U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
Subject:
AUDIT OF THE U.S. OFFICE OF PERSONNEL
MANAGEMENT’S
COMMON SECURITY CONTROLS COLLECTION
FY 2013
Report No. 4A-CI-00-13-036
10/10/13
Date:
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited
program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore,
while this audit report is available under the Freedom of Information Act and made available to the public on the OIG
webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary
information that was redacted from the publicly distributed copy.
Audit Report
U.S. OFFICE OF PERSONNEL MANAGEMENT
-------------------------------------------------------------
AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
COMMON SECURITY CONTROL COLLECTION
FY 2013
--------------------------------
WASHINGTON, D.C.
Report No. 4A-IS-00-13-036
Date: 10/10/13
Michael R. Esser
Assistant Inspector General
for Audits
--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited
program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore,
while this audit report is available under the Freedom of Information Act and made available to the public on the OIG
webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary
information that was redacted from the publicly distributed copy.
Executive Summary
U.S. OFFICE OF PERSONNEL MANAGEMENT
-------------------------------------------------------------
AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
COMMON SECURITY CONTROL COLLECTION
FY 2013
--------------------------------
WASHINGTON, D.C.
Report No. 4A-IS-00-13-036
Date: 10/10/13
This final audit report discusses the results of our audit of the U.S. Office of Personnel
Management’s (OPM) Common Security Controls Collection (CSCC). Our conclusions are
detailed in the “Results” section of this report.
CSCC Policies and Procedures
We believe that OPM’s CSCC offers a conceptually comprehensive approach to effectively
utilizing and testing a set of common information security controls.
CSCC Implementation
The CSCC adequately reflects the common controls that are provided by agency-wide policies
and by physical facilities management. However, we do not believe that the CSCC accurately
reflects the common controls provided by the agency’s General Support Systems (GSS).
i
Use of the CSCC
The owners of OPM’s major applications residing on the GSSs labeled at least several security
controls as common that were not identified as common on the CSCC. As a result, these
controls were inappropriately omitted from testing by the application owner.
ii
Contents
Page
Executive Summary………………………………………………………………..………………i
Introduction and Background……………………………………………………………………...1
Objectives………………………………………………………………………………………….1
Scope and Methodology…………………………………………………………………………...1
Compliance with Laws and Regulations…………………………………………………………..2
Results……………………………………………………………………………………………..3
I. CSCC Policies and Procedures……………………………………………………………...3
II. CSCC Implementation………………………………………………………………………4
III. Use of the CSCC………………………………………………….…………………………5
Major Contributors to this Report………………………………………………….………….…..7
Appendix: The Office of the Chief Information Officer’s September 25, 2013 response to the
draft audit report, issued August 14, 2013
Introduction and Background
The Office of Personnel Management (OPM) operates approximately 50 major applications that
support the agency’s mission. This includes three general support systems (GSS) that host
several smaller systems that leverage the centralized hardware, software, and personnel resources
offered by the GSS. The GSSs are owned and operated by the Office of the Chief Information
Officer (OCIO).
The Federal Information Security Management Act requires that all major applications be subject
to routine security control testing. However, when a security control is provided by a GSS to all
of the applications that it hosts (referred to as a “common” control), the individual application
owners are not required to independently test this control, as that would be redundant of the
OCIO’s testing efforts.
In an effort to streamline the management of common controls, the OCIO created the Common
Security Controls Collection (CSCC). The CSCC is intended to be a shared resource for all
OPM security professionals and management to reduce duplicate efforts in the information
system security control testing process. In addition to the common controls provided by the
GSSs, the CSCC identifies the security controls that are addressed by agency-wide policies and
procedures and by facilities management and various OPM buildings.
The CSCC was formally distributed in September 2012, and has since been used by application
owners to facilitate their systems’ security control tests.
Objectives
The objectives of this audit were to assess the quality of the CSCC and to evaluate the
effectiveness of its use by information system owners. These objectives were met by:
• Meeting with OCIO personnel;
• Reviewing policies and guidance regarding the use of the CSCC; and
• Testing the CSCC elements for compliance with known regulations.
