( UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General May 27, 2009 Report No. 4A-CI-OO-09-053 MEMORANDI~FOR~~~:ERRY ~~ FROM: PATRICKE.McFlI.RLAND Inspector General dpi. P~ . SUBJECT: Flash Audit Alert - Information Technology Security Program at the U.S. Office of Personnel Management Synopsis The Office of the Inspector General (OIG) at the U.S. Office ofPersonriel Management (OPM) is issuing this flash audit alert to bring to your immediate attention serious concerns that we have with OPM's infonnation technology (IT) security program. Specifically: • OPM's Center for Information Services (CIS) misrepresented the status of the agency's IT security program in the FY 2009 second quarter Federal Infonnation Security Management Act (FISMA) report issued to the U.S. Office of Management and Budget (OMB). • OPM's IT security policies and procedures continue to remain severely outdated. • OPM's IT security program is understaffed, and the agency has operated without a permanent IT security officer (ITSO) for over 14 months. In addition several individuals within the IT security program do not have adequate independence from other aPM program offices. The impact of these concerns is two-fold. First, misrepresenting the status of any component of OPM's IT security structure could result in the loss of integrity and confidence in OPM's overall IT security program. Secondly, without current IT security policies and procedures, as well as a dedicated and experienced ITSO and support staff, OPM's IT security program will become ineffective, thereby compromising the confidentiality, integrity, and/or availability of infonnation being processed, stored, or transmitted by OPM's major applications and systems. We believe that this misrepresentation of the security status exemplifies the risk of operating an IT security program with outdated controls and without a pennanent ITSa for an extended period of time. We discussed these issues with OPM's Chief Infonnation Officer (CIO) and senior managers in the CIS program office, and considered their comments in the preparation of this report. In order to verify that the audit concerns are addressed in a timely manner, we ask that CIS respond www.opm.gov WWW.us;:.ljntJs·aov directly to the OIG within 60 days of the date of this report advising us of any progress made in implementing the audit recommendations. If we can be of assistance during the program office review of this report, the staff should contact Michael Esser, Assistant Inspector General for Audits, on _ . Please call if I can be of further assistance to you. Executive Summary Our review of OPM's quarterly FISMA report for the second quarter of 2009 resulted in serious concerns. This led to an in-depth audit of the FISMA reporting process and other areas related to OPM's IT security program. As a result of this audit, we noted several critical issues related to the FISMA quarterly reporting process, IT security policy, and the overall management of OPM's IT security program. OMB requires agencies to submit quarterly status reports on their plan of action and milestones (POA&M) process, IT security performance measures, privacy, and the criteria for "maintaining green" on the eOOV portion of the President's Management Agenda scorecard. OPM's FY 2009 second quarter report was submitted to OMB on March 1, 2009. Our audit of this report showed that it significantly misrepresented OPM's IT security status regarding the POA&M process. In addition, OPM's IT security program continues to operate with outdated policies and procedures and without a permanent ITSO. This flash audit alert details the issues that were detected and recommendations for improvement. In summary: • Two major applications owned by the Human Resources Line of Business (HRLOB) program office were migrated to a new hosting provider in July 2008, which required out-of cycle certification and accreditation (C&A) of both systems. These systems are the Electronic Official Personnel Folder (eOPF) and the Enterprise Human Resources Integration (EHRI) Data Warehouse. o HRLOB believed that some of the overdue POA&M items for both systems should be closed because they were no longer relevant post-migration, and were working with CIS representatives to this end. o The program office submitted its FY 2009 second quarter POA&M reports for both systems to CIS on January 27,2009. The reports continued to itemize all existing weaknesses, including 48 that were more than 120 days overdue. CIS contractors, however, unilaterally and without discussing the approach with the program office, closed all POA&M items and used the POA&M reports that were created during the certification and accreditation process for both systems as supporting documentation for the FY 2009 second quarter FISMA report to OMB. • On the FY 2009 second quarter FISMA report to OMB, CIS inappropriately repocted the number ofPOA&M weaknesses with overdue corrective action rather than the number of systems where corrective action has been delayed (as required by OMB). 