U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2011 Report No. 4A-CI-00-11-009 Date: November 9, 2011 --CAUTION-- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General Audit Report U.S. OFFICE OF PERSONNEL MANAGEMENT ------------------------------------------------------------- FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2011 -------------------------------- WASHINGTON, D.C. Report No. 4A-CI-00-11-009 Date: November 9, 2011 Michael R. Esser Assistant Inspector General for Audits www.opm.gov www.usajobs.gov UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Office of the Inspector General Executive Summary U.S. OFFICE OF PERSONNEL MANAGEMENT ------------------------------------------------------------- FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2011 -------------------------------- WASHINGTON, D.C. Report No. 4A-CI-00-11-009 Date: November 9, 2011 This audit report documents the Office of Personnel Management’s (OPM’s) continued efforts to manage and secure its information resources. We have significant ongoing concerns regarding the overall quality of the information security program at OPM. In fiscal year (FY) 2007 and FY 2008, we reported a material weakness in controls over the development and maintenance of OPM’s information technology (IT) security policies. In FY 2009, we issued a Flash Audit Alert to OPM’s Director highlighting our concerns with the agency’s IT security program. We also expanded the material weakness related to IT security policies to include concerns with the agency’s overall information security governance and its information security management structure. This material weakness was rolled forward through FY 2010. In FY 2011, OPM’s Office of the Chief Information Officer (OCIO) made progress in updating its IT security and privacy policies, procedures, and guidance. However, the OCIO continues to operate with a decentralized IT security structure and does not have the authority or the resources available to adequately implement the new policies. We continue to believe that information security governance represents a material weakness in OPM’s IT security program. i www.opm.gov www.usajobs.gov In FY 2010, we added a second material weakness related to the management of the Certification and Accreditation (C&A) process. We reported that there were, in our opinion, three root causes of OPM’s C&A issues: insufficient staffing in the IT Security and Privacy Group, a lack of policy and procedures, and the decentralized DSO model in place at OPM. In FY 2011, the OCIO improved the policy deficiencies by publishing updated procedures and templates designed to improve the overall C&A process (now referred to as Security Assessment and Authorization or Authorization process) and dedicating resources to facilitating the Authorization process. We observed an improvement in the Authorization packages completed under this new process, and believe that this improvement warrants reducing the material weakness related to C&As to a significant deficiency. Although no longer a material weakness, the Authorization process continues to be hindered by limited OCIO staffing resources and the decentralized DSO model. In addition to the material weaknesses described above, we noted the following controls in place and opportunities for improvement: • The OCIO has implemented risk management procedures at a system-specific level, but has not developed an agency-wide risk management methodology. • The IT security controls were adequately tested for only 36 of 48 information systems in OPM’s inventory. • The OCIO has implemented an agency-wide information system configuration management policy and has established configuration baselines for all operating platforms used by the agency. • The OCIO routinely conducts vulnerability scans of production servers, but does not have a formal process for tracking the status of weaknesses identified through the scanning. • The OCIO has developed thorough incident response and reporting capabilities. • The OCIO has implemented a process to provide annual IT security and privacy awareness training to all OPM employees and contractors. However, controls related to providing specialized security training to individuals with information security responsibility could be improved. • Plans of Action and Milestones are appropriately managed for all information systems in OPM’s inventory. The OCIO has the capability to use two-factor authentication for remote access, but this control was not enforced for all users in FY 2011. • We found that several OPM employees maintained network access after their termination date, and several users had multiple accounts. • The OCIO has taken steps toward implementing a continuous monitoring program at OPM; however, this project remains a work in progress. • The OCIO developed a catalog of information security controls that are shared (“common”) with all of the agency’s applications. However, the current version of the catalog is incomplete, as it does not account for the large number of technical controls that are common to applications residing on one of OPM’s several general support systems. As a result, the ii owner of each application residing on a support system must independently test the same controls. • The contingency plans were adequately tested for only 40 of 48 information systems in OPM’s inventory. • We noticed inconsistency in the quality of contingency plan testing documentation produced for various OPM systems. In September 2011, the OCIO issued detailed guidance to program offices on how to conduct a contingency plan test and create an after action report. As part of the FY 2012 FISMA audit, we will test the impact that this new guidance has on the quality of system level contingency plan tests. • Contingency plan/disaster recovery tests are not coordinated between OPM’s various general support systems. • OPM program offices appeared to provide an adequate level of oversight to contractor- operated systems. However, the techniques and quality of this oversight was inconsistent between program offices. • OPM maintains an adequate security capital planning and investment program for information security. iii Contents Page Executive Summary .................................................................................................................... i Introduction ................................................................................................................................ 1 Background ................................................................................................................................ 1 Objectives ................................................................................................................................... 1 Scope and Methodology ............................................................................................................. 2 Compliance with Laws and Regulations .................................................................................... 3 Results ........................................................................................................................................ 4 I. Information Security Governance .................................................................................... 4 II. Security Assessment and Authorization .......................................................................... 7 III. Risk Management ............................................................................................................ 9 IV. Configuration Management ........................................................................................... 12 V. Incident Response and Reporting .................................................................................. 14 VI. Security Training ........................................................................................................... 15 VII. Plan of Action and Milestones ....................................................................................... 16 VIII. Remote Access Management ......................................................................................... 17 IX. Identity and Access Management .................................................................................. 18 X. Continuous Monitoring Management ............................................................................ 20 XI. Contingency Planning .................................................................................................... 21 XII. Contractor Systems ........................................................................................................ 23 XIII. Security Capital Planning .............................................................................................. 24 XIV. Follow-up of Prior OIG Audit Recommendations......................................................... 24 Major Contributors to this Report ............................................................................................ 30 Appendix I: Status of Prior OIG Audit Recommendations Appendix II: Office of the Chief Information Officer’s October 21, 2011 response to the draft audit report, issued October 3, 2011. Appendix III: FY 2011 Inspector General FISMA reporting metrics. Introduction On December 17, 2002, the President signed into law the E-Government Act (Public Law 107- 347), which includes Title III, the Federal Information Security Management Act (FISMA). FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we conducted an evaluation of OPM’s security program and practices. As part of our evaluation, we reviewed OPM’s FISMA compliance strategy and documented the status of its compliance efforts. Background FISMA requirements pertain to all information systems supporting the operations and assets of an agency, including those systems currently in place or planned. The requirements also pertain to information technology (IT) resources owned and/or operated by a contractor supporting agency systems. FISMA reemphasizes the Chief Information Officer’s strategic, agency-wide security responsibility. At OPM, security responsibility is assigned to the agency’s Office of the Chief Information Officer (OCIO). FISMA also clearly places responsibility on each agency program office to develop, implement, and maintain a security program that assesses risk and provides adequate security for the operations and assets of programs and systems under its control. To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the Department of Homeland Security (DHS) National Cyber Security Division issued the fiscal year (FY) 2011 Inspector General FISMA