Scope and Methodology
This performance audit was conducted by the Office of the Inspector General (OIG) in
accordance with Government Auditing Standards, issued by the Comptroller General of the
United States. Accordingly, the audit included an evaluation of related policies and procedures,
compliance tests, and other auditing procedures that we considered necessary. The audit
documented the controls in place for the CSCC as of July 2013.
We considered the nature of the CSCC and the internal control structure of the OCIO in planning
our audit procedures. These procedures were mainly substantive in nature, although we did gain
an understanding of the management procedures and controls to the extent necessary to achieve
our audit objectives.
1
Our audit evaluated the elements to create, attest, maintain, and utilize the CSCC. We looked at
the CSCC at the time of publication as well as the implementation and use of the CSCC over a
period of nine months since publication. We focused our review on the controls listed as
common to the agency and those of the general support systems and did not conduct a review of
the inherited controls or those controls attributable to physical locations.
In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe that the data was
sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in
accordance with generally accepted government auditing standards issued by the Comptroller
General of the United States.
Details of our audit findings and recommendations are located in the “Results” section of this
report. Since our audit would not necessarily disclose all significant matters related to the
CSCC, we do not express an opinion on the utilization of the CSCC as a whole, only the
elements reviewed as a part of this audit.
The audit was conducted from February through October of 2013 in OPM’s Washington, D.C.
headquarters building.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM’s management of the
CSCC is consistent with applicable standards. Nothing came to our attention during this review
to indicate that OPM is in violation of relevant laws and regulations.
2
Results
The sections below provide a summary of our audit findings and recommendations related to the
creation and implementation of the CSCC.
I. CSCC Policies and Procedures
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-
53, “Recommended Security Controls for Federal Information Systems and Organizations,”
outlines a wide variety of information system security controls that should be implemented
on all major applications.
OPM has three major general support systems (GSS) that each hosts a variety of
independent applications supporting OPM’s mission. Due to the shared hardware,
software, and personnel resources maintained for each GSS, the applications residing on a
GSS inherit some of the information security controls implemented from its parent system.
Many OPM applications also obtain security controls provided by agency-wide policies
and procedures and by the physical controls implemented at various OPM buildings.
In September 2012, OPM’s OCIO published a catalog of agency-wide common security
controls along with a guidance document labeled “Use of Common Security Controls
Collection (CSCC).” The intent of the CSCC is to formally document the security controls
that each GSS provides to the applications that reside on that GSS. As a result, the
individual application owners will not have to routinely test those common security
controls that are provided by the GSS, as this work is performed by the GSS owners.
We reviewed the OCIO’s common controls documentation to verify that it provided
OPM’s security professionals and management adequate guidance to appropriately
leverage the common controls provided by a GSS.
The guide provides the following:
• The background and purpose of the CSCC;
• The four step CSCC process;
• The intended use of the CSCC;
• The validation process for common controls;
• An explanation of the difference between common and inherited controls; and
• Instructions for implementing the CSCC.
We believe that OPM’s CSCC offers a conceptually comprehensive approach to effectively
utilizing and testing a set of common information security controls. However, the sections
below detail several issues we detected in the actual implementation and use of the CSCC.
3
II. CSCC Implementation
While we believe that the CSCC adequately reflects the common controls that are provided
by agency-wide policies and by physical facilities management, we do not believe that the
CSCC accurately reflects the common controls provided by the agency’s GSSs.
OPM’s OCIO contracted with the Bureau of Public Debt (BPD) to determine which
information security controls are “common,” and to also independently test these controls.
Although it appears that the BPD performed some test work on all of the CSCC controls,
we do not believe that the BPD adequately verified that each of these controls are, in fact,
provided to every application that resides on each GSS.
As part of this audit we independently tested a sample of common controls, and found that
each tested control was adequately implemented for the specific GSS hosting that control.
However, our interviews with the GSS owners revealed that many of the controls listed as
“common” on the CSCC are not enforced and/or available for each of the applications
residing on the GSS. In other words, the CSCC labels certain controls as common that
really should have been implemented for each individual application (referred to as system-
specific controls).
NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
Systems, defines a common security control as having “the following properties: [i] The
development, implementation, and assessment of the control can be assigned to a
responsible official or organizational element (other than the information system
owners . . . ); and [ii] The results from the assessment of the control can be used to support
the security certification and accreditation processes of an agency information system
where that control has been applied.”