2 ( • OPM's IT security policies and procedures continue to remain severely outdated, as many have not been updated at all in at least three to six years. The OIG has reported this issue to the OPM Director for the past three years, and labeled it as a material weakness in the FY 2007 and FY 2008 FISMA reports to OMB. • OPM has operated without a permanent ITSO for over 14 months, and there have been 3 acting ITSO's during that time. In addition, the responsibilities assigned to the current acting ITSO create the appearance of a lack of independence in that he is responsible for managing OPM's network infrastructure and also responsible for oversight of its IT security compliance. Audit Results I. FY 2009 Second Quarter FISMA Report - POA&M Process The POA&M section of the quarterly report instructs agencies to list the number of systems where planned corrective action on security weaknesses is overdue. In OPM's FY 2009 second quarter report, we found two problems in the manner overdue items were reported. First, the CIS diq not report overdue corrective action for two OPM systems: eOPF and the EI-IRI Data Warehouse. Second, CIS reported the number of weaknesses with overdue corrective action rather than the number of systems where corrective action has been delayed. a) eOPF and EHRI Data Warehouse POA&M Weaknesses We noted significant discrepancies between the FY 2009 second quarter report to OMB and the POA&M reports that the HRLOB program office submitted to CIS for the eOPF and EHRI Data Warehouse systems. The OMB report showed no overdue weaknesses for the two systems, while the POA&M reports submitted by the I-IRLOB program manager on January 27,2009 showed that there were 19 items where corrective action was more than 120 days overdue for the eOPF system, and the EI-IRI Data Warehouse POA&M identified 29 security weaknesses with overdue corrective actions. We interviewed program office officials and CIS representatives, and reviewed associated documentation to determine the cause of this discrepancy. Our review demonstrated that the facts of the situation are as follows: Both eOPF and the EHRI Data Warehouse systems were migrated to a Denver, Colorado area hosting facility owned by the Department of the Interior. As a result of this change, an out-of-cycle C&A for both systems was triggered. These C&A's were completed during the summer and fall of 2008, and the official authority to operate for both systems was executed in November 2008 for the EHRI Data Warehouse and January 2009 for eOPF. Sometime after the system migration in June 2008, the HRLOB program office began discussions with CIS to close out certain POA&M items that it believed were no longer relevant. The program office requested that 24 of the 29 overdue items be closed on the EHRI Data Warehouse POA&M. These discussions continued, but there was no 3 ,i 1, ,.: definitive resolution of the status of these POA&M items, and they therefore remained as open and overdue weaknesses on the system'5 POA&M report. During this same timeframe, there were changes occurring in the CIS group responsible for managing the agency-wide POA&M process. Working tmder the Chief of CIS's Program Policy Group, a Federal employee and one or more contractors obtained quarterly POA&M reports for the 40 OPM major computer systems, reviewed corrective action and proof-of-closure documentation, and monitored quarterly metrics on a "POA&M Status Tracker" matrix. This team was responsible for recommending whether POA&M items should be closed or, if insufficient documentation was received, kept open. About five days before the FY 2009 second quarter report was due to be submitted to OMB, CIS management reassigned this process to several Network Management Group (NMG) network security contractors under the direction of a new acting ITSO. We were told that this change was put in place because of management concern over the high number of unresolved POA&M weaknesses; however, nothing came to our attention that would allow us to definitively conclude that this was the reason. The NMG contractors were directed to focus their efforts on reviewing the POA&M items where corrective action was more than 120 days overdue. Since a significant portion of these items was attributable to eOPF and the EHRI Data Warehouse, the contractors seemed to target these two systems for further review. There is one additional complication related to the eOPF POA&M. This system is a web based application that allows Federal employees and agency human resources professionals to view digital copies of official personnel documents. Although the infrastructure supporting the application is now hosted by the Department of Interior's National Business Center, there are two sub-systems involved in the process of digitizing the documents that were not directly affected by the system migration. The eOPF POA&M submitted by the HRLOB program office includes weaknesses related to the application as well as both sub-systems. However, the C&A process that occurred in the summer and fall of 2008 only covered the eOPF application itself and not the two sub-systems. One of the deJiverables resulting from this C&A, and the EHRI Data Warehouse C&A, was a document prepared in the standard POA&M format that included security weaknesses identified during the C&A process. This document did not include previously identified security weaknesses for eOPF (or its two sub-systems) or the EHRI Data Warehouse. Nevertheless, the NMG contractors who were assigned to manage the POA&M process used these documents as a basis for preparing OrM's FY 2009 second quarter FISMA report rather than the POA&M reports that had been submitted by the HRLOB program office. A memo dated February 15,2009 from one of the contractors to CIO Janet Barnes described the reasoning for relying on the C&A version of the POA&Ms, but it only addressed the eOPF application POA&M, and did not account for the items related 4 to the subsystems that were overlooked. We also interviewed the contractor to determine why the program office POA&Ms were not used as source documentation for the FY 2009 second quarter FISMA report. Based on the memo and on our interview, we understand