U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
Subject:
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT AUDIT
FY 2013
Report No. 4A-CI-00-13-021
Date: November 21, 2013
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Audit Report
U.S. OFFICE OF PERSONNEL MANAGEMENT
-------------------------------------------------------------
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT AUDIT
FY 2013
--------------------------------
WASHINGTON, D.C.
Report No. 4A-CI-00-13-021
Date: November 21, 2013
Michael R. Esser
Assistant Inspector General
for Audits
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Executive Summary
U.S. OFFICE OF PERSONNEL MANAGEMENT
-------------------------------------------------------------
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT AUDIT
FY 2013
--------------------------------
WASHINGTON, D.C.
Report No. 4A-CI-00-13-021
Date: November 21, 2013
This final audit report documents the Office of Personnel Management’s (OPM) continued
efforts to manage and secure its information resources.
Over the past several years, the Office of the Chief Information Officer (OCIO) made
noteworthy improvements to OPM’s IT security program. However, we are concerned that these
efforts have recently stalled due to resource limitations.
In the FY 2007 FISMA report, we noted a material weakness related to the lack of IT security
policies and procedures. In FY 2009, we expanded the material weakness to include the lack of
a centralized security management structure necessary to implement and enforce IT security
policies.
Little progress was made in the subsequent years to address these issues. However, in FY 2012,
the OPM Director issued a memo mandating the centralization of IT security duties to a team of
Information System Security Officers (ISSO) that report to the OCIO. This change was a major
milestone in addressing the material weakness.
i
However, as of the end of FY 2013, the centralized ISSO structure has only been partially
implemented. The OCIO had filled three ISSO positions and assigned security responsibility for
17 of the agency’s 47 information systems to these individuals. The OCIO has a plan to hire
enough ISSOs to manage the security of all 47 systems, but this plan continues to be hindered by
budget restrictions.
We acknowledge that the existing ISSOs are effectively performing security work for the limited
number of systems they manage, but there are still many OPM systems that have not been
assigned to an ISSO. The findings in this audit report highlight the fact that OPM’s
decentralized governance structure continues to result in many instances of non-compliance with
FISMA requirements. Therefore, we are again reporting this issue as a material weakness for FY
2013.
In addition to the issues described above, we noted the following controls in place and
opportunities for improvement:
• The Security Assessment and Authorization packages completed in FY 2013 appeared to be
an improvement over Authorizations completed in prior years, and the packages present a
more uniform approach to IT security.
• The OCIO has implemented risk management procedures at a system-specific level, but has
not developed an agency-wide risk management methodology.
• The OCIO has implemented an agency-wide information system configuration management
policy and has established configuration baselines for all operating platforms used by the
agency, with the exception of . In addition,
are not routinely scanned for compliance with configuration baselines.
• The OCIO routinely conducts vulnerability scans of production servers, and has improved its
capability to track outstanding vulnerabilities. However, the OCIO has not documented
accepted weaknesses for servers or databases.
• The OCIO has implemented a process to apply operating system patches on all devices
within OPM’s network on a weekly basis.
• The OCIO has developed thorough incident response capabilities, but does not have a
centralized network security operations center to continuously monitor security events.
• Our review of Plans of Action and Milestones (POA&M) indicated that many system owners
are not meeting the self-imposed remediation deadlines listed on the POA&Ms. In addition
we noted that the owners of 10 systems have not identified the resources needed to address
POA&M weaknesses, as required by OPM’s POA&M policy.
• The OCIO enforces the use of two-factor authentication for remote access, but Virtual
Private Network sessions do not , as required by
OPM’s Information Technology Security FISMA Procedures.
• OPM is not compliant with Office of Management and Budget Memorandum M-11-11, as no
OPM systems require two-factor authentication using PIV credentials.
• The OCIO has developed the ability to detect unauthorized devices connected to the OPM
network.
ii
• The OCIO has taken steps toward implementing a continuous monitoring program at OPM;
however, this project remains a work in progress.
• The IT security controls were adequately tested for only 34 of 47 information systems in
OPM’s inventory.
• The contingency plans were adequately tested for only 40 of 47 information systems in
OPM’s inventory.
• There is not a coordinated contingency plan/disaster recovery test between OPM’s various
general support systems.
• OPM maintains an adequate security capital planning and investment program for
information security.
• OPM is continuing its efforts to reduce the unnecessary use of Social Security Numbers.
iii
Contents
Page
Executive Summary ......................................................................................................................... i
Introduction ..................................................................................................................................... 1
Background ..................................................................................................................................... 1
Objectives ....................................................................................................................................... 1
Scope and Methodology ................................................................................................................. 2
Compliance with Laws and Regulations......................................................................................... 4
Results ............................................................................................................................................. 5
I. Information Security Governance .................................................................................... 5
II. Security Assessment and Authorization .......................................................................... 7
III. Risk Management ............................................................................................................ 8
IV. Configuration Management ............................................................................................. 9
V. Incident Response and Reporting .................................................................................. 12
VI. Security Training ........................................................................................................... 13
VII. Plan of Action and Milestones ....................................................................................... 14
VIII. Remote Access Management ......................................................................................... 16
IX. Identity and Access Management .................................................................................. 17
X. Continuous Monitoring Management ............................................................................ 18
XI. Contingency Planning .................................................................................................... 20
XII. Contractor Systems ........................................................................................................ 22
XIII. Security Capital Planning .............................................................................................. 23
XIV. Follow-up of Prior OIG Audit Recommendations......................................................... 23
Major Contributors to this Report ................................................................................................. 25
Appendix I: Status of Prior OIG Audit Recommendations
Appendix II: The Office of the Chief Information Officer’s October 16, 2013 comments on the
draft audit report, issued September 25, 2013.
Appendix III: FY 2013 Inspector General FISMA reporting metrics.
Introduction
On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-
347), which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In accordance with FISMA, we conducted an evaluation of
OPM’s security program and practices. As part of our evaluation, we reviewed OPM’s FISMA
compliance strategy and documented the status of its compliance efforts.
Background
FISMA requirements pertain to all information systems supporting the operations and assets of
an agency, including those systems currently in place or planned. The requirements also pertain
to information technology (IT) resources owned and/or operated by a contractor supporting
agency systems.
FISMA reemphasizes the Chief Information Officer’s strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency’s Office of the Chief
Information Officer (OCIO). FISMA also clearly places responsibility on each agency program
office to develop, implement, and maintain a security program that assesses risk and provides
adequate security for the operations and assets of programs and systems under its control.
To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the
Department of Homeland Security (DHS) Office of Cybersecurity and Communication issued
the Fiscal Year (FY) 2013 Inspector General FISMA Reporting Instructions. This document
provides a consistent form and format for agencies to report FISMA audit results to DHS. It
identifies a series of reporting topics that relate to specific agency responsibilities outlined in
FISMA. Our audit and reporting strategies were designed in accordance with the above DHS
guidance.
Objectives
Our overall objective was to evaluate OPM’s security program and practices, as required by
FISMA. Specifically, we reviewed the status of the following areas of OPM’s IT security
program in accordance with DHS’s FISMA IG reporting requirements:
• Risk Management;
• Configuration Management;
• Incident Response and Reporting Program;
• Security Training Program;
• Plans of Action and Milestones (POA&M) Program;
• Remote Access Program;
• Identity and Access Management;
• Continuous Monitoring Program;
1
• Contingency Planning Program;
• Agency Program to Oversee Contractor Systems; and
• Agency Security Capital Planning Program.
In addition, we evaluated the status of OPM’s IT security governance structure, an area that has
represented a material weakness in OPM’s IT security program in prior FISMA audits.
We also audited the security controls of three major applications/systems at OPM (see Scope and
Methodology for details of these audits), and audited the OCIO’s use of a Common Security
Controls Catalog. We also followed-up on outstanding recommendations from prior FISMA
audits (see Appendix I).
Scope and Methodology
We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM’s
FISMA compliance efforts throughout FY 2013.
We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s
guidance and the corresponding reporting instructions. We also performed information security
audits on:
• USA Staffing (Report No. 4A-HR-00-13-024, issued June 21, 2013);
• Personnel Investigations Processing System (Report No. 4A-IS-00-13-022, issued June 24,
2013);
• Serena Business Manager (Report No. 4A-CI-00-13-023, issued July 19, 2013); and
• Common Security Controls Catalog (report No. 4A-CI-00-13-036, issued October 10, 2013).
We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives. Accordingly, we obtained an understanding of the internal controls for these
various systems through interviews and observations, as well as inspection of various documents,
including information technology and other related organizational policies and procedures. This
understanding of these systems’ internal controls was used to evaluate the degree to which the
appropriate internal controls were designed and implemented. As appropriate, we conducted
compliance tests using judgmental sampling to determine the extent to which established
controls and procedures are functioning as required.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
2
achieve the audit objectives, and nothing came to our attention during our audit testing to cause
us to doubt its reliability.
Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.
The criteria used in conducting this audit include:
• DHS Office of Cybersecurity and Communications FY 2013 Inspector General Federal
Information Security Management Act Reporting Instructions;
• OPM Information Technology Security and Privacy Handbook;
• OPM Information Technology Security FISMA Procedures;
• OPM Security Assessment and Authorization Guide;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information
Resources;
• OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
• OMB Memorandum M-11-11: Continued Implementation of Homeland Security Presidential
Directive 12;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
Management Act of 2002;
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An
Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to
Federal Information Systems;
• NIST SP 800-39, Managing Information Security Risk;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
Systems;
• NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to
Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities;
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
Categorization of Federal Information and Information Systems;
• FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
• Other criteria as appropriate.