Incorrectly labeling security controls as common increases the likelihood that these
controls are not properly implemented and tested at the application level, which in turn
increases the risk of sensitive data breaches.
Recommendation 1
We recommend that the OCIO meet with each GSS owner to determine which information
security controls are provided to every application hosted by that GSS. The GSS owners
should formally acknowledge this updated list of controls, and the results should be
published in a new CSCC.
OCIO Response:
“The security staff will meet with General Support System providers to document and
discuss the recommended changes. The Common Controls Procedures and Catalog will
be updated and republished reflecting all changes.
The CIO agrees that in some circumstances, depending on the implementation of the
system and/or categorization the GSS cannot provide all the security objectives of a listed
Security Control in the CSCC. For the instance where the GSS (LAN/WAN) has a lower
categorization than the Major Application using the Security Control . . . the Assessor
4
(BPD) was instructed to assess each of the control[s] at the HIGH Categorization
implementation, thus alleviating any issue with Major Applications with a higher
Categorization than that of the GSS. Some Major Applications may choose to implement
Security Controls and Mechanisms that superimpose, complement or enhance those
provided by the GSS, but these implementations are at the purview of the Major
Application’s System Owner. The CIO agrees that there needs to be some collaboration
on the part of the System Owners and the Control Provider (GSS) to assure that the
controls that the System Owner is indicating as ‘inherited’ or ‘hybrid’ are applicable to
their implementations and available from the Control Provider.”
OIG Reply:
As part of the audit resolution process for this recommendation and all subsequent
recommendations to which OCIO agrees, please provide OPM’s Internal Oversight and
Compliance (IOC) division with evidence supporting the corrective action taken.
Recommendation 2
We recommend that no OPM application rely on the general support system portion (LAN-
WAN, ESI, Macon) of the current version of the CSCC when performing any form of
security control testing. This recommendation is effective immediately, and should not be
closed until Recommendation 1 is completely implemented.
OCIO Response:
“The CIO agrees that there needs to be better information relating to the assumption of
‘inherited’ and/or ‘hybrid’ controls from any of the Control Providers (LAN/WAN, ESI
and MACON GSS). The security team will work with the GSS providers to update the
necessary controls.”
III. Use of the CSCC
As stated above, the intent of the CSCC is to reduce duplicate efforts in the testing of
information security controls. If a security control is provided by a GSS, then the
applications residing on that GSS do not need to test that control.
Section II describes our concern that the CSCC does not accurately reflect the security
controls that are truly common to all systems residing on each GSS. That issue aside, we
also determined that individual application owners are not appropriately using the current
version of the CSCC.
The Information System Security Plan (ISSP) of each major OPM application describes the
security controls that are in place for that system. We examined the ISSP for each OPM
application that resides on a GSS, and mapped the security controls detailed in the ISSP to
the CSCC. Our review indicated that the owners of every one of these applications had
labeled at least several security controls as common that were not identified as common on
the CSCC. As a result, these controls were inappropriately omitted from testing by the
application owner.
5
We acknowledge that there are instances when an application can inherit a control from a
GSS, even if that control is not a universal common control to all other applications on that
GSS. However, in these instances the CSCC cannot be leveraged, and the application
owners must work with the GSS owners to determine exactly which controls are provided
by the GSS. We believe that formalizing this process will reduce the risk that controls will
be mislabeled as common or inherited, and that every control will be tested either at the
GSS or application level.
Recommendation 3
Once the new CSCC is published, we recommend that the owners of all applications residing on
a GSS update the system’s ISSP to identify and immediately test all controls that were
previously mislabeled as a common control.
OCIO Response:
“The CIO agrees that additional documentation and training on the use of the Common
Security Controls in the CSCC should be given and that additional scrutiny of System Security
Plans to include a review of Agency Common Controls is warranted.
The CIO will [be] republishing the CSCC to identify each Security Control, if any, that were
incorrectly identified as Common and appropriately notify each system owner with their
responsibility to assess each control and update their SSP respectively.
Controls that were mislabeled will be included in the assessment of controls under the
Information Security Continuous Monitoring (ISCM) Program.”
Recommendation 4
We recommend that OCIO update the CSCC procedures to require application owners to seek
formal acknowledgement from GSS owners when inheriting security controls from that GSS that
are not common to all other applications. This process should require the use of a template that
is signed by the GSS owner as their acknowledgement that the controls are provided to that
application.