that the NMG contractors believe that when a system undergoes a major change that requires an out-of-cycle certification and accreditation, a new POA&M is in order. The thought process is that a major change, especially one involving a new hosting provider, can involve new management, infrastructure, and staff, rendering the existing POA&M weaknesses irrelevant. While this may be true in some cases, it is not a universally valid concept. For example, there were 29 items on the EHRI Data Warehouse POA&Msubmitted by HRLOB that were over 120 days overdue. Of these, only 17 items related to the system migration. Even if CIS were justified in closing these items, they should have remained on the POA&M in a "closed" status for one year for tracking purposes. The remaining 12 overdue items do not appear to have a direct relationship with the system migration, but they were closed and reopened with future completion dates. In addition to the overdue weaknesses related to the eOPF subsystems that were overlooked, there were four POA&M items reported on the HRLOB POA&M submission that CIS inappropriately closed. These items related to security impact analysis, multifactor authentication, public key certification, and system output. These are items that would not be directly alleviated or become irrelevant as a result of a physical system migration, and should continue to be listed as weaknesses on post migration POA&Ms. These examples clearly demonstrate that some of the overdue POA&M items for these two systems should not have been closed. In fact, this was the nature of the discussions that occurred between CIS and HRLOB during the fall of2008. The CIS representatives who previously managed the POA&M process were working with program office officials to determine which POA&M items should be appropriately closed after the system migration of summer 2008. This process involved a careful review of each POA&M item and "proof of closure" submitted by the program office to support closing the items. However, the NMG contractors inappropriately closed all overdue POA&M items on both systems without discussing their status with the HRLOB program office. The memo to the CIO was written to justify this course of action, but no proof of closure was provided (although the memo referenced supporting documentation that was on file). When we interviewed HRLOB program office officials, they stated that they had no knowledge of the modified POA&Ms for the eOPF and EHRI Data Warehouse systems, and had no discussions with CIS after the reorganization occurred in late February 2009. Surprisingly though, CIS and HRLOB resumed discussions regarding the closure of POA&M items that were rendered obsolete by the summer 2008 system migration after 5 the POA&Ms had been modified by CIS and the FY 2009 second quarter FISMA report was submitted to OMB. When we asked CIS officials why there were discussions on this topic after the NMG contractors had already determined that all POA&M items were no longer relevant and should be closed, there was no reasonable response provided. OMB Memorandum M-04-25, Section B.I "Agency Plans of Action and Milestones Process" provides a sample POA&M and instructions on completing the various columns. The memo states "Once an agency has completed the initial POA&M, no changes should be made to the data in columns 1,4,5, and 7." The memo continues with specific descriptions for each column: • "Column 4 - Scheduled completion date for resolving the weakness. Please note that the initial date entered should not be changed. If a weakness is resolved before or after the originally scheduled completion date, the agency should note the actual completion date in Column 8, 'Status.' • "Column 5 - Key milestones with completion dates. A milestone will identify specific requirements to correct an identified weakness. Please note that the initial milestones and completion dates should not be altered.... • "Column 8 - Status. The agency should use one of the following tenus to report status of corrective actions: Ongoing or completed. 'Completed' should be used only when a weakness has been fully resolved and the corrective action has been tested. Include the date of completion...." In the Frequently Asked Questions section ofM-04-25, it states, "For how long do I report corrected weaknesses? "Weaknesses that are no longer undergoing correction and have been completely mitigated for over a year should no longer be reported in the agency POA&M." OMB Memorandum M-08-021 "FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management" also includes a Frequently Asked Questions section. Question 34 states, "Can a POA&M process be effective even when correcting identified weaknesses is untimely? "Yes. The purpose of a POA&M is to identify and track security weaknesses in one location. A POA&M permits agency officials and oversight authorities to identify when documented cOlTective actions are both timely and untimely. In either circumstance, the POA&M has served its intended purpose. Agency managers can use the POA&M process to focus resources to resolve delays." It is the clear intention of OMB that POA&M items are not to be modified, unless they are fully completed and tested. When items are resolved, it has been OPM's practice to mark them as "Completed" in the status column, shade the row with a green background, 6 and maintain these items on POA&M reports for one year after the completion date. CIS has been very outspoken regarding these requirements during monthly meetings of the Information Technology Security Working Group (ITSWG). Unresolved items that are