The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from May through September 2013 in OPM’s
Washington, D.C. office.
3
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM’s OCIO and other program offices were not in complete compliance with all standards, as
described in the “Results” section of this report.
4
Results
The sections below detail the results of our FY 2013 FISMA audit of OPM’s IT Security
Program. Many recommendations were issued in prior FISMA audits and are rolled forward
from the 2012 FISMA audit (Report No. 4A-CI-00-12-016).
I. Information Security Governance
Information security governance is the overall framework and supporting management
structure and processes that are the foundation of a successful information security
program. For many years, we have reported increasing concerns about the state of
OPM’s information security governance. In the FY 2007 FISMA report, we issued a
material weakness related to the lack of IT policies and procedures. In FY 2009, we
expanded the material weakness to include the lack of a centralized security management
structure necessary to implement and enforce IT policies.
We also have growing concerns about OPM’s ability to manage major system
development projects and the decentralized nature of the agency’s technical operating
environment.
The sections below provide additional details from the OIG’s review of IT security
governance at OPM.
a) Information security management structure
Information system security at OPM has historically been managed by individual
Designated Security Officers (DSO) that report to the various program offices that
own major computer systems. Many of these DSOs are not certified IT security
professionals, and are performing DSO duties as collateral responsibility to another
full-time position.
In FY 2011, the OCIO updated its IT security and privacy policies, but information
security was still managed by DSOs that were not qualified to implement the new
policies. In FY 2012, the OPM Director issued a memo mandating the transfer of IT
security duties from the decentralized program office DSOs to a centralized team of
Information System Security Officers (ISSO) that report to the OCIO. This change
was a major milestone in addressing the material weakness.
However, as of the end of FY 2013, the centralized ISSO structure has only been
partially implemented. The OCIO has filled three ISSO positions and assigned
security responsibility for 17 of the agency’s 47 information systems to these
individuals. The OCIO has a plan to hire enough ISSOs to manage the security of all
47 systems, but this plan continues to be hindered by budget restrictions.
The existing ISSOs are effectively performing security work for the limited number
of systems they manage, but there are still many OPM systems that have not been
5
assigned to an ISSO. The findings in this audit report highlight the fact that OPM’s
decentralized governance structure continues to result in many instances of non-
compliance with FISMA requirements. Specifically, the sections below related to
continuous monitoring, contingency planning, and POA&Ms all describe specific
weaknesses that could be improved with the full implementation of a centralized
security governance structure. Therefore, we are again classifying this issue as a
material weakness for FY 2013.
Recommendation 1 (Rolled-Forward from 2010)
We recommend that OPM implement a centralized information security governance
structure where all information security practitioners, including designated security
officers, report to the Chief Information Security Officer (CISO.) Adequate resources
should be assigned to the OCIO to create this structure. Existing designated security
officers who report to their program offices should return to their program office
duties. The new staff that reports to the CISO should consist of experienced
information security professionals.
OCIO Response:
“A CIO initiated Memo directing the centralization of the security responsibilities
of Designated Security Officers (DSO) in the Office of Chief Information Security
Officer (CISO) was issued by the OPM Director on August, 2012 with an effective
date of October 1, 2012. The CIO has already hired three Information System
Security Officers with professional IT security experience and certifications and
recruitment of an additional one is in progress for a total of four. The initial set of
systems has been transitioned to ISSOs for security management and we expect to
have all OPM systems under CISO security management once funding for
additional professional security staff becomes available.”
OIG Reply:
We acknowledge the progress that the OCIO has made in implementing a centralized
IT security structure, and will continue to monitor its effectiveness in FY 2014.
b) Systems development lifecycle methodology
OPM has a history of troubled system development projects. In our opinion, the root
cause of these issues relates to the lack of central policy and oversight of systems
development. Many system development projects at OPM have been initiated and
managed by program offices with limited oversight or interaction with the OCIO.
These program office managers do not always have the appropriate background in
project management or information technology systems development.
The OCIO has recently published a new system development lifecycle (SDLC)
policy, which is a significant first step in implementing a centralized SDLC
methodology at OPM. However, policy alone will not improve the historically weak
SDLC management capabilities of OPM.
6
The new policy is currently only applicable to OPM’s 11 major IT investments and is
not actively enforced on other IT projects. However, it is imperative that the OCIO
make it a priority to enforce this new policy to all system development projects. The
failure of OPM’s Service Credit system was an example of a system development
project that did not meet the criteria of a major investment, but when it failed there
were serious consequences for the agency – not financial, but impactful to
stakeholders and embarrassing in terms of media exposure and political scrutiny.
The new SDLC policy does incorporate several prior OIG recommendations related
to a centralized review process of system development projects. We also
recommended that the OCIO develop a team with the proper project management and
system development expertise to oversee new system development projects. Through
this avenue, the OCIO should review SDLC projects at predefined checkpoints, and
provide strict guidance to ensure that program office management is following
OPM’s SDLC policy and is employing proper project management techniques to
ensure a successful outcome for all new system development projects.
Recommendation 2
We recommend that the OCIO develop a plan and timeline to enforce the new SDLC
policy to all of OPM’s system development projects.
OCIO Response:
“The OPM SDLC is being applied to OPM’s major investment projects. In FY14, a
plan with timelines will be developed to enforce the SDLC policy for applicable
system development projects.”
OIG Reply:
We acknowledge the steps that the OCIO is taking to expand the enforcement of the
SDLC policy, and reiterate that we believe the policy should be enforced to all OPM
IT projects.
As part of the audit resolution process, we recommend that the OCIO provide OPM’s
Internal Oversight and Compliance Office with evidence that it has implemented the
audit recommendation. This statement applies to all subsequent recommendations in
this report where the OCIO agrees with the recommendation and intends to
implement a solution.
II. Security Assessment and Authorization
System certification is a comprehensive assessment that attests that a system’s security
controls are meeting the security requirements of that system, and accreditation is the
official management decision to authorize operation of an information system and accept
its risks. OPM’s process of certifying a system’s security controls is referred to as
Security Assessment and Authorization (Authorization.)
7
In FY 2011, the OCIO published updated procedures and templates designed to improve
the overall Authorization process and dedicated resources to facilitating system
Authorizations. The new process resulted in a noticeable improvement in the agency’s
Security Authorization packages and in FY 2012, we observed a continued improvement
in the Authorization packages completed under this new process. This improvement has
continued through FY 2013, and we believe this is due to the more rigorous review
process through which the OCIO is requiring program offices to comply with policies,
procedures, and the use of templates.
We reviewed the full Authorization packages of 15 systems that were subject to an
Authorization during FY 2013. The quality of all packages appeared to be an
improvement over Authorizations completed in prior years, and the packages present a
more uniform approach to IT security.
III. Risk Management
NIST SP 800-37 Revision 1 “Guide for Applying the Risk Management Framework to
Federal Information Systems” provides federal agencies with a framework for
implementing an agency-wide risk management methodology. The Guide suggests that
risk be assessed in relation to the agency’s goals and mission from a three-tiered
approach: Tier 1: Organization (Governance); Tier 2: Mission/Business Process
(Information and Information Flows); and Tier 3: Information System (Environment of
Operation). NIST SP 800-39 “Managing Information Security Risk – Organization,
Mission, and Information System View” provides additional details of this three-tiered
approach.
a) Agency-wide risk management
NIST SP 800-39 states that agencies should establish and implement “Governance
structures [that] provide oversight for the risk management activities conducted by
organizations and include:
(i) the establishment and implementation of a risk executive (function);
(ii) the establishment of the organization’s risk management strategy including the
determination of risk tolerance; and
(iii) the development and execution of organization-wide investment strategies for
information resources and information security.”
In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT
security professionals. However, as of the end of FY 2012, the 12 primary elements
of the Risk Executive Function as described in NIST SP 800-39 were not all fully
implemented. Key elements still missing from OPM’s approach to managing risk at
an agency-wide level include: conducting a risk assessment, maintaining a risk
registry, and communicating the agency-wide risks down to the system owners.
Although the OCIO improved in assessing risk at the individual system level (see
Security Assessment and Authorization section II, above), the OCIO was not fully
managing risk at an organization-wide level.
8
As of FY 2013, no further changes have been implemented to address organization-
wide risk.
Recommendation 3 (Rolled Forward from 2011)
We recommend that the OCIO continue to develop its Risk Executive Function to
meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk
Executive (Function).
OCIO Response:
“We will continue to assess the Risk Executive Function per NIST Special
Publication 800-39 and to explore and make suggestions for implementing this
function. The risk executive function will have agency wide authority and
responsibility for assessing risk across all OPM Program Offices and to advise
senior management on risk management strategies.”
b) System specific risk management and annual security controls testing
NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that
contains six primary steps, including “(i) the categorization of information and
information systems; (ii) the selection of security controls; (iii) the implementation of
security controls; (iv) the assessment of security control effectiveness; (v) the
authorization of the information system; and (vi) the ongoing monitoring of security
controls and the security state of the information system.”
The OCIO has implemented the six step RMF into its system-specific risk
management activities through the new Authorization process. In addition, OPM
policy requires each major information system to be subject to routine security
controls testing.