Reporting Instructions. This document provides a consistent form and format for agencies to report to DHS. It identifies a series of reporting topics that relate to specific agency responsibilities outlined in FISMA. Our audit and reporting strategies were designed in accordance with the above DHS guidance. Objectives Our overall objective was to evaluate OPM’s security program and practices, as required by FISMA. Specifically, we reviewed the status of the following areas of OPM’s IT security program in accordance with DHS’s FISMA IG reporting requirements: • Risk Management; • Security Configuration Management; • Incident Response and Reporting Program; • Security Training Program; • Plans of Action and Milestones (POA&M) Program; • Remote Access Program; • Identity and Access Management; • Continuous Monitoring Program; • Contingency Planning Program; 1 • Agency Program to Oversee Contractor Systems; and, • Agency Security Capital Planning Program. In addition, we evaluated the status of OPM’s IT security governance structure and its Security Assessment and Authorization process. These two areas represented material weaknesses in OPM’s IT security program in prior FISMA audits. We also evaluated the security controls of four major applications/systems at OPM (see Scope and Methodology for details of these audits). We also followed-up on outstanding recommendations from prior FISMA audits (see Appendix I). Scope and Methodology We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit covered OPM’s FISMA compliance efforts throughout FY 2011. We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s guidance and the corresponding reporting instructions. We also evaluated the security controls for the following major applications: • Enterprise Server Infrastructure General Support System (OIG Report No. 4A-CI-00-11- 016); • Consolidated Business Information System (OIG Report No. 4A-CF-00-11-015); • Presidential Management Fellows System (OIG Report No. 4A-HR-00-11-017); and, • Center for Talent Services General Support System (OIG Report No. 4A-CI-00-11-043). We considered the internal control structure for various OPM systems in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. Accordingly, we obtained an understanding of the internal controls for these various systems through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of these systems’ internal controls was used to evaluate the degree to which the appropriate internal controls were designed and implemented. As appropriate, we conducted compliance tests using judgmental sampling to determine the extent to which established controls and procedures are functioning as required. In conducting our audit, we relied to varying degrees on computer-generated data provided by OPM. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, we believe that the data was sufficient to achieve the audit objectives, and nothing came to our attention during our audit testing to cause us to doubt its reliability. 2 Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the set of internal controls for these various systems taken as a whole. The criteria used in conducting this audit include: • DHS National Cyber Security Division FY 2011 Inspector General Federal Information Security Management Act Reporting Instructions; • OPM Information Technology Security and Privacy Policy Handbook; • OPM Information Technology Security FISMA Procedures; • OPM Security Assessment and Authorization Guide; • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources; • OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; • OMB Memorandum M-06-16, Protection of Sensitive Agency Information; • OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies; • E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002; • National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security; • NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems; • NIST SP 800-30, Risk Management Guide for Information Technology Systems; • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems; • NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems; • NIST SP 800-39, Managing Information Security Risk; • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems; • NIST SP 800-60 Version 2.0 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories; • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and, • Other criteria as appropriate. The audit was performed by the OIG at OPM, as established by the Inspector General Act of 1978, as amended. Our audit was conducted from May through September 2011 in OPM’s Washington, D.C. office. Compliance with Laws and Regulations In conducting the audit, we performed tests to determine whether OPM’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, OPM’s OCIO and other program offices were not in complete compliance with all standards, as described in the “Results” section of this report. 3 Results The sections below detail the results of our FY 2011 FISMA audit of OPM’s IT Security Program. Several recommendations were issued in FY 2010 and are rolled forward from OIG report no. 4A-CI-00-10-019, “Federal Information Security Management Act Audit – FY 2010.” I. Information Security Governance Over the past fiscal year OPM’s OCIO has made progress in updating its IT security and privacy policies, procedures, and guidance. However, the existence of policies alone cannot improve the agency’s IT security program. The OCIO continues to operate with a decentralized IT security structure and does not have the resources available to adequately implement the new policies. We continue to believe that information security governance represents a material weakness in OPM’s IT security program. The sections below outline the OIG’s review of IT security governance at OPM. a) IT Security Policies and Procedures OPM’s failure to adequately update its IT security and privacy policies and procedures was highlighted in the past five annual OIG FISMA audit reports, and was identified as a material weakness in the agency’s IT security program in the past four FISMA audit reports. In FY 2011, the OCIO created and published several new documents that provide a policy framework for OPM’s IT security program, including: • Information Security and Privacy Policy Handbook (March 2011); • Information Technology Security FISMA Procedures (May 2011); and, • OPM Security Assessment and Authorization Guide (April 2011). These three documents address many of the policies and procedures that we had identified as missing or inadequate in prior FISMA audits. However, the creation of policies and procedures alone does not improve an IT security program. They must be fully adopted by the target audience, in this case the Designated Security Officer (DSO) community. Given the decentralized structure of OPM’s IT security program, it is questionable whether the DSOs have the skills and resources necessary to implement the new policies and procedures. The quantity of IT security deficiencies outlined in this audit report indicate that, despite the existence of policies, limited improvement has been made in the overall security program to date. It remains to be seen whether the new policy and procedure framework will lead to notable improvements in the future. While the majority of missing policies and procedures have now been created, we identified several specific areas where OPM continues to lack adequate IT policies, procedures, or guidance, including: 4 • Policy and procedures related to oversight of systems operated by a contractor; • Policy on agency-wide risk management (see Recommendation 5); • Policy related to roles and responsibilities for the Independent Verification and Validation (IV&V) process and procedures for managing an IV&V; and, • Policy or guidance for identifying and continuously monitoring high risk security controls. Recommendation 1 We recommend that the OCIO develop policies to address oversight of contractor systems, agency-wide risk management, IV&V, and continuous monitoring of high risk security controls. OCIO Response: “The CIO partially concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation. The policies in the IT Security Handbook dated March 31, 2011 apply to all OPM systems including those at contractor facilities and therefore a new policy for oversight of contractor systems is not necessary. The CIO believes that new policies for IV&V and continuous monitoring of high risk security controls should be developed and would be beneficial to the OPM security program.” OIG Reply: Although OPM’s IT Security Handbook may apply to contractors, we determined that the techniques and quality of oversight provided to contractor systems was inconsistent between program offices. This inconsistency is the result of OPM not having an agency-wide policy providing program offices guidance on overseeing the activities of contractors operating OPM systems. We continue to recommend that the OCIO develop policies to address oversight of contractor systems, IV&V, and continuous monitoring of high risk security controls. b) Information Security Management Structure The FY 2010 FISMA report highlighted the fact that OPM had operated without a permanent Senior Agency Information Security Officer (SAISO) for over 18 months and that the SAISO’s Information Technology Security and Privacy Group (ITSPG) did not have the resources necessary to adequately manage OPM’s IT security program. The OCIO had a permanent SAISO throughout FY 2011 and also hired several new employees and contractors to work in the ITSPG. However, the quantity and variety of audit recommendations throughout this report indicates that the OCIO continues to lack the resources necessary to remediate long standing IT security weaknesses and fully implement the recently developed policies and procedures. In addition, 18 audit recommendations from FY 2010 were not adequately addressed in FY 2011. We believe that a major factor contributing to these problems is the OCIO’s lack of direct 5 authority over the DSO community tasked with managing the security of OPM’s major information systems. OPM chose to implement a decentralized model in which the DSOs are typically appointed by and report to the program offices that own major computer systems. Very few of the DSOs have any background in information security, and most are only managing their security responsibilities as a collateral duty to their primary job function. The OCIO continues to provide guidance to the DSO community through monthly Information Technology Security Working Group (ITSWG) meetings. However, these meetings provide limited benefit because 1) the OCIO has no authority