
Federal Information Security Management Act Audit FY 2011

Published by the Office of Personnel Management, Office of Inspector General on 2011-11-09.

Below is a raw text rendition of the original PDF report.

U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject: FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT, FY 2011

Report No. 4A-CI-00-11-009

Date: November 9, 2011




--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

Michael R. Esser
Assistant Inspector General for Audits

      www.opm.gov                                                                           www.usajobs.gov
                                         Executive Summary



This audit report documents the Office of Personnel Management's (OPM's) continued efforts to
manage and secure its information resources. We have significant ongoing concerns regarding
the overall quality of the information security program at OPM.

In fiscal year (FY) 2007 and FY 2008, we reported a material weakness in controls over the
development and maintenance of OPM's information technology (IT) security policies. In FY
2009, we issued a Flash Audit Alert to OPM's Director highlighting our concerns with the
agency's IT security program. We also expanded the material weakness related to IT security
policies to include concerns with the agency's overall information security governance and its
information security management structure. This material weakness was rolled forward through
FY 2010.

In FY 2011, OPM's Office of the Chief Information Officer (OCIO) made progress in updating
its IT security and privacy policies, procedures, and guidance. However, the OCIO continues to
operate with a decentralized IT security structure and does not have the authority or the resources
available to adequately implement the new policies. We continue to believe that information
security governance represents a material weakness in OPM's IT security program.

In FY 2010, we added a second material weakness related to the management of the Certification
and Accreditation (C&A) process. We reported that there were, in our opinion, three root causes
of OPM's C&A issues: insufficient staffing in the IT Security and Privacy Group, a lack of
policy and procedures, and the decentralized Designated Security Officer (DSO) model in place
at OPM.

In FY 2011, the OCIO improved the policy deficiencies by publishing updated procedures and
templates designed to improve the overall C&A process (now referred to as Security Assessment
and Authorization or Authorization process) and dedicating resources to facilitating the
Authorization process. We observed an improvement in the Authorization packages completed
under this new process, and believe that this improvement warrants reducing the material
weakness related to C&As to a significant deficiency. Although no longer a material weakness,
the Authorization process continues to be hindered by limited OCIO staffing resources and the
decentralized DSO model.

In addition to the material weaknesses described above, we noted the following controls in place
and opportunities for improvement:
•   The OCIO has implemented risk management procedures at a system-specific level, but has
    not developed an agency-wide risk management methodology.
•   The IT security controls were adequately tested for only 36 of 48 information systems in
    OPM’s inventory.
•   The OCIO has implemented an agency-wide information system configuration management
    policy and has established configuration baselines for all operating platforms used by the
    agency.
•   The OCIO routinely conducts vulnerability scans of production servers, but does not have a
    formal process for tracking the status of weaknesses identified through the scanning.
•   The OCIO has developed thorough incident response and reporting capabilities.
•   The OCIO has implemented a process to provide annual IT security and privacy awareness
    training to all OPM employees and contractors. However, controls related to providing
    specialized security training to individuals with information security responsibility could be
    improved.
•   Plans of Action and Milestones are appropriately managed for all information systems in
    OPM's inventory.
•   The OCIO has the capability to use two-factor authentication for remote access, but this
    control was not enforced for all users in FY 2011.
•   We found that several OPM employees maintained network access after their termination
    date, and several users had multiple accounts.
•   The OCIO has taken steps toward implementing a continuous monitoring program at OPM;
    however, this project remains a work in progress.
•   The OCIO developed a catalog of information security controls that are shared (“common”)
    with all of the agency’s applications. However, the current version of the catalog is
    incomplete, as it does not account for the large number of technical controls that are common
    to applications residing on one of OPM's several general support systems. As a result, the
    owner of each application residing on a support system must independently test the same
    controls.
•   The contingency plans were adequately tested for only 40 of 48 information systems in
    OPM’s inventory.
•   We noticed inconsistency in the quality of contingency plan testing documentation produced
    for various OPM systems. In September 2011, the OCIO issued detailed guidance to
    program offices on how to conduct a contingency plan test and create an after action report.
    As part of the FY 2012 FISMA audit, we will test the impact that this new guidance has on
    the quality of system level contingency plan tests.
•   Contingency plan/disaster recovery tests are not coordinated between OPM’s various general
    support systems.
•   OPM program offices appeared to provide an adequate level of oversight to contractor-
    operated systems. However, the techniques and quality of this oversight were inconsistent
    between program offices.
•   OPM maintains an adequate security capital planning and investment program for
    information security.
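
The two identity findings above (network access retained after an employee's termination date, and users holding more than one account) reduce to a reconciliation between the HR separation roster and an export of network accounts. The following is an added example of that check; it is not from the OIG report or from OPM. The CSV layout, column names and every sample row are constructed for illustration, and the third check (accounts with no owner in the HR roster) goes beyond the finding in the text.

```python
"""Reconcile an HR separation roster against a network account export.

Added example (not from the OIG report or OPM). The CSV columns, the
file layout and every sample row below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample HR roster: separation_date is empty for current staff.
HR_ROSTER = """\
employee_id,name,separation_date
E1001,Ada Lovelace,
E1002,Grace Hopper,2011-06-30
E1003,Alan Turing,2011-08-15
E1004,Dennis Ritchie,
"""

# Constructed sample account export (as a directory tool might dump it):
# one row per account, an enabled flag, and the last recorded logon date.
ACCOUNTS = """\
username,employee_id,enabled,last_logon
alovelace,E1001,true,2011-09-28
ghopper,E1002,true,2011-09-02
aturing,E1003,false,2011-08-10
dritchie,E1004,true,2011-09-29
dritchie-adm,E1004,true,2011-09-27
svc_backup,,true,2011-09-29
"""


def load(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """ISO date string -> date, or None when the field is empty."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def access_after_termination(hr_rows, account_rows):
    """Accounts whose owner has separated but which are still enabled, or
    were used after the separation date. Returns (username, employee_id, reason)."""
    separated = {
        r["employee_id"]: parse_date(r["separation_date"])
        for r in hr_rows if r["separation_date"]
    }
    findings = []
    for acct in account_rows:
        sep = separated.get(acct["employee_id"])
        if sep is None:
            continue  # owner is current staff, or not in HR at all (see orphaned_accounts)
        reasons = []
        if acct["enabled"].strip().lower() == "true":
            reasons.append("still enabled")
        last_logon = parse_date(acct["last_logon"])
        if last_logon and last_logon > sep:
            reasons.append(f"logon on {last_logon} after separation on {sep}")
        if reasons:
            findings.append((acct["username"], acct["employee_id"], "; ".join(reasons)))
    return findings


def multiple_accounts(account_rows):
    """Employees holding more than one account: {employee_id: [usernames]}."""
    by_owner = defaultdict(list)
    for acct in account_rows:
        if acct["employee_id"]:
            by_owner[acct["employee_id"]].append(acct["username"])
    return {eid: sorted(names) for eid, names in by_owner.items() if len(names) > 1}


def orphaned_accounts(hr_rows, account_rows):
    """Accounts with no owner in the HR roster (blank or unknown employee_id)."""
    known = {r["employee_id"] for r in hr_rows}
    return [a["username"] for a in account_rows if a["employee_id"] not in known]


def run_report(hr_text=HR_ROSTER, accounts_text=ACCOUNTS):
    """Run all three checks and return their results keyed by check name."""
    hr, accts = load(hr_text), load(accounts_text)
    return {
        "access_after_termination": access_after_termination(hr, accts),
        "multiple_accounts": multiple_accounts(accts),
        "orphaned_accounts": orphaned_accounts(hr, accts),
    }


if __name__ == "__main__":
    for check, result in run_report().items():
        print(f"{check}: {result}")
```

The HR separation date is treated as the source of truth and the account export as the thing being audited; an account that was disabled before the separation date (the `aturing` row) is not flagged, while one that is still enabled or shows a logon after separation is. Secondary accounts held by one person (the `dritchie-adm` row) are reported for review rather than automatically treated as violations, since an administrative account may be legitimate but should be documented.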




Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
     I. Information Security Governance
    II. Security Assessment and Authorization
   III. Risk Management
    IV. Configuration Management
     V. Incident Response and Reporting
    VI. Security Training
   VII. Plan of Action and Milestones
  VIII. Remote Access Management
    IX. Identity and Access Management
     X. Continuous Monitoring Management
    XI. Contingency Planning
   XII. Contractor Systems
  XIII. Security Capital Planning
   XIV. Follow-up of Prior OIG Audit Recommendations
Major Contributors to this Report

Appendix I: Status of Prior OIG Audit Recommendations
Appendix II: Office of the Chief Information Officer's October 21, 2011 response to the draft audit report, issued October 3, 2011.
Appendix III: FY 2011 Inspector General FISMA reporting metrics.

                                         Introduction
On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-
347), which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In accordance with FISMA, we conducted an evaluation of
OPM’s security program and practices. As part of our evaluation, we reviewed OPM’s FISMA
compliance strategy and documented the status of its compliance efforts.

                                         Background
FISMA requirements pertain to all information systems supporting the operations and assets of
an agency, including those systems currently in place or planned. The requirements also pertain
to information technology (IT) resources owned and/or operated by a contractor supporting
agency systems.

FISMA reemphasizes the Chief Information Officer’s strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency’s Office of the Chief
Information Officer (OCIO). FISMA also clearly places responsibility on each agency program
office to develop, implement, and maintain a security program that assesses risk and provides
adequate security for the operations and assets of programs and systems under its control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the
Department of Homeland Security (DHS) National Cyber Security Division issued the fiscal year
(FY) 2011 Inspector General FISMA Reporting Instructions. This document provides a
consistent form and format for agencies to report to DHS. It identifies a series of reporting
topics that relate to specific agency responsibilities outlined in FISMA. Our audit and reporting
strategies were designed in accordance with the above DHS guidance.

                                          Objectives
Our overall objective was to evaluate OPM’s security program and practices, as required by
FISMA. Specifically, we reviewed the status of the following areas of OPM’s IT security
program in accordance with DHS’s FISMA IG reporting requirements:
   •   Risk Management;
   •   Security Configuration Management;
   •   Incident Response and Reporting Program;
   •   Security Training Program;
   •   Plans of Action and Milestones (POA&M) Program;
   •   Remote Access Program;
   •   Identity and Access Management;
   •   Continuous Monitoring Program;
   •   Contingency Planning Program;


   •   Agency Program to Oversee Contractor Systems; and,
   •   Agency Security Capital Planning Program.

In addition, we evaluated the status of OPM’s IT security governance structure and its Security
Assessment and Authorization process. These two areas represented material weaknesses in
OPM’s IT security program in prior FISMA audits.

We also evaluated the security controls of four major applications/systems at OPM (see Scope
and Methodology for details of these audits), and followed up on outstanding
recommendations from prior FISMA audits (see Appendix I).

                                  Scope and Methodology
We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM’s
FISMA compliance efforts throughout FY 2011.

We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s
guidance and the corresponding reporting instructions. We also evaluated the security controls
for the following major applications:
   •   Enterprise Server Infrastructure General Support System (OIG Report No. 4A-CI-00-11-
       016);
   •   Consolidated Business Information System (OIG Report No. 4A-CF-00-11-015);
   •   Presidential Management Fellows System (OIG Report No. 4A-HR-00-11-017); and,
   •   Center for Talent Services General Support System (OIG Report No. 4A-CI-00-11-043).

We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives. Accordingly, we obtained an understanding of the internal controls for these
various systems through interviews and observations, as well as inspection of various documents,
including information technology and other related organizational policies and procedures. This
understanding of these systems’ internal controls was used to evaluate the degree to which the
appropriate internal controls were designed and implemented. As appropriate, we conducted
compliance tests using judgmental sampling to determine the extent to which established
controls and procedures are functioning as required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit testing to cause
us to doubt its reliability.



Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.

The criteria used in conducting this audit include:
•   DHS National Cyber Security Division FY 2011 Inspector General Federal Information
    Security Management Act Reporting Instructions;
•   OPM Information Technology Security and Privacy Policy Handbook;
•   OPM Information Technology Security FISMA Procedures;
•   OPM Security Assessment and Authorization Guide;
•   OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
•   OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
•   OMB Memorandum M-06-16, Protection of Sensitive Agency Information;
•   OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies;
•   E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
    Management Act of 2002;
•   National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An
    Introduction to Computer Security: The NIST Handbook;
•   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
    Systems;
•   NIST SP 800-30, Risk Management Guide for Information Technology Systems;
•   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
•   NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to
    Federal Information Systems;
•   NIST SP 800-39, Managing Information Security Risk;
•   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
    Systems and Organizations;
•   NIST SP 800-60 Version 2.0 Volume II, Guide for Mapping Types of Information and
    Information Systems to Security Categories;
•   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
    Categorization of Federal Information and Information Systems; and,
•   Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from May through September 2011 in OPM’s
Washington, D.C. office.

                        Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM's practices were
consistent with applicable standards. With respect to the items tested, OPM's OCIO and other
program offices were generally compliant but were not in complete compliance with all
standards, as described in the "Results" section of this report.


                                          Results
The sections below detail the results of our FY 2011 FISMA audit of OPM’s IT Security
Program. Several recommendations were issued in FY 2010 and are rolled forward from OIG
report no. 4A-CI-00-10-019, “Federal Information Security Management Act Audit – FY 2010.”

I.    Information Security Governance
      Over the past fiscal year OPM’s OCIO has made progress in updating its IT security and
      privacy policies, procedures, and guidance. However, the existence of policies alone
      cannot improve the agency’s IT security program. The OCIO continues to operate with a
      decentralized IT security structure and does not have the resources available to
      adequately implement the new policies. We continue to believe that information security
      governance represents a material weakness in OPM’s IT security program.

      The sections below outline the OIG’s review of IT security governance at OPM.

      a) IT Security Policies and Procedures

          OPM’s failure to adequately update its IT security and privacy policies and
          procedures was highlighted in the past five annual OIG FISMA audit reports, and was
          identified as a material weakness in the agency’s IT security program in the past four
          FISMA audit reports.

          In FY 2011, the OCIO created and published several new documents that provide a
          policy framework for OPM’s IT security program, including:
          •   Information Security and Privacy Policy Handbook (March 2011);
          •   Information Technology Security FISMA Procedures (May 2011); and,
          •   OPM Security Assessment and Authorization Guide (April 2011).

          These three documents address many of the policies and procedures that we had
          identified as missing or inadequate in prior FISMA audits. However, the creation of
          policies and procedures alone does not improve an IT security program. They must
          be fully adopted by the target audience, in this case the Designated Security Officer
          (DSO) community. Given the decentralized structure of OPM’s IT security program,
          it is questionable whether the DSOs have the skills and resources necessary to
          implement the new policies and procedures.

          The quantity of IT security deficiencies outlined in this audit report indicates that,
          despite the existence of policies, limited improvement has been made in the overall
          security program to date. It remains to be seen whether the new policy and procedure
          framework will lead to notable improvements in the future.

          While the majority of missing policies and procedures have now been created, we
          identified several specific areas where OPM continues to lack adequate IT policies,
          procedures, or guidance, including:
   •   Policy and procedures related to oversight of systems operated by a contractor;
   •   Policy on agency-wide risk management (see Recommendation 5);
   •   Policy related to roles and responsibilities for the Independent Verification and
       Validation (IV&V) process and procedures for managing an IV&V; and,
   •   Policy or guidance for identifying and continuously monitoring high risk security
       controls.
   Recommendation 1
   We recommend that the OCIO develop policies to address oversight of contractor
   systems, agency-wide risk management, IV&V, and continuous monitoring of high
   risk security controls.

   OCIO Response:
   “The CIO partially concurs with this recommendation and offers clarifying
   remarks in order to present a more current interpretation. The policies in the IT
   Security Handbook dated March 31, 2011 apply to all OPM systems including those
   at contractor facilities and therefore a new policy for oversight of contractor
   systems is not necessary. The CIO believes that new policies for IV&V and
   continuous monitoring of high risk security controls should be developed and
   would be beneficial to the OPM security program.”

   OIG Reply:
    Although OPM's IT Security Handbook may apply to contractors, we determined that
    the techniques and quality of oversight provided to contractor systems were
    inconsistent between program offices. This inconsistency is the result of OPM not
   having an agency-wide policy providing program offices guidance on overseeing the
   activities of contractors operating OPM systems. We continue to recommend that the
   OCIO develop policies to address oversight of contractor systems, IV&V, and
   continuous monitoring of high risk security controls.

b) Information Security Management Structure

   The FY 2010 FISMA report highlighted the fact that OPM had operated without a
   permanent Senior Agency Information Security Officer (SAISO) for over 18 months
   and that the SAISO’s Information Technology Security and Privacy Group (ITSPG)
   did not have the resources necessary to adequately manage OPM’s IT security
   program.

   The OCIO had a permanent SAISO throughout FY 2011 and also hired several new
   employees and contractors to work in the ITSPG. However, the quantity and variety
   of audit recommendations throughout this report indicates that the OCIO continues to
   lack the resources necessary to remediate long standing IT security weaknesses and
   fully implement the recently developed policies and procedures. In addition, 18 audit
   recommendations from FY 2010 were not adequately addressed in FY 2011. We
    believe that a major factor contributing to these problems is the OCIO's lack of direct
    authority over the DSO community tasked with managing the security of OPM's
    major information systems.

OPM chose to implement a decentralized model in which the DSOs are typically
appointed by and report to the program offices that own major computer systems.
Very few of the DSOs have any background in information security, and most are
only managing their security responsibilities as a collateral duty to their primary job
function. The OCIO continues to provide guidance to the DSO community through
monthly Information Technology Security Working Group (ITSWG) meetings.
However, these meetings provide limited benefit because 1) the OCIO has no
authority over the DSOs and cannot mandate their attendance at the ITSWG
meetings, and 2) not all DSOs have the technological skills or the resources required
to implement the security concepts discussed at these meetings.

Several sections of this report exemplify the impact of the OCIO’s lack of authority
over DSOs, including:
•   The IT security controls of only 36 of 48 systems in OPM’s inventory were
    adequately tested in FY 2011 by the program offices owning the system (see
    section III, below).
•   The contingency plans were adequately tested for only 40 of 48 systems in
    OPM’s inventory (see section XI, below). Of the contingency plans that were
    tested, the quality varied greatly between tests conducted by various program
    offices.
•   Only 75% of personnel that the OCIO identified as having significant IT security
    responsibility received adequate training in FY 2011 (see section VI, below).

IT security is a shared responsibility between the OCIO and program offices. The
OCIO is responsible for overall information security governance while program
offices are responsible for the security of the systems that they own. There is a
balance that must be maintained between a consolidated and a distributed approach to
managing IT security. It is still our opinion that OPM’s approach is too
decentralized. OPM program offices should continue to be responsible for
maintaining security of the systems that they own, but the DSO responsibility for
documenting, testing, and monitoring system security should be centralized within the
OCIO.

Recommendation 2 (Rolled-Forward from 2010)
We recommend that OPM implement a centralized information security governance
structure where all information security practitioners, including designated security
officers, report to the SAISO. Adequate resources should be assigned to the OCIO to
create this structure. Existing designated security officers who report to their
program offices should return to their program office duties. The new staff that
reports to the SAISO should consist of experienced information security
professionals.




         OCIO Response:
         “The CIO concurs with this recommendation and offers the following remarks.
         The CIO’s budget does not contain funding to replace the Designated Security
         Officers with information security professionals. One possible suggestion is to
         require OPM program offices to provide funding for the CIO to hire information
         security professionals.”

         OIG Reply:
         We acknowledge the fact that the OCIO does not currently have funding to hire
         enough security professionals to manage all of OPM’s information systems.
         Migrating OPM to a more centralized IT security function will require the
         cooperation of the program offices that own the agency’s major applications. The
         OCIO should seek the assistance of the OPM Director in negotiating with program
         offices to transfer responsibility of some security functions to a centralized group
         reporting to the CIO. Although this initiative will take an extended amount of time,
         the OCIO should begin working with the owners of applications it determines to be
         high risk, such as financial systems and applications containing large amounts of
         sensitive data.

II.   Security Assessment and Authorization (formerly Certification and Accreditation)
      System certification is a comprehensive assessment that attests that a system’s security
      controls are meeting the security requirements of that system, and accreditation is the
      official management decision to authorize operation of an information system and accept
      its risks. OPM’s process of certifying a system’s security controls was formerly referred
      to as Certification and Accreditation (C&A), and is now referred to as Security
      Assessment and Authorization (Authorization).

      Our FY 2008 and FY 2009 FISMA audit reports stated that weaknesses in OPM’s C&A
      process were a significant deficiency in the internal control structure of the agency’s IT
      security program. The weaknesses cited related to inadequate management of the process
      and incomplete, inconsistent, and poor quality C&A products. In FY 2010, these
      longstanding conditions continued to degrade, and as a result, they were reported as a
      material weakness in OPM’s IT security program.

      We reported that there were, in our opinion, three root causes of OPM’s C&A issues:
      insufficient staffing in the IT Security and Privacy Group, a lack of policy and
      procedures, and the decentralized DSO model in place at OPM.

      In FY 2011, the OCIO improved the policy deficiencies by publishing updated
      procedures and templates designed to improve the overall Authorization process and
      dedicating resources to facilitating Authorizations. We observed an improvement in the
      Authorization packages completed under this new process, and believe that this
      improvement warrants reducing the material weakness related to C&As to a significant
deficiency. Although no longer a material weakness, the Authorization process continues
to be hindered by limited OCIO staffing resources and the decentralized DSO model (see
section I, above).

The sections below provide a detailed evaluation of OPM’s Authorization process.

a) Security Assessment and Authorization policy

   In January 2011, the OCIO published a Security Assessment and Authorization Guide
   and several other procedures and templates that provide guidance to program offices
   certifying the security controls of each system. The OCIO has created and published
   guidance for completing the following elements of an Authorization:
   •   Information System Security Plan;
   •   FIPS 199 Security Categorization;
   •   Security Assessment Plan;
   •   Contingency Plan;
   •   Risk Assessment;
   •   System Registration;
   •   E-Authentication Assessment;
   •   System Security Plan; and,
   •   Interconnection Security Agreement.

   We believe that the Security Assessment and Authorization Guide provides adequate
   guidance for certifying the security controls of information systems.

b) Quality and consistency of Authorization packages

   The OIG reviewed the full Authorization packages of five systems that were subject
   to an Authorization after the OCIO issued the updated Security Assessment and
   Authorization Guide. The quality of all five packages appeared to be an improvement
   over security certifications completed under the former C&A process. However, as
   noted with C&A packages completed in the last several years, we continued to
   observe a wide range in quality between Authorization packages completed by
   various program offices (the specific problems and inconsistencies were provided to
   the OCIO but will not be detailed in this report).

   The development of an Authorization package is the responsibility of the OPM
   program office that owns the system. Each program office assigns a DSO to manage
   the security of its systems. The decentralized nature of the DSO community at OPM
   means that individuals with varying skill sets are tasked with Authorization-related
   responsibilities, often as a collateral duty in addition to their normal job function. The
   existence of Authorization policies and procedures cannot be fully leveraged unless
   the individuals implementing them are consistently trained and dedicated to this
   function.

          Recommendation 3
          We recommend that the OCIO work with program offices to correct the specific
          errors that the OIG identified in the Authorization packages reviewed in FY 2011.

          OCIO Response:
          “The CIO concurs with this recommendation and will take corrective action.”

       c) OCIO Management of the Authorization process

          The OCIO is responsible for assisting program offices in the development of
          Authorization packages for their systems. OPM’s Security Assessment and
          Authorization Guide also mandates OCIO involvement in all stages of the
          Authorization process for quality and completeness before recommending the system
          for authorization. In FY 2011, two full time resources were hired to review
          Authorization packages along with other IT security responsibilities. The most
          notable improvement made to the Authorization process was the implementation of
          three “decision points” at various steps of the Authorization process. At each
          decision point, representatives from the OCIO must review the work that has been
          completed and formally approve continuation of the Authorization process.

          While we recognize the progress the OCIO has made in managing the Authorization
          process, we believe that there is still room for improvement. With additional
          resources dedicated to the review of Authorization packages, the inconsistencies
          referenced above could have been detected before the Authorization process was
          complete.

          Recommendation 4 (Rolled-Forward from 2010)
          We recommend that the OCIO assign additional resources to facilitate the
          Authorization process to ensure the consistency and quality of Authorization
          packages developed by OPM program offices.

          OCIO Response:
          “The CIO concurs with this recommendation and believes that additional security
          resources could improve the security authorization process. However, funding is
          not allocated in the CIO budget to hire additional resources.”

III.   Risk Management
       NIST SP 800-37 Revision 1 “Guide for Applying the Risk Management Framework to
       Federal Information Systems” provides federal agencies with a framework for
       implementing an agency-wide risk management methodology. The Guide suggests that
       risk be assessed in relation to the agency’s goals and mission from a three tiered
       approach: Tier 1: Organization (Governance); Tier 2: Mission/Business Process
       (Information and Information Flows); and Tier 3: Information System (Environment of
       Operation). NIST SP 800-39 “Managing Information Security Risk – Organization,
Mission, and Information System View” provides additional details of this three-tiered
approach.

a) Agency-wide risk management

   NIST SP 800-39 states that agencies should establish and implement “Governance
   structures [that] provide oversight for the risk management activities conducted by
   organizations and include:
   (i) the establishment and implementation of a risk executive (function);
   (ii) the establishment of the organization’s risk management strategy including the
         determination of risk tolerance; and
   (iii) the development and execution of organization-wide investment strategies for
         information resources and information security.”

   OPM’s decentralized approach to IT security increases the need for an agency-wide
   risk management methodology, as the agency’s mission is supported by multiple
   information systems owned by various program offices. Although the OCIO has
   made improvements in assessing risk at the individual system level (see Security
   Assessment and Authorization section II, above), the OCIO does not currently have a
   formal methodology for managing risk at an organization-wide level.

   In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT
   security professionals. However, the 12 primary functions of the Risk Executive
   Function as explained in NIST SP 800-39 section 2.3.2, Risk Executive Function, are
   not all fully implemented.

   Recommendation 5
   We recommend that the OCIO develop policies and procedures related to managing
   risk from an agency-wide perspective.

   OCIO Response:
   “The CIO does not concur with this recommendation and believes that adequate
   policies and procedures are in place to manage risk from an agency-wide
   perspective as documented in sections 3.1.9 and 3.1.7 of the IT Security Handbook
   dated March 31, 2011.”

   OIG Reply:
   The majority of the text in sections 3.1.7 and 3.1.9 of the IT Security Handbook is
   copied verbatim from NIST SP 800-53 Rev 3, and the handbook contains no guidance
   on agency-wide risk management specific to OPM.

   Among the limited original text in these sections of the Handbook is the statement
   “OPM shall: Develop a comprehensive strategy to manage risk to OPM operations and
   assets. . . .” However, the OIG has received no evidence that OPM has developed a risk
   management strategy or the associated policies and procedures.

   We continue to recommend that the OCIO develop policies and procedures related to
   managing risk from an agency-wide perspective.

   Recommendation 6
   We recommend that the OCIO continue to develop its Risk Executive Function to
   meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk
   Executive (Function).

   OCIO Response:
   “The CIO concurs with this recommendation and will take the necessary corrective
   action.”

b) System specific risk management

   NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that
   contains six primary steps, including (i) the categorization of information and
   information systems; (ii) the selection of security controls; (iii) the implementation of
   security controls; (iv) the assessment of security control effectiveness; (v) the
   authorization of the information system; and, (vi) the ongoing monitoring of security
   controls and the security state of the information system.

   The OCIO has implemented the six step RMF into its system-specific risk
   management activities through the new Authorization process; see section II above
   for a description of OPM’s Authorization methodology.

c) System security control testing

   Although a full Authorization package is required for each system every three years,
   the security controls of that system must be tested on an annual basis. An annual test
   of security controls provides a method for agency officials to determine the current
   status of their information security programs and, where necessary, establish a target
   for improvement.

   We reviewed documentation resulting from the security controls tests for each system
   in OPM’s inventory. Our evaluation indicated that the IT security controls had been
   adequately tested for only 36 of OPM’s 48 systems during FY 2011. Failure to
   complete a security controls test increases the risk that agency officials are unable to
   make informed judgments to appropriately mitigate risks to an acceptable level.

   OPM’s decentralized approach to IT security places responsibility on the various
   program offices for testing the security controls of their systems. The OCIO’s lack of
   authority over these program offices has contributed to the inadequate security
   control testing of the agency’s information systems.


         Recommendation 7 (Rolled-Forward from 2008)
         We recommend that OPM ensure that an annual test of security controls has been
         completed for all systems.

         OCIO Response:
         “The CIO concurs with this recommendation and offers the following clarifying
         remarks in order to present a more current interpretation. In FY2011 security
         controls testing was completed for 41 of 48 eligible systems resulting in an 85%
         compliance rate. In FY2012, we will continue to work with program offices to
         ensure that security controls are tested for all eligible systems.”

         OIG Reply:
         We disagree that 41 out of 48 eligible systems were subject to an adequate security
         controls test in FY 2011. The OCIO’s count of 41 includes 4 systems that were
         granted an extension and one system that does not have adequate support that a test
         was conducted. We do not believe that any extensions should be granted; every
         system must be subjected to a security controls test every fiscal year.

IV.   Configuration Management
      The sections below detail the controls OPM has in place regarding the technical
      configuration management of its major applications and user workstations.

      a) Agency-wide security configuration policy

         OPM’s OCIO has implemented an agency-wide Information Security and Privacy
         Policy Handbook that defines the requirements necessary to meet the fundamental
         security and privacy objectives of confidentiality, integrity, and availability. The
         handbook includes a section devoted to configuration management. The OCIO also
         maintains a comprehensive configuration management policy that outlines the
         process and procedures for maintaining a securely configured network environment.

      b) Standard baseline configurations

         The OCIO maintains standard baseline configurations and/or build sheets for all
         operating platforms used by OPM to support major applications, including:
         •   Windows Server 2000;
         •   Windows Server 2003;
         •   Windows Server 2008;
         •   Linux;
         •   Oracle; and,
         •   Microsoft SQL.

   The OCIO uses vulnerability scanning tools to routinely scan servers to ensure
   compliance with configuration guides and baselines for these operating platforms.
   Nothing came to our attention during this review to indicate that there are weaknesses
   in OPM’s baseline configuration controls.

c) Vulnerability Scanning

   The OCIO performs scans of all production servers using automated vulnerability
   scanning tools. Although vulnerability scanning occurs on a continuous basis, the
   OCIO does not have a formal process to manage weaknesses identified in the
   scanning reports.

   Daily security advisory reports are sent to OCIO managers and a weekly roll-up
   report is generated to summarize weekly vulnerability scanning activity. Although
   we verified that these reports are routinely distributed, we were unable to determine
   what, if any, activity is done to review and analyze the vulnerabilities identified. At a
   minimum we recommend implementing a vulnerability tracking methodology that
   includes steps to:
   •   identify false positives in vulnerability scanning reports;
   •   identify and document vulnerabilities that the agency “accepts” and does not
       intend to fix; and,
   •   formally document and track the remaining vulnerabilities until they are
       remediated.
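One way to implement the three tracking steps listed above, as an added example that is not OPM's process or any real scanner's output format (host names, check identifiers and the two weekly scan runs are constructed):

```python
"""Vulnerability-tracking register (constructed example, not OPM's process).

Implements the three steps the report lists: flag false positives, document
weaknesses the agency accepts with a written justification, and carry every
other finding forward until a later scan no longer reports it. Scan results
are simulated inline; host names and check identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

OPEN, FALSE_POSITIVE, ACCEPTED, REMEDIATED = (
    "open", "false_positive", "accepted", "remediated")


@dataclass
class Finding:
    host: str
    check_id: str                        # scanner check identifier (constructed)
    severity: str
    first_seen: date
    last_seen: date
    status: str = OPEN
    justification: Optional[str] = None  # required for false positive / accepted
    closed_on: Optional[date] = None


class Register:
    """One row per (host, check_id), carried across weekly scan runs."""

    def __init__(self):
        self.findings = {}  # (host, check_id) -> Finding

    def ingest_scan(self, scan_date, results):
        """Merge one scan run given as (host, check_id, severity) tuples: new
        findings open, re-reported ones refresh last_seen (a remediated one that
        returns is reopened), open findings no longer reported close as remediated.
        False positives and accepted risks keep their status even though the
        scanner still lists them, which is why they are recorded."""
        seen = set()
        for host, check_id, severity in results:
            key = (host, check_id)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(host, check_id, severity,
                                             scan_date, scan_date)
                continue
            f.last_seen = scan_date
            if f.status == REMEDIATED:
                f.status, f.closed_on = OPEN, None
        for key, f in self.findings.items():
            if f.status == OPEN and key not in seen:
                f.status, f.closed_on = REMEDIATED, scan_date

    def _set_status(self, key, status, why):
        if not why.strip():
            raise ValueError("a written justification is required")
        f = self.findings[key]  # KeyError: only reported findings can be triaged
        f.status, f.justification = status, why

    def mark_false_positive(self, host, check_id, why):
        self._set_status((host, check_id), FALSE_POSITIVE, why)

    def accept_risk(self, host, check_id, why):
        self._set_status((host, check_id), ACCEPTED, why)

    def rollup(self):
        """Counts by status: the content of a weekly roll-up report."""
        counts = {OPEN: 0, FALSE_POSITIVE: 0, ACCEPTED: 0, REMEDIATED: 0}
        for f in self.findings.values():
            counts[f.status] += 1
        return counts

    def open_findings(self, severity=None):
        """Items still to be remediated, optionally filtered to one severity."""
        return sorted(k for k, f in self.findings.items() if f.status == OPEN
                      and (severity is None or f.severity == severity))


def run_example():
    """Two constructed weekly scans with triage decisions recorded in between."""
    reg = Register()
    reg.ingest_scan(date(2011, 6, 6), [
        ("srv-01", "CHK-1001", "high"), ("srv-01", "CHK-1002", "medium"),
        ("srv-02", "CHK-1001", "high"), ("srv-02", "CHK-2005", "low"),
        ("db-01", "CHK-3010", "high")])
    reg.mark_false_positive("srv-02", "CHK-2005",
                            "version-banner check; fix is back-ported")
    reg.accept_risk("db-01", "CHK-3010",
                    "vendor patch breaks the app; host on isolated segment")
    # Week two: srv-01 was patched for CHK-1001; srv-03 is a newly built host.
    reg.ingest_scan(date(2011, 6, 13), [
        ("srv-01", "CHK-1002", "medium"), ("srv-02", "CHK-1001", "high"),
        ("srv-02", "CHK-2005", "low"), ("db-01", "CHK-3010", "high"),
        ("srv-03", "CHK-1001", "high")])
    return reg
```

After the second scan, `run_example().rollup()` shows three open items, one false positive, one accepted risk and one remediated finding, which is the kind of weekly roll-up the report asks for.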

   Recommendation 8
   We recommend that the OCIO implement a process for tracking the status of
   weaknesses identified through vulnerability scanning.

   OCIO Response:
   “The CIO concurs with this recommendation and will implement the necessary
   corrective action.”

   Recommendation 9
   We recommend that the OCIO document “accepted” weaknesses identified in
   vulnerability scans.

   OCIO Response:
   “The CIO concurs with this recommendation and will implement the necessary
   corrective action.”

d) Management of hardware inventory

   The OCIO currently maintains a centralized agency-wide hardware inventory. The
   OCIO uses several automated tools to scan the network environment to track and
        verify hardware inventories. They also maintain an inventory of all OPM owned user
        workstations. Each workstation is cataloged before being placed into service.

     e) Federal Desktop Core/United States Government Computer Baseline
        Configuration

        OPM has developed a Windows XP standard image that is generally compliant with
        Federal Desktop Core Configuration (FDCC) standards and has documented nine
        deviations between this image and FDCC requirements. OPM has also developed
        and tested a United States Government Baseline Configuration compliant image for
        all Windows 7 workstations. These images have been installed on all OPM
        workstations with this operating system.

V.   Incident Response and Reporting
     OPM’s “Incident Response and Reporting Guide” outlines the responsibilities of OPM’s
     Computer Incident Response Team (CIRT) and documents procedures for reporting all
     IT security events to the appropriate entities. We evaluated the degree to which OPM is
     following internal procedures and FISMA requirements for reporting security incidents
     internally, to the United States Computer Emergency Readiness Team (US-CERT), and
     to appropriate law enforcement authorities.

     a) Identifying and reporting incidents internally

        OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT
        resources to immediately notify OPM’s Situation Room when IT security incidents
        occur. The agency also currently uses two distinct intrusion detection systems to
        monitor network traffic for abnormalities. In addition, OPM reiterates the
        information provided in the Incident Response and Reporting Guide in the annual IT
        security and privacy awareness training.

     b) Reporting incidents to US-CERT

        OPM’s Incident Response and Reporting policy states that OPM's CIRT is
        responsible for sending incident reports to US-CERT on security incidents. OPM
        notifies US-CERT within one hour of a reportable security incident occurrence.

     c) Reporting incidents to law enforcement

        The Incident Response and Reporting policy states that security incidents should also
        be reported to law enforcement authorities, where appropriate. OPM notifies the
        OIG’s Office of Investigations of security incidents with a monthly report outlining
        all incidents where sensitive data was lost.


VI.   Security Training
      All OPM employees are required to take IT security awareness training on an annual
      basis. In addition, employees with IT security responsibility are required to take
      additional specialized training.

      a) IT security awareness training

         The OCIO provides annual IT security and privacy awareness training to all OPM
         employees through an interactive web-based course. The course introduces
         employees and contractors to the basic concepts of IT security and privacy, including
         topics such as the importance of information security, security threats and
         vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software,
         and the roles and responsibilities of users.

         Over 99 percent of OPM’s employees and contractors completed the security
         awareness training course in FY 2011.

      b) Specialized IT security training

         Agency employees with significant information security responsibilities are required
         to take specialized security training in addition to the annual awareness training.

         The OCIO has developed a table outlining the security training requirements for
         specific job roles by groups. The OCIO uses a spreadsheet to track the security
         training taken by employees that have been identified as having security
         responsibility. Of those identified, only 75 percent have completed at least one hour
         of specialized security training in FY 2011.

         Recommendation 10 (Rolled-Forward from 2010)
         We continue to recommend that the OCIO ensure that all employees with significant
         information security responsibility take meaningful and appropriate specialized
         security training on an annual basis.

         OCIO Response:
         “The CIO concurs with this recommendation and offers the following clarifying
         remarks. In FY2011, we redesigned the OPM specialized security training program
         as part of our risk management strategy and to improve accuracy. We achieved a
         success rate of 75% and for the first time identified and required Executives and
         senior staff serving as Authorizing Officials and System Owners to complete the
         required training.”


VII. Plan of Action and Milestones
     A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and
     monitoring the progress of corrective efforts for IT security weaknesses. In FY 2010, the
     OCIO developed a POA&M Guide that provides a template and instructions for system
     owners to use in managing known IT security weaknesses. The sections below detail
     OPM’s effectiveness in using POA&Ms to track the agency’s security weaknesses.

     a) POA&Ms incorporate all known IT security weaknesses

        In October 2010, we issued the FY 2010 FISMA audit report with 41 audit
        recommendations. We verified that all 41 of the recommendations were
        appropriately incorporated into the OCIO POA&M.

        We reviewed 14 system POA&Ms submitted to the OCIO in FY 2011 to determine if
        all known IT security weaknesses identified in the annual security controls tests were
        incorporated into the quarterly POA&Ms. Nothing came to our attention to indicate
        that program offices were not incorporating all known IT security weaknesses into
        system POA&Ms.

     b) Management of POA&Ms by program offices

        OPM program offices are responsible for developing, implementing, and managing
        POA&Ms for each system that they own and operate. We were provided evidence
        that up-to-date POA&Ms were submitted to the OCIO on a quarterly basis for all 48
        OPM systems.

     c) Remediation plans for correcting security weaknesses

        When a POA&M item is remediated, OPM program offices are required to submit a
        work completion plan (WCP) along with evidence that the deficiency was corrected
        to the OCIO for review. We reviewed WCPs for eight systems and found that the
        program offices provided sufficient evidence that the weaknesses were corrected.
         The eight systems were selected from the 48 OPM systems and were judgmentally
        chosen by OIG auditors. The results of the sample test were not projected to the
        entire population.

     d) Compliance with estimated dates for remediation

        The POA&Ms for 10 OPM systems contain security weaknesses with remediation
        activities over 120 days overdue. In the 3rd quarter of 2011, OPM systems had a total
        of 36 POA&M items over 120 days overdue, an improvement from the 58 overdue
        items during the same time period in FY 2010.

        Program offices are responsible for dedicating adequate resources to addressing
        POA&M weaknesses and meeting target objectives. In FY 2011, the OCIO provided
        improved guidance to ensure that program offices assign reasonable POA&M due
        dates and stay on track to meet those dates.

     e) POA&M process prioritizes IT security weaknesses

        Each program office at OPM is required to prioritize IT security weaknesses on their
        POA&Ms to help ensure significant IT security weaknesses are addressed in a timely
        manner. The POA&Ms for all systems in OPM’s inventory adequately prioritized
        security weaknesses.

VIII. Remote Access Management
     The OIG evaluated OPM’s remote access and telecommuting policies and procedures and
     its progress in implementing the requirements of NIST SP 800-46 Revision 1, “Guide to
     Enterprise Telework and Remote Access Security.” In FY 2011, the OCIO developed an
     updated remote access policy. The new policy contains all of the critical elements
     required by the NIST guide.

     We also evaluated OPM’s progress in enforcing two-factor authentication for remote
     users.

     a) Authentication requirements

        OPM utilizes a Virtual Private Network (VPN) client to provide remote users with
        secure access to the agency’s network environment. The VPN requires users to
        uniquely identify and authenticate themselves, and the OCIO maintains logs of
        individuals who remotely access the network. The logs are reviewed on a monthly
        basis for unusual activity or trends.

        In FY 2009, OPM required two-factor authentication for remote access in the form of
        RSA token devices in combination with a password. However, the agency stopped
        enforcing two-factor authentication in FY 2010 and users were able to authenticate
        with only a password. In FY 2011, the OCIO implemented the capability of using
        Personal Identity Verification (PIV) cards along with a password for two-factor
        authentication. However, there is still a subset of users who can access the network
        remotely using only a static password.

        Recommendation 11 (Rolled-Forward from 2010)
         We recommend that the CIO enforce two-factor authentication with PIV cards for all
        remote access to its network environment.

        OCIO Response:
        “The CIO concurs with this recommendation and offers the following clarification
         remarks. The OPM network is now configured for two-factor authentication with
        PIV cards and most remote users are using PIV cards for authentication. In
         FY2012, we will continue to work on having the remaining users who are not using
         PIV cards for authentication to comply with this requirement.”

IX.   Identity and Access Management
      The sections below detail OPM’s account and identity management program.

      a) Account management

         OPM maintains policies related to management of user accounts for its local area
         network (LAN) and its mainframe environments. Both policies contain procedures
         for creating user accounts with the appropriate level of access as well as procedures
         for removing access for terminated employees.

         The OIG compared a list of recently terminated OPM employees to a list of active
         LAN and mainframe users. We found that 17 employees maintained LAN access
         after their termination date, and 7 users had multiple accounts. We found no issues of
         mainframe users maintaining access after their termination.

         OPM’s human resources department is responsible for creating and distributing a
         weekly list of terminated employees. This list is e-mailed directly to the mainframe
         team. However, nobody from the LAN team is copied on the distribution. We were
          not informed of any audits or reviews of user accounts conducted by the LAN team.
          Whatever audit activity does occur is not sufficient, as evidenced by the account
          violations detected during our review.

         Failure to promptly remove LAN access for terminated employees increases the risk
         that individuals could gain unauthorized access to sensitive data stored on OPM’s
         network environment.

         Recommendation 12
         We recommend that all LAN accounts assigned to terminated employees be disabled.

         OCIO Response:
         “The CIO concurs with this recommendation and offers the following clarification.
         Currently, LAN accounts assigned to terminated employees are disabled once the
         information is provided to the Help Desk. However, there are occasions when the
         help desk does not always receive timely notification of terminated employees.”

         Recommendation 13
         We recommend that all unnecessary duplicate user accounts be disabled.

         OCIO Response:
         “The CIO concurs with this recommendation and will take the necessary corrective
         action.”

   Recommendation 14
   We recommend that the human resources employee termination list be distributed to
   all information system owners.

   OCIO Response:
   “There is concurrence with this recommendation. [OPM Human Resources
   (OPMHR)] has no objection in principle to supplying the separation list that is
   currently distributed to some system owners to all system owners as identified by the
   CIO; however, a quick review of the list shows some significant ownership issues.

    1. OPMHR will review the ownership list in its entirety and reserves the right to
       make adjustments either based on its personal knowledge of the system and its
       ownership or after consultation with the listed owner.
   2. There are multiple versions of the separation report. Due to the additional
      number of recipients, OPMHR will work with the system owners to develop a
      generic report to minimize the workload impact.”

   OIG Reply:
   We acknowledge the fact that OPMHR agrees to provide the termination list. In
   order to fully address this recommendation, the OCIO must provide OPMHR with a
   list of appropriate recipients.

   Recommendation 15
   We recommend that the OCIO implement a process to routinely audit all active user
   accounts to search for terminated employees or duplicate accounts.

   OCIO Response:
   “The CIO concurs with this recommendation and will take the necessary corrective
   action.”
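The reconciliation behind Recommendations 12, 13 and 15 (separation list against active accounts, plus persons holding more than one account), as an added example that is not OPM's or OPMHR's process; the CSV layouts, field names and sample rows are constructed assumptions:

```python
"""Routine user-account audit (constructed example, not OPM's process).

Reconciles an HR separation list against an export of LAN accounts, the
comparison the OIG made by hand: it lists (1) enabled accounts whose owner's
termination date has passed, noting whether the account logged on after that
date, and (2) persons holding more than one account, as candidates for the
"unnecessary duplicate" review. CSV layouts, field names and rows are assumed.
"""
import csv
from datetime import date
from io import StringIO

# Constructed sample exports; a real run would read the HR and directory files.
SEPARATIONS_CSV = """employee_id,name,termination_date
E1001,Ana Lopez,2011-05-31
E1002,Ben Okafor,2011-06-15
E1003,Chen Wei,2011-07-01
E1004,Dee Patel,2011-08-31
"""

ACCOUNTS_CSV = """account,employee_id,enabled,last_logon
alopez,E1001,true,2011-06-03
bokafor,E1002,false,2011-06-10
cwei,E1003,true,2011-07-05
cwei2,E1003,true,2011-02-11
dpatel,E1004,true,2011-07-12
esmith,E2001,true,2011-07-08
esmith-adm,E2001,true,2011-07-08
"""


def load_rows(text):
    return list(csv.DictReader(StringIO(text)))


def terminated_with_access(separations, accounts, as_of):
    """Enabled accounts whose owner's termination date is on or before as_of.
    Separations dated after as_of (Dee Patel) are not flagged yet; an account
    already disabled (bokafor) is handled and is not flagged either."""
    term = {s["employee_id"]: date.fromisoformat(s["termination_date"])
            for s in separations}
    hits = []
    for a in accounts:
        t = term.get(a["employee_id"])
        if t is None or t > as_of or a["enabled"].lower() != "true":
            continue
        hits.append({
            "account": a["account"],
            "employee_id": a["employee_id"],
            "terminated": t.isoformat(),
            "days_open": (as_of - t).days,
            # A logon after the termination date is an event to investigate,
            # not just a hygiene gap.
            "logon_after_termination": date.fromisoformat(a["last_logon"]) > t,
        })
    # Longest-standing exposures first.
    return sorted(hits, key=lambda h: (-h["days_open"], h["account"]))


def duplicate_accounts(accounts):
    """Employee IDs with more than one account. These are review candidates,
    not automatic removals: a separate admin account may be legitimate."""
    by_emp = {}
    for a in accounts:
        by_emp.setdefault(a["employee_id"], []).append(a["account"])
    return {e: sorted(accs) for e, accs in by_emp.items() if len(accs) > 1}


def run_audit(as_of_iso):
    """Run both checks as of an ISO date string, e.g. '2011-07-15'."""
    seps, accts = load_rows(SEPARATIONS_CSV), load_rows(ACCOUNTS_CSV)
    return {
        "terminated_with_access": terminated_with_access(
            seps, accts, date.fromisoformat(as_of_iso)),
        "duplicates": duplicate_accounts(accts),
    }


if __name__ == "__main__":
    result = run_audit("2011-07-15")
    for h in result["terminated_with_access"]:
        print(f"{h['account']:<12} owner terminated {h['terminated']} "
              f"({h['days_open']} days ago), logon after termination: "
              f"{h['logon_after_termination']}")
    print("multiple accounts:", result["duplicates"])
```

Run on a schedule against the real HR and directory exports, the first list is the input to Recommendation 12 and the second to Recommendation 13.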

b) Unauthenticated network devices

   The OCIO maintains an inventory of user workstations and servers connected to the
   OPM network environment. In FY 2010, the OCIO tested an automated tool that
   would scan the network for rogue devices not associated with authenticated users.
   The OCIO stated that “An automated process to detect unauthenticated network
   devices has been procured and is expected to be in place and operational in the third
   quarter FY 2011.” However, this control has not yet been implemented.

   Recommendation 16 (Rolled-Forward from 2010)
   We recommend that the OCIO implement an automated process to detect
   unauthenticated network devices.


        OCIO Response:
        “The CIO concurs with this recommendation and will take the necessary corrective
        action.”

X.   Continuous Monitoring Management
     The following sections detail OPM’s controls related to continuous monitoring of the
     security state of its information systems.

     a) Continuous monitoring policy and procedures

        OPM’s Information Security and Privacy Policy Handbook states that the security
        controls of all systems must be continuously monitored and assessed annually to
        ensure continued effectiveness.

         In FY 2011, the OCIO developed a Continuous Monitoring Working Group tasked
         with implementing a continuous monitoring program at the agency. The working
         group has developed a Concept of Operations (CONOPS) document that outlines
         the framework for the planned continuous monitoring program.

         Although the creation of the working group and the CONOPS indicates that the
         OCIO has taken steps toward implementing a continuous monitoring program at
         OPM, this project remains a work in progress.

        Recommendation 17 (Rolled-Forward from 2010)
        We recommend OPM develop a Continuous Monitoring Policy that outlines a
        strategy for identifying information security controls that need continuous monitoring
        as well as procedures for conducting the tests.

        OCIO Response:
        “The CIO concurs with this recommendation and work is already underway to
        develop an OPM Continuous Monitoring program which will include policies and
        procedures.”

     b) Common security controls

        In FY 2011, the OCIO developed a catalog of information security controls that are
        shared (“common”) with all of the agency’s applications. Common security controls
        do not need to be tested for individual applications “inheriting” these controls, as they
        have already been certified at an agency-wide level. The existence of the common
        controls catalog saves time and resources by eliminating the need for these controls to
        be tested multiple times by each application that inherits them.

        The current common controls catalog indicates that approximately 25% of the
        security controls outlined in NIST SP 800-53 Revision 3, “Recommended Security
        Controls for Federal Information Systems,” are common to all agency applications.
         However, the vast majority of these common controls are related to policy or program
         management. The current version of the catalog is incomplete, as it does not account
         for the large number of technical controls that are common to applications residing on
         one of OPM’s several general support systems. The OCIO indicated that it intends to
         update the catalog with additional common controls.

         Recommendation 18 (Rolled-Forward from 2010)
         We recommend that OPM create a comprehensive list of common security controls
         and distribute this information to OPM program offices responsible for testing
         individual applications.

         OCIO Response:
         “The CIO does not concur with this recommendation and offers the following
         clarifying remarks. In FY2011, over 50 common controls were identified by the
         CISO and independently tested by the Bureau of Public Debt [BPD]. These
         common security controls were published August 2011 on THEO and are available
         to all OPM program offices. In FY2012, we will identify and independently test
         additional security controls that are candidates for common control status.”

         OIG Reply:
         The majority of controls contained within OPM’s catalog are related to policies and
         procedures. We continue to assert that the current version of the catalog is
         incomplete, as it does not account for the large number of technical controls that are
         common to applications residing on one of OPM’s several general support systems.
         The current OPM common controls catalog adds minimal value to the main objective
         of a comprehensive catalog: saving time and resources by eliminating the need for
         these controls to be tested multiple times by each application that inherits them.

         We continue to recommend that OPM create a comprehensive list of common
         security controls and distribute this information to OPM program offices responsible
         for testing individual applications. We will consider this recommendation to be
         implemented when the common controls catalog contains the technical controls
         provided by OPM general support systems.

XI.   Contingency Planning
      OPM’s Information Security Privacy and Policy Handbook requires a contingency plan
      to be in place for each federal information system. We verified that contingency plans
      exist for all 48 production systems on OPM’s master system inventory.

      In prior OIG FISMA audits, we noted that the quality and consistency of contingency
      plans varied greatly between OPM’s various systems. As a result, the OCIO developed a
      contingency plan template that all system owners are now required to use. The new
      template closely follows the guidance of NIST SP 800-34, Contingency Planning Guide
      for Information Technology Systems. Use of the new template is required for all systems
      that start the security authorization process after January 2011. As of August 2011, only
      six systems have conducted an authorization using the new guidance. The quality and
      consistency of the contingency plans appear to be improving with the use of the new
      template.

a) Testing contingency plans of individual OPM systems

   OPM’s Information Security Privacy and Policy Handbook requires that “The
   contingency plan for the information system is tested and/or exercised at least
   annually using OPM defined and information system specific tests and exercises. . . .”
   We received evidence that contingency plans were tested for only 40 of 48 systems in
   FY 2011.

   Of the contingency plan tests we did receive, we continue to notice inconsistency in
   the quality of the documentation produced for various OPM systems. One of the
   main areas of inconsistency relates to the contingency plan test after action report.
   NIST SP 800-34 states that following a contingency plan test, “results and lessons
   learned should be documented and reviewed by test participants and other personnel
   as appropriate. Information collected during the test and post-test reviews that
   improve plan effectiveness should be incorporated into the contingency plan.”
   Several after action reports we reviewed did not include summarized results or
   lessons learned. Without a thoroughly documented after action report, system owners
   will not know how to improve the contingency plan in order to be better prepared for
   a disruptive event.

   These inconsistencies were the result of the program offices not having adequate
   guidance for conducting contingency plan tests at the time the tests were completed.
   The OCIO recently issued detailed guidance to program offices on how to conduct a
   contingency plan test and create an after action report. As part of the FY 2012
   FISMA audit, we will test the impact that this new guidance has on the quality of
   system level contingency plan tests.

   Recommendation 19 (Rolled-Forward from 2008)
   We recommend that OPM’s program offices test the contingency plans for each
   system on an annual basis. The contingency plans should be immediately tested for
   the 8 systems that were not subject to adequate testing in FY 2011.

   OCIO Response:
   “The CIO concurs with this recommendation.”

b) Agency-wide coordination of contingency plan testing

   Many OPM systems reside on one of the agency’s general support systems. While
   the contingency plans for these general support systems are tested on an individual
   basis, there is no coordinated contingency plan or disaster recovery test. A
         coordinated test is critical because there are several applications that have elements or
        modules spread across multiple general support systems. Without some form of
        centralized approach to contingency plan testing there is a risk that OPM systems will
        not be successfully recovered in the event of a disaster.

        The agency has also not completed an agency-wide business impact analysis (BIA).
        OPM’s Security Assessment and Authorization Guide states that “In order to properly
        develop a [Contingency Plan], a Business Impact Analysis must first be conducted.
        The BIA provides the necessary risk determinations to develop the system
        contingency plan.” OPM is in the process of creating an agency-wide BIA, but this
        was not completed in FY 2011. Without a BIA, the agency cannot adequately
        prioritize the recovery of agency systems to facilitate a successful disaster recovery
        process.

        Recommendation 20
        We recommend that the OCIO conduct an agency-wide Business Impact Analysis.

        OCIO Response:
        “The CIO concurs with this recommendation and will take the necessary corrective
        action.”

        Recommendation 21
        We recommend that the OCIO implement and document a centralized (agency-wide)
        approach to contingency plan testing.

        OCIO Response:
        “The CIO concurs with this recommendation but seeks clarifying information from
        the OIG on this recommendation.”

        OIG Reply:
        We will provide the OCIO additional information on this recommendation, but the
        details will not be contained within this audit report.

XII. Contractor Systems
     OPM’s master system inventory indicates that 16 of the agency’s 48 major applications
     are operated by a contractor.

     We evaluated the methods that various program offices use to maintain oversight of their
     systems run by contractors. In response to a FY 2010 FISMA audit recommendation
     regarding oversight of contractor-operated systems, the OCIO created a Site Survey
     Assessment form that program offices had to complete for all contractor-operated
     systems. The survey asked the program office to comment on the security controls in
     place at the contractor facilities. The survey was a positive step in providing oversight
     over contractor-operated systems. Although the program offices appeared to provide an
     adequate level of oversight to contractor-operated systems, the techniques and quality of
     this oversight were inconsistent between program offices. This inconsistency is the result
     of OPM not having an agency-wide policy related to oversight of contractor systems.

     Recommendation 22
     We recommend that, in addition to the Site Survey Assessment Form, OPM develop a
     policy providing guidance on adequate oversight of contractor-operated systems.

     OCIO Response:
     “The CIO partially concurs with this recommendation and believes that existing
     security policy also applies to contractor systems as documented under the Federal
     Information Security Management Act of 2002. However, the CIO believes that
     additional policy clarifications would be beneficial to improving security for OPM
     contractor systems and will update policy accordingly.”

     OIG Reply:
     Although OPM’s IT Security Handbook may apply to contractors, we determined that the
     techniques and quality of oversight provided to contractor systems were inconsistent
     between program offices. This inconsistency is the result of OPM not having an agency-
     wide policy providing program offices guidance on overseeing the activities of
     contractors operating OPM systems. We continue to recommend that the OCIO develop
     policies to address oversight of contractor systems.

XIII. Security Capital Planning
     NIST SP 800-53 section SA-2, Allocation of Resources, states that an organization needs
     to determine, document, and allocate the resources required to protect information
     systems as part of its capital planning and investment control process.

     OPM’s Information Security and Privacy Policy Handbook contains policies and
     procedures to ensure that information security is addressed in the capital planning and
     investment process. The OCIO uses Exhibit 53B to record information security resources
     allocation and submits this information annually to OMB.

     Nothing came to our attention to indicate that OPM does not maintain an adequate capital
     planning and investment program for information security.

XIV. Follow-up of Prior OIG Audit Recommendations

     All audit recommendations issued prior to 2010 were rolled forward into one of the
     recommendations in the FY 2010 OIG FISMA audit report (Report 4A-CI-00-10-019).
     FY 2010 recommendations that were not remediated by the end of FY 2011 are rolled
     forward with a new recommendation number in this FY 2011 OIG FISMA audit report.

The prior sections of this report evaluate the current status of many 2010
recommendations. However, there are several recommendations that have not yet been
addressed because the related topics were not part of the FY 2011 FISMA reporting
instructions. These remaining recommendations are addressed in the sections below.

Note - Audit recommendations issued prior to FY 2010 reference OPM’s Center for
Information Services (CIS) as the program office responsible for the agency’s IT security
program. After an organizational realignment, this group is now referred to as the Office
of the Chief Information Officer (OCIO).

Follow-up on recommendations issued in OIG Audit Report 4A-CI-00-10-019,
“Federal Information Security Management Act Audit – FY 2010”

a) 4A-CI-00-10-019 Recommendation 3
   We recommend that the OCIO develop and implement an active strategy to maintain
   up-to-date information regarding OPM’s master system inventory.

   FY 2011 Status
   The OCIO conducted an inventory survey of OPM program offices in FY 2010.
   However, one program office has not yet responded to the survey. This
   recommendation remains open and is rolled forward in FY 2011.

   Recommendation 23 (Rolled-Forward from 2010)
   We recommend that the OCIO develop and implement an active strategy to maintain
   up-to-date information regarding OPM’s master system inventory.

   OCIO Response:
   “The CIO does not concur with this recommendation and believes that existing
   methods for maintaining the OPM master systems inventory are adequate. These
   methods consist of requiring DSOs to provide monthly system inventory updates to
   the CISO and the CISO conducts an annual survey to identify systems at contractor
   facilities, other Federal agencies or internal to OPM.”

   OIG Reply:
   One OPM program office has not responded to the OCIO’s survey regarding
   information system inventory. Without full participation from OPM program offices,
   the OCIO’s approach of identifying information systems via surveys is not adequate.

b) 4A-CI-00-10-019 Recommendation 33 (Roll-forward from OIG Report 4A-CI-00-09-
   031 Recommendation 1)
   We recommend that CIS conduct a survey of OPM program offices (particularly the
   Benefits Systems Group) to identify any systems that exist but do not appear on the
   system inventory. The systems discovered during this survey should be promptly
   added to the system inventory and certified and accredited.

   FY 2011 Status
   The OCIO conducted an inventory survey of OPM program offices in FY 2010.
   However, one program office has not yet responded to the survey. This
   recommendation remains open and is rolled forward in FY 2011.

   Recommendation 24 (Rolled-Forward from 2009)
   We recommend that CIS conduct a survey of OPM program offices to identify any
   systems that exist but do not appear on the system inventory. The systems discovered
   during this survey should be promptly added to the system inventory and certified and
   accredited.

   OCIO Response:
   “The CIO concurs with this recommendation and offers the following clarifying
   remarks. In FY2011, we conducted a survey of OPM program offices to identify
   systems that should be added to the system inventory. In FY2012, we plan to
   conduct another survey and identified systems will be added to the system
   inventory.”

   OIG Reply:
   If the OCIO does not receive full participation by OPM program offices in the 2012
   survey, we recommend that they develop a new methodology for identifying
   information systems owned by the agency.

c) 4A-CI-00-10-019 Recommendation 35 (Roll-forward from OIG Report 4A-CI-00-09-
   031 Recommendation 4)
   We recommend that CIS conduct a survey to determine how many systems owned by
   another agency are used by OPM.

   FY 2011 Status
   The OCIO conducted an inventory survey of OPM program offices in FY 2010. We
   discovered that one program office did not respond to the survey. This
   recommendation remains open and is rolled forward in FY 2011.

   Recommendation 25 (Rolled-Forward from 2009)
   We recommend that CIS conduct a survey to determine how many systems owned by
   another agency are used by OPM.

   OCIO Response:
   “The CIO concurs with this recommendation and offers the following clarifying
   remarks. In FY2011, we conducted a survey of OPM program offices to identify
   systems owned by another agency and used by OPM. In FY2012, we plan to
   conduct another survey and identified systems will be added to the system
   inventory.”

   OIG Reply:
   If the OCIO does not receive full participation by OPM program offices in the 2012
   survey, we recommend that they develop a new methodology for identifying
   information systems owned by the agency.

d) 4A-CI-00-10-019 Recommendation 37 (Roll-forward from OIG Report 4A-CI-00-09-
   031 Recommendation 20)
   We recommend that a new PIA be conducted for the appropriate systems based on the
   updated PIA Guide.

   FY 2011 Status
   Not all agency systems have completed a PIA using the new format. This
   recommendation remains open and is rolled forward in FY 2011.

   Recommendation 26 (Rolled-Forward from 2009)
   We recommend that a new PIA be conducted for the appropriate systems based on the
   updated PIA Guide.

   OCIO Response:
   “The CIO concurs with this recommendation and offers the following remarks. All
   PIAs with the exception of four were updated to reflect the new PIA Guide. We will
   take corrective action to ensure that the remaining four are updated.”

e) 4A-CI-00-10-019 Recommendation 38 (Roll-forward from OIG Report 4A-CI-00-09-
   031 Recommendation 21)
   We recommend that each system owner annually review the existing PIA for their
   system to reevaluate current holdings of PII, and that they submit evidence of the
   review to the OCIO.

   FY 2011 Status
   Not all agency systems have completed a PIA using the new format and therefore
   cannot adequately reevaluate their current holdings of PII. This recommendation
   remains open and is rolled forward in FY 2011.

   Recommendation 27 (Rolled-Forward from 2009)
   We recommend that each system owner annually review the existing PIA for their
   system to reevaluate current holdings of PII, and that they submit evidence of the
   review to the OCIO.

   OCIO Response:
   “The CIO does not concur with this recommendation and believes that all PIAs
   were reviewed by system owners in FY2011.”

   OIG Reply:
   Four systems do not have current PIAs; therefore, not all PIAs were reviewed by
   system owners in FY 2011.

f) 4A-CI-00-10-019 Recommendation 39 (Roll-Forward from OIG Reports 4A-CI-00-
   09-031 Recommendation 22 and 4A-CI-00-08-022 Recommendation 12)
   We recommend that OPM continue its efforts to eliminate the unnecessary use of
   SSNs in accordance with OMB Memorandum M-07-16.

   FY 2011 Status
   The OCIO has an ongoing plan to reduce and eventually eliminate the unnecessary
   use of SSNs. However, resource limitations prevented them from completing this
   task in FY 2011. This recommendation remains open and is rolled forward in FY
   2011.

   Recommendation 28 (Rolled-Forward from 2008)
   We recommend that OPM continue its efforts to eliminate the unnecessary use of
   SSNs in accordance with OMB Memorandum M-07-16.

   OCIO Response:
   “The CIO concurs with this recommendation and offers the following clarifying
   remarks. OPM currently does not have the funding to effectively pursue the
   elimination of unnecessary use of SSNs as stated in OMB memorandum M-07-16.
   Efforts are made when the unnecessary use of SSN is discovered in PTA and PIA
   documentation and efforts are explored with the program office for alternatives.
   OPM does comply with the requirement to meet regularly with other federal
   agencies on this effort.”

g) 4A-CI-00-10-019 Recommendation 40 (Roll-Forward from OIG Report 4A-CI-00-
   09-031 Recommendation 27)
   We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language
   in all contracts related to common security settings.

   FY 2011 Status
   The OCIO is in the process of incorporating Federal Acquisition Regulation 2007-004
   language in all contracts related to common security settings. However, they did
   not finish this process in FY 2011. This recommendation remains open and is rolled
   forward in FY 2011.

   Recommendation 29 (Rolled-Forward from 2009)
   We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language
   in all contracts related to common security settings.

OCIO Response:
“The CIO concurs with this recommendation and will take the necessary corrective
action.”

                                Major Contributors to this Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:

•                  , Group Chief
•                    , Senior Team Leader
•                 IT Auditor
•                    , IT Auditor
•                , IT Auditor

                         UNITED STATES OFFICE OF PERSONNEL MANAGEMENT

                                                       Washington, DC 20415



Chief Information
     Officer



        MEMORANDUM FOR
                                   CHIEF
                                   INFORMATION SYSTEMS AUDIT GROUP

        FROM:                      MATTHEW E. PERRY
                                   CHIEF INFORMATION OFFICER

        Subject:                   Response to the Federal Information Security Management Act
                                   Audit - FY 2011, Report No. 4A-CI-00-11-009

Thank you for the opportunity to comment on the subject report. The results provided in the
draft report consist of a number of recommendations. The recommendations are valuable to our
program improvement efforts and most of them are generally consistent with our plan. We plan
to continue making improvements in our security risk management strategy and the OPM IT
security program.

OIG Recommendations:

Recommendation 1
We recommend that the OCIO develop policies to address oversight of contractor systems,
IV&V, and continuous monitoring of high risk security controls.

The CIO partially concurs with this recommendation and offers clarifying remarks in order to
present a more current interpretation. The policies in the IT Security Handbook dated March 31,
2011 apply to all OPM systems including those at contractor facilities and therefore a new policy
for oversight of contractor systems is not necessary. The CIO believes that new policies for
IV&V and continuous monitoring of high risk security controls should be developed and would
be beneficial to the OPM security program.

Recommendation 2 (Rolled-Forward from 2010)
We recommend that OPM implement a centralized information security governance
structure where all information security practitioners, including designated security
officers, report to the SAISO. Adequate resources should be assigned to the OCIO to
create this structure. Existing designated security officers who report to their program
offices should return to their program office duties. The new staff that reports to the
SAISO should consist of experienced information security professionals.

The CIO concurs with this recommendation and offers the following remarks. The CIO's budget
does not contain funding to replace the Designated Security Officers with information security
professionals. One possible suggestion is to require OPM program offices to provide funding for
the CIO to hire information security professionals.

Recommendation 3
We recommend that the OCIO work with program offices to correct the specific errors
that the OIG identified in the Authorization packages reviewed in FY 2011.

The CIO concurs with this recommendation and will take corrective action.

Recommendation 4 (Rolled-Forward from 2010)
We recommend that the OCIO assign additional resources to facilitate the Authorization
process to ensure the consistency and quality of Authorization packages developed by OPM
program offices.

The CIO concurs with this recommendation and believes that additional security resources could
improve the security authorization process. However, funding is not allocated in the CIO budget
to hire additional resources.

Recommendation 5
We recommend that the OCIO develop policies and procedures related to managing risk
from an agency-wide perspective.

The CIO does not concur with this recommendation and believes that adequate policies and
procedures are in place to manage risk from an agency-wide perspective as documented in
sections 3.1.9 and 3.1.7 of the IT Security Handbook dated March 31, 2011.

Recommendation 6
We recommend that the OCIO continue to develop its Risk Executive Function to meet all
of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive
(Function).

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 7 (Rolled-Forward from 2008)
We recommend that OPM ensure that an annual test of security controls has been
completed for all systems.


The CIO concurs with this recommendation and offers the following clarifying remarks in order
to present a more current interpretation. In FY2011 security controls testing was completed for
41 of 48 eligible systems resulting in an 85% compliance rate. In FY2012, we will continue to
work with program offices to ensure that security controls are tested for all eligible systems.

Recommendation 8
We recommend that OCIO implement a process for tracking the status of weaknesses
identified through vulnerability scanning.

The CIO concurs with this recommendation and will implement the necessary corrective action.

Recommendation 9
We recommend that OCIO document "accepted" weaknesses identified in vulnerability
scans.

The CIO concurs with this recommendation and will implement the necessary corrective action.

Recommendation 10 (Rolled-Forward from 2010)
We continue to recommend that the OCIO ensure that all employees with significant
information security responsibility take meaningful and appropriate specialized security
training on an annual basis.


The CIO concurs with this recommendation and offers the following clarifying remarks. In
FY2011, we redesigned the OPM specialized security training program as part of our risk
management strategy and to improve accuracy. We achieved a success rate of 75% and for the
first time identified and required Executives and senior staff serving as Authorizing Officials and
System Owners to complete the required training.

Recommendation 11 (Rolled-Forward from 2010)
We recommend that CIO enforce two-factor authentication with PIV cards for all remote
access to its network environment.


The CIO concurs with this recommendation and offers the following clarification remarks. The
OPM network is now configured for two factor authentication with PIV cards and most remote
users are using PIV cards for authentication. In FY2012, we will continue to work on having the
remaining users who are not using PIV cards for authentication to comply with this requirement.

Recommendation 12
We recommend that all LAN accounts assigned to terminated employees be disabled.

The CIO concurs with this recommendation and offers the following clarification. Currently,
LAN accounts assigned to terminated employees are disabled once the information is provided to
the Help Desk. However, there are occasions when the help desk does not always receive timely
notification of terminated employees.

Recommendation 13
We recommend that all unnecessary duplicate user accounts be disabled.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 14
We recommend that the human resources employee termination list be distributed to all
information system owners.

There is concurrence with this recommendation. OPMHR has no objection in principle to
supplying the separation list that is currently distributed to some system owners to all system
owners as identified by the CIO; however, a quick review of the list shows some significant
ownership issues.

    1. OPMHR will review the ownership list in its entirety and reserves the right to make
       adjustments either based on its personal knowledge of the system and its ownership or
       after consultation with the listed owner.
    2. There are multiple versions of the separation report. Due to the additional number of
       recipients, OPMHR will work with the system owners to develop a generic report to
       minimize the workload impact.


We wish to state that receipt of this report may not facilitate the earliest termination of network
accounts for the following reasons:

    1. HR relies on individual organizations to submit separation actions for their
       employees. We do not know when someone leaves the agency until we receive that
       notification.
    2. In the case of employees who transfer to another agency, published government-wide
       guidance states that the employee cannot be removed from the rolls until positive
       evidence of the transfer from the gaining agency is received. In those cases we are at the
       mercy of the other agency to notify us. It is not unusual for it to take months to receive
       this notification.

Several years ago the agency's Exit Clearance Process was reviewed and revised based on this
very issue. An agency-wide working group was pulled together to review the process and come
up with a workable solution. The responsibility for clearing an employee from the building
rested with the employee's supervisor and they were responsible for making sure that any
equipment was returned as well as their employee ID was turned in. You might want to think
about revisiting that process at this time.


Recommendation 15
We recommend that the OCIO implement a process to routinely audit all active user
accounts to search for terminated employees or duplicate accounts.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 16 (Rolled-Forward from 2010)
We recommend that the OCIO implement an automated process to detect unauthenticated
network devices.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 17 (Rolled-Forward from 2010)
We recommend OPM develop a Continuous Monitoring Policy that outlines a strategy for
identifying information security controls that need continuous monitoring as well as
procedures for conducting the tests.

The CIO concurs with this recommendation and work is already underway to develop an OPM
Continuous Monitoring program which will include policies and procedures.

Recommendation 18 (Rolled-Forward from 2010)
We recommend OPM create a list of common security controls and distribute this
information to OPM program offices responsible for testing individual applications.

The CIO does not concur with this recommendation and offers the following clarifying remarks.
In FY2011, over 50 common controls were identified by the CISO and independently tested by
the Bureau of Public Debt. These common security controls were published August 2011 on
THEO and are available to all OPM program offices. In FY2012, we will identify and
independently test additional security controls that are candidates for common control status.

Recommendation 19 (Rolled-Forward from 2008)

We recommend that OPM's program offices test the contingency plans for each system on
an annual basis. The contingency plans should be immediately tested for the 28 systems
that were not subject to adequate testing in FY 2011.

The CIO concurs with this recommendation and offers the following clarifying remarks in order
to present a more current interpretation. In FY2011 contingency plan testing was completed for
40 of 48 eligible systems, resulting in an 83% compliance rate. In FY2012, we will continue to
work with program offices to ensure that contingency plan testing is conducted for all eligible
systems.

Recommendation 20

We recommend that the OCIO conduct an agency-wide Business Impact Analysis.

The CIO concurs with this recommendation and will take the necessary corrective action.

Recommendation 21

We recommend that OCIO implement and document a centralized (agency-wide) approach
to contingency plan testing.

The CIO concurs with this recommendation but seeks clarifying information from the OIG on
this recommendation.


Recommendation 22

We recommend that, in addition to the Site Survey Assessment Form, OPM develop a
policy providing guidance on adequate oversight of contractor-operated systems.

The CIO partially concurs with this recommendation and believes that existing security policy
also applies to contractor systems as documented under the Federal Information Security
Management Act of 2002. However, the CIO believes that additional policy clarifications would
be beneficial to improving security for OPM contractor systems and will update policy
accordingly.

Recommendation 23 (Rolled-Forward from 2010)

We recommend that the OCIO develop and implement an active strategy to maintain
up-to-date information regarding OPM's master system inventory.

The CIO does not concur with this recommendation and believes that existing methods for
maintaining the OPM master systems inventory are adequate. These methods consist of
requiring DSOs to provide monthly system inventory updates to the CISO, and the CISO
conducts an annual survey to identify systems at contractor facilities, other Federal agencies or
internal to OPM.

Recommendation 24 (Rolled-Forward from 2009)

We recommend that CIS conduct a survey of OPM program offices to identify any systems
that exist but do not appear on the system inventory. The systems discovered during this
survey should be promptly added to the system inventory and certified and accredited.

The CIO concurs with this recommendation and offers the following clarifying remarks. In
FY2011, we conducted a survey of OPM program offices to identify systems that should be
added to the system inventory. In FY2012, we plan to conduct another survey, and identified
systems will be added to the system inventory.

Recommendation 25 (Rolled-Forward from 2009)

We recommend that CIS conduct a survey to determine how many systems owned by
another agency are used by OPM.

The CIO concurs with this recommendation and offers the following clarifying remarks. In
FY2011, we conducted a survey of OPM program offices to identify systems owned by another
agency and used by OPM. In FY2012, we plan to conduct another survey, and identified systems
will be added to the system inventory.


Recommendation 26 (Rolled-Forward from 2009)

We recommend that a new PIA be conducted for the appropriate systems based on the
updated PIA Guide.

The CIO concurs with this recommendation and offers the following remarks. All PIAs with the
exception of four were updated to reflect the new PIA Guide. We will take corrective action to
ensure that the remaining four are updated.


Recommendation 27 (Rolled-Forward from 2009)

We recommend that each system owner annually review the existing PIA for their system
to reevaluate current holdings of PII, and that they submit evidence of the review to the
OCIO.

The CIO does not concur with this recommendation and believes that all PIAs were reviewed by
system owners in FY2011.

Recommendation 28 (Rolled-Forward from 2008)

We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in
accordance with OMB Memorandum M-07-16.

The CIO concurs with this recommendation and offers the following clarifying remarks. OPM
currently does not have the funding to effectively pursue the elimination of unnecessary use of
SSNs as stated in OMB Memorandum M-07-16. Efforts are made when the unnecessary use of
SSNs is discovered in PTA and PIA documentation, and alternatives are explored with the program
office. OPM does comply with the requirement to meet regularly with other
federal agencies on this effort.

Recommendation 29 (Rolled-Forward from 2009)

We recommend OPM incorporate Federal Acquisition Regulation 2007-004 language in all
contracts related to common security settings.

The CIO concurs with this recommendation and will take the necessary corrective action.