IV. Configuration Management
The sections below detail the controls that the OCIO has in place to manage the technical
configuration of OPM servers and workstations.
a) Agency-wide security configuration policy
OPM’s Information Security and Privacy Policy Handbook contains policies and
procedures related to agency-wide configuration management. The handbook
requires the establishment of secure baseline configurations and the monitoring and
documenting of all configuration changes.
b) Configuration baselines
In FY 2013, OPM put forth significant effort to document and implement new
baseline configurations for critical applications, servers, and workstations. At the
9
end of the fiscal year, the OCIO had established baselines and/or build sheets for the
following operating systems:
• Windows Internet Explorer 8,
• Windows XP,
• Windows 7, and
• Windows 2008 R2.
The OCIO is currently developing new baselines for .
NIST SP 800-53 Revision 3 control CM-2 requires agencies to develop, document,
and maintain a current baseline configuration of the information system. A baseline
should serve as a formally approved standard outlining how to securely configure
various operating platforms. Without an approved baseline, there is no standard
against which actual configuration settings can be measured, increasing the risk that
insecure systems exist in the operating environment.
Recommendation 4
We recommend that the OCIO develop and implement a baseline configuration for
.
OCIO Response:
“We are working to standardize operating systems and applications throughout the
environment. Over the past year, all Windows and Linux operating systems, as well
as Microsoft SQL have been given approved baseline images. We will continue to
improve our processes and develop and implement configuration baselines for
.”
c) United States Government Computer Baseline Configuration
OPM user workstations are built with a standard image that is compliant with the
United States Government Baseline Configuration. Any deviations deemed necessary
by the agency from the configurations are documented within each operating
platform’s baseline configuration.
We conducted an automated scan of the Windows 7 standard image to independently
verify compliance with the appropriate guideline and OPM’s baseline. Nothing came
to our attention to indicate that there are weaknesses in OPM’s methodology to
securely configure user workstations.
d) Compliance with baselines
The OCIO uses automated scanning tools to conduct routine compliance audits on the
majority of operating platforms used in OPM’s server environment. These tools
compare the actual configuration of servers and workstations to the approved baseline
10
In FY 2013, the OCIO implemented a process to routinely scan
However these scans are not perf01med using an
because, as mentioned above,
,._,.w,.... v ............., are in development.
NIST SP 800-53 Revision 3 control CM-3 requires agencies to audit activities
associated with infonnation system configurations.
Recommendation 5
We recommend that the OCIO conduct routine compliance audits on
with the OPM baseline configuration once they have
approved.
OC/0 Response:
"We concur with this recommendation and will implement the recommendation on
the approved baseline configuration. "
e) Software and hardware change management
The OCIO has developed a Configuration Change Control Policy that outlines a
f01mal process to approve and document all computer software and hardware
changes. The OCIO utilizes a software application to manage and maintain all
computer software and hardware change control documentation.
We reviewed evidence indicating that the OCIO is adequately following this policy
and is thoroughly documenting all system changes. Nothing came to our attention to
indicate that there are weaknesses in OPM's change management process.
f) Vulnerability scanning
OPM ' s Network Management Group (NMG) perfonns monthly vulnerability scans of
all servers using automated scanning tools. A daily security advis01y rep01t is
generated that details the m ost vulnerable servers and workstations, and these rep01ts
ar e sent to system owners so they can remediate the identified weaknesses.
NMG has documented accepted weaknesses for OPM user workstations; however, it
has not fully documented weaknesses for servers or databases (i.e., vulnerability scan
findings that are justified by a business need). This recommendation remains open
from FY 2011 and is rolled f01ward in FY 2013.
Recommendation 6 (Rolled Fonvard from 2011)
We recommend that the OCIO document " accepted" weaknesses identified in
vulnerability scans.
11
OCIO Response:
“We concur with this recommendation and will implement the recommendation in
FY-14.”
g) Patch management
The OCIO has implemented a process to apply operating system patches on all
devices within OPM’s network on a weekly basis. In FY 2013, the OCIO began
utilizing a third party patching software management program to manage and
maintain all non-operating system software.
We conducted vulnerability scans on a sample of servers and determined that servers
are appropriately patched. Nothing came to our attention to indicate that there are
weaknesses in OPM’s patch management process.
V. Incident Response and Reporting
OPM’s “Incident Response and Reporting Guide” outlines the responsibilities of OPM’s
Situation Room and documents procedures for reporting all IT security events to the
appropriate entities. We evaluated the degree to which OPM is following internal
procedures and FISMA requirements for reporting security incidents internally, to the
United States Computer Emergency Readiness Team (US-CERT), and to appropriate law
enforcement authorities.
a) Identifying and reporting incidents internally
OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT
resources to immediately notify OPM’s Situation Room when IT security incidents
occur. OPM reiterates the information provided in the Incident Response and
Reporting Guide in an annual mandatory IT security and privacy awareness training
course. In addition, OPM also uses three different software tools to prevent and
detect intrusions and malware in the agency’s network.
The OCIO has processes in place to quickly respond to all reported security incidents.
Our FY 2012 FISMA report indicated that there were several incidents in that fiscal
year that were not appropriately reported to the Situation Room. In response, the
OCIO provided documentation indicating that it had improved the annual incident
response training. This training appears to have improved incident response
reporting, as we are unaware of any incidents that were not appropriately reported in
FY 2013.
b) Reporting incidents to US-CERT and law enforcement
OPM’s Incident Response and Reporting policy states that OPM's Situation Room is
responsible for sending incident reports to US-CERT on security incidents. OPM
notifies US-CERT within one hour of a reportable security incident occurrence.
12
The Incident Response and Reporting policy also states that security incidents should
be reported to law enforcement authorities, where appropriate. The OIG’s Office of
Investigations is part of the incident response notification distribution list, and is
notified when security incidents occur.
c) Correlating and monitoring security incidents
OPM owns a software product with the technical ability to compare and correlate
security incidents over time. However, the correlation features of these tools are not
being fully utilized at this time. This tool receives event data from approximately 80
percent of all major OPM systems. Furthermore, OPM does not have a consistent and
unified process to monitor and analyze all security incidents. Some incidents cannot
be fully investigated due to inconsistent logging practices across systems, and
inefficiencies created by program offices running separate monitoring tools on their
systems.
The OCIO’s NMG is in the process of establishing an Enterprise Network Security
Operations Center (ENSOC) that will provide continuous centralized support for
OPM’s security incident prevention/management, performance analysis, fault
resolution, maintenance coordination, configuration management, security
management, system monitoring, network monitoring, alert escalation, problem
resolution bridge coordination, and incident response. Although we agree that the
proposed ENSOC will greatly improve OPM’s incident management capabilities and
overall security of the agency, the OCIO continues to face resource limitations that
hinder the full implementation of the ENSOC.
Recommendation 7 (Rolled Forward from 2012)
We recommend that the OCIO establish a centralized network security operations
center with the ability to monitor security events for all major OPM systems.
OCIO Response:
“A centralized monitoring center is established with first level alerting and
monitoring for the servers, and network appliances within the major OPM sites.
Work has begun on incorporating application and database monitoring and
compliance. We will continue to evaluate and look at cost effective ways to
implement this recommendation.”
VI. Security Training
FISMA requires all government employees and contractors to take IT security awareness
training on an annual basis. In addition, employees with IT security responsibility are
required to take additional specialized training.
13
a) IT security awareness training
The OCIO provides annual IT security and privacy awareness training to all OPM
employees through an interactive web-based course. The course introduces
employees and contractors to the basic concepts of IT security and privacy, including
topics such as the importance of information security, security threats and
vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software,
and the roles and responsibilities of users.
Over 98 percent of OPM’s employees and over 99 percent of contractors completed
the security awareness training course in FY 2013.
b) Specialized IT security training
OPM employees with significant information security responsibilities are required to
take specialized security training in addition to the annual awareness training.
The OCIO has developed a table outlining the security training requirements for
specific job roles. The OCIO uses a spreadsheet to track the security training taken
by employees that have been identified as having security responsibility. Of
employees with significant security responsibilities, 96 percent completed specialized
IT security training in FY 2013.
VII. Plan of Action and Milestones
A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and
monitoring the progress of corrective efforts for IT security weaknesses. The sections
below detail OPM’s effectiveness in using POA&Ms to track the agency’s security
weaknesses.
a) POA&Ms incorporate all known IT security weaknesses
The OIG FY 2012 FISMA audit contained 18 audit recommendations; we verified
that all 18 recommendations were appropriately incorporated into the OCIO master
POA&M.
Although only 34 of OPM’s 47 major systems provided the OIG with annual security
controls tests (see section X, below), we were able to verify that all security
weaknesses identified during these tests were incorporated into the appropriate
system’s POA&M.
b) Prioritize Weaknesses
Each program office at OPM is required to prioritize the security weaknesses on their
POA&Ms to help ensure significant IT issues are addressed in a timely manner. We
14
verified the POA&Ms that were provided did identify and prioritize each security
weakness.
c) Effective remediation plans and adherence to remediation deadlines
All system owners are required to create action steps (milestones) to effectively
remediate specific weaknesses identified on POA&Ms. Our review of the POA&Ms
indicated that system owners are appropriately listing milestones and target
completion dates on their POA&Ms.
However, our review also indicated that many system owners are not meeting the
self-imposed remediation deadlines listed on the POA&Ms. Of OPM’s 47 major
systems, 22 have POA&M items that are greater than 120 days overdue. We issued
an audit recommendation in FY 2012 related to overdue POA&M items. The
recommendation was closed during this fiscal year because the OCIO provided
updated corrective action plans for multiple systems. However, we are re-issuing the
recommendation because overdue POA&M items now exist for nearly half of OPM
systems.