over the DSOs and cannot mandate their attendance at the ITSWG meetings, and 2) not all DSOs have the technological skills or the resources required to implement the security concepts discussed at these meetings. Several sections of this report exemplify the impact of the OCIO’s lack of authority over DSOs, including: • The IT security controls of only 36 of 48 systems in OPM’s inventory were adequately tested in FY 2011 by the program offices owning the system (see section III, below). • The contingency plans were adequately tested for only 40 of 48 systems in OPM’s inventory (see section XI, below). Of the contingency plans that were tested, the quality varied greatly between tests conducted by various program offices. • Only 75% of personnel that the OCIO identified as having significant IT security responsibility received adequate training in FY 2011 (see section VI, below). IT security is a shared responsibility between the OCIO and program offices. The OCIO is responsible for overall information security governance while program offices are responsible for the security of the systems that they own. There is a balance that must be maintained between a consolidated and a distributed approach to managing IT security. It is still our opinion that OPM’s approach is too decentralized. OPM program offices should continue to be responsible for maintaining security of the systems that they own, but the DSO responsibility for documenting, testing, and monitoring system security should be centralized within the OCIO. Recommendation 2 (Rolled-Forward from 2010) We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the SAISO. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the SAISO should consist of experienced information security professionals. 6 OCIO Response: “The CIO concurs with this recommendation and offers the following remarks. The CIO’s budget does not contain funding to replace the Designated Security Officers with information security professionals. One possible suggestion is to require OPM program offices to provide funding for the CIO to hire information security professionals.” OIG Reply: We acknowledge the fact that the OCIO does not currently have funding to hire enough security professionals to manage all of OPM’s information systems. Migrating OPM to a more centralized IT security function will require the cooperation of the program offices that own the agency’s major applications. The OCIO should seek the assistance of the OPM Director in negotiating with program offices to transfer responsibility of some security functions to a centralized group reporting to the CIO. Although this initiative will take an extended amount of time, the OCIO should begin working with the owners of applications it determines to be high risk, such as financial systems and applications containing large amounts of sensitive data. II. Security Assessment and Authorization (formerly Certification and Accreditation) System certification is a comprehensive assessment that attests that a system’s security controls are meeting the security requirements of that system, and accreditation is the official management decision to authorize operation of an information system and accept its risks. OPM’s process of certifying a system’s security controls was formerly referred to as Certification and Accreditation (C&A), and is now referred to as Security Assessment and Authorization (Authorization). Our FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM’s C&A process were a significant deficiency in the internal control structure of the agency’s IT security program. The weaknesses cited related to inadequate management of the process and incomplete, inconsistent, and poor quality C&A products. In FY 2010, these longstanding conditions continued to degrade, and as a result, they were reported as a material weakness in OPM’s IT security program. We reported that there were, in our opinion, three root causes of OPM’s C&A issues: insufficient staffing in the IT Security and Privacy Group, a lack of policy and procedures, and the decentralized DSO model in place at OPM. In FY 2011, the OCIO improved the policy deficiencies by publishing updated procedures and templates designed to improve the overall Authorization process and dedicating resources to facilitating Authorizations. We observed an improvement in the Authorization packages completed under this new process, and believe that this improvement warrants reducing the material weakness related to C&As to a significant 7 deficiency. Although no longer a material weakness, the Authorization process continues to be hindered by limited OCIO staffing resources and the decentralized DSO model (see section I, above). The sections below provide a detailed evaluation of OPM’s Authorization process. a) Security Assessment and Authorization policy In January 2011, the OCIO published a Security Assessment and Authorization Guide and several other procedures and templates that provide guidance to program offices certifying the security controls of each system. The OCIO has created and published guidance for completing the following elements of an Authorization: • Information System Security Plan; • FIPS 199 Security Categorization; • Security Assessment Plan; • Contingency Plan; • Risk Assessment; • System Registration; • E-Authentication Assessment; • System Security Plan; and, • Interconnection Security Agreement. We believe that the Security Assessment and Authorization Guide provides adequate guidance for certifying the security controls of information systems. b) Quality and consistency of Authorization packages The OIG reviewed the full Authorization packages of five systems that were subject to an Authorization after the OCIO issued the updated Security Assessment and Authorization Guide. The quality of all five packages appeared to be an improvement over security certifications completed under the former C&A process. However, as noted with C&A packages completed in the last several years, we continued to observe a wide range in quality between Authorization packages completed by various program offices (the specific problems and inconsistencies were provided to the OCIO but will not be detailed in this report). The development of an Authorization package is the responsibility of the OPM program office that owns the system. Each program office assigns a DSO to manage the security of its systems. The decentralized nature of the DSO community at OPM means that individuals with varying skill sets are tasked with Authorization related responsibilities often as a collateral duty in addition to their normal job function. The existence of Authorization policies and procedures cannot be fully leveraged unless the individuals implementing them are consistently trained and dedicated to this function. 8 Recommendation 3 We recommend that the OCIO work with program offices to correct the specific errors that the OIG identified in the Authorization packages reviewed in FY 2011. OCIO Response: “The CIO Concurs with this recommendation and will take corrective action.” c) OCIO Management of the Authorization process The OCIO is responsible for assisting program offices in the development of Authorization packages for their systems. OPM’s Security Assessment and Authorization Guide also mandates OCIO involvement in all stages of the Authorization process for quality and completeness before recommending the system for authorization. In FY 2011, two full time resources were hired to review Authorization packages along with other IT security responsibilities. The most notable improvement made to the Authorization process was the implementation of three “decision points” at various steps of the Authorization process. At each decision point, representatives from the OCIO must review the work that has been completed and formally approve continuation of the Authorization process. While we recognize the progress the OCIO has made in managing the Authorization process, we believe that there is still room for improvement. With additional resources dedicated to the review of Authorization packages, the inconsistencies referenced above could have been detected before the Authorization process was complete. Recommendation 4 (Rolled-Forward from 2010) We recommend that the OCIO assign additional resources to facilitate the Authorization process to ensure the consistency and quality of Authorization packages developed by OPM program offices. OCIO Response: “The CIO concurs with this recommendation and believes that additional security resources could improve the security authorization process. However, funding is not allocated in the CIO budget to hire additional resources.” III. Risk Management NIST SP 800-37 Revision 1 “Guide for Applying the Risk Management Framework to Federal Information Systems” provides federal agencies with a framework for implementing an agency-wide risk management methodology. The Guide suggests that risk be assessed in relation to the agency’s goals and mission from a three tiered approach: Tier 1: Organization (Governance); Tier 2: Mission/Business Process (Information and Information Flows); and Tier 3: Information System (Environment of Operation). NIST SP 800-39 “Managing Information Security Risk – Organization, 9 Mission, and Information System View” provides additional details of this three-tiered approach. a) Agency-wide risk management NIST SP 800-39 states that agencies should establish and implement “Governance structures [that] provide oversight for the risk management activities conducted by organizations and include: (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and (iii) the development and execution of organization-wide investment strategies for information resources and information security.” OPM’s decentralized approach to IT security increases the need for an agency-wide risk management methodology, as the agency’s mission is supported by multiple information systems owned by various program offices. Although the OCIO has made improvements in assessing risk at the individual system level (see Security Assessment and Authorization section II, above), the OCIO does not currently have a formal methodology for managing risk at an organization-wide level. In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. However, the 12 primary functions of the Risk Executive Function as explained in NIST SP 800-39 section 2.3.2, Risk Executive Function, are not all fully implemented. Recommendation 5 We recommend that the OCIO develop policies and procedures related to managing risk from an agency-wide perspective. OCIO Response: “The CIO does not concur with this recommendation and believes that adequate policies and procedures are in place to manage risk from an agency-wide perspective as documented in sections 3.1.9 and 3.1.7 of the IT Security Handbook dated March 31, 2011.” OIG Reply: The majority of the text in sections 3.1.7 and 3.1.9 of the IT Security Handbook is copied verbatim from NIST SP 800-53 Rev 3, and the handbook contains no guidance on agency-wide risk management specific to OPM. Among the limited original text in these sections of the Handbook is the statement “OPM shall: Develop a comprehensive strategy to manage risk to OPM operations and assets. . . .” However, the OIG has received no evidence that OPM has developed a risk management strategy or the associated policies and procedures. 