Audit of the U.S. Office of Personnel Management's Common Security Controls Collection FY 2013

Published by the Office of Personnel Management, Office of Inspector General on 2013-10-10.

                                             U.S. OFFICE OF PERSONNEL MANAGEMENT
                                                   OFFICE OF THE INSPECTOR GENERAL
                                                                    OFFICE OF AUDITS




                              Final Audit Report

Subject:


 AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
 COMMON SECURITY CONTROLS COLLECTION
 FY 2013

                                     Report No. 4A-CI-00-13-036

                                     Date:                10/10/13




                                                       --CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited
program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore,
while this audit report is available under the Freedom of Information Act and made available to the public on the OIG
webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary
information that was redacted from the publicly distributed copy.
                                               Audit Report

                                                                        Michael R. Esser
                                                                        Assistant Inspector General for Audits
                                   Executive Summary

This final audit report discusses the results of our audit of the U.S. Office of Personnel
Management’s (OPM) Common Security Controls Collection (CSCC). Our conclusions are
detailed in the “Results” section of this report.

CSCC Policies and Procedures
We believe that OPM’s CSCC offers a conceptually comprehensive approach to effectively
utilizing and testing a set of common information security controls.

CSCC Implementation
The CSCC adequately reflects the common controls that are provided by agency-wide policies
and by physical facilities management. However, we do not believe that the CSCC accurately
reflects the common controls provided by the agency’s General Support Systems (GSS).

Use of the CSCC
The owners of OPM’s major applications residing on the GSSs labeled at least several security
controls as common that were not identified as common on the CSCC. As a result, these
controls were inappropriately omitted from testing by the application owner.

                                        Contents
Executive Summary
Introduction and Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
    I.   CSCC Policies and Procedures
    II.  CSCC Implementation
    III. Use of the CSCC
Major Contributors to this Report
Appendix: The Office of the Chief Information Officer’s September 25, 2013 response to the
          draft audit report, issued August 14, 2013
                           Introduction and Background
The Office of Personnel Management (OPM) operates approximately 50 major applications that
support the agency’s mission. This includes three general support systems (GSS) that host
several smaller systems that leverage the centralized hardware, software, and personnel resources
offered by the GSS. The GSSs are owned and operated by the Office of the Chief Information
Officer (OCIO).

The Federal Information Security Management Act requires that all major applications be subject
to routine security control testing. However, when a security control is provided by a GSS to all
of the applications that it hosts (referred to as a “common” control), the individual application
owners are not required to independently test this control, as that would be redundant of the
OCIO’s testing efforts.

In an effort to streamline the management of common controls, the OCIO created the Common
Security Controls Collection (CSCC). The CSCC is intended to be a shared resource for all
OPM security professionals and management to reduce duplicate efforts in the information
system security control testing process. In addition to the common controls provided by the
GSSs, the CSCC identifies the security controls that are addressed by agency-wide policies and
procedures and by facilities management and various OPM buildings.

The CSCC was formally distributed in September 2012, and has since been used by application
owners to facilitate their systems’ security control tests.

                                         Objectives
The objectives of this audit were to assess the quality of the CSCC and to evaluate the
effectiveness of its use by information system owners. These objectives were met by:
•   Meeting with OCIO personnel;
•   Reviewing policies and guidance regarding the use of the CSCC; and
•   Testing the CSCC elements for compliance with known regulations.

                                Scope and Methodology
This performance audit was conducted by the Office of the Inspector General (OIG) in
accordance with Government Auditing Standards, issued by the Comptroller General of the
United States. Accordingly, the audit included an evaluation of related policies and procedures,
compliance tests, and other auditing procedures that we considered necessary. The audit
documented the controls in place for the CSCC as of July 2013.

We considered the nature of the CSCC and the internal control structure of the OCIO in planning
our audit procedures. These procedures were mainly substantive in nature, although we did gain
an understanding of the management procedures and controls to the extent necessary to achieve
our audit objectives.

Our audit evaluated the elements to create, attest, maintain, and utilize the CSCC. We looked at
the CSCC at the time of publication as well as the implementation and use of the CSCC over a
period of nine months since publication. We focused our review on the controls listed as
common to the agency and those of the general support systems and did not conduct a review of
the inherited controls or those controls attributable to physical locations.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe that the data was
sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in
accordance with generally accepted government auditing standards issued by the Comptroller
General of the United States.

Details of our audit findings and recommendations are located in the “Results” section of this
report. Since our audit would not necessarily disclose all significant matters related to the
CSCC, we do not express an opinion on the utilization of the CSCC as a whole, only the
elements reviewed as a part of this audit.

The audit was conducted from February through October of 2013 in OPM’s Washington, D.C.
headquarters building.

                    Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM’s management of the
CSCC is consistent with applicable standards. Nothing came to our attention during this review
to indicate that OPM is in violation of relevant laws and regulations.

                                          Results
The sections below provide a summary of our audit findings and recommendations related to the
creation and implementation of the CSCC.

I.   CSCC Policies and Procedures
     The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-
     53, “Recommended Security Controls for Federal Information Systems and Organizations,”
     outlines a wide variety of information system security controls that should be implemented
     on all major applications.

     OPM has three major general support systems (GSS), each of which hosts a variety of
     independent applications supporting OPM’s mission. Because hardware, software, and
     personnel resources are shared within each GSS, the applications residing on a GSS
     inherit some of the information security controls implemented by that parent system.
     Many OPM applications also obtain security controls provided by agency-wide policies
     and procedures and by the physical controls implemented at various OPM buildings.

     In September 2012, OPM’s OCIO published a catalog of agency-wide common security
     controls along with a guidance document labeled “Use of Common Security Controls
     Collection (CSCC).” The intent of the CSCC is to formally document the security controls
     that each GSS provides to the applications that reside on that GSS. As a result, the
     individual application owners will not have to routinely test those common security
     controls that are provided by the GSS, as this work is performed by the GSS owners.

     We reviewed the OCIO’s common controls documentation to verify that it provided
     OPM’s security professionals and management adequate guidance to appropriately
     leverage the common controls provided by a GSS.

     The guide provides the following:
      •     The background and purpose of the CSCC;
      •     The four step CSCC process;
      •     The intended use of the CSCC;
      •     The validation process for common controls;
      •     An explanation of the difference between common and inherited controls; and
      •     Instructions for implementing the CSCC.

     We believe that OPM’s CSCC offers a conceptually comprehensive approach to effectively
     utilizing and testing a set of common information security controls. However, the sections
     below detail several issues we detected in the actual implementation and use of the CSCC.

II.   CSCC Implementation
      While we believe that the CSCC adequately reflects the common controls that are provided
      by agency-wide policies and by physical facilities management, we do not believe that the
      CSCC accurately reflects the common controls provided by the agency’s GSSs.
      OPM’s OCIO contracted with the Bureau of Public Debt (BPD) to determine which
      information security controls are “common,” and to independently test those controls.
      Although it appears that the BPD performed some test work on all of the CSCC controls,
      we do not believe that the BPD adequately verified that each of these controls is, in fact,
      provided to every application that resides on each GSS.

      As part of this audit we independently tested a sample of common controls, and found that
      each tested control was adequately implemented for the specific GSS hosting that control.
      However, our interviews with the GSS owners revealed that many of the controls listed as
      “common” on the CSCC are not enforced and/or available for each of the applications
      residing on the GSS. In other words, the CSCC labels certain controls as common that
      really should have been implemented for each individual application (referred to as system-
      specific controls).

      NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
      Systems, defines a common security control as having “the following properties: [i] The
      development, implementation, and assessment of the control can be assigned to a
      responsible official or organizational element (other than the information system
      owners . . . ); and [ii] The results from the assessment of the control can be used to support
      the security certification and accreditation processes of an agency information system
      where that control has been applied.”

      Incorrectly labeling security controls as common increases the likelihood that these
      controls are not properly implemented and tested at the application level, which in turn
      increases the risk of sensitive data breaches.

      Recommendation 1
      We recommend that the OCIO meet with each GSS owner to determine which information
      security controls are provided to every application hosted by that GSS. The GSS owners
      should formally acknowledge this updated list of controls, and the results should be
      published in a new CSCC.

      OCIO Response:
      “The security staff will meet with General Support System providers to document and
      discuss the recommended changes. The Common Controls Procedures and Catalog will
      be updated and republished reflecting all changes.

      The CIO agrees that in some circumstances, depending on the implementation of the
      system and/or categorization the GSS cannot provide all the security objectives of a listed
      Security Control in the CSCC. For the instance where the GSS (LAN/WAN) has a lower
      categorization than the Major Application using the Security Control . . . the Assessor
       (BPD) was instructed to assess each of the control[s] at the HIGH Categorization
       implementation, thus alleviating any issue with Major Applications with a higher
       Categorization than that of the GSS. Some Major Applications may choose to implement
       Security Controls and Mechanisms that superimpose, complement or enhance those
       provided by the GSS, but these implementations are at the purview of the Major
       Application’s System Owner. The CIO agrees that there needs to be some collaboration
       on the part of the System Owners and the Control Provider (GSS) to assure that the
       controls that the System Owner is indicating as ‘inherited’ or ‘hybrid’ are applicable to
       their implementations and available from the Control Provider.”

       OIG Reply:
       As part of the audit resolution process for this recommendation and all subsequent
       recommendations to which OCIO agrees, please provide OPM’s Internal Oversight and
       Compliance (IOC) division with evidence supporting the corrective action taken.

       Recommendation 2
       We recommend that no OPM application rely on the general support system portion (LAN-
       WAN, ESI, Macon) of the current version of the CSCC when performing any form of
       security control testing. This recommendation is effective immediately, and should not be
       closed until Recommendation 1 is completely implemented.

       OCIO Response:
       “The CIO agrees that there needs to be better information relating to the assumption of
       ‘inherited’ and/or ‘hybrid’ controls from any of the Control Providers (LAN/WAN, ESI
       and MACON GSS). The security team will work with the GSS providers to update the
       necessary controls.”

III.   Use of the CSCC
       As stated above, the intent of the CSCC is to reduce duplicate efforts in the testing of
       information security controls. If a security control is provided by a GSS, then the
       applications residing on that GSS do not need to test that control.

       Section II describes our concern that the CSCC does not accurately reflect the security
       controls that are truly common to all systems residing on each GSS. That issue aside, we
       also determined that individual application owners are not appropriately using the current
       version of the CSCC.

       The Information System Security Plan (ISSP) of each major OPM application describes the
       security controls that are in place for that system. We examined the ISSP for each OPM
       application that resides on a GSS, and mapped the security controls detailed in the ISSP to
       the CSCC. Our review indicated that the owners of every one of these applications had
       labeled at least several security controls as common that were not identified as common on
       the CSCC. As a result, these controls were inappropriately omitted from testing by the
       application owner.

     We acknowledge that there are instances when an application can inherit a control from a
     GSS, even if that control is not a universal common control to all other applications on that
     GSS. However, in these instances the CSCC cannot be leveraged, and the application
     owners must work with the GSS owners to determine exactly which controls are provided
     by the GSS. We believe that formalizing this process will reduce the risk that controls will
     be mislabeled as common or inherited, and that every control will be tested either at the
     GSS or application level.

     Recommendation 3
     Once the new CSCC is published, we recommend that the owners of all applications residing on
     a GSS update the system’s ISSP to identify and immediately test all controls that were
     previously mislabeled as a common control.

     OCIO Response:
     “The CIO agrees that additional documentation and training on the use of the Common
     Security Controls in the CSCC should be given and that additional scrutiny of System Security
     Plans to include a review of Agency Common Controls is warranted.

     The CIO will [be] republishing the CSCC to identify each Security Control, if any, that were
     incorrectly identified as Common and appropriately notify each system owner with their
     responsibility to assess each control and update their SSP respectively.

     Controls that were mislabeled will be included in the assessment of controls under the
     Information Security Continuous Monitoring (ISCM) Program.”

     Recommendation 4
     We recommend that OCIO update the CSCC procedures to require application owners to seek
     formal acknowledgement from GSS owners when inheriting security controls from that GSS that
     are not common to all other applications. This process should require the use of a template that
     is signed by the GSS owner as their acknowledgement that the controls are provided to that
     application.

     OCIO Response:
     “The CSCC Process currently has a process to have the Major Application verify that controls
     that are marked as ‘Inherited’ in the CSCC must be verified with the GSS System Owner for
     their use. The security team will develop a template for GSS owners to acknowledge
     inheritable controls.”
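The ISSP-to-CSCC reconciliation the OIG describes in Section III, combined with the signed GSS-owner acknowledgement of Recommendation 4 and the categorization point raised in the OCIO's response to Recommendation 1, as an added Python example; it is not part of this report and is not OPM's or the OCIO's tooling. The catalog layout, the provider names used as dictionary keys, the "assessed_at" levels and the sample ISSP entries are constructed assumptions; control identifiers follow NIST SP 800-53 naming.

```python
"""Reconcile an application's ISSP control claims against a CSCC catalog.

Added example for the Section III check. The catalog, ISSP entries and the
assessment levels below are constructed sample data (assumed structure, not
OPM's actual CSCC format).
"""
from dataclasses import dataclass

# Constructed CSCC: each control provider lists the controls it supplies to
# every hosted application, plus the categorization at which the assessor
# (BPD in the report) tested them.
CSCC = {
    "agency":   {"assessed_at": "HIGH",     "controls": {"PL-1", "PS-1", "AT-1"}},
    "facility": {"assessed_at": "HIGH",     "controls": {"PE-3", "PE-6"}},
    "LAN-WAN":  {"assessed_at": "HIGH",     "controls": {"AC-2", "AU-2", "AU-6", "IA-5"}},
    "ESI":      {"assessed_at": "MODERATE", "controls": {"AU-2", "IA-5", "SC-7"}},
    "Macon":    {"assessed_at": "MODERATE", "controls": {"AC-2", "AU-2"}},
}
LEVEL = {"LOW": 0, "MODERATE": 1, "HIGH": 2}


@dataclass
class ISSPEntry:
    control: str
    claimed: str                    # common | inherited | hybrid | system-specific
    tested_by_owner: bool = False   # application owner ran its own assessment
    gss_acknowledged: bool = False  # signed GSS-owner template (Recommendation 4)


def provided_as_common(control, hosting_gss, app_level, cscc=CSCC):
    """True only if some provider for this application (agency policy, facility,
    or its hosting GSS) lists the control AND assessed it at or above the
    application's own categorization."""
    for provider in ("agency", "facility", hosting_gss):
        entry = cscc[provider]
        if control in entry["controls"] and LEVEL[entry["assessed_at"]] >= LEVEL[app_level]:
            return True
    return False


def reconcile(issp, hosting_gss, app_level, cscc=CSCC):
    """Return {control: reason} for every control the application owner cannot
    rely on the CSCC for and must test (or document) at the application level."""
    findings = {}
    for e in issp:
        if e.claimed == "common":
            if not provided_as_common(e.control, hosting_gss, app_level, cscc):
                findings[e.control] = ("mislabeled common: not provided to %s applications "
                                       "at %s; test at application level" % (hosting_gss, app_level))
        elif e.claimed == "inherited":
            if not e.gss_acknowledged:
                findings[e.control] = "inherited without signed GSS-owner acknowledgement"
        elif e.claimed == "hybrid":
            if not e.tested_by_owner:
                findings[e.control] = "hybrid: application portion not tested by owner"
        elif e.claimed == "system-specific":
            if not e.tested_by_owner:
                findings[e.control] = "system-specific control not tested"
        else:
            findings[e.control] = "unknown claim type %r" % e.claimed
    return findings


# Constructed ISSP for a HIGH-categorized application hosted on the ESI GSS.
SAMPLE_ISSP = [
    ISSPEntry("PL-1", "common"),                        # agency policy control: fine
    ISSPEntry("AU-2", "common"),                        # ESI provides it, but only at MODERATE
    ISSPEntry("AC-2", "common"),                        # not in ESI's catalog entry at all
    ISSPEntry("SI-4", "inherited", gss_acknowledged=True),
    ISSPEntry("SC-7", "inherited"),                     # no signed template on file
    ISSPEntry("CM-6", "hybrid", tested_by_owner=True),
    ISSPEntry("AC-3", "system-specific"),               # never tested by the owner
]

if __name__ == "__main__":
    for ctl, why in sorted(reconcile(SAMPLE_ISSP, "ESI", "HIGH").items()):
        print(ctl, "-", why)
```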

                          Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of the
Inspector General, Information Systems Audits Group. The following individuals participated in
the audit and the preparation of this report:

     •   Lewis F. Parker, Deputy Assistant Inspector General for Audits
     •   [name redacted], Senior Team Leader
     •   [name redacted], Lead IT Auditor In Charge
     •   [name redacted], IT Auditor

                                          Appendix
                                                                                         9/25/13

MEMORANDUM FOR LEWIS F. PARKER, JR
               DEPUTY ASSISTANT INSPECTOR GENERAL
                FOR AUDITS

FROM:                    CHARLES R. SIMPSON
                         ACTING, CHIEF INFORMATION OFFICER

Subject:                 CIO Responses to OIG Audit 4A-CI-00-13-036

Recommendation 1

We recommend that the OCIO meet with each GSS owner to determine which information
security controls are provided to every application hosted by that GSS. The GSS owners should
formally acknowledge this updated list of controls, and the results should be published in a new
CSCC.

CIO Response:

   The security staff will meet with General Support System providers to document and discuss
   the recommended changes. The Common Controls Procedures and Catalog will be updated
   and republished reflecting all changes.

   The CIO agrees that in some circumstances, depending on the implementation of the system
   and/or categorization, the GSS cannot provide all the security objectives of a listed Security
   Control in the CSCC. For the instance where the GSS (LAN/WAN) has a lower
   categorization than the Major Application using the Security Control, in this circumstance
   the Assessor (BPD) was instructed to assess each of the controls at the HIGH Categorization
   implementation, thus alleviating any issue with Major Applications with a higher
   Categorization than that of the GSS. Some Major Applications may choose to implement
   Security Controls and Mechanisms that superimpose, complement or enhance those provided
   by the GSS, but these implementations are at the purview of the Major Application’s System
   Owner. The CIO agrees that there needs to be some collaboration on the part of the System
   Owner and the Control Provider (GSS) to assure that the controls that the System Owner is
   indicating as “inherited” or “hybrid” are applicable to their implementations and available
   from the Control Provider.

Recommendation 2

We recommend that no OPM application rely on the general support system portion (LAN-
WAN, ESI, Macon) of the current version of the CSCC when performing any form of security
control testing. This recommendation is effective immediately, and should not be closed until
Recommendation 1 is completely implemented.

CIO Response:

   The CIO agrees that there needs to be better information relating to the assumption of
   “inherited” and/or “hybrid” controls from any of the Control Providers (LAN/WAN, ESI and
   MACON GSS). The security team will work with the GSS providers to update the necessary
   controls.

Recommendation 3

Once the new CSCC is published, we recommend that the owners of all applications residing on
a GSS update the system's ISSP to identify and immediately test all controls that were previously
mislabeled as a common control.

CIO Response:

       The CIO agrees that additional documentation and training on the use of the Common
       Security Controls in the CSCC should be given and that additional scrutiny of System
       Security Plans to include a review of Agency Common Controls is warranted.

       The CIO will be republishing the CSCC to identify each Security Control, if any, that were
       incorrectly identified as Common and appropriately notify each system owner with their
       responsibility to assess each control and update their SSP respectively.

       Controls that were mislabeled will be included in the assessment of controls under the
       Information Security Continuous Monitoring (ISCM) Program.

Recommendation 4

We recommend that OCIO update the CSCC procedures to require application owners to seek
formal acknowledgement from GSS owners when inheriting security controls from that GSS that
are not common to all other applications. This process should require the use of a template that
is signed by the GSS owner as their acknowledgement that the controls are provided to that
application.

CIO Response:

       The CSCC Process currently has a process to have the Major Application verify that
       controls that are marked as “Inherited” in the CSCC must be verified with the GSS
       System Owner for their use. The security team will develop a template for GSS owners to
       acknowledge inheritable controls.