Recommendation 8
We recommend that the OCIO and system owners develop formal corrective action
plans to remediate all POA&M weaknesses that are over 120 days overdue.
OCIO Response:
“The CIO dedicated resources to this task and has successfully closed a majority of
POA&Ms that are over 120 days old and will continue to work with program offices
to reduce or close those that are outstanding and to develop formal Corrective
Action Plans. Most POA&Ms that are over 120 days have dependencies such as
funding that is not available or coordination issues with external entities who often
are not ready to implement the required changes.”
OIG Reply:
We acknowledge that resource limitations will often impact the amount of time
required to address a system weakness. However, the remediation deadlines on the
POA&M’s are self-imposed and should be reasonable to meet. Additional training
for systems owners on establishing appropriate POA&M deadlines may help resolve
this issue.
d) Identifying resources to remediate weaknesses
We noted that the owners of 10 systems have not identified the resources needed to
address POA&M weaknesses, as required by OPM’s POA&M policy.
15
Recommendation 9 (Rolled Forward from 2012)
We recommend that all POA&Ms list the specific resources required to address each
security weakness identified.
OCIO Response:
“This recommendation has been largely implemented for program offices with
open POA&Ms. We will continue to work with program offices to ensure that the
‘resources required’ for POA&Ms are identified and documented.”
e) OCIO tracking and reviewing POA&M activities on a quarterly basis
System owners are required to submit a POA&M to the OCIO on a quarterly basis.
In addition, the OCIO requires program offices to provide the evidence, or “proof of
closure,” that security weaknesses have been resolved before officially closing the
related POA&M. When the OCIO receives a proof of closure document from the
program offices for a POA&M item, an OCIO employee will judgmentally review
the documentation to determine whether or not the evidence provided was
appropriate.
We selected one closed POA&M item from each of 10 OPM systems and reviewed
the proof of closure documentation provided by the program offices. The 10 systems
were judgmentally selected from the 47 OPM systems. We determined that adequate
proof of closure was provided for all 10 systems tested. The results of the sample
test were not projected to the entire population.
VIII. Remote Access Management
OPM has implemented policies and procedures related to authorizing, monitoring, and
controlling all methods of accessing the agency’s network resources from a remote
location. In addition, OPM has issued agency-wide telecommuting policies and
procedures, and all employees are required to sign a Rules of Behavior document that
outlines their responsibility for the protection of sensitive information when working
remotely.
OPM utilizes a Virtual Private Network (VPN) client to facilitate secure remote access to
the agency’s network environment. The OPM VPN requires the use of an individual’s
PIV card and password authentication to uniquely identify users. The OIG has reviewed
the VPN access list to ensure that there are no shared accounts and that each user account
has been tied to an individual. The agency maintains logs of individuals who remotely
access the network, and the logs are reviewed on a monthly basis for unusual activity or
trends.
Although there are still a small portion of authorized network devices that are not
compliant with PIV cards (e.g., iPads), these devices still require multi-factor
16
authentication for remote access through the use of RSA tokens and password
authentication .
recJuureiJaerlt that a remote access session
We connected workstations to
neither VPN session was
1s m process of conducting research on
to mitigate this issue and believes this is a major flaw in the
vendor's design.
Recommendation 10 (Rolled Forward from 2012)
We recommend the OCIO configure the VPN servers to
OC/0 Response:
"All technological controls are in place and we believe there is a flaw in a vendor's
design that will require an out ofbandpatch to repair. We have na"owed the problem
to a fault within the UDP connection to the client and we are working with the vendor,
Cisco Systems to get this resolved. "
IX. Identity and Access Management
The following sections detail OPM's accmmt and identity m anagement program.
a) Policies for account and identity management
OPM m aintains policies and procedures for agency-wide account and identity
management within the OCIO Infotmation Security and Privacy Policy Handbook.
The policies contain procedures for creating user accounts with the appropriate level
of access as well as procedures for removing access for tetminated employees.
b) Terminated employees
OPM maintains policies related to management of user accounts for its local area
network (LAN) and its mainframe enviromnents. Both policies contain procedures
for creating user accounts with the appropriate level of access as well as procedures
for removing access for tetminated employees.
We conducted an access test comparing the cunent LAN active user list against a list
oftetminated employees from the past year. Nothing came to our attention to
indicate that there are weaknesses in OPM 's access tetmination management process.
17
c) Multi-factor authentication with PIV
OMB Memorandum M-11-11 requires all federal information systems to be upgraded
to use PIV credentials for multi-factor authentication by the beginning of FY 2012.
In addition, the memorandum stated that all new systems under development must be
PIV compliant prior to being made operational, and that agencies must be compliant
with the memorandum prior to using technology refresh funds to complete other
activities.
In FY 2012, the OCIO began an initiative to require PIV authentication to access the
agency’s network. As of the end of FY 2013, 30 percent of OPM workstations
require PIV authentication for access to the OPM network. However, none of the
agency’s 47 major applications require PIV authentication.
Recommendation 11 (Rolled Forward from 2012)
We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading
its major information systems to require multi-factor authentication using PIV
credentials.
OCIO Response:
“We have developed and are in the process of implementing plans for multi-factor
PIV authentication for compliance with OMB M-11-11. A major segment of the
users on our network infrastructure are using PIV authentication. In FY-14 we
will continue to work with program offices to implement PIV authentication for
major systems.”
d) Unauthenticated network devices
In prior FISMA audits, we have recommended that the OCIO implement an
automated process to detect non-approved devices connected to OPM’s network. The
OCIO has purchased a Network Access Controller (NAC) that will govern access to
network resources. The NAC has the ability to identify all devices on the network
and deny access to unauthenticated devices.
Nothing came to our attention to indicate that there are weaknesses in OPM’s controls
over unauthenticated devices.
X. Continuous Monitoring Management
The following sections detail OPM’s controls related to continuous monitoring of the
security state of its information systems.
18
a) Continuous monitoring policy and procedures
OPM’s Information Security and Privacy Policy Handbook states that the security
controls of all systems must be continuously monitored and assessed to ensure
continued effectiveness. In FY 2012, the OCIO published an addendum to the
Information Security and Privacy Policy which states that it is the ISSO/DSOs
responsibility to assess all security controls in an information system. The addendum
also states that continuous monitoring security reports must be provided to ITSP at least
semiannually.
As stated in section I above, the ISSO function has not been fully established at OPM.
Our FY 2012 FISMA report stated that many of the current DSOs do not have the
technical skills or the resources required to adequately monitor the information
security controls of their systems. Therefore, we continue to believe that OPM’s
continuous monitoring policies and procedures cannot be adequately implemented
until the agency’s centralized ISSO function has been fully established.
b) Continuous monitoring strategy
The OCIO developed a concept of operations document and a continuous monitoring
program implementation “roadmap” that describes the stages and timeline for
implementing a full continuous monitoring program at OPM. While the initial stages
of implementation began in FY 2012, full implementation of the plan is not scheduled
to be completed until FY 2015. The OCIO achieved the FY 2013 milestones outlined
in the roadmap which included semiannual reporting for all OPM-operated systems.
The next stage in the OCIO’s plan involves quarterly submissions for High impact
systems, more frequent controls testing for all systems, and further implementation of
automated tools. Implementation of this stage is scheduled to be completed during
FY 2014.
Recommendation 12
We recommend that the OCIO expand its continuous monitoring program to include
quarterly submissions for High impact systems, more frequent controls testing for all
systems, and further implementation of automated tools as outlined in the Information
Security Continuous Monitoring Roadmap.
OCIO Response:
“We have made significant progress implementing Continuous Monitoring at OPM
and will continue to expand the program over a 2 year period into FY-15 subject to
availability of funds. We plan to implement this specific set of recommendations
from the draft report.”
c) Annual assessment of security controls
OPM policy requires all OPM system owners to submit evidence of continuous
monitoring activities at least semiannually (in March and September).
19
We requested the security test results for all OPM-operated systems for both
submissions in order to review them for quality and consistency. However, we were
only provided testing documentation for 20 out of the 26 major OPM-operated
systems.
At this time, security controls testing for contractor-operated systems is still only
required annually. A review of contractor system security control testing (see section
XII, below) indicates that only 14 out of 21 contractor-operated systems were tested
in this fiscal year.
Between contractor- and agency-operated information systems, only 34 out of 47
systems were subject to adequate security controls testing in FY 2013.
Failure to continuously monitor and assess security controls increases the risk that
agency officials are unable to make informed judgments to appropriately mitigate
risks to an acceptable level.
It has been over six years since all OPM systems were subject to an adequate annual
security controls test. OPM’s decentralized approach to IT security has traditionally
placed responsibility on the various program offices to test the security controls of
their systems. The OCIO’s lack of authority over these program offices has
contributed to the inadequate security controls testing of the agency’s information
systems. We are optimistic that the quality and consistency of security controls tests
will improve with the full implementation of the OCIO’s centralized ISSO structure
and with the shift to semi-annual continuous monitoring submissions.
Recommendation 13 (Rolled Forward from 2008)
We recommend that OPM ensure that an annual test of security controls has been
completed for all systems.
OCIO Response:
“We continue to make progress with security controls testing in FY-2013 and
expect to have test plans and results for all systems in FY-2014. Security controls
testing will be a major part of our continuous monitoring program that is currently
being implemented.”