10 We continue to recommend that the OCIO develop policies and procedures related to managing risk from an agency-wide perspective. Recommendation 6 We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function). OCIO Response: “The CIO concurs with this recommendation and will take the necessary corrective action.” b) System specific risk management NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that contains six primary steps, including (i) the categorization of information and information systems; (ii) the selection of security controls; (iii) the implementation of security controls; (iv) the assessment of security control effectiveness; (v) the authorization of the information system; and, (vi) the ongoing monitoring of security controls and the security state of the information system.” The OCIO has implemented the six step RMF into its system-specific risk management activities through the new Authorization process; see section II above for a description of OPM’s Authorization methodology. c) System security control testing Although a full Authorization package is required for each system every three years, the security controls of that system must be tested on an annual basis. An annual test of security controls provides a method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement. We reviewed documentation resulting from the security controls tests for each system in OPM’s inventory. Our evaluation indicated that the IT security controls had been adequately tested for only 36 of OPM’s 48 systems during FY 2011. Failure to complete a security controls test increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level. OPM’s decentralized approach to IT security places responsibility on the various program offices for testing the security controls of their systems. The OCIO’s lack of authority over these program offices has contributed to the inadequate security control testing of the agency’s information systems. 11 Recommendation 7 (Rolled-Forward from 2008) We recommend that OPM ensure that an annual test of security controls has been completed for all systems. OCIO Response: “The CIO concurs with this recommendation and offers the following clarifying remarks in order to present a more current interpretation. In FY2011 security controls testing was completed for 41 of 48 eligible systems resulting in an 85% compliance rate. In FY2012, we will continue to work with program offices to ensure that security controls are tested for all eligible systems.” OIG Reply: We disagree that 41 out of 48 eligible systems were subject to an adequate security controls test in FY 2011. The OCIO’s count of 41 includes 4 systems that were granted an extension and one system that does not have adequate support that a test was conducted. We do not believe that any extensions should be granted; every system must be subjected to a security controls test every fiscal year. IV. Configuration Management The sections below detail the controls OPM has in place regarding the technical configuration management of its major applications and user workstations. a) Agency-wide security configuration policy OPM’s OCIO has implemented an agency-wide Information Security and Privacy Policy Handbook that defines the requirements necessary to meet the fundamental security and privacy objectives of confidentiality, integrity, and availability. The handbook includes a section devoted to configuration management. The OCIO also maintains a comprehensive configuration management policy that outlines the process and procedures for maintaining a securely configured network environment. b) Standard baseline configurations The OCIO maintains standard baseline configurations and/or build sheets for all operating platforms used by OPM to support major applications, including: • Windows Server 2000; • Windows Server 2003; • Windows Server 2008; • Linux; • Oracle; and, • Microsoft SQL. 12 The OCIO uses vulnerability scanning tools to routinely scan servers to ensure compliance with configuration guides and baselines for these operating platforms. Nothing came to our attention during this review to indicate that there are weaknesses in OPM’s baseline configuration controls. c) Vulnerability Scanning The OCIO performs scans of all production servers using automated vulnerability scanning tools. Although vulnerability scanning occurs on a continuous basis, the OCIO does not have a formal process to manage weaknesses identified in the scanning reports. Daily security advisory reports are sent to OCIO managers and a weekly roll-up report is generated to summarize weekly vulnerability scanning activity. Although we verified that these reports are routinely distributed, we were unable to determine what, if any, activity is done to review and analyze the vulnerabilities identified. At a minimum we recommend implementing a vulnerability tracking methodology that includes steps to: • identify false positives in vulnerability scanning reports; • identify and document vulnerabilities that the agency “accepts” and does not intend to fix; and, • formally document and track the remaining vulnerabilities until they are remediated. Recommendation 8 We recommend that the OCIO implement a process for tracking the status of weaknesses identified through vulnerability scanning. OCIO Response: “The CIO concurs with this recommendation and will implement the necessary corrective action.” Recommendation 9 We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans. OCIO Response: “The CIO concurs with this recommendation and will implement the necessary corrective action.” d) Management of hardware inventory The OCIO currently maintains a centralized agency-wide hardware inventory. The OCIO uses several automated tools to scan the network environment to track and 13 verify hardware inventories. They also maintain an inventory of all OPM owned user workstations. Each workstation is cataloged before being placed into service. e) Federal Desktop Core/United States Government Computer Baseline Configuration OPM has developed a Windows XP standard image that is generally compliant with Federal Desktop Core Configuration (FDCC) standards and has documented nine deviations between this image and FDCC requirements. OPM has also developed and tested a United States Government Baseline Configuration compliant image for all Windows 7 workstations. These images have been installed on all OPM workstations with this operating system. V. Incident Response and Reporting OPM’s “Incident Response and Reporting Guide” outlines the responsibilities of OPM’s Computer Incident Response Team (CIRT) and documents procedures for reporting all IT security events to the appropriate entities. We evaluated the degree to which OPM is following internal procedures and FISMA requirements for reporting security incidents internally, to the United States Computer Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities. a) Identifying and reporting incidents internally OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT resources to immediately notify OPM’s Situation Room when IT security incidents occur. The agency also currently uses two distinct intrusion detection systems to monitor network traffic for abnormalities. In addition, OPM reiterates the information provided in the Incident Response and Reporting Guide in the annual IT security and privacy awareness training. b) Reporting incidents to US-CERT OPM’s Incident Response and Reporting policy states that OPM's CIRT is responsible for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT within one hour of a reportable security incident occurrence. c) Reporting incidents to law enforcement The Incident Response and Reporting policy states that security incidents should also be reported to law enforcement authorities, where appropriate. OPM notifies the OIG’s Office of Investigations of security incidents with a monthly report outlining all incidents where sensitive data was lost. 14 VI. Security Training All OPM employees are required to take IT security awareness training on an annual basis. In addition, employees with IT security responsibility are required to take additional specialized training. a) IT security awareness training The OCIO provides annual IT security and privacy awareness training to all OPM employees through an interactive web-based course. The course introduces employees and contractors to the basic concepts of IT security and privacy, including topics such as the importance of information security, security threats and vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software, and the roles and responsibilities of users. Over 99 percent of OPM’s employees and contractors completed the security awareness training course in FY 2011. b) Specialized IT security training Agency employees with significant information security responsibilities are required to take specialized security training in addition to the annual awareness training. The OCIO has developed a table outlining the security training requirements for specific job roles by groups. The OCIO uses a spreadsheet to track the security training taken by employees that have been identified as having security responsibility. Of those identified, only 75 percent have completed at least one hour of specialized security training in FY 2011. Recommendation 10 (Rolled-Forward from 2010) We continue to recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis. OCIO Response: “The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we redesigned the OPM specialized security training program as part of our risk management strategy and to improve accuracy. We achieved a success rate of 75% and for the first time identified and required Executives and senior staff serving as Authorizing Officials and System Owners to complete the required training.” 