct this long-standing weakness.

Without strong information security governance, OPM cannot implement appropriate and cost-effective information security controls (beginning with current and comprehensive policies and procedures) or manage evolving information security risks. The problems that occurred with the FY 2009 second quarter FISMA report are an example of what can occur without strong information security governance.

Recommendation 3
We recommend that the OPM Director ensure that CIS has adequate resources to properly staff its IT Security and Privacy Group.

Recommendation 4
We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible, and adequate staff to effectively manage the agency's IT security program.


cc: Elizabeth A. Montoya
    Chief of Staff and Director of External Affairs

    Richard B. Lowe
    Deputy Chief of Staff and Executive Secretariat

    Ronald C. Flom
    Associate Director, Management Services Division and Chief Human Capital Officer

    Janet L. Barnes
    Deputy Associate Director, Center for Information Services and Chief Information Officer

    David M. Cushing
    Deputy Chief Financial Officer