XI. Contingency Planning
OPM’s Information Security Privacy and Policy Handbook requires a contingency plan
to be in place for each information system and that each system’s contingency plan be
tested on an annual basis. The sections below detail our review of contingency planning
activity in FY 2013.
20
a) Documenting contingency plans of individual OPM systems
We verified that contingency plans exist for all 47 production systems on OPM’s
master system inventory.
In prior OIG FISMA audits, we noted that the quality and consistency of contingency
plans varied greatly between OPM’s various systems. As a result, the OCIO
developed a contingency plan template that all system owners are now required to
use. The new template closely follows the guidance of NIST SP 800-34,
Contingency Planning Guide for Federal Information Systems.
b) Testing contingency plans of individual OPM systems
OPM’s Information Security Privacy and Policy Handbook requires that the
contingency plan for each information system be tested at least annually using
information system specific tests and exercises. We received evidence that
contingency plans were tested for only 40 of 47 systems in FY 2013.
Of the contingency plan tests we did receive, we continue to notice inconsistency in
the quality of the documentation produced for various OPM systems. One of the
main areas of inconsistency relates to the analysis or “lessons learned” section of the
report. NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans
and Capabilities, states that an after action report should “include background
information about the exercise, documented observations made by the facilitator and
data collector, and recommendations for enhancing the IT plan that was exercised.”
Several after action reports we reviewed did not include summarized results or
lessons learned. Without a thoroughly documented after action report, system owners
will not know how to improve the contingency plan in order to be better prepared for
a disruptive event.
Recommendation 14 (Rolled Forward from 2008)
We recommend that OPM’s program offices test the contingency plans for each
system on an annual basis. The contingency plans should be tested for the systems
that were not subject to adequate testing in FY 2013 as soon as possible.
OCIO Response:
“We will continue making progress working with program offices on contingency
plan testing in FY-14. Due to the current shortage of funding for all ISSOs, the
CISO must still rely on decentralized DSOs for support to complete the testing.
This has caused delays in implementation and coordination.”
c) Testing contingency plans of OPM general support systems
Many OPM systems reside on one of the agency’s general support systems. The
OCIO typically conducts a full recovery test at the backup location of the Enterprise
21
Server Infrastructure general support system (i.e., the mainframe and associated
systems) on an annual basis. However, no test was performed in FY 2013 due to
planned major changes in OPM’s technical environment. OPM purchased a new
mainframe and successfully failed-over all production data and applications from the
old mainframe to the new one. However, the fail-over did not take place in the
backup location.
One of OPM’s other major general support system, the LAN/WAN general support
system, is not routinely subject to a full functional disaster recovery test. Only select
LAN/WAN systems that impact or interface with the mainframe environment are
tested annually in conjunction with the mainframe disaster recovery test. Other
critical applications such as the email server were successfully tested in FY 2013.
NIST SP 800-53 Revision 3 states that FIPS 199 “high” systems should be subject to
“a full recovery and reconstitution of the information system to a known state as part
of contingency plan testing.” Without full functional routine testing of all OPM
general support systems, there is a risk that OPM systems will not be successfully
recovered in the event of a disaster.
In the FY 2011 FISMA audit report we recommended that the OCIO implement a
centralized (agency-wide) approach to contingency plan testing. We were informed
that a single synchronized functional test is not feasible due to logistical and resource
limitations. However, the intent of the recommendation is to ensure that all elements
of the general support systems are subject to a full functional disaster recovery test
each year. This recommendation can be remediated if each general support system is
subject to a full functional test each year, even if it must be broken into a series of
smaller tests.
Recommendation 15 (Rolled Forward from 2011)
We recommend that the OCIO implement and document a centralized (agency-wide)
approach to contingency plan testing.
OCIO Response:
“We will continue efforts to centralize contingency plan testing in FY-14 with the
goal of implementing this recommendation.”
XII. Contractor Systems
We evaluated the methods that the OCIO and various program offices use to maintain
oversight of their systems operated by contractors on behalf of OPM.
1. Contractor system documentation
OPM’s master system inventory indicates that 21 of the agency’s 47 major
applications are operated by a contractor. The OCIO also maintains a separate
22
spreadsheet documenting interfaces between OPM and contractor-operated systems
and the related Interconnection Security Agreements.
2. Contractor system oversight
The OPM Information Security and Privacy Policy Addendum states that “It is the
responsibility of the OPM system owner to ensure systems or services hosted by non-
OPM organizations comply with OPM information security and privacy policies.”
The handbook addendum also states that “OPM System Owners must ensure that an
annual security controls assessment is performed by a government employee or an
independent third party at the site where contracted information technology services
are rendered.”
We requested the annual security control tests for contractor-operated systems in
order to review them for quality and consistency. However, we were only provided
testing documentation for 14 out of the 21 systems (see section X above for the
related recommendation. Failure to complete the annual security controls test
increases the risk that agency officials are unable to make informed judgments to
appropriately mitigate risks to an acceptable level.
XIII. Security Capital Planning
NIST SP 800-53 Revision 3, control SA-2, Allocation of Resources, states that an
organization needs to determine, document, and allocate the resources required to protect
information systems as part of its capital planning and investment control process.
OPM’s Information Security and Privacy Policy Handbook contains policies and
procedures to ensure that information security is addressed in the capital planning and
investment process. The OCIO uses the Integrated Data Collection, a replacement to the
Exhibit 53B, to record information security resources allocation and submits this
information annually to OMB.
Nothing came to our attention to indicate that OPM does not maintain an adequate capital
planning and investment program for information security.
XIV. Follow-up of Prior OIG Audit Recommendations
All open audit recommendations issued prior to 2012 were rolled forward into one of the
recommendations in the FY 2012 OIG FISMA audit report (Report 4A-CI-00-12-016)
FY 2012 recommendations that were not remediated by the end of FY 2013 are rolled
forward with a new recommendation number in this FY 2013 OIG FISMA audit report.
The prior sections of this report evaluate the current status of many 2012
recommendations. However, there is one additional 2012 recommendation that has not
yet been addressed in this report because the related topic was not part of the FY 2013
FISMA reporting instructions. The current status of this recommendation is below.
23
a) 4A-CI-00-12-016 Recommendation 16 (Rolled Forward from 2008)
We recommend that OPM continue its efforts to eliminate the unnecessary use of
SSNs in accordance with OMB Memorandum M-07-16.
FY 2013 Status
The OCIO has an ongoing plan to reduce and eventually eliminate the unnecessary
use of SSNs in its major information systems. However, resource limitations
prevented them from completing this task in FY 2013. This recommendation remains
open and is rolled forward in FY 2013.
Recommendation 16 (Rolled Forward from 2008)
We recommend that OPM continue its efforts to eliminate the unnecessary use of
SSNs in accordance with OMB Memorandum M-07-16.
OCIO Response:
“Significant work was done to eliminate the unnecessary use of social security
numbers (SSN) including development of a consolidated Action Plan and
eliminating them from USAJOBS and the PMF systems. In FY-14, the Privacy
Officer will update the action plan and schedule a pilot project with Retirement
Services to review business processes to determine how SSNs usage can be reduced.
Note that this recommendation requires funding for agency-wide implementation.”
24
Major Contributors to this Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
• Lewis F. Parker, Deputy Assistant Inspector General for Audits
• , Chief, Information Systems Audits Group
• Lead IT Auditor
• , IT Auditor
• , IT Auditor
• IT Auditor
25
Appendix I
Status of Prior OIG Audit Recommendations
The table below outlines the current status of prior audit recommendations issued in FY 2012 by the Office of the Inspector General.
Report No. 4A-CI-00-12-016: FY 2012 Federal Information Security Management Act Audit, issued November 5, 2012
Rec # Original Recommendation Recommendation History Current Status
We recommend that OPM implement a centralized information security
governance structure where all information security practitioners,
including designated security officers, report to the CISO. Adequate
resources should be assigned to the OCIO to create this structure. Roll-forward from OIG Reports:
OPEN: Rolled-forward as Report
1 Existing designated security officers who report to their program offices • 4A-CI-00-10-019 Recommendation 4 and 4A-CI-00-13-021 Recommendation 1
should return to their program office duties. The new staff that reports • 4A-CI-00-11-009 Recommendation 2
to the CISO should consist of experienced information security
professionals.
We recommend that the OCIO continue to develop its Risk Executive
Function to meet all of the intended requirements outlined in NIST SP Roll-Forward from OIG Report: OPEN: Rolled-forward as Report
2
800-39, section 2.3.2 Risk Executive (Function). • 4A-CI-00-11-009 Recommendation 6 4A-CI-00-13-021Recommendation 3
We recommend that the OCIO implement a process to routinely audit
for compliance with the approved OPM baseline Recommendation new in FY 2012
3 CLOSED: 6/20/2013
configuration.
We recommend that the OCIO document “accepted” weaknesses Roll-Forward from OIG Report: OPEN: Rolled-forward as Report
4 identified in vulnerability scans.