15 VII. Plan of Action and Milestones A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. In FY 2010, the OCIO developed a POA&M Guide that provides a template and instructions for system owners to use in managing known IT security weaknesses. The sections below detail OPM’s effectiveness in using POA&Ms to track the agency’s security weaknesses. a) POA&Ms incorporate all known IT security weaknesses In October 2010, we issued the FY 2010 FISMA audit report with 41 audit recommendations. We verified that all 41 of the recommendations were appropriately incorporated into the OCIO POA&M. We reviewed 14 system POA&Ms submitted to the OCIO in FY 2011 to determine if all known IT security weaknesses identified in the annual security controls tests were incorporated into the quarterly POA&Ms. Nothing came to our attention to indicate that program offices were not incorporating all known IT security weaknesses into system POA&Ms. b) Management of POA&Ms by program offices OPM program offices are responsible for developing, implementing, and managing POA&Ms for each system that they own and operate. We were provided evidence that up-to-date POA&Ms were submitted to the OCIO on a quarterly basis for all 48 OPM systems. c) Remediation plans for correcting security weaknesses When a POA&M item is remediated, OPM program offices are required to submit a work completion plan (WCP) along with evidence that the deficiency was corrected to the OCIO for review. We reviewed WCPs for eight systems and found that the program offices provided sufficient evidence that the weaknesses were corrected. The 8 systems were selected from the 48 OPM systems and were judgmentally chosen by OIG auditors. The results of the sample test were not projected to the entire population. d) Compliance with estimated dates for remediation The POA&Ms for 10 OPM systems contain security weaknesses with remediation activities over 120 days overdue. In the 3rd quarter of 2011, OPM systems had a total of 36 POA&M items over 120 days overdue, an improvement from the 58 overdue items during the same time period in FY 2010. Program offices are responsible for dedicating adequate resources to addressing POA&M weaknesses and meeting target objectives. In FY 2011, the OCIO provided 16 improved guidance to ensure that program offices assign reasonable POA&M due dates and stay on track to meet those dates. e) POA&M process prioritizes IT security weaknesses Each program office at OPM is required to prioritize IT security weaknesses on their POA&Ms to help ensure significant IT security weaknesses are addressed in a timely manner. The POA&Ms for all systems in OPM’s inventory adequately prioritized security weaknesses. VIII. Remote Access Management The OIG evaluated OPM’s remote access and telecommuting policies and procedures and its progress in implementing the requirements of NIST SP 800-46 Revision 1, “Guide to Enterprise Telework and Remote Access Security.” In FY 2011, the OCIO developed an updated remote access policy. The new policy contains all of the critical elements required by the NIST guide. We also evaluated OPM’s progress in enforcing two-factor authentication for remote users. a) Authentication requirements OPM utilizes a Virtual Private Network (VPN) client to provide remote users with secure access to the agency’s network environment. The VPN requires users to uniquely identify and authenticate themselves, and the OCIO maintains logs of individuals who remotely access the network. The logs are reviewed on a monthly basis for unusual activity or trends. In FY 2009, OPM required two-factor authentication for remote access in the form of RSA token devices in combination with a password. However, the agency stopped enforcing two-factor authentication in FY 2010 and users were able to authenticate with only a password. In FY 2011, the OCIO implemented the capability of using Personal Identity Verification (PIV) cards along with a password for two-factor authentication. However, there is still a subset of users who can access the network remotely using only a static password. Recommendation 11 (Rolled-Forward from 2010) We recommend that CIO enforce two-factor authentication with PIV cards for all remote access to its network environment. OCIO Response: “The CIO concurs with this recommendation and offers the following clarification remarks. The OPM network is now configured for two factor authentication with PIV cards and most remote users are using PIV cards for authentication. In 17 FY2012, we will continue to work on having the remaining users who are not using PIV cards for authentication to comply with this requirement.” IX. Identity and Access Management The sections below detail OPM’s account and identity management program. a) Account management OPM maintains policies related to management of user accounts for its local area network (LAN) and its mainframe environments. Both policies contain procedures for creating user accounts with the appropriate level of access as well as procedures for removing access for terminated employees. The OIG compared a list of recently terminated OPM employees to a list of active LAN and mainframe users. We found that 17 employees maintained LAN access after their termination date, and 7 users had multiple accounts. We found no issues of mainframe users maintaining access after their termination. OPM’s human resources department is responsible for creating and distributing a weekly list of terminated employees. This list is e-mailed directly to the mainframe team. However, nobody from the LAN team is copied on the distribution. We were not informed of any audits/reviews conducted on user accounts by the LAN team. However, any audit activity is not sufficient as evidenced by the account violations detected during our review. Failure to promptly remove LAN access for terminated employees increases the risk that individuals could gain unauthorized access to sensitive data stored on OPM’s network environment. Recommendation 12 We recommend that all LAN accounts assigned to terminated employees be disabled. OCIO Response: “The CIO concurs with this recommendation and offers the following clarification. Currently, LAN accounts assigned to terminated employees are disabled once the information is provided to the Help Desk. However, there are occasions when the help desk does not always receive timely notification of terminated employees.” Recommendation 13 We recommend that all unnecessary duplicate user accounts be disabled. OCIO Response: “The CIO concurs with this recommendation and will take the necessary corrective action.” 18 Recommendation 14 We recommend that the human resources employee termination list be distributed to all information system owners. OCIO Response: “There is concurrence with this recommendation. [OPM Human Resources (OPMHR)] has no objection in principle to supplying the separation list that is currently distributed to some system owners to all system owners as identified by the CIO; however, a quick review of the list shows some significant ownership issues. 1. OPMHR will review the ownership list in its’ entirety and reserves the right to make adjustments either based on its’ personal knowledge of the system and its’ ownership or after consultation with the listed owner. 2. There are multiple versions of the separation report. Due to the additional number of recipients, OPMHR will work with the system owners to develop a generic report to minimize the workload impact.” OIG Reply: We acknowledge the fact that OPMHR agrees to provide the termination list. In order to fully address this recommendation, the OCIO must provide OPMHR with a list of appropriate recipients. Recommendation 15 We recommend that the OCIO implement a process to routinely audit all active user accounts to search for terminated employees or duplicate accounts. OCIO Response: “The CIO concurs with this recommendation and will take the necessary corrective action.” b) Unauthenticated network devices The OCIO maintains an inventory of user workstations and servers connected to the OPM network environment. In FY 2010, the OCIO tested an automated tool that would scan the network for rogue devices not associated with authenticated users. The OCIO stated that “An automated process to detect unauthenticated network devices has been procured and is expected to be in place and operational in the third quarter FY 2011.” However, this control has not yet been implemented. Recommendation 16 (Rolled-Forward from 2010) We recommend that the OCIO implement an automated process to detect unauthenticated network devices. 19 OCIO Response: “The CIO concurs with this recommendation and will take the necessary corrective action.” X. Continuous Monitoring Management The following sections detail OPM’s controls related to continuous monitoring of the security state of its information systems. a) Continuous monitoring policy and procedures OPM’s Information Security and Privacy Policy Handbook states that the security controls of all systems must be continuously monitored and assessed annually to ensure continued effectiveness. In FY 2011, the OCIO developed a Continuous Monitoring Working Group tasked with implementing a continuous monitoring program at the agency. The working group has developed a Concept of Operations (CONOPS) document that outlines the framework for the planned continuous monitoring program. Although the creation of the working group and the CONOPS indicates that the OCIO has taken steps toward implementing a continuous monitoring program at OPM, this project remains a work in progress. Recommendation 17 (Rolled-Forward from 2010) We recommend OPM develop a Continuous Monitoring Policy that outlines a strategy for identifying information security controls that need continuous monitoring as well as procedures for conducting the tests. OCIO Response: “The CIO concurs with this recommendation and work is already underway to develop an OPM Continuous Monitoring program which will include policies and procedures.” b) Common security controls In FY 2011, the OCIO developed a catalog of information security controls that are shared (“common”) with all of the agency’s applications. Common security controls do not need to be tested for individual applications “inheriting” these controls, as they have already been certified at an agency-wide level. The existence of the common controls catalog saves time and resources by eliminating the need for these controls to be tested multiple times by each application that inherits them. The current common controls catalog indicates that approximately 25% of the security controls outlined in NIST SP 800-53 Revision 3, “Recommended Security 20 Controls for Federal Information Systems,” are common to all agency