OCIO Response:
“The CSCC Process currently has a process to have the Major Application verify that controls
that are marked as ‘Inherited’ in the CSCC must be verified with the GSS System Owner for
their use. The security team will develop a template for GSS owners to acknowledge
inheritable controls.”
6
Major Contributors to this Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of the
Inspector General, Information Systems Audits Group. The following individuals participated in
the audit and the preparation of this report:
• Lewis F. Parker, Deputy Assistant Inspector General for Audits
• Senior Team Leader
• , Lead IT Auditor In Charge
• , IT Auditor
7
Appendix
9/25/13
MEMORANDUM FOR LEWIS F. PARKER, JR
DEPUTY ASSISTANT INSPECTOR GENERAL
FOR AUDITS
FROM: CHARLES R. SIMPSON
ACTING, CHIEF INFORMATION OFFICER
Subject: CIO Responses to OIG Audit 4A-CI-00-13-036
Recommendation 1
We recommend that the OCIO meet with each GSS owner to determine which information
security controls are provided to every application hosted by that GSS. The GSS owners should
formally acknowledge this updated list of controls, and the results should be published in a new
CSCC.
CIO Response:
The security staff will meet with General Support System providers to document and discuss
the recommended changes. The Common Controls Procedures and Catalog will be updated
and republished reflecting all changes.
The CIO agrees that in some circumstances, depending on the implementation of the system
and/or categorization the GSS cannot provide all the security objectives of a listed Security
Control in the CSCC. For the instance where the GSS (LAN/WAN) has a lower
categorization than the Major Application using the Security Control. In this circumstance
the Assessor (BPD) was instructed to assess each of the control at the HIGH Categorization
implementation, thus alleviating any issue with Major Applications with a higher
Categorization than that of the GSS. Some Major Applications may choose to implement
Security Controls and Mechanisms that superimpose, complement or enhance those provided
by the GSS, but these implementations are at the purview of the Major Application’s System
Owner. The CIO agrees that there needs to be some collaboration on the part of the System
Owner and the Control Provider (GSS) to assure that the controls that the System Owner is
indicating as “inherited” or “hybrid” are applicable to their implementations and available
from the Control Provider.
Recommendation 2
We recommend that no OPM application rely on the general support system portion (LAN-
WAN, ESI, Macon) of the current version of the CSCC when performing any form of security
control testing. This recommendation is effective immediately, and should not be closed until
Recommendation 1 is completely implemented.
1
CIO Response:
The CIO agrees that there needs to be better information relating to the assumption of
“inherited” and/or “hybrid” controls from any of the Control Providers (LAN/WAN, ESI and
MACON GSS). The security team will work with the GSS providers to update the necessary
controls.
Recommendation 3
Once the new CSCC is published, we recommend that the owners of all applications residing on
a GSS update the system's ISSP to identify and immediately test all controls that were previously
mislabeled as a common control.
CIO Response:
The CIO agrees that additional documentation and training on the use of the Common
Security Controls in the CSCC should be given and that additional scrutiny of System
Security Plans to include a review of Agency Common Controls is warranted.
The CIO will republishing the CSCC to identify each Security Control, if any, that were
incorrectly identified as Common and appropriately notify each system owner with their
responsibility to assess each control and update their SSP respectively.
Controls that were mislabeled will be included in the assessment of controls under the
Information Security Continuous Monitoring (ISCM) Program.
Recommendation 4
We recommend that OCIO updated the CSCC procedures to require application owners to seek
formal acknowledgement from GSS owners when inheriting security controls from that GSS that
are not common to all other applications. This process should require the use of a template that
is signed by the GSS owner as their acknowledgement that the controls are provided to that
application.
CIO Response:
The CSCC Process currently has a process to have the Major Application verify that
controls that are marked as “Inherited” in the CSCC must be verified with the GSS
System Owner for their use. The security team will develop a template for GSS owners to
acknowledge inheritable controls.
2
Audit of the U.S. Office of Personnel Management's Common Security Controls Collection FY 2013
Published by the Office of Personnel Management, Office of Inspector General on 2013-10-10.
Below is a raw (and likely hideous) rendition of the original report. (PDF)