• 4A-CI-00-11-009 Recommendation 9 4A-CI-00-13-021Recommendation 6
We recommend that the OCIO implement a process to timely patch (or
Recommendation new in FY 2012
5 remove altogether) third party applications on its servers. CLOSED: 9/25/2013
We recommend that the OCIO establish a centralized network security
operations center with the ability to monitor security events for all OPEN: Rolled-forward as Report
6 Recommendation new in FY 2012
major OPM systems. 4A-CI-00-13-021Recommendation 7
We continue to recommend that the OCIO ensure that all employees Roll-Forward from OIG Reports:
with significant information security responsibility take meaningful and
7 • 4A-CI-00-10-019 Recommendation 16, and CLOSED 9/26/2013
appropriate specialized security training on an annual basis. • 4A-CI-00-11-009 Recommendation 10
We recommend that the OCIO and system owners develop formal
CLOSED: 2/26/2013
corrective action plans to remediate all POA&M weaknesses that are
8 Recommendation new in FY 2012 Reissued as 4A-CI-00-13-
over 120 days overdue.
021Recommendation 8
We recommend that all POA&Ms list the specific resources required to
OPEN: Rolled-forward as Report
9 address each security weakness identified. Recommendation new in FY 2012
4A-CI-00-13-021Recommendation 9
We recommend the OCIO configure the VPN servers to terminate VPN
OPEN: Rolled-forward as Report
10 sessions after 30 minutes of inactivity. Recommendation new in FY 2012
4A-CI-00-13-021Recommendation 10
We recommend that the OCIO meet the requirements of OMB M-11-11
by upgrading its major information systems to require multi-factor OPEN: Rolled-forward as Report
11 Recommendation new in FY 2012
authentication using PIV credentials. 4A-CI-00-13-021Recommendation 11
We recommend that the OCIO implement an automated process to Roll-Forward from OIG Reports:
12 detect unauthenticated network devices. • 4A-CI-00-10-019 Recommendation 25, and CLOSED: 9/25/2013
• 4A-CI-00-11-009 Recommendation 16
We recommend that the OCIO expand its continuous monitoring
program to include a reporting process at the system‐level, and
13 implement automated tools and metric reporting for OPM as outlined in Recommendation new in FY 2012 CLOSED: 9/25/2013
the Information Security Continuous Monitoring Roadmap
Roll-forward from OIG Reports:
We recommend that OPM ensure that an annual test of security controls • 4A-CI-00-08-022 Recommendation 1,
OPEN: Rolled-forward as Report
14 has been completed for all systems. • 4A-CI-00-09-031 Recommendation 6,
4A-CI-00-13-021Recommendation 13
• 4A-CI-00-10-019 Recommendation 10, and
• 4A-CI-00-11-009 Recommendation 11
15 We recommend that OPM’s program offices test the contingency plans Roll-forward from OIG Reports:
for each system on an annual basis. The contingency plans should be • 4A-CI-00-08-022 Recommendation 2,
OPEN: Rolled-forward as Report
immediately tested for the eight systems that were not subject to • 4A-CI-00-09-031 Recommendation 9,
4A-CI-00-13-021Recommendation 14
adequate testing in FY 2012. • 4A-CI-00-10-019 Recommendation 30, and
• 4A-CI-00-11-009 Recommendation 19
16 We recommend that the OCIO implement and document a centralized Roll-Forward from OIG Report: OPEN: Rolled-forward as Report
(agency-wide) approach to contingency plan testing. • 4A-CI-00-11-009 Recommendation 21 4A-CI-00-13-021Recommendation 15
17 We recommend that the OPM Information Technology Security and
Privacy Handbook be updated to explicitly require contractor-operated
systems to be subject to an annual security controls test performed by a Recommendation new in FY 2012 CLOSED: 2/27/2013
government employee or an independent third party. The security
controls tests should be documented using OPM’s standard templates.
18 We recommend that OPM continue its efforts to eliminate the Roll-forward from OIG Reports:
unnecessary use of SSNs in accordance with OMB Memorandum M- • 4A-CI-00-08-022 Recommendation 12,
OPEN: Rolled-forward as Report
07-16. • 4A-CI-00-09-031 Recommendation 22,
4A-CI-00-13-021Recommendation 16
• 4A-CI-00-10-019 Recommendation 39, and
• 4A-CI-00-11-009 Recommendation 28
f ' • t
Appendix II
UNJTED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Chief Infonnntlon
Officer
Jl'lv {I
MEMORANDUM FOR:
• J
... • '1111 • • SYSTEMS AUDIT GROUP I,.., ~ t)
10 b •
FROM: CHUCK SIMPSON
ACTING, CHIEF INFORMATION OFFICER(J'J'
~~l
Subject : Response to the Federal Information Security Management Act Audit
FY2013, Report NO. 4A-CI-00-13-021
Thank you for the opportunity to comment on the subject report. The results provided in the draft report
consist of a number of recommendations. The recommendations are valuable to our program
improvement efforts and most of them are generally consistent with our plan. We plan to continue
making improvements in our security risk management strategy and the OPM IT security program.
In reviewing the draft report, we noticed that recommendation #8 which covers specialized security
training was reissued . Additional information was submitted since the draft report was issued showing a
specialized training participation rate of94%. We asked for consideration in having recommendation #8
removed from the final audit report.
The CIO's responses to the FY-13 Draft FISMA Audit Report are documented below:
Recommendation 1 !Rolled-Forward from 2010)
We r«ommend that OPM implement tentralized information security governance
structure where all information security practitioners, including designated security
officers, report to the CISO. Adequate resources should be assigned to the OCIO to
create this structure. Existing designated security offiters who report to their
program offices should return to their program office duties. The new staff that
reports to the CJSO should consist of experienced information security professionals.
CIO Resoonse:
A CIO initiated Memo directing the centralization of the security responsibilities of Designated Security
Officers (DSO) in the Office of Chief Information Security Officer (CISO) was issued by the OPM
Director on August, 2012 with an effective date of October 1, 2012. The CIO has already hired three
Infonnation System Security Officers with professional IT security experience and certifications and
recruitment of an additional one is in progress for a total of four. The initial set ofsystems has been
transition to ISSOs for security management and we expect to have all OPM systems under CISO
security management once funding for additional professional security staff becomes available.
R ecrui t. Retain and Honor a World-Class Worlcforce to Serve the American People - .usajobs.gov
Reeommendation 2
We recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all
of OPM's system development projects.
CIO Re~ponse :
The OPM SDLC is being applied to OPM's major investment projects. In FY14, a plan with timelines
will be developed to enforce the SDLC policy for applicable system development projects.
Recommendation 3 (Rolled-Forward from 20/J)
We recommend that the OCIO continue to develop its Risk Executive Function to
meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk
Exeeutive (Function).
CIO Response :
We will continue to assess the Risk Executive Function per NIST Special Publication 800-39 and to
explore and make suggestions for implementing this function . The risk executive function will have
agency wide authority and responsibility for assessing risk across all OPM Program Offices and to
advise senior management on risk management strategies.
Recommendation 4
We recommend that the OCIO develop and implement a baseline configuration for -
CIO Response:
We are working to standardize operating systems and applications throughout the environment. Over the
past year, all Windows and Linux operating systems, as well as Microsoft SQL have been given
approved baseline images. We will continue to and develop and implement
configuration baselines for
Resommendation 5
We recommend that the OCIO conduct routine compliance audits
- with the OPM baseline configuration once they bave been review'ed.
approved.
CIO Response:
We concur with this recommendation and will implement the recommendation on the approved baseline
configuration.
Recommendation 6 (Rolled-Forward from 2011)
We recommend that the OCIO document "accepted" weaknesses identified in
Vulnerability scans.
CIO Response:
We concur with this recommendation and will implement the recommendation in FY-14 .
Recommendation 7
We recommend that the OCIO establish a centralized network security operations
center with the ability to monitor security events for all major OPM systems.
CIO Response :
A centralized monitoring center is established with first level alerting and monitoring for the servers, and
network appliances within the major OPM sites. Work has begun on incorporating application and
database monitoring and compliance. We will continue to evaluate and look at cost effective ways to
implement this recommendation.
Recommendation 8 <Rolled-Forward from 2010)
We continue to recommend that the OCIO ensure that all employees with significant
information security responsibility take meaningful and appropriate specialized
security training on an annual basis.
CIO Response:
We have successfully implemented this recommendation and significant improvements were achieved
this year with a completion rate ofover 94 percent. Additional information was submitted after the draft
report was pubJished that reflects the most current data.
Recommendation 9
We recommend that the OCIO and system owners develop formal corrective action
plans to immediately remediate all POA&M weaknesses that are over 120 days
overdue.
CIO Response:
The CIO dedicated resources to this task and has successfully closed a majority of POA&Ms that are
over 120 days old and will continue to work with program offices to reduce or close those that are
outstanding and to develop fonnal Corrective Action Plans. Most POA&Ms that are over 120 days have
dependencies such as funding that is not available or coordination issues with external entities who often
are not ready to implement the required changes. It is suggested that the word "immediate" be removed
from recommendation 9 since immediate resolution is not feasible.
Recommendation 10
We recommend that all POA&Ms list the specific resources required to address each
security weakness identified.
CIO Response:
This recommendation has been largely implemented for program offices with open POA&Ms. We wilJ
continue to work with program offices to ensure that the "resources required" for POA&Ms are
identified and documented.
3
..
Recommendation 11
We recommend that system owners submit a POA&M to the OCIO for every system on a
quarterly basis.
CIO Response:
This recommendation has been implemented and program offices with open POA&Ms have been
updating their POA&Ms in the Trusted Agent system on at least a quarterly basis. High system updates
are perfonned monthly. The POA&M management process has been automated and we no longer
require submission s, instead program offices update their POA&Ms in the Trusted Agent Systems under
oversight and guidance from the CISO. Program offices that do not have open POA&Ms are not
required to perform POA&M updates. Please let us know if you wish to have a discussion on the
POA&M automation process.