applications. However, the vast majority of these common controls are related to policy or program management. The current version of the catalog is incomplete, as it does not account for the large number of technical controls that are common to applications residing on one of OPM’s several general support systems. The OCIO indicated that it intends to update the catalog with additional common controls. Recommendation 18 (Rolled-Forward from 2010) We recommend that OPM create a comprehensive list of common security controls and distribute this information to OPM program offices responsible for testing individual applications. OCIO Response: “The CIO does not concur with this recommendation and offers the following clarifying remarks. In FY2011, over 50 common controls were identified by the CISO and independently tested by the Bureau of Public Debt [BPD]. These common security controls were published August 2011 on THEO and is available to all OPM program offices. In FY2012, we will identify and independently test additional security controls that are candidates for common control status.” OIG Reply: The majority of controls contained within OPM’s catalog are related to policies and procedures. We continue to assert that the current version of the catalog is incomplete, as it does not account for the large number of technical controls that are common to applications residing on one of OPM’s several general support systems. The current OPM common controls catalog adds minimal value to the main objective of a comprehensive catalog: saving time and resources by eliminating the need for these controls to be tested multiple times by each application that inherits them. We continue to recommend that OPM create a comprehensive list of common security controls and distribute this information to OPM program offices responsible for testing individual applications. We will consider this recommendation to be implemented when the common controls catalog contains the technical controls provided by OPM general support systems. XI. Contingency Planning OPM’s Information Security Privacy and Policy Handbook requires a contingency plan to be in place for each federal information system. We verified that contingency plans exist for all 48 production systems on OPM’s master system inventory. In prior OIG FISMA audits, we noted that the quality and consistency of contingency plans varied greatly between OPM’s various systems. As a result, the OCIO developed a contingency plan template that all system owners are now required to use. The new template closely follows the guidance of NIST SP 800-34, Contingency Planning Guide 21 for Information Technology Systems. Use of the new template is required for all systems that start the security authorization process after January 2011. As of August 2011, only six systems have conducted an authorization using the new guidance. The quality and consistency of the contingency plans appears to be improving with the use of the new template. a) Testing contingency plans of individual OPM systems OPM’s Information Security Privacy and Policy Handbook requires that “The contingency plan for the information system is tested and/or exercised at least annually using OPM defined and information system specific tests and exercises. . . .” We received evidence that contingency plans were tested for only 40 of 48 systems in FY 2011. Of the contingency plan tests we did receive, we continue to notice inconsistency in the quality of the documentation produced for various OPM systems. One of the main areas of inconsistency relates to the contingency plan test after action report. NIST SP 800-34 states that following a contingency plan test, “results and lessons learned should be documented and reviewed by test participants and other personnel as appropriate. Information collected during the test and post-test reviews that improve plan effectiveness should be incorporated into the contingency plan.” Several after action reports we reviewed did not include summarized results or lessons learned. Without a thoroughly documented after action report, system owners will not know how to improve the contingency plan in order to be better prepared for a disruptive event. These inconsistencies were the result of the program offices not having adequate guidance for conducting contingency plan tests at the time the tests were completed. The OCIO recently issued detailed guidance to program offices on how to conduct a contingency plan test and create an after action report. As part of the FY 2012 FISMA audit, we will test the impact that this new guidance has on the quality of system level contingency plan tests. Recommendation 19 (Rolled-Forward from 2008) We recommend that OPM’s program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 8 systems that were not subject to adequate testing in FY 2011. OCIO Response: “The CIO concurs with this recommendation.” b) Agency-wide coordination of contingency plan testing Many OPM systems reside on one of the agency’s general support systems. While the contingency plans for these general support systems are tested on an individual basis, there is no coordinated contingency plan or disaster recovery test. A 22 coordinated test is critical because there are several applications that have elements or modules spread across multiple general support systems. Without some form of centralized approach to contingency plan testing there is a risk that OPM systems will not be successfully recovered in the event of a disaster. The agency has also not completed an agency-wide business impact analysis (BIA). OPM’s Security Assessment and Authorization Guide states that “In order to properly develop a [Contingency Plan], a Business Impact Analysis must first be conducted. The BIA provides the necessary risk determinations to develop the system contingency plan.” OPM is in the process of creating an agency-wide BIA, but this was not completed in FY 2011. Without a BIA, the agency cannot adequately prioritize the recovery of agency systems to facilitate a successful disaster recovery process. Recommendation 20 We recommend that the OCIO conduct an agency-wide Business Impact Analysis. OCIO Response: “The CIO concurs with this recommendation and will take the necessary corrective action.” Recommendation 21 We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing. OCIO Response: “The CIO concurs with this recommendation but seeks clarifying information from the OIG on this recommendation.” OIG Reply: We will provide the OCIO additional information on this recommendation, but the details will not be contained within this audit report. XII. Contractor Systems OPM’s master system inventory indicates that 16 of the agency’s 48 major applications are operated by a contractor. We evaluated the methods that various program offices use to maintain oversight of their systems run by contractors. In response to a FY 2010 FISMA audit recommendation regarding oversight of contractor-operated systems, the OCIO created a Site Survey Assessment form that program offices had to complete for all contractor-operated systems. The survey asked the program office to comment on the security controls in place at the contractor facilities. The survey was a positive step in providing oversight 23 over contractor-operated systems. Although the program offices appeared to provide an adequate level of oversight to contractor-operated systems, the techniques and quality of this oversight was inconsistent between program offices. This inconsistency is the result of OPM not having an agency-wide policy related to oversight of contractor systems. Recommendation 22 We recommend that, in addition to the Site Survey Assessment Form, OPM develop a policy providing guidance on adequate oversight of contractor-operated systems. OCIO Response: “The CIO partially concurs with this recommendation and believes that existing security policy also applies to contractor systems as documented under the Federal Information Security Management Act of 2002. However, the CIO believes that additional policy clarifications would be beneficial to improving security for OPM contractor systems and will update policy accordingly.” OIG Reply: Although OPM’s IT Security Handbook may apply to contractors, we determined that the techniques and quality of oversight provided to contractor systems was inconsistent between program offices. This inconsistency is the result of OPM not having an agency- wide policy providing program offices guidance on overseeing the activities of contractors operating OPM systems. We continue to recommend that the OCIO develop policies to address oversight of contractor systems. XIII. Security Capital Planning NIST SP 800-53 section SA-2, Allocation of Resources, states that an organization needs to determine, document, and allocate the resources required to protect information systems as part of its capital planning and investment control process. OPM’s Information Security and Privacy Policy Handbook contains policies and procedures to ensure that information security is addressed in the capital planning and investment process. The OCIO uses Exhibit 53B to record information security resources allocation and submits this information annually to OMB. Nothing came to our attention to indicate that OPM does not maintain an adequate capital planning and investment program for information security. XIV. Follow-up of Prior OIG Audit Recommendations All audit recommendations issued prior to 2010 were rolled forward into one of the recommendations in the FY 2010 OIG FISMA audit report (Report 4A-CI-00-10-019). FY 2010 recommendations that were not remediated by the end of FY 2011 are rolled forward with a new recommendation number in this FY 2011 OIG FISMA audit report. 24 The prior sections of this report evaluate the current status of many 2010 recommendations. However, there are several recommendations that have not yet been addressed because the related topics were not part of the FY 2011 FISMA reporting instructions. These remaining recommendations are addressed in the sections below. Note - Audit recommendations issued prior to FY 2010 reference OPM’s Center for Information Services (CIS) as the program office responsible for the agency’s IT security program. After an organizational realignment, this group is now referred to as the Office of the Chief Information Officer (OCIO). Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-10-019, “Federal Information Security Management Act Audit – FY 2010” a) 4A-CI-00-10-019 Recommendation 3 We recommend that the OCIO develop and implement an active strategy to maintain up-to-date information regarding OPM’s master system inventory. FY 2011 Status The OCIO conducted an inventory survey of OPM program offices in FY 2010. However, one program office has not yet responded to the survey. This recommendation remains open and is rolled forward in FY 2011. Recommendation 23 (Rolled-Forward from 2010) We recommend that the OCIO develop and implement an active strategy to maintain up-to-date information regarding OPM’s master system inventory. OCIO Response: “The CIO does not concur with this recommendation and believes that existing methods for maintaining the OPM master systems inventory are adequate. These methods consist of requiring DSOs to provide monthly system inventory updates to the CISO and the CISO conducts an annual survey to identify systems at contractor facilities, other Federal agencies or internal to OPM.” OIG Reply: One OPM program office has not responded to the OCIO’s survey regarding information system inventory. Without full participation from OPM program offices, the OCIO’s approach of identifying information systems via surveys is not adequate. b) 4A-CI-00-10-019 Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09- 031 Recommendation 1) We recommend that CIS conduct a survey of OPM program offices (particularly the Benefits Systems Group) to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited. 25 FY 2011 Status The OCIO conducted an inventory survey of OPM program offices in FY 2010. However, one program office has not yet responded to the survey. This recommendation remains open and is rolled forward in FY 2011. Recommendation 24 (Rolled-Forward from 2009) We recommend that CIS conduct a survey of OPM program offices to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited. OCIO Response: “The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we conducted a survey of OPM program offices to identify systems that should be added to the system inventory. In FY2012, we plan to conduct another survey and identified systems will be added to the system inventory.” OIG Reply: If the OCIO does not receive full participation by OPM program offices to the 2012 survey, we recommend that they develop a new methodology for identifying information systems owned by the agency. c) 4A-CI-00-10-019 Recommendation 35 (Roll-forward from OIG Report 4A-CI-00-09- 031 Recommendation 4) We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM. FY 2011 Status The OCIO conducted an inventory survey of OPM program offices in FY 2010. We discovered that one program office did not respond to the survey. This recommendation remains open and is rolled forward in FY 2011. Recommendation 25 (Rolled-Forward from 2009) We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM. OCIO Response: “The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we conducted a survey of OPM program offices to identify systems owned by another agency and used by OPM. In FY2012, we plan to conduct another survey and identified systems will be added to the system inventory.” 26 OIG Reply: If the OCIO does not receive full participation by OPM program offices to the 2012 survey, we recommend that they develop a new methodology for identifying information systems owned by the agency. d) 4A-CI-00-10-019 Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09- 031 Recommendation 20) We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide. FY 2011 Status All agency systems have not completed a PIA using the new format. This recommendation remains open and is rolled forward in FY 2011. Recommendation 26 (Rolled-Forward from 2009) We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide. OCIO Response: “The CIO concurs with this recommendation and offers the following remarks. All PIAs with the exception of four were updated to reflect the new PIA Guide. We will take corrective action to ensure that the remaining four are updated.” e) 4A-CI-00-10-019 Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09- 031 Recommendation 21 We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to the OCIO. FY 2011 Status All agency systems have not completed a PIA using the new format and therefore cannot adequately reevaluate their current holdings of PII. This recommendation remains open and is rolled forward in FY 2011. Recommendation 27 (Rolled-Forward from 2009) We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PII, and that they submit evidence of the review to the OCIO. OCIO Response: “The CIO does not concur with this recommendation and believes that all PIAs were reviewed by system owners in FY2011.” 27 OIG Reply: Four systems do not have current PIAs; therefore all PIAs were not reviewed by system owners in FY 2011. f) 4A-CI-00-10-019 Recommendation 39 (Roll-Forward from OIG Reports 4A-CI-00- 09-031 Recommendation 22 and 4A-CI-00-08-022 Recommendation 12) We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16. FY 2011 Status The OCIO has an ongoing plan to reduce and eventually eliminate the unnecessary use of SSNs. However, resource limitations prevented them from completing this task in FY 2011. This recommendation remains open and is rolled forward in FY 2011. Recommendation 28 (Rolled-Forward from 2008) We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16. OCIO Response: “The CIO concurs with this recommendation and offers the following clarifying remarks. OPM currently does not have the funding to effectively pursue the elimination of unnecessary use of SSN's as stated in OMB memorandum M-07-16. Efforts are made when the unnecessary use of SSN is discovered in PTA and PIA documentation and efforts are explored with the program office for alternatives. OPM does comply with the requirement to meet regularly with other federal agencies on this effort.” g) 4A-CI-00-10-019 Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00- 09-031 Recommendation 27) We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings. FY 2011 Status The OCIO is in the process of incorporating Federal Acquisition Regulation 2007- 004 language in all contracts related to common security settings. However, they did not finish this process in FY 2011. This recommendation remains open and is rolled forward in FY 2011. Recommendation 29 (Rolled-Forward from 2009) We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings. 28 OCIO Response: “The CIO concurs with this recommendation and will take the necessary corrective action.” 29 Major Contributors to this Report This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report: • , Group Chief • , Senior Team Leader • IT Auditor • , IT Auditor • , IT Auditor 30 UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Wa:-lhingtol1, DC 20415 Chief Information Officer MEMORANDUM FOR CHIEF INFORMAT ION SYSTEMS AUDIT GROUP t!2 FROM: MATrHEW E. PERRY ~?;~ CHIEF INFORMATION OFFICE~~ I s» f; Subject: Response to the Federal Information Security Managemen t Act Audit - FY201 I, Report NO. 4A-CI-00- I 1-009 Tha nk you for the opportunity to commen t on thc subject report. The results prov ided in thc draft report consist of a number of recommendations. The recommendations arc valuable to our program improve ment efforts and most of them are generally consistent with our plan. We plan to continue making improvements in our security risk management strategy and thc OpM IT security progra m. O IG Reco mmendations: Recommend a tion 1 We recom me nd that the OCIO deve lop policies to ad dress oversight of contractor syste ms, IV & V, and conti nnons monito r ing of high risk secnr ity controls. The CIa partially concurs with this recommendation and offers clarifying remarks in order to present a more current interpretation . The policies in the IT Security Handbook dated March 3 1, 20 I I apply to all OpM systems including those at contractor facilities and therefore a new policy for oversight of contractor systems is not necessary. The CIa believes that new policies for IV& V and continuous monitoring of high risk security controls should be developed and would be beneficia l to the OpM security program. Recommendat ion 2 (Ro lled-Forward fro", 2010) We rec omme nd th at OPl\I impleme nt a cent ra lized informa tion security governance struct ure whe re all informa tion secur ity pra ctition ers, including designated security officers, re port to th e SAISO . Adeq uate resources should be ass igned to th e OCIO to create this struct ure. Ex isti ng designat ed security officers who re port to their pro gram offices should return to their program office duties. The new staff that re ports to the SAISO should consist of expe rienced iuformation security pro fessionals. The Clf) concurs with this recommendation and offers the following remarks. The CIa's budget does not contain funding to replace the Designated Security Officers with informat ion security ww wopm.qcv Recrui t. Retain and Honor a World-Class Workforce In Serve the Am erican Peopl e www.usajobs.go\l professionals. One possible suggestion is to require OPM program offices to provide funding for the CIO to hire information security professionals. Recommendation 3 We recommend that the OCIO work with program offices to correct the specific errors that the OIG identified in the Authorization packages reviewed in FY 2011. The CIO Concurs with this recommendation and will take corrective action. Recommendation 4 (Rolled-Forward (rom 2010) We recommend that the OCIO assign additional resources to facilitate the Authorization process to ensure the consistency and quality of Authorization packages developed by OPM program offices. The CIO concurs with this recommendation and believes that additional security resources could improve the security authorization process. However, funding is not allocated in the CIa budget to hire additional resources. Recommendation 5 We recommend that the OCIO develop policies and procedures related to managing risk from an agency-wide perspective. The CIa does not concur with this recommendation and believes that adequate policies and procedures are in place to manage risk from an agency-wide perspective as documented in sections 3.1.9 and 3.1.7 of the IT Security Handbook dated March 31, 2011. Recommendation 6 We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function). The CIa concurs with this recommendation and will take the necessary corrective action. Recommendation 7 (Rolled-Forward (rom 2008) We recommend that OPM ensure that an annual test of security controls has been completed for all systems. The CIO concurs with this recommendation and offers the following clarifying remarks in order to present a more current interpretation. In FY2011 security controls testing was completed for 41 of 48 eligible systems resulting in an 85% compliance rate. In FY2012, we will continue to work with program offices to ensure that security controls are tested for all eligible systems. Recommendation 8 We recommend that OCIO implement a process for tracking the status of weaknesses identified through vulnerability scanning. 