overdue are shaded with a red background and bi-weekly status reports to the OPM Deputy Director are required until corrective action has been completed and tested. As stated in the OMB memorandum, the purpose of highlighting weaknesses where corrective action is significantly overdue is to focus management attention and necessary resources to resolve the items. The CIS approach to the eOPF and EHRI Data Warehouse POA&Ms appears to have violated the intention of both the OMB POA&M guidance and OPM's own internal practices. b) Reporting Total Number of Weaknesses instead of the Number of Systems with Weaknesses The instructions within the FISMA quarterly reporting template ask for the: "Number of High, Moderate and Not Categorized systems operating with one or more security weaknesses that are currently 90 to 120, or greater than 120 calendar days beyond the planned remediation date in the POA&M." This section contains two columns; one in which to enter the number of systems that have POAM weaknesses 90-120 days overdue, and one in which to enter the number of systems with POAM weaknesses over 120 days overdue. On the FY 2009 second quarter FISMA report to OMB, CIS reported the number of weaknesses with overdue corrective action rather than the number of systems where corrective action has been delayed. There are two factors that led to the ~IG's conclusion that CIS incorrectly completed this section of the FISMA reporting template: • CIS maintains an internal tracking spreadsheet that contains a detailed analysis of the POA&M status for each of the systems in OPM's inventory. This spreadsheet outlines the total number of delayed weaknesses for each system. The "totals" row for each program office lists the number of total overdue weaknesses for all systems owned by that program office. The numbers documented on the FY 2009 second quarter FISMA report match the total number of weaknesses outlined in this summary spreadsheet instead of the total number of systems containing any overdue weaknesses. • In some cases, the number reported on the FY 2009 second quarter FISMA report in the field "Number of. .. systems ... operating with one or more security weaknesses ... " was greater than the number of systems that exist in that program office. For example, it was reported that the Federal Investigative Services Division (FISD) had 5 systems with weaknesses 90-120 days overdue and 6 systems with weaknesses over 120 days overdue, for a total of 11 systems. However, FISD only owns a total of 5 systems. 7 c) Summary The POA&M section of the FY 2009 second quarter FISMA report understated weaknesses with corrective action overdue by more than 120 days. Additionally, CIS mistakenly reported the number of overdue weaknesses rather than the number of systems with overdue weaknesses. We believe that the factors that led to these conditions are, at least in part, related to outdated and incomplete IT security policies and long-standing weaknesses in OPM's IT security management structure. Both of these issues have been the subject ofOIG audit findings since FY 2006 (please see sections II and III of this Flash Audit Alert). As a result, the OPM Director and OMB were given an inaccurate representation of OPM's IT security position. The decision memorandum transmitting the FY 2009 second quarter FlSMA report to the OPM Director claimed a 53 percent improvement in POA&M corrective actions delayed past their scheduled completion date, and a 46 percent decrease in the number of 120-day old corrective actions from the first quarter. While it may be true that some of the overdue POA&M items for eOPF and the EHRI Data Warehouse would have eventually been closed following the migration to the new hosting facility, this process was not properly completed before the memorandum was sent. Also, if the POA&M items related to the two eOPF subsystems had been included, the number of overdue weaknesses would have actually increased in the second quarter. Therefore, the improvements claimed in the decision memorandum are not entirely accurate. Recommendation I We recommend that CIS correct the FY 2009 second quarter FISMA report to accurately reflect the status ofOPM's IT security position as of March 1,2009. This would include reporting that eOPF and the EHRI Data Warehouse systems both have weaknesses more than 120 days overdue, and changing the metrics on the entire report from the number of overdue weaknesses to the number of systems with overdue weaknesses. II. OPM IT Security Policy The CIS closely follows emerging IT security guidance, and disseminates this information to the agency's IT security personnel through monthly meetings of the ITSWG. However, OPM's IT security policies and procedures remain severely outdated. In fact, the majority of these documents have not been updated at all in at least three years. According to the decision memorandum that accompanied the FY 2009 second quarter FISMA report, CIS has developed guidance and training materials related to the POA&M process and is working on a set of comprehensive POA&M standard operating procedures. Although these would be welcome developments, the same effort needs to be directed toward developing a comprehensive set of OPM IT security policies and procedures that are updated at least annually. 