Recommendation 12CRolled-Fonvard from 2012)
We recommend the OCIO configure the VPN servers to
CIO Response:
All technological controls are in place and we believe there is a flaw in a vendor's design that will
require an out of band patch to repair. We have nanowed the problem to a fault within the UDP
connection to the client and we are working with the vendor, Cisco Systems to get this resolved.
Recommendation 13 <RoUed-Forward 2012)
We recommend that the OCIO meet the requirements ofOMB M-11-11 by upgradidg
its major information systems to require multi-factor authentication using PIV
credentials.
CIO Response:
We have developed and are in the process of implementing plans for multi-factor PIV authentication for
compliance with OMB M-11-11. A major segment ofthe users on our network infrastructure are using
PIV authentication. In FY-14 we will continue to work with program offices to implement PIV
authentication for major systems.
Recommendation 14
We recommend that the OCIO expand its continuous monitoring program to include quarterly
submissions for High impact systems, more frequent controls testing for all systems, and further
implementation of automated tools as outlined in the Information Security Continuous
Monitoring Roadmap.
CIO Resoonse;
We have made significant progress implementing Continuous Monitoring at OPM and will continue to
expand the program over a 2 year period into FY-15 subject to availability of funds. We plan to
implement this specific set of recommendations from the draft report.
.. .
Recommendation 15 <Rolled forward from 2008)
We recommend that OPM ensure that an annual test ofsecurity controls has been completed for all
systems.
CIO Response:
We continue to make progress with security controls testing in FY-2013 and expect to have test plans
and results for all systems in FY-2014. Security controls testing will be a major part ofour continuous
monitoring program that is currently being implemented.
Recommendation 16 <Rolled-Forward from 2008)
We recommend that OPM's program offices test the contingency plans for each system on an
annual basis. The contingency plans should be immediately tested for the eight systems that were
not subjed to adequate testing in FY 2013.
CIO Response:
We will continue making progress working with program offices on contingency plan testing in FY-14.
Due to the current shortage of funding for all ISSOs, the CISO must still rely on decentralized DSOs for
support to complete the testing. This has caused delays in implementation and coordination. We ask that
the wording in this recommendation be changed from requesting Contingency Plans to be "immediately
tested" to tested as soon as possible.
Recommendation 17 (rolled forward from 2011)
We recommend that the OCIO implement and document a centralized (agencyMwide) approach to
contingency plan testing.
CIO Response:
We will continue efforts to centralize contingency plan testing in FY-14 with the goal of implementing
this recommendation.
Recommendation 18 (Rolled-Forward from 2008)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in
accordance with OMB Memorandum M-07M16.
CIO Response:
Significant work was done to eliminate the unnecessary use of social security numbers (SSN) including
development of a consolidated Action Plan and eliminating them from USAJOBS and the PMF systems.
In FY-14, the Privacy Officer wilJ update the action plan and schedule a pilot project with Retirement
Services to review business processes to detennine how SSNs usage can be reduced. Note that this
recommendation requires funding for agency-wide implementation.
s
Appendix III
Inspector General 2013
Annual FISMA
Report
Section Report
Office of Personnel Management
Section 1: Continuous Monitoring Management
1.1 Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems
that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may
have been identified by the OIG, does the program include the following attributes?
Yes
Comments: The OCIO developed a concept of operations document and a continuous monitoring program implementation “roadmap” that
describes the stages and timeline for implementing a full continuous monitoring program at OPM. While the initial stages of
implementation began in FY 2012, full implementation of the plan is not scheduled to be completed until FY 2015.
1.1.1 Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7).
Yes
1.1.2 Documented strategy and plans for continuous monitoring (NIST SP 800-37 Rev 1, Appendix G).
Yes
1.1.3 Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved
continuous monitoring plans (NIST SP 800-53, NIST 800-53A).
No
Comments: OPM policy requires all owners of OPM-operated systems to submit evidence of continuous monitoring activities at least
semiannually, and owners of contractor-operated systems to submit evidence of security control testing annually. Between
contractor and agency-operated information systems, only 34 out of 47 systems were subject to adequate security controls
testing in FY 2013.
1.1.4 Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security
assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy
and/or plans (NIST SP 800-53, 800-53A).
Yes
1.2 Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was
not noted in the questions above.
No Current Entries
Comments: It has been over six years since all OPM systems were subject to an adequate annual security controls test. OPM’s decentralized
approach to IT security has traditionally placed responsibility on the various program offices to test the security controls of their
systems. We are optimistic that the quality and consistency of security controls tests will improve with the full implementation of the
OCIO’s centralized security structure and with the shift to semi-annual continuous monitoring submissions.
OIG Report - Annual 2013 Page 1 of 16
For Official Use Only
Section 2: Configuration Management
2.1.6 Documented proposed or actual changes to hardware and software configurations.
Yes
2.1.7 Process for timely and secure installation of software patches.
Yes
2.1.8 Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2).
Yes
2.1.9 Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization
policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2)
Yes
2.1.10 Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2).
Yes
2.2 Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in
the questions above.
No Current Entries
Section 3: Identity and Access Management
3.1 Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and
applicable NIST guidelines and which identifies users and network devices? Besides the improvement opportunities that have been identified
by the OIG, does the program include the following attributes?
Yes
3.1.1 Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1).
Yes
3.1.2 Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2).
Yes
3.1.3 Identifies when special access requirements (e.g., multi-factor authentication) are necessary.
Yes
OIG Report - Annual 2013 Page 3 of 16
For Official Use Only
Section 3: Identity and Access Management
3.1.4 If multi-factor authentication is in use, it is linked to the organization's PIV program where appropriate (NIST SP 800-53, IA-2).
No
Comments: See note in 3.1.5.
3.1.5 Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201,
OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
No
Comments: In FY 2012, the OCIO began an initiative to require PIV authentication to access the agency’s network. As of the end of
FY 2013, 30 percent of OPM workstations require PIV authentication for access to the OPM network. However, none of
the agency’s 47 major applications require PIV authentication.
3.1.6 Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12,
FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
Yes
3.1.7 Ensures that the users are granted access based on needs and separation-of-duties principles.
Yes
3.1.8 Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users (For example: IP
phones, faxes, printers are examples of devices attached to the network that are distinguishable from desktops, laptops or servers that
have user accounts).
Yes
3.1.9 Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic
information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a
specific group of users.)
Yes
3.1.10 Ensures that accounts are terminated or deactivated once access is no longer required.
Yes
3.1.11 Identifies and controls use of shared accounts.
Yes
OIG Report - Annual 2013 Page 4 of 16
For Official Use Only
Section 3: Identity and Access Management
3.2 Please provide any additional information on the effectiveness of the organization’s Identity and Access Management Program that was not
noted in the questions above.
No Current Entries
Section 4: Incident Response and Reporting
4.1 Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and
applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the
following attributes?
Yes
4.1.1 Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1).
Yes
4.1.2 Comprehensive analysis, validation and documentation of incidents.
Yes
4.1.3 When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).
Yes
4.1.4 When applicable, reports to law enforcement within established timeframes (NIST SP 800-61).
Yes
4.1.5 Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage
(NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).
Yes
4.1.6 Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
Yes
Comments: OPM has incident response policies and procedures that govern all systems, including those that reside in a cloud.
However, OPM's master system inventory does not document which systems reside in a cloud.
OIG Report - Annual 2013 Page 5 of 16
For Official Use Only
Section 4: Incident Response and Reporting
4.1.7 Is capable of correlating incidents.
No
Comments: OPM owns a software product with the technical ability to compare and correlate security incidents over time. However,
the correlation features of these tools are not being fully utilized at this time. This tool receives event data from approximately
80 percent of all major OPM systems. Furthermore, OPM does not have a consistent and unified process to monitor and
analyze all security incidents. Some incidents cannot be fully investigated due to inconsistent logging practices across
systems, and inefficiencies created by program offices running separate monitoring tools on their systems.
4.1.8 Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, 800-61; OMB
M-07-16, M-06-19).
Yes
4.2 Please provide any additional information on the effectiveness of the organization’s Incident Management Program that was not noted in the
questions above.
No Current Entries
Section 5: Risk Management
5.1 Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST
guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following
attributes?
No
Comments: In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. However, as of the end
of FY 2012, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 were not all fully implemented.
Key elements still missing from OPM’s approach to managing risk at an agency-wide level include: conducting a risk assessment,
maintaining a risk registry, and communicating the agency-wide risks down to the system owners. Although the OCIO improved in
assessing risk at the individual system level (see Security Assessment and Authorization section II, above), the OCIO was not fully
managing risk at an organization-wide level. As of FY 2013, no further changes have been implemented to address organization-wide
risk.
5.1.1 Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this
process.
Yes
OIG Report - Annual 2013 Page 6 of 16
For Official Use Only
Section 5: Risk Management
5.1.2 Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide
risk management strategy as described in NIST SP 800-37, Rev.1.
No
Comments: See comment in 5.1.
5.1.3 Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational
perspective, as described in NIST SP 800-37, Rev. 1.
Yes
5.1.4 Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the
mission and business perspective, as described in NIST SP 800-37, Rev. 1.