2 The CIO concurs with this recommendation and will implement the necessary corrective action. Recommendation 9 We recommend that OCIO document "accepted" weaknesses identified in vulnerability scans. The CIO concurs with this recommendation and will implement the necessary corrective action. Recommendation 10 (Rolled-Forward (rom 2010) We continue to recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis. The CIO concurs with this recommendation and offers the following clarifying remarks. In FY20 11, we redesigned the OPM specialized security training program as part of our risk management strategy and to improve accuracy. We achieved a success rate of75% and for the first time identified and required Executives and senior staff serving as Authorizing Officials and System Owners to complete the required training. Recommendation 11 (Rolled-Forward (rom 2010) We recommend that CIO enforce two-factor authentication with PIV cards for all remote access to its network environment. The CIO concurs with this recommendation and offers the following clarification remarks. The OPM network is now configured for two factor authentication with PIV cards and most remote users are using PIV cards for authentication. In FY2012, we will continue to work on having the remaining users who are not using PIV cards for authentication to comply with this requirement. Recommendation 12 We recommend that all LAN accounts assigned to terminated employees be disabled. The CIO concurs with this recommendation and offers the following clarification. Currently, LAN accounts assigned to terminated employees are disabled once the information is provided to the Help Desk. However, there are occasions when the help desk does not always receive timely notification of terminated employees. Recommendation 13 We recommend that all unnecessary duplicate user accounts be disabled. The CIa concurs with this recommendation and will take the necessary corrective action. Recommendation 14 We recommend that the human resources employee termination list be distributed to all information system owners. 3 There is concurrence with this recommendation. OPMHR has no objection in principle to supplying the separation list that is currently distributed to some system owners to all system owners as identified by the CIO; however, a quick review of the list shows some significant ownership issues. 1. OPMHR will review the ownership list in its' entirety and reserves the right to make adjustments either based on its' personal knowledge of the system and its' ownership or after consultation with the listed owner. 2. There are multiple versions of the separation report. Due to the additional number of recipients, OPMHR will work with the system owners to develop a generic report to minimize the workload impact. We wish to state that receipt of this report may not facilitate the earliest termination of network accounts for the following reasons: 1. HR relies on individual organizations to submit separation actions for their employees. We do not know when someone leaves the agency until we receive that notification. 2. In the case of employees who transfer to another agency, published government-wide guidance states that the employee cannot be removed from the rolls until positive evidence of the transfer from the gaining agency is received. In those cases we are at the mercy of the other agency to notify us. It is not unusual for it to take months to receive this notification. Several years ago the agency's Exit Clearance Process was reviewed and revised based on this very issue. An agency-wide working group was pulled together to review the process and come up with a workable solution. The responsibility for clearing an employee from the building rested with the employee's supervisor and they were responsible for making sure that any equipment was returned as well as their employee ID was turned it. You might want to think about revisiting that process at this time. Recommendation 15 We recommend that the OCIO implement a process to routinely audit all active user accounts to search for terminated employees or duplicate accounts. The CIa concurs with this recommendation and will take the necessary corrective action. Recommendation 16 (Rolled-Forward (rom 2010) We recommend that the OCIO implement an automated process to detect unauthenticated network devices. The CIO concurs with this recommendation and will take the necessary corrective action. 4 Recommendation 17 (Rolled-Forward (rom 2010) We recommend OPM develop a Continuous Monitoring Policy that outlines a strategy for identifying information security controls that need continuous monitoring as well as procedures for conducting the tests. The CIa concurs with this recommendation and work is already underway to develop an aPM Continuous Monitoring program which will include policies and procedures. Recommendation 18 (Rolled-Forward (rom 2010) We recommend OPM create a list of common security controls and distribute this information to OPM program offices responsible for testing individual applications. The CIa does not concur with this recommendation and offers the following clarifying remarks. In FY2011, over 50 common controls were identified by the CISa and independently tested by the Bureau of Public Debt. These common security controls were published August 2011 on THEa and is available to all aPM program offices. In FY2012, we will identify and independently test additional security controls that are candidates for common control status. Recommendation 19 (Rolled-Forward (rom 2008) We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the 28 systems that were not subject to adequate testing in FY 2011. The CIa concurs with this recommendation and offers the following clarifying remarks in order to present a more current interpretation. In FY2011 contingency plan testing was completed for 40 of 48 eligible systems resulting in an 83% compliance rate. In FY2012, we will continue to work with program offices to ensure that contingency plan testing is conducted for all eligible systems. Recommendation 20 We recommend that the OCIO conduct an agency-wide Business Impact Analysis. The CIa concurs with this recommendation and will take the necessary corrective action Recommendation 21 We recommend that OCIO implement and document a centralized (agency-wide) approach to contingency plan testing. The CIa concurs with this recommendation but seeks clarifying information from the aIG on this recommendation. Recommendation 22 We recommend that, in addition to the Site Survey Assessment Form, OPM develop a policy providing guidance on adequate oversight of contractor-operated systems. 5 The CIO partially concurs with this recommendation and believes that existing security policy also applies to contractor systems as documented under the Federal Information Security Management Act of 2002. However, the CIO believes that additional policy clarifications would be beneficial to improving security for OPM contractor systems and will update policy accordingly. Recommendation 23 (Rolled-Forward (rom 2010) We recommend that the OCIO develop and implement an active strategy to maintain up to-date information regarding OPM's master system inventory. The CIO does not concur with this recommendation and believes that existing methods for maintaining the OPM master systems inventory are adequate. These methods consist of requiring DSOs to provide monthly system inventory updates to the CISO and the CISO conducts an annual survey to identify systems at contractor facilities, other Federal agencies or internal to OPM. Recommendation 24 (Rolled-Forward (rom 2009) We recommend that CIS conduct a survey of OPM program offices to identify any systems that exist but do not appear on the system inventory. The systems discovered during this survey should be promptly added to the system inventory and certified and accredited. The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we conducted a survey ofOPM program offices to identify systems that should be added to the system inventory. In FY2012, we plan to conduct another survey and identified systems will be added to the system inventory. Recommendation 25 (Rolled-Forward (rom 2009) We recommend that CIS conduct a survey to determine how many systems owned by another agency are used by OPM. The CIO concurs with this recommendation and offers the following clarifying remarks. In FY2011, we conducted a survey ofOPM program offices to identify systems owned by another agency and used by OPM. In FY2012, we plan to conduct another survey and identified systems will be added to the system inventory. Recommendation 26 (Rolled-Forward (rom 2009) We recommend that a new PIA be conducted for the appropriate systems based on the updated PIA Guide. The CIO concurs with this recommendation and offers the following remarks. All PIAs with the exception of four were updated to reflect the new PIA Guide. We will take corrective action to ensure that the remaining four are updated. Recommendation 27 (Rolled-Forward (rom 2009) 6 We recommend that each system owner annually review the existing PIA for their system to reevaluate current holdings of PH, and that they submit evidence of the review to the OCIO. The CIa does not concur with this recommendation and believes that all PIAs were reviewed by system owners in FY20II. Recommendation 28 (Rolled-Forward (rom 2008) We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16. The CIO concurs with this recommendation and offers the following clarifying remarks. OPM currently does not have the funding to effectively pursue the elimination of unnecessary use of SSN's as stated in aMB memorandum M-07-I6. Efforts are made when the unnecessary use of SSN is discovered in PTA and PIA documentation and efforts are explored with the program office for alternatives. OPM does comply with the requirement to meet regularly with other federal agencies on this effort. Recommendation 29 (Rolled-Forward (rom 2009) We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all contracts related to common security settings. The CIa concurs with this recommendation and will take the necessary corrective action. 7
Federal Information Security Management Act Audit FY 2011
Published by the Office of Personnel Management, Office of Inspector General on 2011-11-09.
Below is a raw (and likely hideous) rendition of the original report. (PDF)