8 National Institute of Standards and Technology Special Publication (NIST SP) 800-100, Information Security Handbook: A Guide for Managers, states that "An effective information security governance program requires constant review. Agencies should monitor the status of their programs to ensure that ... Policies and procedures are current and aligned with evolving technologies, if appropriate ... Over time, policies and procedures may become inadequate because of changes in agency mission and operational requirements, threats, environment, deterioration in the degree of compliance, changes in technology or infrastructure, or business processes." We acknowledge the steps that OPM has taken in working toward updating policies, and we understand the impact that limited resources can have on the ability to conduct this type of ongoing maintenance. However, OPM's failure to adequately update IT security policies and procedures has been highlighted in the past three DIG FISMA audit reports, and was characterized as a material weakness in the FY 2007 and FY 2008 FISMA reports. CIS must address this underlying weakness in information security governance, or there will likely be repeated occurrences of the problems that occurred with the FY 2009 second quarter FISMA report. In this situation, there was new staff attempting to understand the POA&M and C&A processes, but there was the no formal guidance that they could use as a reference. . Recommendation 2 We recommend that CIS develop a comprehensive set oflT security policies and procedures, and a plan for updating it at least annually. III.OPM IT Security Management While we believe that CIS is committed to developing and maintaining strong IT security controls, it is clear that there are opportunities for improvement in the overall leadership and management of the IT security program. The agency has operated without a permanent ITSO for over 14 months, and there have been 3 acting ITSO's during tpat time. This is a position that requires an independent, long-term, and committed incumbent to manage the complexities of an environment that includes constantly shifting guidance and a group of program office representatives with a wide range of IT security experience. Adequate support staff is also needed to effectively manage the agency's IT security program. In contrast, the new acting ITSO and recently-assigned staff are not independent. The acting ITSO is also the Director of the Network Management Group, a program office that manages one of the two major IT infrastructure elements at OPM. The staff includes two NMG network security contractors. There are also two federal employees. This situation creates the appearance of a lack of independence in that officials who are responsible for one of the largest and highest-risk major systems are now also responsible for oversight of the IT security compliance of that system. We have learned that the acting ITSO 9 will not be responsible for accreditation decisions related to any systems under his purview, and that the CIO will take on that role in these·cases. This appears to be an attempt to mitigate conflict of interest cone ems that have already been raised; however, we do not believe this to be a workable solution. In our view, the CIO has far too many responsibilities to be involved at the level of detail required to make informed decisions in these matters. We have recently learned that the fonner OPM Acting Director approved a reorganization in CIS that creates an IT Security and Privacy Group reporting to the agency's CIO. This is a positive development; however, the ITSO position is still vacant and it is not clear how the· group will be staffed. NIST SP 800~37 states, 'The senior agency information security officer is the agency official responsible for: (i) carrying out the Chief Information Officer responsibilities under FISMA; (ii) possessing professional qualifications, including training and experience, required to administer the information security program f-unctions; (iii) having information security duties as that official's primary duty [emphasis added]; and (iv) heading an office with the mission and resources to assist in ensuring agency compliance with FISMA." There are a number of underlying causes that have contributed to preventing OPM from adequately staffing an IT security program, including a lack of resources, budgeting issues, and especially difficulties related to the federal hiring process. However, CIS management must resolve these issues and correct this long-standing weakness. Without strong infonnation security governance, OPM cannot implement appropriate and cost-effective information security controls (beginning with current and comprehensive policies and procedures) or manage evolving information security risks. The problems that occurred with the FY 2009 second quarter FISMA report are an example of what can occur without strong information security governance. Recommendation 3 We recommend that the OPM Director ensure that CIS has adequate resources to properly staff its IT Security and Privacy Group. Recommendation 4 We recommend that CIS recruit a permanent Senior Agency Information Security Officer as soon as possible, and adequate staff to effectively manage the agency's IT security program. cc: Elizabeth A. Montoya Chief of Staff and Director of External Affairs Richard B. Lowe Deputy Chief of Staff and Executive Secretariat 10 Ronald C. Flom Associate Director, Management Services Division and Chief Human Capital Officer Janet L. Barnes Deputy Associate Director Center for Information Services and Chief Information Officer David M. Cushing Deputy Chief Financial Officer 11
Flash Audit Alert -Information Technology Security Program at the U.S. Office of Personnel Management
Published by the Office of Personnel Management, Office of Inspector General on 2009-05-27.
Below is a raw (and likely hideous) rendition of the original report. (PDF)