Yes
5.1.5 Has an up-to-date system inventory.
Yes
5.1.6 Categorizes information systems in accordance with government policies.
Yes
5.1.7 Selects an appropriately tailored set of baseline security controls.
Yes
5.1.8 Implements the tailored set of baseline security controls and describes how the controls are employed within the information system
and its environment of operation.
Yes
5.1.9 Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for
the system.
No
Comments: The information security controls were adequately assessed for only 34 of OPM's 47 major systems in FY 2013.
5.1.10 Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals,
other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
Yes
OIG Report - Annual 2013 Page 7 of 16
For Official Use Only
Section 5: Risk Management
5.1.11 Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness, documenting
changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting
the security state of the system to designated organizational officials.
No
Comments: OPM's continuous monitoring program is not scheduled for full implementation until FY 2015.
5.1.12 Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are
communicated to appropriate levels of the organization.
Yes
5.1.13 Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO).
Yes
5.1.14 Prescribes the active involvement of information system owners and common control providers, chief information officers, senior
information security officers, authorizing officials, and other roles as applicable in the ongoing management of information
system-related security risks.
Yes
5.1.15 Security authorization package contains system security plan, security assessment report, and POA&M in accordance with
government policies. (NIST SP 800-18, 800-37).
Yes
5.1.16 Security authorization package contains accreditation boundaries, defined in accordance with government policies, for organization
information systems.
Yes
5.2 Please provide any additional information on the effectiveness of the organization’s Risk Management Program that was not noted in the
questions above.
No Current Entries
Section 6: Security Training
OIG Report - Annual 2013 Page 8 of 16
For Official Use Only
Section 6: Security Training
6.1 Has the organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST
guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following
attributes?
Yes
6.1.1 Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1).
Yes
6.1.2 Documented policies and procedures for specialized training for users with significant information security responsibilities.
Yes
6.1.3 Security training content based on the organization and roles, as specified in organization policy or standards.
Yes
6.1.4 Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other
organization users) with access privileges that require security awareness training.
Yes
6.1.5 Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other
organization users) with significant information security responsibilities that require specialized training.
Yes
6.1.6 Training material for security awareness training contains appropriate content for the organization (NIST SP 800-50, 800-53).
Yes
6.2 Please provide any additional information on the effectiveness of the organization’s Security Training Program that was not noted in the
questions above.
No Current Entries
Section 7: Plan Of Action & Milestones (POA&M)
7.1 Has the organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST
guidelines and tracks and monitors known information security weaknesses? Besides the improvement opportunities that may have been
identified by the OIG, does the program include the following attributes?
Yes
OIG Report - Annual 2013 Page 9 of 16
For Official Use Only
Section 7: Plan Of Action & Milestones (POA&M)
7.1.1 Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and that
require remediation.
Yes
7.1.2 Tracks, prioritizes and remediates weaknesses.
Yes
7.1.3 Ensures remediation plans are effective for correcting weaknesses.
No
Comments: See comments in 7.1.4.
7.1.4 Establishes and adheres to milestone remediation dates.
No
Comments: Our review indicated that many system owners are not meeting the self-imposed remediation deadlines listed on the
POA&Ms. Of OPM’s 47 major systems, 22 have POA&M items that are greater than 120 days overdue. We believe that
this indicates that POA&M remediation plans are not effective for correcting weaknesses.
7.1.5 Ensures resources and ownership are provided for correcting weaknesses.
No
Comments: We interviewed the system owners of five OPM systems with overdue POA&M items. Each owner stated that although
they have identified the resources required to address the POA&M items, these resources are not currently available.
7.1.6 POA&Ms include security weaknesses discovered during assessments of security controls and that require remediation (do not need
to include security weakness due to a risk-based decision to not implement a security control) (OMB M-04-25).
Yes
7.1.7 Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25).
No
Comments: We noted that the owners of 10 out of OPM's 47 systems have not identified the resources needed to address POA&M
weaknesses, as required by OPM’s POA&M policy.
OIG Report - Annual 2013 Page 10 of 16
For Official Use Only
Section 7: Plan Of Action & Milestones (POA&M)
7.1.8 Program officials report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains,
and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5; OMB
M-04-25).
Yes
7.2 Please provide any additional information on the effectiveness of the organization’s POA&M Program that was not noted in the questions
above.
No Current Entries
Section 8: Remote Access Management
8.1 Has the organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST
guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following
attributes?
Yes
8.1.1 Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST SP 800-53: AC-1,
AC-17).
Yes
8.1.2 Protects against unauthorized connections or subversion of authorized connections.
Yes
8.1.3 Users are uniquely identified and authenticated for all access (NIST SP 800-46, Section 4.2, Section 5.1).
Yes
8.1.4 Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1).
Yes
8.1.5 If applicable, multi-factor authentication is required for remote access (NIST SP 800-46, Section 2.2, Section 3.3).
Yes
8.1.6 Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength
mechanisms.
Yes
OIG Report - Annual 2013 Page 11 of 16
For Official Use Only
Section 9: Contingency Planning
9.1.1 Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a
disruptive event or disaster (NIST SP 800-53: CP-1).
Yes
9.1.2 The organization has incorporated the results of its system’s Business Impact Analysis (BIA) into the analysis and strategy
development efforts for the organization’s Continuity of Operations Plan (COOP), Business Continuity Plan (BCP), and Disaster
Recovery Plan (DRP) (NIST SP 800-34).
Yes
9.1.3 Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures (NIST SP
800-34).
Yes
9.1.4 Testing of system specific contingency plans.
No
Comments: We received evidence that contingency plans were tested for only 40 of 47 systems in FY 2013. Of the contingency plan
tests we did receive, we continue to notice inconsistency in the quality of the documentation produced for various OPM
systems.
9.1.5 The documented BCP and DRP are in place and can be implemented when necessary (FCD1, NIST SP 800-34).
Yes
9.1.6 Development of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes
9.1.7 Testing or exercising of BCP and DRP to determine effectiveness and to maintain current plans.
No
Comments: Many OPM systems reside on one of the agency’s general support systems. However, two of these general support
systems were not adequately tested in FY 2013. In the FY 2011 FISMA audit report we recommended that the OCIO
implement a centralized (agency-wide) approach to contingency plan testing. We were informed that a single synchronized
functional test is not feasible due to logistical and resource limitations. However, the intent of the recommendation is to
ensure that all elements of the general support systems are subject to a full functional disaster recovery test each year. This
recommendation can be remediated if each general support system is subject to a full functional test each year, even if it must
be broken into a series of smaller tests.
OIG Report - Annual 2013 Page 13 of 16
For Official Use Only
Section 9: Contingency Planning
9.1.8 After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
No
Comments: As mentioned in 9.1.4, seven systems were not subject to contingency plan testing in FY 2013, and therefore no after action
report was developed.
9.1.9 Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes
9.1.10 Alternate processing sites are not subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes
9.1.11 Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
Yes
9.1.12 Contingency planning that considers supply chain threats.
Yes
9.2 Please provide any additional information on the effectiveness of the organization’s Contingency Planning Program that was not noted in the
questions above.
No Current Entries
Section 10: Contractor Systems
10.1 Has the organization established a program to oversee systems operated on its behalf by contractors or other entities, including organization
systems and services residing in the cloud external to the organization? Besides the improvement opportunities that may have been identified
by the OIG, does the program includes the following attributes?
Yes
10.1.1 Documented policies and procedures for information security oversight of systems operated on the organization’s behalf by
contractors or other entities, including organization systems and services residing in a public cloud.
Yes
OIG Report - Annual 2013 Page 14 of 16
For Official Use Only
Section 10: Contractor Systems
10.1.2 The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and
comply with Federal and organization guidelines (NIST SP 800-53: CA-2).
No
Comments: OPM policy states that system owners must ensure that an annual security controls test is performed for contractor-operated
systems by a government employee or an independent third party at the site where contracted information technology
services are rendered. However, only 14 of 21 contractor operated systems were adequately tested in FY 2013.
10.1.3 A complete inventory of systems operated on the organization’s behalf by contractors or other entities, including organization systems
and services residing in a public cloud.
Yes
10.1.4 The inventory identifies interfaces between these systems and organization-operated systems (NIST SP 800-53: PM-5).
Yes
10.1.5 The organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces
between these systems and those that it owns and operates.
Yes
10.1.6 The inventory of contractor systems is updated at least annually.
Yes
10.1.7 Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud,
are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
Yes
10.2 Please provide any additional information on the effectiveness of the organization’s Contractor Systems Program that was not noted in the
questions above.
No Current Entries
Section 11: Security Capital Planning
11.1 Has the organization established a security capital planning and investment program for information security? Besides the improvement
opportunities that may have been identified by the OIG, does the program include the following attributes?
Yes
OIG Report - Annual 2013 Page 15 of 16
For Official Use Only
Section 11: Security Capital Planning
11.1.1 Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process.
Yes
11.1.2 Includes information security requirements as part of the capital planning and investment process.
Yes
11.1.3 Establishes a discrete line item for information security in organizational programming and documentation (NIST SP 800-53: SA-2).
Yes
11.1.4 Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST SP 800-53: PM-3).
Yes
11.1.5 Ensures that information security resources are available for expenditure as planned.
Yes
11.2 Please provide any additional information on the effectiveness of the organization’s Security Capital Planning Program that was not noted in
the questions above.
No Current Entries
OIG Report - Annual 2013 Page 16 of 16
For Official Use Only
Federal Information Security Management Act Audit FY 2013
Published by the Office of Personnel Management, Office of Inspector General on 2013-11-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)