
Federal Information Security Management Act Audit FY 2014

Published by the Office of Personnel Management, Office of Inspector General on 2014-11-12.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                       U.S. OFFICE OF PERSONNEL MANAGEMENT
                        OFFICE OF THE INSPECTOR GENERAL
                               OFFICE OF AUDITS




                              Final Audit Report

              Federal Information Security Management Act Audit
                                    FY 2014

                        Report Number 4A-CI-00-14-016
                              November 12, 2014




                                                                -- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

                   EXECUTIVE SUMMARY

                             Federal Information Security Management Act Audit - FY 2014


  Why Did We Conduct the Audit?

  Our overall objective was to evaluate OPM's security program and practices, as required by the
  Federal Information Security Management Act (FISMA). Specifically, we reviewed the status of
  OPM's information technology security program in accordance with DHS's FISMA Inspector
  General reporting instructions.

  What Did We Audit?

  The Office of the Inspector General (OIG) has completed a performance audit of OPM's general
  FISMA compliance efforts in the specific areas defined in DHS's guidance and the corresponding
  reporting instructions. Our audit was conducted from April through September 2014 at OPM
  headquarters in Washington, D.C.

  What Did We Find?

  We determined that the Office of the Chief Information Officer (OCIO) has made some
  improvements to the U.S. Office of Personnel Management's (OPM) information technology (IT)
  security program. However, some problem areas that had improved in past years have resurfaced.
  The following points summarize major improvements or areas of weakness:
  •   The material weakness related to information security governance has been upgraded to a
      significant deficiency due to the planned reorganization of the OCIO.
  •   Eleven major OPM information systems are operating without a valid Authorization. This
      represents a material weakness in the internal control structure of OPM's IT security program.
  •   OPM has not fully established a Risk Executive Function.
  •   The OCIO has implemented an agency-wide information system configuration management
      policy; however, configuration baselines have not been created for all operating platforms.
      Also, all operating platforms are not routinely scanned for compliance with configuration
      baselines.
  •   OPM does not maintain a comprehensive inventory of servers, databases, and network devices.
      In addition, we are unable to independently attest that OPM has a mature vulnerability scanning
      program.
  •   OPM has established an Enterprise Network Security Operations Center. However, all OPM
      systems are not adequately monitored.
  •   Program offices are not adequately incorporating known weaknesses into Plans of Action and
      Milestones (POA&M) and the majority of systems contain POA&Ms that are over 120 days
      overdue.
  •   OPM continues to implement its continuous monitoring plan. However, security controls for all
      OPM systems are not adequately tested in accordance with OPM policy.
  •   Not all OPM systems have conducted contingency plan tests in FY 2014.
  •   Several information security agreements between OPM and contractor-operated information
      systems have expired.
  •   Multi-factor authentication is not required to access OPM systems in accordance with OMB
      memorandum M-11-11.


    Michael R. Esser
    Assistant Inspector General
    for Audits
                       ABBREVIATIONS

Authorization   Security Assessment and Authorization
CISO            Chief Information Security Officer
DHS             Department of Homeland Security
DSO             Designated Security Officer
ENSOC           Enterprise Network Security Operations Center
FIPS            Federal Information Processing Standards
FISMA           Federal Information Security Management Act
FY              Fiscal year
IOC             Internal Oversight and Compliance
ISA             Interconnection Security Agreements
ISSO            Information System Security Officer
IT              Information Technology
ITSP            Information Technology Security and Privacy Group
LAN             Local area network
MOU/A           Memorandum of Understanding/Agreement
NIST            National Institute for Standards and Technology
NMG             Network Management Group
OCIO            Office of the Chief Information Officer
OIG             Office of the Inspector General
OMB             Office of Management and Budget
OPM             Office of Personnel Management
POA&M           Plan of Action and Milestones
SDLC            System Development Life Cycle
SIEM            Security information and event management
SO              System Owner
SP              Special Publication
US-CERT         United States Computer Emergency Readiness Team
VPN             Virtual private network




                                      ii
                              TABLE OF CONTENTS


                                                                                   Page

       EXECUTIVE SUMMARY ............................................................ i

       ABBREVIATIONS ................................................................ ii

I.     BACKGROUND ................................................................... 1

II.    OBJECTIVES, SCOPE, AND METHODOLOGY ........................................... 2

III.   AUDIT FINDINGS AND RECOMMENDATIONS ........................................... 5

       1. Information Security Governance ........................................... 5

       2. Security Assessment and Authorization ..................................... 9

       3. Risk Management .......................................................... 12

       4. Configuration Management ................................................. 13

       5. Incident Response and Reporting .......................................... 17

       6. Security Training ........................................................ 19

       7. Plan of Action and Milestones ............................................ 20

       8. Remote Access Management ................................................. 23

       9. Identity and Access Management ........................................... 24

       10. Continuous Monitoring Management ........................................ 25

       11. Contingency Planning .................................................... 27

       12. Contractor Systems ...................................................... 29

       13. Security Capital Planning ............................................... 31

IV.    MAJOR CONTRIBUTORS TO THIS REPORT .......................................... 33

       APPENDIX I: Status of Prior OIG Audit Recommendations
       APPENDIX II: The Office of the Chief Information Officer's October 21, 2014
                    response to the draft audit report, issued September 18, 2014.
       APPENDIX III: FY 2014 Inspector General FISMA reporting metrics

       REPORT FRAUD, WASTE, AND MISMANAGEMENT
                               I. BACKGROUND



On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-
347), which includes Title III, the Federal Information Security Management Act (FISMA).
FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG)
evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of
IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing
the material received from agencies. In accordance with FISMA, we conducted an evaluation of
OPM's security program and practices. As part of our evaluation, we reviewed OPM's FISMA
compliance strategy and documented the status of its compliance efforts.

FISMA requirements pertain to all information systems supporting the operations and assets of
an agency, including those systems currently in place or planned. The requirements also pertain
to IT resources owned and/or operated by a contractor supporting agency systems.

FISMA reemphasizes the Chief Information Officer's strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency's Office of the Chief
Information Officer (OCIO). FISMA also clearly places responsibility on each agency program
office to develop, implement, and maintain a security program that assesses risk and provides
adequate security for the operations and assets of programs and systems under its control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the
Department of Homeland Security (DHS) Office of Cybersecurity and Communications issued
the Fiscal Year (FY) 2014 Inspector General FISMA Reporting Instructions. This document
provides a consistent form and format for agencies to report FISMA audit results to DHS. It
identifies a series of reporting topics that relate to specific agency responsibilities outlined in
FISMA. Our audit and reporting strategies were designed in accordance with the above DHS
guidance.




                                                 1                           Report No. 4A-CI-00-14-016
 II. OBJECTIVES, SCOPE, AND METHODOLOGY 



Objective
Our overall objective was to evaluate OPM's security program and practices, as required by
FISMA. Specifically, we reviewed the status of the following areas of OPM's information
technology (IT) security program in accordance with DHS's FISMA IG reporting requirements:
   •   Security Assessment and Authorization;
   •   Risk Management;
   •   Configuration Management;
   •   Incident Response and Reporting Program;
   •   Security Training Program;
   •   Plans of Action and Milestones (POA&M) Program;
   •   Remote Access Program;
   •   Identity and Access Management;
   •   Continuous Monitoring Program;
   •   Contingency Planning Program;
   •   Agency Program to Oversee Contractor Systems; and,
   •   Agency Security Capital Planning Program.

In addition, we evaluated the status of OPM's IT security governance structure, an area that has
represented a material weakness in OPM's IT security program in prior FISMA audits.

We also audited the security controls of five major applications/systems at OPM (see Scope and
Methodology for details of these audits), and followed up on outstanding recommendations from
prior FISMA audits (see Appendix I).

Scope and Methodology
We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives. The audit covered OPM's
FISMA compliance efforts throughout FY 2014.

We reviewed OPM's general FISMA compliance efforts in the specific areas defined in DHS's
guidance and the corresponding reporting instructions. We also performed information security
audits on the following major information systems:
   •   Investigations, Tracking, Assigning and Expediting System (Report No. 4A-IS-00-14-017,
       issued April 3, 2014);
   •   Services Online System (Report No. 4A-RI-00-14-018, issued April 3, 2014);
   •   Development Test Production General Support System (Report No. 4A-CI-00-14-015,
       issued June 6, 2014);
   •   BENEFEDS and Federal Long Term Care Insurance Program Information Systems
       (Report No. 4A-RI-00-14-036, issued August 19, 2014); and,
   •   Dashboard Management Reporting System (Report No. 4A-IS-00-14-064, final audit
       report not yet issued).

We considered the internal control structure for various OPM systems in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives. Accordingly, we obtained an understanding of the internal controls for these
various systems through interviews and observations, as well as inspection of various documents,
including information technology and other related organizational policies and procedures. This
understanding of these systems’ internal controls was used to evaluate the degree to which the
appropriate internal controls were designed and implemented. As appropriate, we conducted
compliance tests using judgmental sampling to determine the extent to which established
controls and procedures are functioning as required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit testing to cause
us to doubt its reliability.

Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.

The criteria used in conducting this audit include:
   •   DHS Office of Cybersecurity and Communications FY 2014 Inspector General Federal
       Information Security Management Act Reporting Instructions;
   •   OPM Information Technology Security and Privacy Policy Handbook;
   •   OPM Information Technology Security FISMA Procedures;
   •   OPM Security Assessment and Authorization Guide;
   •   OPM Plan of Action and Milestone Standard Operating Procedures;
   •   OMB Circular A-130, Appendix III, Security of Federal Automated Information
       Resources;
   •   OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
       Personally Identifiable Information;
   •   OMB Memorandum M-11-11: Continued Implementation of Homeland Security
       Presidential Directive 12;
   •   E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
       Management Act of 2002;
   •   National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12,
       An Introduction to Computer Security;
   •   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
       Systems;
   •   NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
   •   NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information
       Systems;
   •   NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to
       Federal Information Systems;
   •   NIST SP 800-39, Managing Information Security Risk – Organization, Mission, and
       Information System View;
   •   NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems;
   •   NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information
       Systems and Organizations;
   •   NIST SP 800-60 Volume 2, Guide for Mapping Types of Information and Information
       Systems to Security Categories;
   •   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
       Categorization of Federal Information and Information Systems;
   •   FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and,
   •   Other criteria as appropriate.


The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from April through September 2014 in OPM’s
Washington, D.C. office.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM’s OCIO and other program offices were not in complete compliance with all standards, as
described in section III of this report.




  III. AUDIT FINDINGS AND RECOMMENDATIONS



  The sections below detail the results of our FY 2014 FISMA audit of OPM's IT Security
  Program. Many recommendations were issued in prior FISMA audits and are rolled forward
  from the 2013 FISMA audit (Report No. 4A-CI-00-13-021, issued November 21, 2013).

1. Information Security Governance

  Information security governance is the overall framework and supporting management structure
  and processes that are the foundation of a successful information security program. For many
  years, we have reported increasing concerns about the state of OPM's information security
  governance. In the FY 2007 FISMA report, we issued a material weakness related to the lack of
  IT policies and procedures. In FY 2009, we expanded the material weakness to include the lack
  of a centralized security management structure necessary to implement and enforce IT policies.
  In FY 2013, we also had serious concerns about OPM's ability to govern major system
  development projects.

  In FY 2014, significant changes have been approved related to information security governance.
  Additional resources were allocated to implement a centralized Information System Security
  Officer (ISSO) security management structure, and steps were also taken to implement a
  centralized system development lifecycle (SDLC) methodology. As a result we are upgrading
  the material weakness to a significant deficiency for FY 2014.

  The following sections provide additional details from the OIG's review of IT security
  governance at OPM.


  a) Information security management structure
     Information system security at OPM has historically been managed by Designated Security
     Officers (DSO) that report to the various program offices that own major computer systems.
     Many of these DSOs are not certified IT security professionals, and are performing DSO
     duties in addition to the responsibilities of their full-time positions.

     In FY 2011, the OCIO issued updated IT security and privacy policies, but information
     security was still managed by DSOs that were generally not qualified to implement the new
     policies. In FY 2012, the OPM Director issued a memo mandating the transfer of IT security
     duties from the decentralized program office DSOs to a centralized team of ISSOs that report
     to the OCIO. This change was a major milestone in addressing the information security
     governance material weakness. Through FY 2014, the centralized ISSO structure was
     partially implemented, with 4 ISSOs assigned security responsibility for 17 of the agency's
     information systems.

     [Sidebar: Material weakness related to security governance upgraded to significant
     deficiency.]

     The existing ISSOs are effectively performing security work for the limited number of
     systems they manage, but there are still many OPM systems that have not been assigned an
     ISSO.

     In FY 2014, OPM's Director approved a plan to restructure the OCIO that includes funding
     for 10 additional ISSO positions, bringing the total to 14. After these positions have been
     filled, the ISSO's security responsibility will cover 100 percent of OPM information systems.

     The findings in this audit report (as highlighted in the chart below) indicate that OPM's
     decentralized governance structure continues to result in many instances of non-compliance
     with FISMA requirements. We believe that these issues could be improved with the full
     implementation of a centralized security governance structure.




                   [Chart: Compliance with FISMA Requirements (Percent of Systems Compliant),
                   y-axis 0 to 100 percent, with one bar for each of: Systems with Valid
                   Authorizations; POA&M Remediation Timeliness; Security Controls Assessments;
                   Contingency Planning; Contingency Plan Testing.]




   While limited tangible improvements have been made to the security management structure
   in FY 2014, the ISSO positions that have been planned, approved and funded represent
   significant improvements over prior years. Therefore, we are upgrading the material
   weakness to a significant deficiency for FY 2014 due to the imminently planned
   improvements. However, we will reinstate the material weakness in FY 2015, if the OCIO
   fails to adequately implement the approved changes.

   The audit recommendation related to information security governance will remain open until
   the planned improvements have been fully implemented.

   Recommendation 1 (Rolled-Forward from 2010)
   We recommend that OPM implement a centralized information security governance structure
   where all information security practitioners, including designated security officers, report to
   the Chief Information Security Officer (CISO). Adequate resources should be assigned to
   the OCIO to create this structure. Existing designated security officers who report to their
   program offices should return to their program office duties. The new staff that reports to the
   CISO should consist of experienced information security professionals.

   OCIO Response:
   “A CIO memo directing the centralization of the security responsibilities of Designated
   Security Officers (DSO) into the Chief Information Security Officer (CISO) organization
   was issued by the OPM Director on August, 2012 with an effective date of October 1, 2012.
   The CIO has already hired the first complement of staff with professional IT security
   experience and certifications, consisting of seven Information Systems Security Officers
   (ISSO) with an additional four going through the OPM hiring process. The initial set of
   systems has been transitioned to ISSOs for security management, and we expect to have all
   OPM systems under ISSO security management in FY15.”

   OIG Reply:
   We acknowledge the progress that the OCIO has made in implementing a centralized IT
   security structure, and will continue to monitor its effectiveness in FY 2015.

b) Systems development lifecycle methodology
   OPM has a history of troubled system development projects. In our opinion, the root causes
   of these issues have been related to the lack of centralized oversight of systems
   development. Many system development projects at OPM have been initiated and managed
   by program offices with limited oversight or interaction with the OCIO. These program
   office managers do not always have the appropriate background in project management or
   information technology systems development.


At the end of FY 2013, the OCIO published a new SDLC policy, which was a significant
first step in implementing a centralized SDLC methodology at OPM. The new SDLC policy
incorporated several prior OIG recommendations related to a centralized review process of
system development projects. However, policy alone will not improve the historically weak
SDLC management capabilities of OPM.

We also recommended that the OCIO develop a team with the proper project management
and system development expertise to oversee new system development projects. Through
this avenue, the OCIO should review SDLC projects at predefined checkpoints, and provide
strict guidance to ensure that program office management is following OPM’s SDLC policy
and is employing proper project management techniques to ensure a successful outcome for
all new system development projects.

To date, the SDLC is still only applicable to major investment projects, and is not actively
enforced for all IT projects in the agency. The OCIO acknowledges the need to enforce the
SDLC policy to 100 percent of OPM’s IT portfolio, and is currently implementing a
reorganization to address this issue by assigning OCIO IT project managers to each of the
agency’s program offices. However, the staff necessary to properly enforce and oversee the
SDLC process for all OPM systems is not in place at this time. In the interim, the OCIO
continues to provide training to existing project managers through a Project Management
Community of Practice designed to provide guidance on best practices in systems
development.

Recommendation 2 (Rolled Forward from FY 2013)
We continue to recommend that the OCIO develop a plan and timeline to enforce the new
SDLC policy to all of OPM’s system development projects.

OCIO Response:
“The OPM SDLC is being applied to OPM’s major investment projects. In FY15, a plan
with timelines will be developed to enforce the SDLC policy for all applicable system
development projects.”


OIG Reply:
We acknowledge the steps that the OCIO is taking to expand the enforcement of the
SDLC policy and reiterate that we believe the policy should be enforced to all OPM
IT projects.

As part of the audit resolution process, we recommend that the OCIO provide OPM's Internal
Oversight and Compliance Office (IOC) with evidence that it has implemented the audit
recommendation. This statement applies to all subsequent recommendations in this report
where the OCIO agrees with the recommendation and intends to implement a solution.

2. Security Assessment and Authorization

  System ce1iification is a comprehensive assessment that attests that a system 's secm ity controls
  are meeting the security requir ements of that system, an d accreditation is the official
  management decision to auth orize operation of an inf01m ation system an d accept its risks.
  OPM's process of ce1iifying a system 's security controls is refen ed to as Secm ity Assessment
  and Auth orization (Authorization .)

  Our FY 2010 FISMA audit rep01i stated that weaknesses in OPM's Authorization process
  represented a material weakness in the agency's IT security program. These weaknesses related
  to incomplete, inconsistent, and poor quality Authorization packages. In FY 2011 , the OCIO
  published updated policies, procedures, and templates designed to improve the overall
  Authorization process. The OCIO also dedicated resources to oversee OPM prog~·am office
  activity related to system Auth orizations. These new controls resulted in a significant
  improvement in the agency's Authorization packages. The material weakness was lowered to a
  significant deficiency in FY 2011, and after continued improvem ent, completely removed as an
  audit concem in the FY 2012 FISMA rep01i.
  OPM systems operating without an active Authorization represent a material weakness in the
  internal control structure of the agency's IT security program.

  The Authorization packages reviewed as part of this FY 2014 audit generally maintained the
  same satisfactory level of quality that had been observed in recent years. However, of the 21
  OPM systems due for Authorization in FY 2014, 11 were not completed on time and are currently
  operating without a valid Authorization (re-Authorization is required every three years for
  major information systems). The drastic increase in the number of systems operating without a
  valid Authorization is alarming, and represents a systemic issue of inadequate planning by OPM
  program offices to authorize the information systems that they own.

  The OCIO's Information Technology Security and Privacy Group (ITSP) continuously provides
  OPM program offices with adequate guidance and support to facilitate a timely Authorization
  process. However, many program offices do not initiate the Authorization process early enough
  to meet its deadlines, do not adequately budget for the contractor support that is needed to
  complete the process, and/or do not adhere to OPM policies and templates related to the artifacts
  required for Authorization. Each of these issues contributes to delays in finalizing system
  Authorizations.




                                                   9                           Report No. 4A-CI-00-14-016
We believe that one of the core causes of these frequent delays is the fact that there are currently
no consequences for OPM systems that do not have a valid Authorization to operate. OMB
Circular A-130, Appendix III mandates that all Federal information systems have a valid
Authorization. We believe that the most effective way to reduce delays is to introduce
administrative sanctions for non-compliance with FISMA requirements. We recommend that the
performance standards of all OPM major system owners be modified to include a requirement
related to FISMA compliance for the systems they own. Furthermore, according to OMB,
information systems should not be operating in a production environment without an
Authorization. We therefore also recommend that OPM consider shutting down systems that do
not have a current and valid Authorization.

We acknowledge that OMB now allows agencies to make ongoing Authorization decisions for
information systems based on the continuous monitoring of security controls – rather than
enforcing a static, three-year re-Authorization process. However, as discussed in section 10,
below, OPM has not yet developed a mature continuous monitoring program. Until such a
program is in place, we continue to expect OPM to re-authorize all of its information systems
every three years.

The following program offices own one or more systems currently operating without a valid
Authorization:
      Office of the Chief Information Officer (five systems);
      Federal Investigative Services (two systems);
      Human Resources Solutions (two systems);
      Office of the Inspector General (one system); and,
      Office of the Chief Financial Officer (one system).

Not only is a large volume (11 out of 47 systems; 23 percent) of OPM’s systems operating
without a valid Authorization, but several of these systems are amongst the most critical and
sensitive applications owned by the agency.

Two of the OCIO systems without an Authorization are general support systems that host a
variety of other major applications. Over 65 percent of all systems operated by OPM (not
including contractor operated systems) reside on one of these two support systems, and are
therefore subject to any security risks that exist on the support systems. Furthermore, two
additional systems without Authorizations are owned by OPM’s Federal Investigative Services,
which is responsible for facilitating background investigations for suitability and security
clearance determinations. Any weaknesses in the information systems supporting this program
office could potentially have national security implications.




Maintaining active Authorizations for all information systems is a critical element of a Federal
information security program, and failure to thoroughly assess and address a system’s security
weaknesses increases the risk of a security breach. We believe that the volume and sensitivity of
OPM systems that are operating without an active Authorization represents a material weakness
in the internal control structure of the agency’s IT security program.

Recommendation 3
We recommend that all active systems in OPM’s inventory have a complete and current
Authorization.

OCIO Response:
“As part of the FY15 CIO reorganization, IT Program Managers will work with ISSOs to plan
for Security Authorization of systems before existing ATOs expire. However, ATO extensions
may be required in a limited number of situations such as the rebuilding of OPM’s network
where we would need to maintain the existing system and initiate Authorization work after the
new design is completed and the rebuilding is underway. We agree that it is important to
maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises
to the level of a Material Weakness.”

OIG Reply:
The Authorization process is intended to be a comprehensive assessment of the security controls
of a major information system, and is a critical step toward preventing security breaches and data
loss. Considering the well-publicized data breaches that occurred at OPM in FY 2014, we
believe that this is an extremely critical and time sensitive issue. We continue to classify
weaknesses in the Authorization process as a material weakness to ensure that the necessary
attention and resources are dedicated to this issue.

Recommendation 4
We recommend that the performance standards of all OPM system owners be modified to
include a requirement related to FISMA compliance for the information systems they own. At a
minimum, system owners should be required to ensure that their systems have valid
Authorizations.

OCIO Response:
This recommendation was added after the draft report was issued; the OCIO has not yet had
the opportunity to respond.


Recommendation 5
We recommend that the OPM Director consider shutting down information systems that do not
have a current and valid Authorization.



  OCIO Response:
  “The IT Program Managers will work with ISSOs to ensure that OPM systems maintain
  current ATOs and that there are no interruptions to OPM’s mission and operations.”


3. Risk Management

  NIST SP 800-37 Revision 1 “Guide for Applying the Risk Management Framework to Federal
  Information Systems” (Guide) provides Federal agencies with a framework for implementing an
  agency-wide risk management methodology. The Guide suggests that risk be assessed in
  relation to the agency’s goals and mission from a three-tiered approach:
      Tier 1: Organization (Governance);
      Tier 2: Mission/Business Process (Information and Information Flows); and,
      Tier 3: Information System (Environment of Operation).
  NIST SP 800-39 “Managing Information Security Risk – Organization, Mission, and Information
  System View” provides additional details of this three-tiered approach.

  a) Agency-wide risk management
     NIST SP 800-39 states that agencies should establish and implement “Governance structures
     [that] provide oversight for the risk management activities conducted by organizations and
     include:
         (i)	 the establishment and implementation of a risk executive (function);
         (ii)	 the establishment of the organization’s risk management strategy including the
               determination of risk tolerance; and,
         (iii) the development and execution of organization-wide investment strategies for
               information resources and information security.”

     In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security
     professionals. However, as of the end of FY 2014, the 12 primary elements of the Risk
     Executive Function as described in NIST SP 800-39 were not all fully implemented. Key
     elements still missing from OPM’s approach to managing risk at an agency-wide level
     include: conducting a risk assessment, maintaining a risk registry, and communicating the
     agency-wide risks down to the system owners.

     Recommendation 6 (Rolled Forward from 2011)
     We recommend that the OCIO continue to develop its Risk Executive Function to meet all of
     the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive
     (Function).




     OCIO Response:
     “In FY14, a number of steps were taken to establish and implement the Risk Executive
     Function per NIST Special Publication 800-39. A proposed Risk Executive Charter and
     Risk Registry Template were developed and discussed with the Chief Operating Officer
     who has agreed to serve as the OPM Risk Executive. Additional discussions will be held
     with the Chief Operating Officer on implementation plans and strategies.”

  b) System specific risk management and annual security controls testing
     NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that contains six
     primary steps, including “(i) the categorization of information and information systems; (ii)
     the selection of security controls; (iii) the implementation of security controls; (iv) the
     assessment of security control effectiveness; (v) the authorization of the information system;
     and (vi) the ongoing monitoring of security controls and the security state of the information
     system.”

     The OCIO has implemented the six-step RMF into its system-specific risk management
     activities through the Authorization process. In addition, OPM policy requires each major
     information system to be subject to routine security controls testing through a continuous
     monitoring program (see Continuous Monitoring section 10).

4. Configuration Management

  The sections below detail the controls that the OCIO has in place to manage the technical
  configuration of OPM servers, databases, and workstations.


  a) Agency-wide security configuration policy
     OPM’s Information Security and Privacy Policy Handbook contains policies and procedures
     related to agency-wide configuration management. The handbook requires the establishment
     of secure baseline configurations and the monitoring and documenting of all configuration
     changes.

  b) Configuration baselines
     In FY 2014, OPM has continued its efforts toward formalizing baseline configurations for
     critical applications, servers, and workstations. At the end of the fiscal year, the OCIO had
     established baselines and/or build sheets for the following operating systems:
                         

                               

                  ; and, 

                    



   However, several additional operating platforms in OPM’s network environment do not have
   baseline configurations documented including, but not limited to,                              ,
   and
   NIST SP 800-53 Revision 4, control CM-2, requires agencies to develop, document, and
   maintain a current baseline configuration of the information system. A baseline should serve
   as a formally approved standard outlining how to securely configure various operating
   platforms. Without an approved baseline, there is no standard against which actual
   configuration settings can be measured, increasing the risk that insecure systems exist in the
   operating environment.

   Recommendation 7
   We recommend that the OCIO develop and implement a baseline configuration for all
   operating platforms in use by OPM including, but not limited to,
   and

   OCIO Response:
   “We are working to standardize operating systems and applications throughout the OPM
   environment. Over the past year, we have established approved baselines for all
              operating systems, as well as              . We will continue to improve our
   processes and develop and implement configuration baselines for all operating platforms
   in use by OPM.”

c) United States Government Computer Baseline Configuration
   OPM user workstations are built with a standard image that is compliant with the United
   States Government Baseline Configuration. Any deviations deemed necessary by the agency
   from the configurations are documented within each operating platform’s baseline
   configuration.

   We conducted an automated scan of the           standard image to independently verify
   compliance with OPM’s baseline. Nothing came to our attention to indicate that there are
   weaknesses in OPM’s methodology to securely configure user workstations.

d) Compliance with baselines
   The OCIO uses automated scanning tools to conduct routine compliance audits on the
   majority of operating platforms used in OPM’s server environment. These tools compare the
   actual configuration of servers and workstations to the approved baseline configuration.
   However, as mentioned above, there are several operating platforms used by OPM that do
   not have documented and approved baselines. Without approved baseline configurations
   these systems cannot be subject to an adequate compliance audit.



   NIST SP 800-53 Revision 4, control CM-3, requires agencies to audit activities associated
   with information system configurations.
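   The comparison that the OCIO's scanning tools perform in d) above, an approved baseline
   checked against the live configuration of a host, can be shown in a few lines. The following
   is an added example written for this page, not OPM's tooling or baseline: the baseline
   settings, the documented exception and the sshd_config-style capture are constructed, and the
   parser follows sshd's first-match-wins rule so that a compliant-looking duplicate directive
   later in the file is not mistaken for compliance.

```python
"""Baseline compliance check: compare a host's captured configuration against
an approved baseline and report every deviation.

Added example for illustration; it is not OPM's scanner or baseline. The
baseline settings, the approved-deviation list and the sshd_config-style
sample capture below are constructed.
"""
import re

# Constructed approved baseline for one platform: setting -> required value.
# Keys are lower-cased because sshd_config keywords are case-insensitive.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "protocol": "2",
    "maxauthtries": "4",
    "x11forwarding": "no",
    "clientaliveinterval": "300",
}

# Constructed approved deviations, i.e. exceptions documented in the
# baseline itself (setting -> the value that has been formally accepted).
APPROVED_DEVIATIONS = {
    "maxauthtries": "6",
}

# Constructed sample of the configuration captured from one host.
SAMPLE_CONFIG = """\
# sshd_config captured from host web01 (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
PermitRootLogin no
# ClientAliveInterval is not set at all on this host
"""

KEY_VALUE_RE = re.compile(r"^(\S+)\s+(.+?)\s*$")


def parse_config(text):
    """Parse 'Keyword value' lines into {keyword_lowercase: value}.

    Comments and blank lines are ignored. As sshd does, the FIRST occurrence
    of a keyword wins; later duplicates are reported separately because a
    reviewer reading only the last line would be misled.
    """
    settings, duplicates = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = KEY_VALUE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key in settings:
            duplicates.add(key)
            continue
        settings[key] = value
    return settings, duplicates


def check_compliance(baseline, actual_text, approved_deviations=None):
    """Return a sorted list of (setting, status, expected, actual) findings.

    status is 'missing' (setting absent), 'deviation' (value differs from the
    baseline and is not an approved exception), 'approved-deviation' (differs
    but matches a documented exception) or 'duplicate'. Settings that match
    the baseline produce no finding.
    """
    approved = approved_deviations or {}
    actual, duplicates = parse_config(actual_text)
    findings = []
    for key, expected in sorted(baseline.items()):
        if key not in actual:
            findings.append((key, "missing", expected, None))
            continue
        value = actual[key]
        if value.lower() == expected.lower():
            continue
        if approved.get(key, "").lower() == value.lower():
            findings.append((key, "approved-deviation", expected, value))
        else:
            findings.append((key, "deviation", expected, value))
    for key in sorted(duplicates):
        findings.append((key, "duplicate", baseline.get(key), actual[key]))
    return findings


def is_compliant(findings):
    """A host passes only when every finding is a documented, approved deviation."""
    return all(status == "approved-deviation" for _, status, _, _ in findings)


if __name__ == "__main__":
    results = check_compliance(BASELINE, SAMPLE_CONFIG, APPROVED_DEVIATIONS)
    for setting, status, expected, actual in results:
        print(f"{setting:24} {status:20} expected={expected!s:6} actual={actual}")
    print("compliant:", is_compliant(results))
```

   A platform with no approved baseline has no BASELINE dictionary to check against, which is
   the point the section makes: the compliance audit cannot run at all until the baseline exists.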

   Recommendation 8
   We recommend the OCIO conduct routine compliance scans against established baseline
   configurations for all servers and databases in use by OPM. This recommendation cannot be
   addressed until Recommendation 7 (baseline configurations for all operating platforms) has
   been completed.

   OCIO Response:
   “We expand our routine compliance scans as we implement additional configuration
   baselines for additional operating platforms.”


e) Software and hardware change management
   The OCIO has developed a Configuration Change Control Policy that outlines a formal
   process to approve and document all computer software and hardware changes. The OCIO
   utilizes a software application to manage, track, and document change requests.

   OPM also has a software product that has the capability to detect, approve, and revert all
   changes made to information systems. However, this capability has not been fully
   implemented, and OPM cannot ensure that all changes made to information systems have
   been properly documented and approved.

   OPM’s Information Security and Privacy Policy Handbook states that “SOs shall ensure the
   information system employs automated mechanisms to. . . Inhibit change until designated
   approvals are received.”

   Recommendation 9
   We recommend the OCIO implement technical controls that prevent configuration changes
   without proper documentation and approvals.

   OCIO Response:
   “Configuration changes require approval by the Change Control Board which meets on a
   regular basis. However, there are emergency situations where changes might be made
   outside of the CCB cycle. We will ensure required documentation and approvals are in
   place for all configuration changes.”

   OIG Reply:
   While emergency changes may be required outside of the CCB cycle, we still recommend
   that automated mechanisms be implemented to prevent changes to information systems
   without proper approval. Emergency changes should still require approval even if the
   documentation occurs after the change has been implemented.

f) Vulnerability scanning
   The OIG is unable to independently verify that OPM has a mature vulnerability scanning
   program.

   We were told in an interview that OPM's Network Management Group (NMG) performs monthly
   vulnerability scans using automated scanning tools. However, we have been unable to obtain
   tangible evidence that vulnerability scans have been routinely conducted for all OPM servers
   in FY 2014. As a result, we are unable to independently attest that OPM has a mature
   vulnerability scanning program, and must indicate as such on the FISMA metrics provided to
   OMB.

   NMG has documented accepted weaknesses for OPM user workstations; however, it has not
   fully documented weaknesses for servers or databases (i.e., vulnerability scan findings that
   are justified by a business need). This recommendation remains open from FY 2011 and is
   rolled forward in FY 2014.

   We also determined through interviews and our independent vulnerability scanning process
   that OPM does not maintain an accurate centralized inventory containing all servers and
   databases that reside within the network.

   NIST SP 800-53 Revision 4, control PM-5, requires agencies to develop and maintain an
   inventory of its information systems.

   Recommendation 10
   We recommend that the OCIO develop and maintain a comprehensive inventory of all
   servers, databases, and network devices that reside on the OPM network.

   OCIO Response:
   “Our Asset Management System serves as a repository for servers, databases and network
   devices. We will continue to work to identify and document all assets residing on the OPM
   network.”


   Recommendation 11
   We recommend that the OCIO implement a process to ensure routine vulnerability scanning
   is conducted on all network devices documented within the inventory.




     OCIO Response:
     “We will continue to improve our scanning capabilities to ensure that vulnerability
     scanning is conducted on all network devices documented in our inventory.”


     Recommendation 12
     We recommend that the OCIO implement a process to centrally track the current status of
     security weaknesses identified during vulnerability scans to remediation or risk acceptance.

     OCIO Response:
     “We concur with this recommendation and will implement the recommendation in FY15.”


     Recommendation 13 (Rolled Forward from 2011)
     We recommend that the OCIO document “accepted” weaknesses identified in vulnerability
     scans.

     OCIO Response:
     “We concur with this recommendation and will implement the recommendation in FY15.”


  g) Patch management
     The OCIO has implemented a process to apply operating system patches on all devices
     within OPM’s network on a weekly basis. The OCIO also utilizes a third party patching
     software management program to manage and maintain all non-operating system software.
     However, through our independent vulnerability scans on a sample of servers we determined
     that numerous servers are not timely patched.
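     Recommendations 10 through 14 in sections f) and g) describe one bookkeeping loop: an
     inventory of what must be scanned, a record of each finding's status through remediation or
     documented risk acceptance, and a deadline by which patches must be applied. The following
     is an added example of that loop, written for this page and not OPM's process or any
     scanner's native format; the inventory, scan runs, acceptance register and the per-severity
     windows in SLA_DAYS are constructed or assumed (OPM's actual deadlines are in its Information
     Security and Privacy Policy Handbook and are not reproduced here). It also flags inventory
     hosts that were never scanned or were not scanned within the assumed cadence, which is the
     evidence gap the OIG describes in f).

```python
"""Central tracking of vulnerability-scan findings.

Reconciles successive scan runs against the asset inventory and the
accepted-weakness register, and flags findings that have passed their
remediation deadline, so that every finding has exactly one status:
open, overdue, accepted, acceptance-expired or remediated.

Added example; not OPM's process and not tied to any scanner's output
format. The inventory, scan runs, register and the per-severity
remediation windows (SLA_DAYS) are constructed/assumed.
"""
from collections import Counter
from datetime import date, timedelta

# Assumed remediation windows, in days from first detection.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed asset inventory: every host that must be scanned.
INVENTORY = {"web01", "db01", "app02", "ldap01"}

# Constructed scan runs: (scan_date, host, [(finding_id, severity), ...]).
# A host listed with a shorter list than before was scanned and the missing
# finding did not recur; ldap01 is in the inventory but never appears here.
SCAN_RUNS = [
    (date(2014, 6, 2), "web01", [("openssl-outdated", "critical")]),
    (date(2014, 6, 2), "db01", [("ssl-weak-cipher", "medium")]),
    (date(2014, 6, 2), "app02", [("smb-signing-off", "low"), ("tls-1.0-enabled", "medium")]),
    (date(2014, 9, 1), "web01", [("openssl-outdated", "critical")]),
    (date(2014, 9, 1), "db01", [("ssl-weak-cipher", "medium"), ("kernel-outdated", "high")]),
    (date(2014, 9, 1), "app02", [("tls-1.0-enabled", "medium")]),
]

# Constructed accepted-weakness register: (host, finding_id) -> date the
# risk acceptance expires and must be re-justified.
ACCEPTED = {
    ("db01", "ssl-weak-cipher"): date(2015, 3, 1),
    ("web01", "openssl-outdated"): date(2014, 7, 1),
}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def track_findings(scan_runs, inventory, accepted, as_of,
                   sla_days=SLA_DAYS, cadence_days=35):
    """Return (records, unscanned_hosts, stale_hosts).

    records maps (host, finding_id) to first_seen, last_seen, severity,
    deadline and status. A finding is 'remediated' only if the host has
    been scanned again since the finding was last seen; a host that simply
    dropped out of the scan population shows up in stale/unscanned instead,
    so silence is never mistaken for remediation.
    """
    as_of = _as_date(as_of)
    records, host_last_scanned = {}, {}
    for scan_date, host, findings in sorted(scan_runs, key=lambda run: run[0]):
        host_last_scanned[host] = max(scan_date, host_last_scanned.get(host, scan_date))
        for finding_id, severity in findings:
            rec = records.setdefault((host, finding_id),
                                     {"first_seen": scan_date, "severity": severity})
            rec["last_seen"] = scan_date
    for (host, finding_id), rec in records.items():
        rec["deadline"] = rec["first_seen"] + timedelta(days=sla_days[rec["severity"]])
        if rec["last_seen"] < host_last_scanned[host]:
            rec["status"] = "remediated"
        elif (host, finding_id) in accepted:
            expired = accepted[(host, finding_id)] < as_of
            rec["status"] = "acceptance-expired" if expired else "accepted"
        elif as_of > rec["deadline"]:
            rec["status"] = "overdue"
        else:
            rec["status"] = "open"
    unscanned = sorted(inventory - set(host_last_scanned))
    stale = sorted(h for h, last in host_last_scanned.items()
                   if (as_of - last).days > cadence_days)
    return records, unscanned, stale


def summarize(records):
    """Per-status counts, the figure a central tracker reports upward."""
    return dict(Counter(rec["status"] for rec in records.values()))


if __name__ == "__main__":
    recs, unscanned, stale = track_findings(SCAN_RUNS, INVENTORY, ACCEPTED, "2014-09-30")
    for (host, fid), rec in sorted(recs.items()):
        print(f"{host:6} {fid:18} {rec['severity']:8} first={rec['first_seen']} "
              f"deadline={rec['deadline']} {rec['status']}")
    print("summary:", summarize(recs))
    print("never scanned:", unscanned, " not scanned within cadence:", stale)
```

     The expired acceptance on web01 is the case Recommendation 13 is about: an accepted weakness
     is only "accepted" while its justification is current, and the tracker surfaces it again
     the day the acceptance lapses rather than letting it disappear into the register.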

     Recommendation 14
     We recommend the OCIO implement a process to apply operating system and third party
     vendor patches in a timely manner, which is defined within the OPM Information Security
     and Privacy Policy Handbook.

     OCIO Response:
     The OCIO did not respond to this recommendation.

5. Incident Response and Reporting

  OPM’s Incident Response and Reporting Guide outlines the responsibilities of OPM’s Situation
  Room and documents procedures for reporting all IT security events to the appropriate entities.
  We evaluated the degree to which OPM is following its internal procedures and FISMA
  requirements for reporting security incidents internally, to the United States Computer
  Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities.


a) Identifying and reporting incidents internally
   OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT
   resources to immediately notify OPM’s Situation Room when IT security incidents occur.
   OPM reiterates the information provided in the Incident Response and Reporting Guide in an
   annual mandatory IT security and privacy awareness training course. In addition, OPM also
   uses several different software tools to prevent and detect intrusions and malware in the
   agency’s network.

b) Reporting incidents to US-CERT and law enforcement
   OPM’s Incident Response and Reporting policy states that OPM's Situation Room is
   responsible for sending incident reports to US-CERT on security incidents. OPM notifies
   US-CERT within one hour of a reportable security incident occurrence.

   The Incident Response and Reporting policy also states that security incidents should be
   reported to law enforcement authorities, where appropriate. The OIG’s Office of
   Investigations is part of the incident response notification distribution list, and is notified
   when security incidents occur.

c) Correlating and monitoring security incidents
   OPM owns a security information and event management (SIEM) tool with the technical
   ability to automatically detect, analyze, and correlate potential security incidents over time.
   However, the correlation features of this tool are not fully utilized at this time. This tool only
   receives event data from approximately 80 percent of major OPM information systems.

   In FY 2014, the OCIO established an Enterprise Network Security Operations Center
   (ENSOC) that provides continuous centralized support for OPM’s security incident
   prevention/management program. However, the ENSOC cannot adequately fulfill its
   purpose if it does not receive data from all OPM systems.


   NIST SP 800-53 Revision 4, control IR-4, states that an organization must implement “an
   incident handling capability for security incidents that includes preparation, detection and
   analysis, containment, eradication, and recovery.” The organization should also employ
   “automated mechanisms to support the incident handling process.”

   Recommendation 15
   We recommend that the OCIO expand the capabilities of the ENSOC to ensure that security
   incidents from all OPM-operated information systems are centrally analyzed and correlated.




     OCIO Response:
     “A centralized monitoring center was put in place with first level alerting and monitoring
     for the servers and network appliances within the major OPM sites. We are expanding our
     monitoring capabilities to cover OPM operated information systems wherever feasible.”


  d) Responding to incidents
     As mentioned above, OPM owns a tool with the ability to automatically detect and report
     potential security incidents by analyzing data from various sources. After analyzing the data,
     the tool alerts security analysts to potential security incidents.

     However, the tool needs to be configured to collect relevant and meaningful data so the
     potential security alerts contain fewer false-positives. The OPM systems currently providing
     data to the SIEM are over-reporting log and event data, which results in an excessive amount
     of data for security analysts to review. The number of alerts that security analysts must
     review and identify as false-positive creates a backlog that could cause a delay in identifying
     and responding to actual incidents. This issue is compounded by the fact that the SIEM is
     not receiving any data from approximately 20 percent of OPM systems.
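     The two problems described above, over-reporting by the systems that do feed the SIEM and
     alerts that analysts must triage one at a time, are usually addressed together: drop the
     event classes with no security value at intake, and correlate what remains so that a burst
     of related events produces one alert instead of many. The following is an added example
     written for this page, not OPM's SIEM configuration or rule set; the log format, hosts,
     users, noise classes and thresholds are all constructed.

```python
"""SIEM intake tuning: drop events with no security value at the collector,
keep the rest, and raise an alert only for correlated patterns.

Added example; it is not OPM's SIEM configuration or its rule set. The
line format, hosts, users and the thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a simple "timestamp host source type key=value ..." format.
SAMPLE_LOG = """\
2014-09-15T08:00:01 web01 sshd auth_fail user=jsmith src=10.1.2.3
2014-09-15T08:00:03 web01 sshd auth_fail user=jsmith src=10.1.2.3
2014-09-15T08:00:05 web01 sshd auth_fail user=jsmith src=10.1.2.3
2014-09-15T08:00:07 web01 sshd auth_fail user=jsmith src=10.1.2.3
2014-09-15T08:00:09 web01 sshd auth_fail user=jsmith src=10.1.2.3
2014-09-15T08:00:11 web01 sshd auth_ok user=jsmith src=10.1.2.3
2014-09-15T08:00:12 db01 cron session_open user=root src=local
2014-09-15T08:00:13 db01 monitor heartbeat
2014-09-15T08:00:14 app02 monitor heartbeat
2014-09-15T08:00:15 app02 sshd auth_fail user=bjones src=10.1.2.9
2014-09-15T08:00:20 app02 sudo priv_use user=bjones cmd=/bin/bash
2014-09-15T08:05:00 web01 monitor heartbeat
2014-09-15T08:10:00 db01 sshd auth_ok user=dbadmin src=10.1.5.5
"""

# Tier 1: event classes that never need to reach an analyst (assumed noise).
DROP_TYPES = {"heartbeat"}
DROP_SOURCES = {"cron"}

# Tier 2: correlation parameters (assumed).
FAIL_THRESHOLD = 5                 # failures from one (user, src) pair ...
WINDOW = timedelta(seconds=60)     # ... within this window -> one alert

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, host, source, etype, rest = match.groups()
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "source": source, "type": etype, **fields}


def triage(lines):
    """Return (kept_events, alerts, dropped_count).

    Noise is dropped first so it never inflates the analyst queue. Among the
    kept events, repeated authentication failures collapse into ONE
    brute-force alert, a success from the same (user, src) shortly after such
    a burst is escalated, and privilege use is always surfaced.
    """
    events = [e for e in map(parse_line, lines) if e]
    kept = [e for e in events
            if e["type"] not in DROP_TYPES and e["source"] not in DROP_SOURCES]
    alerts = []
    recent_fails = defaultdict(list)   # (user, src) -> failure timestamps in window
    burst_keys = set()
    for e in kept:
        key = (e.get("user"), e.get("src"))
        if e["type"] == "auth_fail":
            window_fails = [t for t in recent_fails[key] if e["ts"] - t <= WINDOW]
            window_fails.append(e["ts"])
            recent_fails[key] = window_fails
            if len(window_fails) == FAIL_THRESHOLD:      # alert once, not per failure
                burst_keys.add(key)
                alerts.append({"rule": "brute-force", "host": e["host"],
                               "user": key[0], "src": key[1], "ts": e["ts"]})
        elif e["type"] == "auth_ok":
            fails = recent_fails.get(key, [])
            if key in burst_keys and fails and e["ts"] - fails[-1] <= WINDOW:
                alerts.append({"rule": "success-after-burst", "host": e["host"],
                               "user": key[0], "src": key[1], "ts": e["ts"]})
        elif e["type"] == "priv_use":
            alerts.append({"rule": "privilege-use", "host": e["host"],
                           "user": key[0], "cmd": e.get("cmd"), "ts": e["ts"]})
    return kept, alerts, len(events) - len(kept)


if __name__ == "__main__":
    kept, alerts, dropped = triage(SAMPLE_LOG.splitlines())
    print(f"{dropped} events dropped at intake, {len(kept)} kept, {len(alerts)} alerts")
    for alert in alerts:
        print(alert)
```

     On the constructed sample, thirteen events become nine stored events and three alerts, and
     the single failed logon by bjones is kept for later searching without generating an alert.
     The "success-after-burst" rule is the kind of correlation over time that the SIEM's
     unused features are for: neither the failures nor the success is interesting on its own.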

     Recommendation 16
     We recommend that OCIO configure its security information and event management tool to
     collect and report meaningful data, while reducing the volume of non-sensitive log and event
     data.

     OCIO Response:
     “The security event management system collects important data that we use to access
     threats to the OPM environment. We will continue to refine our configuration settings to
     improve the quality of the data being reviewed.”


6. Security Training

  FISMA requires all government employees and contractors to take IT security awareness training
  on an annual basis. In addition, employees with IT security responsibility are required to take
  additional specialized training.

  a) IT security awareness training
     OPM maintains an adequate IT security training program.

     The OCIO provides annual IT security and privacy awareness training to all OPM employees
     through an interactive web-based course. The course introduces employees and contractors to the
     basic concepts of IT security and privacy, including topics such as the importance of
     information security, security threats and vulnerabilities, viruses and malicious code, privacy
     training, peer-to-peer software, and the roles and responsibilities of users.

     Over 99 percent of OPM’s employees and contractors completed the security awareness
     training course in FY 2014.

  b) Specialized IT security training
     OPM employees with significant information security responsibilities are required to take
     specialized security training in addition to the annual awareness training.

     The OCIO has developed a table outlining the security training requirements for specific job
     roles. The OCIO uses a spreadsheet to track the security training taken by employees that
     have been identified as having security responsibility. Of employees with significant
     security responsibilities, 95 percent have completed specialized IT training in FY 2014.

7. Plan of Action and Milestones

  A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring
  the progress of corrective efforts for IT security weaknesses. The sections below detail OPM’s
  effectiveness in using POA&Ms to track the agency’s security weaknesses.

  a) POA&Ms incorporate all known IT security weaknesses
     In November 2013, the OIG issued the FY 2013 FISMA audit report with 16 audit
     recommendations. We verified that all 16 recommendations were appropriately incorporated
     into the OCIO’s master POA&M.

     However, all known security weaknesses were appropriately incorporated to the system-
     specific POA&Ms for only 29 of OPM’s 47 systems. This includes 14 of the 25 systems
     operated by OPM, and 15 of the 22 systems operated by a contractor.

     Failure to incorporate all known IT security weaknesses into the associated POA&M limits
     the agency’s ability to effectively identify, assess, prioritize, and monitor the progress of the
     corrective efforts to remediate identified weaknesses. The following program offices failed
     to submit adequate documentation for one or more systems that they own:
          Human Resources Solutions (four systems);
          Federal Investigative Services (three systems);
          Office of the Inspector General (three systems);
          Healthcare and Insurance (three systems);
          Office of the Chief Information Officer (two systems);
          Office of the Chief Financial Officer (one system);
          Retirement Services (one system); and,
          Employee Services (one system).


   Recommendation 17
   We recommend that the OCIO and program offices that own information systems ensure that
   all known security weaknesses are incorporated into the appropriate POA&M.

   OCIO Response:
   “A centralized automated POA&M management system is in place and staffed by a
   dedicated resource to ensure that all findings, recommendations and POA&Ms are
   managed to resolution and we believe that this process is working as intended. Additional
   information was submitted to substantiate elimination of this recommendation.”

   OIG Reply:
   While evidence was provided in response to the draft audit report to indicate that all findings
   from the FY 2013 FISMA audit report were included in a POA&M, the program offices
   listed above have not adequately incorporated all known IT security weaknesses into the
   associated POA&M. We continue to recommend that the OCIO and program offices that
   own information systems ensure that all known security weaknesses are incorporated into the
   appropriate POA&M.

b) Prioritize weaknesses
   OPM’s POA&M Guide requires each program office to prioritize the security weaknesses on
   their POA&Ms to help ensure significant IT issues are addressed in a timely manner. We
   verified the POA&Ms that were provided did identify and prioritize each security weakness.

c) Effective remediation plans and adherence to remediation deadlines
   All system owners are required to create action steps (milestones) to effectively remediate
   specific weaknesses identified on POA&Ms. Our review of the POA&Ms indicated that
   system owners are appropriately listing milestones and target completion dates on their
   POA&Ms.

   However, our review also indicated that many system owners are not meeting the self-
   imposed remediation deadlines listed on the POA&Ms. Out of OPM’s 47 operational
   systems, 38 have POA&M items that are greater than 120 days overdue. We issued an audit
   recommendation in FY 2012 related to overdue POA&M items, and because overdue
   POA&Ms continue to be an issue, we will roll forward this recommendation into FY 2014.



   Recommendation 18 (Rolled forward from FY 2012)
   We recommend that the OCIO and system owners develop formal corrective action plans to
   remediate all POA&M weaknesses that are over 120 days overdue.

   OCIO Response:
   “The CIO dedicated resources to this task and has successfully closed most POA&Ms that
   are over 120 days overdue and will continue to develop formal Action Plans for those
   remaining weaknesses. Most POA&Ms that are over 120 days overdue have dependencies
   that need to be coordinated with external entities that often are not ready to implement the
   required changes.”

   OIG Reply:
   Evidence was provided in response to the draft audit report to indicate that corrective action
   plans have been created for 25 of the 38 systems with POA&M items over 120 days overdue. As
   part of the audit resolution process, the OCIO should provide IOC with evidence that the
   program offices for the remaining 13 systems have created corrective action plans.

d) Identifying resources to remediate weaknesses
   POA&Ms for 9 of the 47 OPM systems did not identify the resources needed to address
   POA&M weaknesses in FY 2014, as required by OPM’s POA&M policy. We made this
   recommendation in the FY 2013 FISMA audit report, and closed it in early FY 2014 based
   on evidence provided by the OCIO which indicated that POA&Ms had been updated.
   However, the fieldwork for this audit indicates that this situation continues to be a problem.

   Recommendation 19
   We recommend that all POA&Ms list the specific resources required to address each security
   weakness identified.

   OCIO Response: 

   “This recommendation has been implemented for most open POA&Ms. We will continue 

   to ensure that the ‘resources required’ for POA&Ms are identified and documented.” 


   OIG Reply:
   Evidence was provided in response to the draft audit report to indicate that required resources
   have been identified and documented for outstanding POA&M items; no further action is
   required.

e) OCIO tracking and reviewing POA&M activities
   The OCIO requires program offices to provide the evidence, or “proof of closure,” that
   security weaknesses have been resolved before officially closing the related POA&M. When
   the OCIO receives a proof of closure document from the program offices for a POA&M
   item, an OCIO employee will review the documentation to determine whether or not the
   evidence provided was appropriate.

                                                22                           Report No. 4A-CI-00-14-016

   We selected one closed POA&M item from 10 OPM systems and reviewed the proof of closure
   documentation provided by the program offices. The 10 systems were judgmentally selected
   from the 47 OPM systems. We determined that adequate proof of closure was provided for all
   10 systems tested. The results of the sample test were not projected to the entire population.

      OPM appears to maintain adequate proof-of-closure documentation when closing POA&M weaknesses.


8. Remote Access Management

   OPM has implemented policies and procedures related to authorizing, monitoring, and
   controlling all methods of accessing the agency’s network resources from a remote location. In
   addition, OPM has issued agency-wide telecommuting policies and procedures, and all
   employees are required to sign a Rules of Behavior document that outlines their responsibility
   for the protection of sensitive information when working remotely.

   OPM utilizes a Virtual Private Network (VPN) client to facilitate secure remote access to the
   agency’s network environment. The OPM VPN requires the use of an individual’s PIV card and
   password authentication to uniquely identify users. OIG has reviewed the VPN access list to
   ensure that there are no shared accounts and that each user account has been tied to an individual.
   The agency maintains logs of individuals who remotely access the network, and the logs are
   reviewed on a monthly basis for unusual activity or trends.

   Although there are still a small number of authorized network devices that are not compliant
   with PIV cards (e.g., iPads), these devices still require multi-factor authentication for remote
   access through the use of RSA tokens and password authentication.


   In previous years, we discovered that remote access sessions do not terminate or lock out after
              inactivity as required by FISMA. OPM has acknowledged the issue and stated that
   the weakness cannot be remediated until the VPN vendor releases a software update.

   Recommendation 20 (Rolled Forward from 2012)
   We recommend the OCIO configure the VPN servers to terminate VPN sessions after
   of inactivity.





   OCIO Response:
   “All technological controls are in place. We believe there is a flaw in the vendor’s product
   that will require a patch update that the vendor so far is unwilling to provide. We will explore
   an alternative product solution.”


9. Identity and Access Management

  The following sections detail OPM's account and identity management program.

   a) Policies for account and identity management
      OPM maintains policies and procedures for agency-wide account and identity management
      within the OCIO Information Security and Privacy Policy Handbook. The policies contain
      procedures for creating user accounts with the appropriate level of access as well as
      procedures for removing access for terminated employees.

   b) Terminated employees
      OPM maintains policies related to management of user accounts for its local area network
      (LAN) and its mainframe environments. Both policies contain procedures for creating user
      accounts with the appropriate level of access as well as procedures for removing access for
      terminated employees.

      We conducted an access test comparing the current Windows and mainframe active user lists
      against a list of terminated employees from the past year. Nothing came to our attention to
      indicate that there are weaknesses in OPM’s access termination management process.
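      The access test described above, and the VPN access-list check in Section 8 (every account tied to an individual), can both be expressed as a reconciliation of account exports against a separation list. The following is an added example written for this page; it is not OPM’s procedure or tooling, and the record layouts (CSV fields, the `employee_id` link between an account and a person, the date formats) and the sample rows are constructed assumptions for illustration. It goes one step beyond the test as described: besides reporting accounts that are still enabled after the owner’s separation, it also flags any logon recorded after the separation date, which is evidence the account was actually used rather than merely left open, and it lists enabled accounts with no owner, which cannot be checked against a separation list at all.

```python
"""Reconcile Windows and mainframe account exports against a separation list.

Added example for illustration; not OPM's procedure. Field names, the
employee_id linkage and all sample rows below are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample export: active accounts from both environments, each
# carrying the employee ID of the person the account was issued to.
ACTIVE_ACCOUNTS_CSV = """system,account,employee_id,enabled,last_logon
windows,OPM\\jdoe,E1001,true,2014-09-30
windows,OPM\\asmith,E1002,true,2014-08-14
windows,OPM\\bwong,E1003,false,2014-03-02
mainframe,JDOE01,E1001,true,2014-09-29
mainframe,ASMITH1,E1002,true,2014-05-01
mainframe,CLEE02,E1004,true,2014-10-01
windows,OPM\\svc_backup,,true,2014-10-01
"""

# Constructed sample separation list from the past year.
TERMINATED_CSV = """employee_id,separation_date
E1002,2014-04-30
E1003,2014-02-28
E1005,2014-07-15
"""


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    employee_id: str
    issue: str            # "enabled_after_separation" or "logon_after_separation"
    separation_date: date


def _parse_date(text):
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def load_terminated(text):
    """Map normalized employee_id -> separation date."""
    terminated = {}
    for row in csv.DictReader(io.StringIO(text)):
        terminated[row["employee_id"].strip().upper()] = _parse_date(row["separation_date"])
    return terminated


def reconcile(active_text, terminated_text):
    """Return one Finding per problem found on accounts owned by separated employees.

    - enabled_after_separation: the account is still enabled, so access removal
      did not happen (or was reversed).
    - logon_after_separation: a logon is recorded after the separation date; the
      account was used, which is a stronger finding than merely being left open.
    A disabled account with no post-separation logon produces no finding.
    """
    terminated = load_terminated(terminated_text)
    findings = []
    for row in csv.DictReader(io.StringIO(active_text)):
        emp = row["employee_id"].strip().upper()
        if emp not in terminated:
            continue
        sep = terminated[emp]
        enabled = row["enabled"].strip().lower() == "true"
        last_logon = _parse_date(row["last_logon"]) if row["last_logon"].strip() else None
        if enabled:
            findings.append(Finding(row["system"], row["account"], emp,
                                    "enabled_after_separation", sep))
        if last_logon is not None and last_logon > sep:
            findings.append(Finding(row["system"], row["account"], emp,
                                    "logon_after_separation", sep))
    return findings


def unowned_accounts(active_text):
    """Enabled accounts not tied to any individual; these escape the separation check."""
    return [row["account"] for row in csv.DictReader(io.StringIO(active_text))
            if row["enabled"].strip().lower() == "true" and not row["employee_id"].strip()]


if __name__ == "__main__":
    for f in reconcile(ACTIVE_ACCOUNTS_CSV, TERMINATED_CSV):
        print(f"{f.system:10} {f.account:18} {f.employee_id} {f.issue} (separated {f.separation_date})")
    print("unowned enabled accounts:", unowned_accounts(ACTIVE_ACCOUNTS_CSV))
```

On the constructed data the reconciliation reports both of E1002’s accounts as still enabled and used after separation, and E1003’s Windows account as disabled but logged on after the separation date; the service account with no owner is listed separately because no separation check can be applied to it. In practice the `last_logon` field is where the two environments differ most (Active Directory replicates `lastLogonTimestamp` lazily, while mainframe security products record last access on their own schedule), so the comparison should use the most recent value across sources rather than a single export.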

   c) Multi-factor authentication with PIV
      OMB Memorandum M-11-11 required all Federal information systems to be upgraded to use
      PIV credentials for multi-factor authentication by the beginning of FY 2012. In addition, the
      memorandum stated that all new systems under development must be PIV compliant prior to
      being made operational, and that agencies must be compliant with the memorandum prior to
      using technology refresh funds to complete other activities.

         OPM not compliant with OMB M-11-11, which mandates the use of PIV credentials for
         multi-factor authentication for major information systems.

      In FY 2012, the OCIO began an initiative to require PIV authentication to access the
      agency’s network. As of the end of FY 2014, over 95 percent of OPM workstations require
      PIV authentication to access the OPM network. However, none of the agency’s 47 major
      applications require PIV authentication.




      Recommendation 21 (Rolled Forward from 2012)
      We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its
      major information systems to require multi-factor authentication using PIV credentials.

      OCIO Response:
      “We have developed and are in the process of implementing multi-factor PIV
      authentication for compliance with OMB M-11-11. A major segment of the users on our
      network infrastructure are using PIV authentication. In FY15 we will continue to
      implement PIV authentication for major systems.”

10. Continuous Monitoring Management

   The following sections detail OPM’s controls related to continuous monitoring of the security
   state of its information systems.

   a) Continuous monitoring policy and procedures
      OPM’s Information Security and Privacy Policy Handbook states that the security controls of
      all systems must be continuously monitored and assessed to ensure continued effectiveness.
      In FY 2012, the OCIO published an addendum to the Information Security and Privacy
      Policy which states that it is the ISSO/DSO’s responsibility to assess all security controls in
      an information system. The addendum also states that continuous monitoring security
      reports must be provided to ITSP at least semiannually. The OCIO also creates continuous
      monitoring plans each fiscal year that clearly describe the type and frequency of NIST SP
      800-53 Revision 4 security controls that must be tested throughout the year.

      As stated previously in Section 1, the ISSO function has not been fully established at OPM.
      We continue to believe that OPM’s continuous monitoring policies and procedures cannot be
      adequately implemented until the agency’s centralized ISSO function has been fully
      established.

   b) Continuous monitoring strategy
      The OCIO developed a continuous monitoring strategy document that provides a high-level
      strategy for the implementation of information security continuous monitoring. While the
      initial stages of implementation began in FY 2012, full implementation of the plan is an
      ongoing process. The OCIO achieved the FY 2014 milestones outlined in the roadmap
      which included quarterly reporting for high impact systems. The next stage in the OCIO’s
      plan involves requiring continuous monitoring by contractor-operated systems and
      implementation of the DHS Continuous Diagnostics and Mitigation program.




   Recommendation 22
   We recommend that the OCIO expand its continuous monitoring program to include
   mandatory continuous monitoring for contractor-operated systems and implementation of the
   DHS Continuous Diagnostics and Mitigation program as outlined in the OCIO’s continuous
   monitoring strategy.

   OCIO Response:
   “In FY15, we will continue to work with DHS to implement the Continuous Diagnostic
   and Mitigation program at OPM. As a result of working with DHS, OPM has been moved
   higher (sooner) in the implementation schedule. To date, we have submitted OPM
   requirements and hosted a Reading Room for vendors to validate our requirements. There
   will also be a major initiative to expand Continuous Monitoring programs to contractor
   systems where feasible.”

c) Assessment of individual system security controls
   OPM policy requires all OPM system owners to submit evidence of continuous monitoring
   activities at least semiannually (in April and October).

   We requested the security test results for all OPM-operated systems for April 2014 in order
   to review them for quality and consistency. We will test the October 2014 submission as part
   of the FY 2015 FISMA audit. For the April submission, we were only provided adequate
   testing documentation for 18 out of the 25 major systems operated by OPM. The following
   program offices failed to submit adequate documentation for one or more systems that they
   own:
       Office of the Chief Information Officer (four systems);
       Office of the Inspector General (two systems); and,
       Office of the Chief Financial Officer (one system).


   At this time, security controls testing for contractor-operated systems is still only required
   once per year. A review of contractor system security control testing (see section 12, below)
   indicates that only 19 out of 22 contractor-operated systems were adequately tested in this
   fiscal year.

   Between contractor and agency-operated information systems, only 37 out of 47 systems
   were subject to adequate security controls testing in FY 2014. Failure to continuously
   monitor and assess security controls increases the risk that agency officials are unable to
   make informed judgments to appropriately mitigate risks to an acceptable level.

   It has been over eight years since all OPM systems were subject to an adequate security
   controls test. OPM’s decentralized approach to IT security has traditionally placed


      responsibility on the various program offices to test the security controls of their systems.
      The OCIO’s lack of authority over these program offices continues to contribute to the
      inadequate security controls testing of the agency’s information systems. We are optimistic
      that the quality and consistency of security controls tests will improve with the full
      implementation of the OCIO’s centralized ISSO structure and with the shift to semi-annual
      continuous monitoring submissions.

      Recommendation 23 (Rolled forward from 2008)
      We recommend that OPM ensure that an annual test of security controls has been completed
      for all systems.

      OCIO Response:
      “We continue to make progress with security controls testing and expect to have test plans
      and results for all systems in FY15. Security controls testing is a major part of our
      continuous monitoring program that is being implemented for OPM systems.”


11. Contingency Planning

   OPM’s Information Security and Privacy Policy Handbook requires a contingency plan to be in
   place for each information system and that each system’s contingency plan be tested on an
   annual basis. The sections below detail our review of contingency planning activity in FY 2014.

   a) Documenting contingency plans of individual OPM systems
      We received updated contingency plans for 41 out of 47 information systems on OPM’s
      master system inventory. We then verified that these contingency plans followed the
      template developed by the OCIO that is based on the guidance of NIST SP 800-34 Revision
      1, Contingency Planning Guide for Federal Information Systems. The following program
      offices failed to submit adequate contingency planning documentation for one or more
      systems that they own:
            Retirement Services (three systems);
            Office of the Chief Information Officer (two systems); and,
            Office of the Inspector General (one system).


      According to OPM’s Information Security and Privacy Policy Handbook, “Contingency
      Plans shall be reviewed, updated, and tested at least annually to ensure [their] effectiveness.”
      Failure to document contingency plans increases the risk that agency information systems
      will not be recovered in a timely manner and that critical data could be lost.




   Recommendation 24
   We recommend that the OCIO ensure that all of OPM’s major systems have contingency
   plans in place and are reviewed and updated annually.

   OCIO Response:
   “We will continue making progress on contingency plan updates in FY15. Having
   additional ISSOs onboard is expected to significantly improve our ability to accomplish
   this task.”


b) Testing contingency plans of individual OPM systems
   OPM’s Information Security and Privacy Policy Handbook requires that the contingency
   plan for each information system be tested at least annually using information system
   specific tests and exercises. We received evidence that contingency plans were tested for
   only 39 of 47 systems in FY 2014. This is a slight decrease from the number of systems that
   were tested in FY 2013. The following program offices failed to submit adequate
   documentation for one or more systems that they own:
          Office of the Chief Information Officer (five systems);
          Employee Services (one system);
          Healthcare and Insurance (one system); and,
          Office of the Inspector General (one system).


   Of the contingency plan tests we did receive, we noted improved quality in documentation as
   it relates to the analysis or “lessons learned” section of the test report. However, due to the
   significantly low number of tests received, we cannot conclude that OPM has improved the
   quality and consistency of its documentation overall.

   NIST SP 800-34 Revision 1 states that following a contingency plan test, “results and lessons
   learned should be documented and reviewed by test participants and other personnel as
   appropriate. Information collected during the test and post-test reviews that improve plan
   effectiveness should be incorporated into the contingency plan.”

   Recommendation 25 (Rolled-Forward from 2008)
   We recommend that OPM’s program offices test the contingency plans for each system on an
   annual basis. The contingency plans should be immediately tested for the eight systems that
   were not subject to adequate testing in FY 2014.




      OCIO Response:
      “We will continue making progress on contingency plan testing in FY15. Having
      additional ISSOs onboard is expected to significantly improve our ability to accomplish
      this task.”


   c) Testing contingency plans of OPM general support systems
      Many OPM systems reside on one of the agency’s general support systems. The OCIO
      typically conducts a full recovery test at the backup location of the Enterprise Server
      Infrastructure general support system (i.e., the mainframe and associated systems) on an
      annual basis. However, no full functional test was performed in FY 2014. In addition, another
      of OPM’s major general support systems, the LAN/WAN general support system, was not
      subject to a full functional disaster recovery test.

      NIST SP 800-53 Revision 4, control CP-4, states that owners of FIPS 199 “high” systems
      should test “the contingency plan at the alternate processing site.” Without full functional
      routine testing of all OPM general support systems, there is a risk that OPM systems will not
      be successfully recovered in the event of a disaster.

      In the FY 2011 FISMA audit report we recommended that the OCIO implement a centralized
      (agency-wide) approach to contingency plan testing. We were informed that a single
      synchronized functional test is not feasible due to logistical and resource limitations.
      However, the intent of the recommendation is to ensure that all elements of the general
      support systems are subject to a full functional disaster recovery test each year. This
      recommendation can be remediated if each general support system is subject to a full
      functional test each year, even if it must be broken into a series of smaller tests.

      Recommendation 26 (Rolled Forward from 2011)
      We recommend that the OCIO implement and document a centralized (agency-wide)
      approach to contingency plan testing.

      OCIO Response:
      “We will continue making progress on contingency plan testing in FY15. Having
      additional ISSOs onboard is expected to significantly improve our ability to accomplish
      this task.”


12. Contractor Systems

   We evaluated the methods that the OCIO and various program offices use to maintain oversight
   of their systems operated by contractors on behalf of OPM.



a) Contractor system documentation
   OPM’s master system inventory indicates that 22 of the agency’s 47 major applications are
   operated by a contractor. However, the master system inventory does not indicate whether a
   system is hosted in a cloud environment. NIST SP 800-53 Revision 4 states that the agency
   must develop and maintain an inventory of its information systems, and the FY 2014 FISMA
   Reporting Metrics specify that a complete system inventory identifies which systems and
   services reside in a public cloud environment.

   The OCIO maintains a separate spreadsheet documenting interfaces between OPM and
   contractor-operated systems and the related Interconnection Security Agreements (ISA).
   However, many of the documented ISAs have expired. NIST SP 800-47, Security Guide for
   Interconnecting Information Technology Systems, states that improperly designed
   interconnections could result in security failures that compromise the connected systems and
   the data that they store, process, or transmit. Failure to maintain valid ISAs could introduce
   risks similar to improperly designed interconnections.

   While the OCIO tracks ISAs, it does not track Memorandums of Understanding/Agreement
   (MOU/A). These documents outline the terms and conditions for sharing data and
   information resources in a secure manner. We were told that program offices were
   responsible for maintaining MOU/As. While we have no issue with the program offices
   maintaining the memorandums, the OCIO should track MOU/As to ensure that valid
   agreements are in place for each documented ISA.

   Recommendation 27
   We recommend that the OCIO identify agency systems that reside in a public cloud and
   document those systems on the master system inventory.

   OCIO Response:
   “This recommendation was addressed and documented on the master system inventory.”


   OIG Reply:
   Evidence was provided in response to the draft audit report to indicate that the OCIO has
   identified systems that reside in a public cloud; no further action is required.

   Recommendation 28
   We recommend that the OCIO ensure that all ISAs are valid and properly maintained.




      OCIO Response:
      “We will continue to improve ISA processes to ensure that they are maintained in a valid
      and consistent manner. Having additional ISSOs onboard is expected to significantly
      improve our ability to accomplish this task.”


      Recommendation 29
      We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection.

      OCIO Response:
      “We will continue to improve MOU processes to ensure they are maintained in a valid and
      consistent manner. Having additional ISSOs onboard is expected to significantly improve
      our ability to accomplish this task.”


   b) Contractor system oversight
      The OPM Information Security and Privacy Policy Addendum states that “It is the
      responsibility of the OPM system owner to ensure systems or services hosted by non-OPM
      organizations comply with OPM information security and privacy policies.” The handbook
      addendum also states that “OPM System Owners must ensure that an annual security controls
      assessment is performed by a government employee or an independent third party at the site
      where contracted information technology services are rendered.”

      We requested the annual security control tests for contractor-operated systems in order to
      review them for quality and consistency. We were only provided testing documentation for
      19 out of the 22 systems. In the tests we received, we noticed significant differences in
      quality and consistency. We would normally make a recommendation for the OCIO to take
      action to improve the quality and consistency of these security control tests. However, the
      OCIO’s continuous monitoring strategy includes requiring continuous monitoring for
      contractor-operated systems. The OCIO also maintains a continuous monitoring plan that
      describes the type and frequency of NIST SP 800-53 Revision 4 security controls that must
      be tested throughout the year. We believe that use of the continuous monitoring plan will
      improve the quality and consistency of contractor system security control tests. See section
      10 above for the related recommendation.

13. Security Capital Planning

   NIST SP 800-53 Revision 4, control SA-2, states that an organization needs to determine,
   document, and allocate the resources required to protect information systems as part of its capital
   planning and investment control process.




OPM’s Information Security and Privacy Policy Handbook contains policies and procedures to
ensure that information security is addressed in the capital planning and investment process. The
OCIO uses the Integrated Data Collection, a replacement to the Exhibit 53B, to record
information security resources allocation and submits this information annually to OMB.

As mentioned previously in Section 2, the drastic increase in the number of systems operating
without a valid Authorization is alarming, and represents a systemic issue of inadequate planning
by OPM program offices to authorize the information systems that they own. Please see section
2 for audit recommendations related to this issue.




 IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group

                  , Auditor-In-Charge
           , Lead IT Auditor
              , IT Auditor
                     , IT Auditor
                , IT Auditor
            , IT Auditor
             , IT Auditor
______________________________________________________________________________

                 Group Chief




                                                                                 Appendix I                                                    page 1 of 3

                                                           Status of Prior OIG Audit Recommendations


    The tables below outline the current status of prior audit recommendations issued in FY 2013 by the Office of the Inspector General.

        Report No. 4A-CI-00-13-021: FY 2013 Federal Information Security Management Act Audit, issued November 21, 2013

Rec #                       Original Recommendation                                        Recommendation History                      Current Status
         We recommend that OPM implement a centralized information security
         governance structure where all information security practitioners,
                                                                                     Roll-forward from OIG Reports:
         including designated security officers, report to the CISO. Adequate
         resources should be assigned to the OCIO to create this structure.           4A-CI-00-10-019 Recommendation 4,       OPEN: Rolled-forward as Report
1
         Existing designated security officers who report to their program offices    4A-CI-00-11-009 Recommendation 2, and   4A-CI-00-14-016 Recommendation 1
         should return to their program office duties. The new staff that reports     4A-CI-00-12-016 Recommendation 1
         to the CISO should consist of experienced information security
         professionals.
         We recommend that the OCIO develop a plan and timeline to enforce                                                     OPEN: Rolled-forward as Report
2                                                                                    Recommendation new in FY 2013
         the new SDLC policy to all of OPM’s system development projects.                                                      4A-CI-00-14-016 Recommendation 2
                                                                                     Roll-Forward from OIG Report:
         We recommend that the OCIO continue to develop its Risk Executive
                                                                                                                               OPEN: Rolled-forward as Report
3        Function to meet all of the intended requirements outlined in NIST SP        4A-CI-00-11-009 Recommendation 6 and
                                                                                                                               4A-CI-00-14-016 Recommendation 6
         800-39, section 2.3.2 Risk Executive (Function).                             4A-CI-00-12-016 Recommendation 2
         We recommend that the OCIO develop and implement a baseline
4                                                                                    Recommendation new in FY 2013             CLOSED 9/16/2014
         configuration for both                       databases.
         We recommend that the OCIO conduct routine compliance audits on
5                               databases with the OPM baseline configuration        Recommendation new in FY 2013             CLOSED 9/16/2014
         once they have been reviewed, updated, and approved.
                                                                                     Roll-forward from OIG Reports:
         We recommend that the OCIO document “accepted” weaknesses                                                             OPEN: Rolled-forward as Report
6        identified in vulnerability scans.                                           4A-CI-00-11-009 Recommendation 9 and
                                                                                                                               4A-CI-00-14-016 Recommendation 13
                                                                                      4A-CI-00-12-016 Recommendation 4
                                                                             Appendix I                                                   page 2 of 3

                                                     Status of Prior OIG Audit Recommendations


     We recommend that the OCIO establish a centralized network security
     operations center with the ability to monitor security events for all     Roll-forward from OIG Reports:
7                                                                                                                         CLOSED 11/25/2013
     major OPM systems.                                                         4A-CI-00-12-016 Recommendation 6

     We recommend that the OCIO and system owners develop formal
     corrective action plans to remediate all POA&M weaknesses that are        Roll-forward from OIG Reports:             OPEN: Rolled-forward as Report
8
     over 120 days overdue.                                                     4A-CI-00-12-016 Recommendation 8         4A-CI-00-14-016 Recommendation 18

     We recommend that all POA&Ms list the specific resources required to      Roll-forward from OIG Reports:
9    address each security weakness identified.                                                                           CLOSED 11/25/2013
                                                                                4A-CI-00-12-016 Recommendation 9
     We recommend the OCIO configure the VPN servers to terminate VPN          Roll-forward from OIG Reports:             OPEN: Rolled-forward as Report
10   sessions after       of inactivity.
                                                                                4A-CI-00-12-016 Recommendation 10        4A-CI-00-14-016 Recommendation 20
     We recommend that the OCIO meet the requirements of OMB M-11-11
     by upgrading its major information systems to require multi-factor        Roll-forward from OIG Reports:             OPEN: Rolled-forward as Report
11
     authentication using PIV credentials.                                      4A-CI-00-12-016 Recommendation 11        4A-CI-00-14-016 Recommendation 21

     We recommend that the OCIO expand its continuous monitoring
     program to include quarterly submissions for High impact systems,
     more frequent controls testing for all systems, and further
12                                                                             Recommendation new is FY 2013              CLOSED 9/18/2014
     implementation of automated tools as outlined in the Information
     Security Continuous Monitoring Roadmap.

                                                                               Roll-forward from OIG Reports:
                                                                                4A-CI-00-08-022 Recommendation 1,
     We recommend that OPM ensure that an annual test of security controls      4A-CI-00-09-031 Recommendation 6,        OPEN: Rolled-forward as Report
13   has been completed for all systems.
                                                                                4A-CI-00-10-019 Recommendation 10,       4A-CI-00-14-016 Recommendation 23
                                                                                4A-CI-00-11-009 Recommendation 11, and
                                                                                4A-CI-00-12-016 Recommendation 14
                                                                          Appendix I                                                    page 3 of 3

                                                     Status of Prior OIG Audit Recommendations



No. 14
Recommendation: We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be tested for the systems that were not subject to adequate testing in FY 2013 as soon as possible.
Source: Roll-forward from OIG Reports 4A-CI-00-08-022 Recommendation 2, 4A-CI-00-09-031 Recommendation 9, 4A-CI-00-10-019 Recommendation 30, 4A-CI-00-11-009 Recommendation 19, and 4A-CI-00-12-016 Recommendation 15
Status: OPEN: Rolled-forward as Report 4A-CI-00-14-016 Recommendation 25

No. 15
Recommendation: We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing.
Source: Roll-forward from OIG Reports 4A-CI-00-11-009 Recommendation 21 and 4A-CI-00-12-016 Recommendation 16
Status: OPEN: Rolled-forward as Report 4A-CI-00-14-016 Recommendation 26

No. 16
Recommendation: We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.
Source: Roll-forward from OIG Reports 4A-CI-00-08-022 Recommendation 12, 4A-CI-00-09-031 Recommendation 22, 4A-CI-00-10-019 Recommendation 39, 4A-CI-00-11-009 Recommendation 28, and 4A-CI-00-12-016 Recommendation 18
Status: CLOSED 9/26/2014

                                                      Appendix II


UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Chief Information Officer

MEMORANDUM FOR:    CHIEF, INFORMATION SYSTEMS AUDIT GROUP

FROM:              DONNA K. SEYMOUR
                   CHIEF INFORMATION OFFICER

Subject:           Response to the Federal Information Security Management Act Audit
                   FY2014, Report No. 4A-CI-00-14-016

Thank you for the opportunity to comment on the subject report. The results provided in the draft report consist of a number of recommendations. The recommendations are valuable to our program improvement efforts and most of them are generally consistent with our plan. We plan to continue making improvements in our security risk management strategy and the OPM IT security program.

In reviewing the draft report, we noticed that recommendation #15, which covers specialized security training, was issued. Additional information was submitted since the draft report was issued showing a specialized training participation rate above 90%. In addition, recommendation #16 states that only 6 of 16 audit findings were incorporated into POA&Ms, and according to our records, all 16 recommendations were documented and converted to POA&Ms and centrally managed. Recommendation #26 is already in place and the information has been provided to your office. We ask for consideration in having recommendations #15, #16 and #26 removed from the final audit report.

The CIO's responses to the FY14 Draft FISMA Audit Report are documented below:

Recommendation #1 (Rolled-Forward from 2010)
We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the Chief Information Security Officer. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist of experienced information security professionals.

CIO Response:
A CIO memo directing the centralization of the security responsibilities of Designated Security Officers (DSO) into the Chief Information Security Officer (CISO) organization was issued by the OPM Director on August, 2012 with an effective date of October 1, 2012. The CIO has already hired the first complement of staff with professional IT security experience and certifications, consisting of seven Information Systems Security Officers (ISSO) with an additional four going through the OPM hiring process. The initial set of systems has been transitioned to ISSOs for security management, and we expect to have all OPM systems under ISSO security management in FY15.




        www.opm.gov      Recruit, Retain and Honor a World-Class Workforce to Serve the American People   www.usajobs.gov

Recommendation #2
We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM's system development projects.

CIO Response:
The OPM SDLC is being applied to OPM's major investment projects. In FY15, a plan with timelines will be developed to enforce the SDLC policy for all applicable system development projects.

Recommendation #3
We recommend that all active systems in OPM's inventory have a complete and current Authorization.

CIO Response:
As part of the FY15 CIO reorganization, IT Program Managers will work with ISSOs to plan for Security Authorization of systems before existing ATOs expire. However, ATO extensions may be required in a limited number of situations such as the rebuilding of OPM's network where we would need to maintain the existing system and initiate Authorization work after the new design is completed and the rebuilding is underway. We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.

Recommendation #4
We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization.

CIO Response:
The IT Program Managers will work with ISSOs to ensure that OPM systems maintain current ATOs and that there are no interruptions to OPM's mission and operations.

Recommendation #5 (Rolled-Forward from 2011)
We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).

CIO Response:
In FY 14, a number of steps were taken to establish and implement the Risk Executive Function per NIST Special Publication 800-39. A proposed Risk Executive Charter and Risk Registry Template were developed and discussed with the Chief Operating Officer who has agreed to serve as the OPM Risk Executive. Additional discussions will be held with the Chief Operating Officer on implementation plans and strategies.

Recommendation #6 

We recommend that the OCIO develop and implement a baseline confi
platforms in use by OPM including, but not limited

CIO Response:
We are working to standardize operating systems and applications
Over the past year, we have established approved baselines for all                    operating
systems, as well as                  We will continue to improve our processes and develop and
implement                baselines for all operating platforms in use by OPM.



Recommendation #7
We recommend the OCIO conduct routine compliance scans against established baseline configurations for all servers and databases in use by OPM. This recommendation cannot be addressed until Recommendation 6 has been completed.

CIO Response:
We expand our routine compliance scans as we implement additional configuration baselines for additional operating platforms.

Recommendation #8
We recommend the OCIO implement technical controls that prevent configuration changes without proper documentation and approvals.

CIO Response:
Configuration changes require approval by the Change Control Board which meets on a regular basis. However, there are emergency situations where changes might be made outside of the CCB cycle. We will ensure required documentation and approvals are in place for all configuration changes.

Recommendation #9
We recommend that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network.

CIO Response:
Our Asset Management System serves as a repository for servers, databases and network devices. We will continue to work to identify and document all assets residing on the OPM network.

Recommendation #10
We recommend that the OCIO implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the inventory.

CIO Response:
We will continue to improve our scanning capabilities to ensure that vulnerability scanning is conducted on all network devices documented in our inventory.

Recommendation #11
We recommend that the OCIO implement a process to centrally track the current status of security weaknesses identified during vulnerability scans.

CIO Response:
We concur with this recommendation and will implement the recommendation in FY15.

Recommendation #12 (Rolled Forward from 2011)
We recommend that the OCIO document "accepted" weaknesses identified in vulnerability scans.

CIO Response:
We concur with this recommendation and will implement the recommendation in FY15.


Recommendation #13
We recommend that the OCIO expand the capabilities of the ENSOC to ensure that security incidents
from all OPM-operated information systems are centrally analyzed and correlated.

CIO Response:
A centralized monitoring center was put in place with first level alerting and monitoring for the servers
and network appliances within the major OPM sites. We are expanding our monitoring capabilities to
cover OPM operated information systems wherever feasible.

Recommendation #14
We recommend that OCIO configure its security information and event management tool to collect and
report meaningful data, while reducing the volume of non-sensitive log and event data.

CIO Response:
The security event management system collects important data that we use to assess threats to the OPM
environment. We will continue to refine our configuration settings to improve the quality of the data
being reviewed.

Recommendation #15
We recommend that the OCIO ensure that all employees with significant information security
responsibility take meaningful and appropriate specialized security training on an annual basis.

CIO Response:
We have successfully implemented this recommendation and significant improvements were achieved
this year with a completion rate of over 90 percent. Additional information was submitted to
substantiate elimination of this recommendation.

Recommendation #16
We recommend that the OCIO and program offices that own information systems ensure that all known
security weaknesses are incorporated into the appropriate POA&M.

CIO Response:
A centralized automated POA&M management system is in place and staffed by a dedicated resource to
ensure that all findings, recommendations and POA&Ms are managed to resolution and we believe that
this process is working as intended. Additional information was submitted to substantiate elimination of
this recommendation.

Recommendation #17
We recommend that the OCIO and system owners develop formal corrective action plans to immediately
remediate all POA&M weaknesses that are over 120 days overdue.

CIO Response:
The CIO dedicated resources to this task and has successfully closed most POA&Ms that are over 120
days overdue and will continue to develop formal Action Plans for those remaining weaknesses. Most
POA&Ms that are over 120 days overdue have dependencies that need to be coordinated with external
entities that often are not ready to implement the required changes.


Recommendation #18
We recommend that all POA&Ms list the specific resources required to address each security weakness
identified.

CIO Response:
This recommendation has been implemented for most open POA&Ms. We will continue to ensure that
the "resources required" for POA&Ms are identified and documented.

Recommendation #19 (Rolled-Forward from 2012)
We recommend the OCIO configure the VPN servers to terminate VPN sessions after
inactivity.

CIO Response:
All technological controls are in place. We believe there is a flaw in the vendor's product that will
require a patch update that the vendor so far is unwilling to provide. We will explore an alternative
product solution.

Recommendation #20 (Rolled-Forward 2012)
We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major
information systems to require multi-factor authentication using PIV credentials.

CIO Response:
We have developed and are in the process of implementing multi-factor PIV authentication for
compliance with OMB M-11-11. A major segment of the users on our network infrastructure are using
PIV authentication. In FY 15 we will continue to implement PIV authentication for major systems.

Recommendation #21
We recommend that the OCIO expand its continuous monitoring program to include mandatory
continuous monitoring for contractor-operated systems and implementation of the DHS Continuous
Diagnostic and Mitigation program as outlined in continuous monitoring strategy.

CIO Response:
In FY15, we will continue to work with DHS to implement the Continuous Diagnostic and Mitigation
program at OPM. As a result of working with DHS, OPM has been moved higher (sooner) in the
implementation schedule. To date, we have submitted OPM requirements and hosted a Reading Room
for vendors to validate our requirements. There will also be a major initiative to expand Continuous
Monitoring programs to contractor systems where feasible.

Recommendation #22 (Rolled forward from 2008)
We recommend that OPM ensure that an annual test of security controls has been completed for all
systems.

CIO Response:
We continue to make progress with security controls testing and expect to have test plans and results for
all systems in FY15. Security controls testing is a major part of our continuous monitoring program that
is being implemented for OPM systems.


Recommendation #23
We recommend that the OCIO ensure that all of OPM's major systems have Contingency Plans in place
and are reviewed and updated annually.

CIO Response:
We will continue making progress on contingency plan updates in FY15. Having additional ISSOs
onboard is expected to significantly improve our ability to accomplish this task.

Recommendation #24 (Rolled-Forward from 2008)
We recommend that OPM's program offices test the contingency plans for each system on an annual
basis. The contingency plans should be immediately tested for the eight systems that were not subject to
adequate testing in FY 2014.

CIO Response:
We will continue to make progress on contingency plan testing in FY15. Having additional ISSOs
onboard is expected to significantly improve our ability to accomplish this task.

Recommendation #25 (rolled forward from 2011)
We recommend that the OCIO implement and document a centralized (agency-wide) approach to
contingency plan testing.

CIO Response:
We will continue our efforts to centralize contingency plan testing in FY15. Having additional ISSOs
onboard is expected to significantly improve our ability to accomplish this task.

Recommendation #26
We recommend that the OCIO identify agency systems that reside in a public cloud and document those
systems on the master system inventory.

CIO Response:
This recommendation was addressed and documented on the master system inventory.

Recommendation #27
We recommend that the OCIO ensure that all ISAs are valid and properly maintained.

CIO Response:
We will continue to improve ISA processes to ensure that they are maintained in a valid and consistent
manner. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish
this task.

Recommendation #28
We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection.

CIO Response:
We will continue to improve MOU processes to ensure they are maintained in a valid and consistent
manner. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish
this task.

Recommendation #29 (Rolled-Forward from 2008)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance
with OMB Memorandum M-07-16.

CIO Response:
Significant work was done to eliminate the unnecessary use of social security numbers (SSN) including
development of a consolidated Action Plan and elimination of the use of SSNs from USAJOBS and the
PMF systems. In FY15, the Privacy Officer will conduct a pilot project with an OPM program office to
review business processes to determine how SSN usage can be reduced further.


Appendix III

Inspector General Section Report
2014 Annual FISMA Report
Office of Personnel Management

Section 1: Continuous Monitoring Management
1.1      Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems
         that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may
         have been identified by the OIG, does the program include the following attributes?
          Yes
          1.1.1   Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7).
                  Yes
          1.1.2   Documented strategy for information security continuous monitoring (ISCM).
                  Yes
          1.1.3   Implemented ISCM for information technology assets.
                  No
                           Comments:      The Office of the Chief Information Officer (OCIO) developed a continuous monitoring strategy document that provides a
                                          high-level strategy for the implementation of information security continuous monitoring. While the initial stages of
                                          implementation began in fiscal year (FY) 2012, full implementation of the plan is an ongoing process. The OCIO achieved
                                          the FY 2014 milestones outlined in the roadmap which included quarterly reporting for high impact systems. The next stage
                                          in the OCIO’s plan involves requiring continuous monitoring by contractor operated systems and implementation of
                                          the Department of Homeland Security Continuous Diagnostic and Mitigation program.
          1.1.4   Evaluate risk assessments used to develop their ISCM strategy.
                  Yes
          1.1.5   Conduct and report on ISCM results in accordance with their ISCM strategy.
                  Yes
          1.1.6   Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved
                  continuous monitoring plans (NIST SP 800-53, 800-53A).
                  No
                           Comments:      Only 18 of the 25 systems subject to continuous monitoring were adequately tested in accordance with Office of
                                          Personnel Management (OPM) policy.




OIG Report - Annual 2014                                                                                                                                       Page 1 of 17
                                                                          For Official Use Only
          1.1.7   Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security
                  assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy
                  and/or plans (NIST SP 800-53, 800-53A).
                   Yes
1.2      Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was
         not noted in the questions above.
          N/A

Section 2: Configuration Management
2.1      Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and
         applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the
         following attributes?
          No
                   Comments:      As noted below, there are notable deficiencies in OPM’s configuration management program, and we do not consider this program to
                                  be substantially compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
          2.1.1   Documented policies and procedures for configuration management.
                   Yes
          2.1.2   Defined standard baseline configurations.
                   No
                           Comments:       In FY 2014, OPM has continued its efforts toward formalizing baseline configurations for critical applications, servers, and
                                           workstations. However, several additional operating platforms in OPM’s network environment do not have baseline
                                           configurations documented including, but not limited to, ------------------------------------------------.
          2.1.3   Assessments of compliance with baseline configurations.
                   No
                           Comments:       The OCIO uses automated scanning tools to conduct routine compliance audits on the majority of operating platforms used
                                           in OPM’s server environment. These tools compare the actual configuration of servers and workstations to the approved
                                           baseline configuration. However, there are several operating platforms used by OPM that do not have documented and
                                           approved baselines. Without approved baseline configurations these systems cannot be subject to an adequate compliance
                                           audit.

          2.1.4    Process for timely (as specified in organization policy or standards) remediation of scan result deviations.
                   No
                            Comments:       OPM performs monthly vulnerability scans using automated scanning tools. However, we have been unable to obtain
                                            tangible evidence that vulnerability scans have been routinely conducted for all OPM servers in FY 2014. As a result, we
                                            are unable to independently attest that OPM has a mature vulnerability scanning program.
          2.1.5    For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB
                   baseline settings are fully documented.
                   Yes
          2.1.6    Documented proposed or actual changes to hardware and software configurations.
                   No
                            Comments:       OPM also has a software product that has the capability to detect, approve, and revert all changes made to information
                                            systems. However, this capability has not been fully implemented, and OPM cannot ensure that all changes made to
                                            information systems have been properly documented and approved.
          2.1.7    Process for timely and secure installation of software patches.
                   No
                            Comments:       See comment in 2.1.4
          2.1.8    Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2).
                   No
                            Comments:       See comment in 2.1.4
          2.1.9    Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization
                   policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2)
                   No
                            Comments:       See comment in 2.1.4
          2.1.10   Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2).
                   No
                            Comments:       See comment in 2.1.4



2.2      Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in
         the questions above.
          N/A
2.3      Does the organization have an enterprise deviation handling process, and is it integrated with the automated capability?
          Yes
          2.3.1   Is there a process for mitigating the risk introduced by those deviations?
                  Yes

Section 3: Identity and Access Management
3.1      Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and
         applicable NIST guidelines and identifies users and network devices? Besides the improvement opportunities that have been identified by the
         OIG, does the program include the following attributes?
          Yes
          3.1.1   Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1).
                  Yes
          3.1.2   Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2).
                  Yes
          3.1.3   Identifies when special access requirements (e.g., multi-factor authentication) are necessary.
                  No
                           Comments:       In FY 2012, the OCIO began an initiative to require PIV authentication to access the agency’s network. As of the end of
                                           FY 2014, over 95 percent of OPM workstations require PIV authentication to access the OPM network. However,
                                           none of the agency’s 47 major applications require PIV authentication.
          3.1.4   If multi-factor authentication is in use, it is linked to the organization's PIV program where appropriate (NIST SP 800-53, IA-2).
                  Yes
          3.1.5   Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201,
                  OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
                  No
                           Comments:       See comment in 3.1.3

          3.1.6    Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12,
                   FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
                   Yes
          3.1.7    Ensures that the users are granted access based on needs and separation-of-duties principles.
                   Yes
          3.1.8    Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users (For example: IP
                   phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or
                   servers that have user accounts).
                   No
                            Comments:       We determined through interviews and our independent vulnerability scanning process that OPM does not maintain an
                                            accurate centralized inventory containing all servers and databases that reside within the network.
          3.1.9    Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic
                   information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a
                   specific group of users.)
                   Yes
          3.1.10   Ensures that accounts are terminated or deactivated once access is no longer required.
                   Yes
          3.1.11   Identifies and controls use of shared accounts.
                   Yes
3.2      Please provide any additional information on the effectiveness of the organization’s Identity and Access Management Program that was not
         noted in the questions above.
          N/A

Section 4: Incident Response and Reporting
4.1      Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and
         applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the
         following attributes?
          Yes


          4.1.1   Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1).
                  Yes
          4.1.2   Comprehensive analysis, validation and documentation of incidents.
                  Yes
          4.1.3   When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).
                  Yes
          4.1.4   When applicable, reports to law enforcement within established timeframes (NIST SP 800-61).
                  Yes
          4.1.5   Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage
                  (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).
                  No
                          Comments:       OPM owns a tool with the ability to automatically detect and report potential security incidents by analyzing data from
                                          various sources. After analyzing the data, the tool alerts security analysts to potential security incidents. However, the tool
                                          needs to be configured to collect relevant and meaningful data so that the resulting alerts contain fewer false positives.
                                          The OPM systems currently providing data to the security information and event management (SIEM) tool are
                                          over-reporting log and event data, which results in an excessive amount of data for security analysts to review. The number
                                          of alerts that security analysts must review and dismiss as false positives creates a backlog that could delay the
                                          identification of, and response to, actual incidents.
          4.1.6   Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
                  Yes
          4.1.7   Is capable of correlating incidents.
                  Yes
          4.1.8   Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, 800-61; OMB
                  M-07-16, M-06-19).
                  No
                           Comments:       OPM owns a SIEM tool with the technical ability to automatically detect, analyze, and correlate potential security incidents
                                           over time. However, the correlation features of this tool are not fully utilized at this time. This tool only receives event data
                                           from approximately 80 percent of major OPM information systems. In FY 2014, the OCIO established an Enterprise
                                           Network Security Operations Center (ENSOC) that provides continuous centralized support for OPM’s security incident
                                           prevention/management program. However, the ENSOC cannot adequately fulfill its purpose if it does not receive data
                                           from all OPM systems.
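The two SIEM findings above (4.1.5 on alert noise, 4.1.8 on under-used correlation and incomplete log-source coverage) describe a mechanism rather than a specific configuration. What follows is an added example written for this page, not code from the report or from any OPM tool, showing what a correlation rule and a log-source coverage check look like in practice. The system names, the event lines and the five-failures-in-ten-minutes rule are constructed assumptions, not OPM data or OPM's SIEM settings.

```python
"""Added example, not part of the OIG report: a minimal SIEM-style correlation
rule and a log-source coverage check over constructed sample events.

Everything below is an assumption for illustration: the system names, the
event lines and the 5-failures-in-10-minutes rule. None of it is OPM data or
the configuration of OPM's SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp system event source_ip" (not real data).
SAMPLE_EVENTS = """\
2014-06-01T08:00:01 hr-portal LOGIN_FAILED 203.0.113.7
2014-06-01T08:00:09 hr-portal LOGIN_FAILED 203.0.113.7
2014-06-01T08:00:17 hr-portal LOGIN_FAILED 203.0.113.7
2014-06-01T08:00:26 hr-portal LOGIN_FAILED 203.0.113.7
2014-06-01T08:00:34 hr-portal LOGIN_FAILED 203.0.113.7
2014-06-01T08:00:41 hr-portal LOGIN_FAILED 203.0.113.7
2014-06-01T08:01:02 hr-portal LOGIN_OK 203.0.113.7
2014-06-01T08:05:00 benefits-db LOGIN_FAILED 198.51.100.4
2014-06-01T08:20:00 benefits-db LOGIN_OK 198.51.100.4
2014-06-01T09:00:00 mainframe-gw LOGIN_FAILED 192.0.2.9
2014-06-01T09:08:00 mainframe-gw LOGIN_FAILED 192.0.2.9
2014-06-01T09:16:00 mainframe-gw LOGIN_FAILED 192.0.2.9
2014-06-01T09:24:00 mainframe-gw LOGIN_FAILED 192.0.2.9
2014-06-01T09:32:00 mainframe-gw LOGIN_FAILED 192.0.2.9
"""

# Constructed (hypothetical) master system inventory.
SYSTEM_INVENTORY = ["benefits-db", "email-gw", "hr-portal",
                    "mainframe-gw", "vpn-concentrator"]


def parse_events(text):
    """Parse the space-separated sample lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, event, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "system": system,
                       "event": event, "src": src})
    return events


def correlate_failed_logins(events, threshold=5, window_minutes=10):
    """Sliding-window correlation: raise one alert per source IP the first
    time `threshold` LOGIN_FAILED events from it fall inside the window.

    Forwarding every failed login as its own alert is what produces the
    analyst backlog described in 4.1.5; correlation turns a burst of raw
    events into a single alert and drops isolated failures."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            by_src[e["src"]].append((e["ts"], e["system"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end, (ts, system) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "system": system,
                               "first": hits[start][0], "last": ts,
                               "count": end - start + 1})
                break  # one alert per source; a real SIEM would add a cooldown
    return alerts


def log_source_coverage(events, inventory):
    """Share of inventoried systems that sent at least one event, plus the
    silent ones (the 4.1.8 gap: a SOC is blind to systems not feeding it)."""
    reporting = {e["system"] for e in events}
    missing = sorted(s for s in inventory if s not in reporting)
    pct = 100.0 * (len(inventory) - len(missing)) / len(inventory)
    return pct, missing


def summarize(text=SAMPLE_EVENTS, inventory=SYSTEM_INVENTORY):
    """Raw-event count versus alert count, and coverage against inventory."""
    events = parse_events(text)
    raw_failed = sum(1 for e in events if e["event"] == "LOGIN_FAILED")
    alerts = correlate_failed_logins(events)
    pct, missing = log_source_coverage(events, inventory)
    return {"raw_failed_logins": raw_failed, "alerts": len(alerts),
            "coverage_pct": pct, "silent_systems": missing}


if __name__ == "__main__":
    for a in correlate_failed_logins(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['src']} -> {a['system']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print(summarize())
```

Run as a script, the rule collapses 12 raw failed-login events into one alert for the burst from 203.0.113.7 and raises nothing for the five failures from 192.0.2.9 spread over 32 minutes; widening window_minutes to 60 catches that slower pattern as well, which is the tuning trade-off between noise and misses that the 4.1.5 finding points at. The coverage check reports 60 percent with two inventoried systems silent; comparing SIEM log sources against the master system inventory in this way is how a coverage figure like the one cited in 4.1.8 is tracked over time.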
4.2      Please provide any additional information on the effectiveness of the organization’s Incident Management Program that was not noted in the
         questions above.
          N/A

Section 5: Risk Management
5.1      Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST
         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following
         attributes?
          No
                  Comments:      In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. However, as of the end
                                 of FY 2014, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 were not all fully implemented.
                                 Key elements still missing from OPM’s approach to managing risk at an agency-wide level include: conducting a risk assessment,
                                 maintaining a risk registry, and communicating the agency-wide risks down to the system owners. Also, of the 21 OPM systems due
                                 for Authorization in FY 2014, 11 were not completed on time and are currently operating without a valid Authorization. We believe
                                 that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in
                                 the internal control structure of the agency’s IT security program.
          5.1.1   Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this
                  process.
                  Yes
          5.1.2    Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide
                   risk management strategy as described in NIST SP 800-37, Rev.1.
                   Yes
          5.1.3    Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational
                   perspective, as described in NIST SP 800-37, Rev. 1.
                   Yes
          5.1.4    Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the
                   mission and business perspective, as described in NIST SP 800-37, Rev. 1.
                   Yes
          5.1.5    Has an up-to-date system inventory.
                   Yes
          5.1.6    Categorizes information systems in accordance with government policies.
                   Yes
          5.1.7    Selects an appropriately tailored set of baseline security controls.
                   Yes
          5.1.8    Implements the tailored set of baseline security controls and describes how the controls are employed within the information system
                   and its environment of operation.
                   Yes
          5.1.9    Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are
                   implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for
                   the system.
                   Yes
          5.1.10   Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals,
                   other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
                   Yes
          5.1.11   Ensures information security controls are monitored on an ongoing basis, including assessing control effectiveness, documenting
                   changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting
                   the security state of the system to designated organizational officials.
                   No
                             Comments:       Only 37 out of OPM’s 47 systems were subject to adequate security controls testing in FY 2014.
          5.1.12   Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are
                   communicated to appropriate levels of the organization.
                   Yes
          5.1.13   Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO).
                   Yes
          5.1.14   Prescribes the active involvement of information system owners and common control providers, chief information officers, senior
                   information security officers, authorizing officials, and other roles as applicable in the ongoing management of
                   information-system-related security risks.
                   Yes
          5.1.15   Security authorization package contains system security plan, security assessment report, and POA&M in accordance with
                   government policies. (NIST SP 800-18, SP 800-37).
                   No
                             Comments:       The Authorization packages reviewed as part of this FY 2014 audit generally maintained the same satisfactory level of quality
                                             that had been observed in recent years. However, of the 21 OPM systems due for Authorization in FY 2014, 11 were not
                                             completed on time and are currently operating without a valid Authorization. The drastic increase in the number of systems
                                             operating without a valid Authorization is alarming, and represents a systemic issue of inadequate planning by OPM program
                                             offices to authorize the information systems that they own. We believe that the volume and sensitivity of OPM systems that
                                             are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s
                                             IT security program.
          5.1.16   Security authorization package contains accreditation boundaries, defined in accordance with government policies, for organization
                   information systems.
                   No
                             Comments:       See comment in 5.1.15
5.2      Please provide any additional information on the effectiveness of the organization’s Risk Management Program that was not noted in the
         questions above.
          N/A

Section 6: Security Training
6.1      Has the organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST
         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following
         attributes?
          Yes
          6.1.1   Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1).
                  Yes
          6.1.2   Documented policies and procedures for specialized training for users with significant information security responsibilities.
                  Yes
          6.1.3   Security training content based on the organization and roles, as specified in organization policy or standards.
                  Yes
          6.1.4   Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other
                  organization users) with access privileges that require security awareness training.
                  Yes
          6.1.5   Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other
                  organization users) with significant information security responsibilities that require specialized training.
                  Yes
          6.1.6   Training material for security awareness training contains appropriate content for the organization (NIST SP 800-50,800-53).
                  Yes
6.2      Please provide any additional information on the effectiveness of the organization’s Security Training Program that was not noted in the
         questions above.
          N/A

Section 7: Plan Of Action & Milestones (POA&M)
7.1      Has the organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST
         guidelines and tracks and monitors known information security weaknesses? Besides the improvement opportunities that may have been
         identified by the OIG, does the program include the following attributes?
          Yes
          7.1.1   Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and that
                  require remediation.
                  Yes
          7.1.2   Tracks, prioritizes, and remediates weaknesses.
                  Yes
          7.1.3   Ensures remediation plans are effective for correcting weaknesses.
                  Yes
          7.1.4   Establishes and adheres to milestone remediation dates.
                  No
                           Comments:      Our review indicated that many system owners are not meeting the self-imposed remediation deadlines listed on the
                                          POA&Ms. Out of OPM’s 47 operational systems, 38 have POA&M items that are greater than 120 days overdue.
          7.1.5   Ensures resources and ownership are provided for correcting weaknesses.
                  Yes
          7.1.6   POA&Ms include security weaknesses discovered during assessments of security controls and that require remediation (do not need
                  to include security weaknesses due to a risk-based decision to not implement a security control) (OMB M-04-25).
                  No
                           Comments:      All known security weaknesses were appropriately incorporated into the system-specific POA&Ms for only 29 of OPM’s 47
                                          systems. This includes 14 of the 25 systems operated by OPM, and 15 of the 22 systems operated by a contractor.
          7.1.7   Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25).
                  Yes
          7.1.8   Program officials report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains,
                  and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5; OMB
                  M-04-25).
                  Yes
7.2      Please provide any additional information on the effectiveness of the organization’s POA&M Program that was not noted in the questions
         above.
          N/A

Section 8: Remote Access Management
8.1      Has the organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST
         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following
         attributes?
          Yes
          8.1.1   Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST 800-53: AC-1,
                  AC-17).
                  Yes
          8.1.2   Protects against unauthorized connections or subversion of authorized connections.
                  Yes
          8.1.3   Users are uniquely identified and authenticated for all access (NIST SP 800-46, Section 4.2, Section 5.1).
                  Yes
          8.1.4   Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1).
                  Yes
          8.1.5   If applicable, multi-factor authentication is required for remote access (NIST SP 800-46, Section 2.2, Section 3.3).
                  Yes
          8.1.6   Authentication mechanisms meet NIST SP 800-63 guidance on remote electronic authentication, including strength mechanisms.
                  Yes
          8.1.7    Defines and implements encryption requirements for information transmitted across public networks.
                   Yes
          8.1.8    Remote access sessions, in accordance with OMB M-07-16, are timed-out after 30 minutes of inactivity, after which re-authentication
                   is required.
                   No
                            Comments:      In previous years, we discovered that remote access sessions do not terminate or lock out after -------------- inactivity as
                                           required by FISMA. OPM has acknowledged the issue and stated that the weakness cannot be remediated until the VPN
                                           vendor releases a software update.
          8.1.9    Lost or stolen devices are disabled and appropriately reported (NIST SP 800-46, Section 4.3, US-CERT Incident Reporting
                   Guidelines).
                   Yes
          8.1.10   Remote access rules of behavior are adequate in accordance with government policies (NIST SP 800-53, PL-4).
                   Yes
          8.1.11   Remote access user agreements are adequate in accordance with government policies (NIST SP 800-46, Section 5.1, NIST SP 800-53,
                   PS-6).
                   Yes
8.2      Please provide any additional information on the effectiveness of the organization’s Remote Access Management that was not noted in the
         questions above.
          N/A
8.3      Does the organization have a policy to detect and remove unauthorized (rogue) connections?
          Yes

Section 9: Contingency Planning
9.1      Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA
         requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the
         OIG, does the program include the following attributes?
          No
                  Comments:      It has been several years since OPM has adequately tested the contingency plans of all of its major information systems within one
                                 fiscal year (see 9.1.4.). In addition, two of OPM's major general support systems were not subject to adequate disaster recovery
                                 testing in FY 2014. We believe that this indicates that OPM does not have a FISMA-compliant enterprise-wide business continuity /
                                 disaster recovery program.
          9.1.1   Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a
                  disruptive event or disaster (NIST SP 800-53: CP-1).
                  Yes
          9.1.2   The organization has incorporated the results of its system’s Business Impact Analysis (BIA) into the analysis and strategy
                  development efforts for the organization’s Continuity of Operations Plan (COOP), Business Continuity Plan (BCP), and Disaster
                  Recovery Plan (DRP) (NIST SP 800-34).
                  Yes
          9.1.3   Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures (NIST SP
                  800-34).
                  Yes
          9.1.4   Testing of system specific contingency plans.
                  No
                           Comments:       We received evidence that contingency plans were tested for only 39 of 47 systems in FY 2014.
          9.1.5   The documented BCP and DRP are in place and can be implemented when necessary (FCD1, NIST SP 800-34).
                  No
                           Comments:       We received updated contingency plans for 41 out of 47 information systems on OPM’s master system inventory.
          9.1.6   Development of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST SP 800-53).
                  Yes
          9.1.7    Testing or exercising of BCP and DRP to determine effectiveness and to maintain current plans.
                   No
                            Comments:      Many OPM systems reside on one of the agency’s general support systems. The OCIO typically conducts a full recovery
                                           test at the backup location of the Enterprise Server Infrastructure general support system (i.e., the mainframe and associated
                                           systems) on an annual basis. However, no full functional test was performed in FY 2014. In the FY 2011 FISMA audit
                                           report we recommended that the OCIO implement a centralized (agency-wide) approach to contingency plan testing. We
                                           were informed that a single synchronized functional test is not feasible due to logistical and resource limitations. However,
                                           the intent of the recommendation is to ensure that all elements of the general support systems are subject to a full functional
                                           disaster recovery test each year. This recommendation can be remediated if each general support system is subject to a full
                                           functional test each year, even if it must be broken into a series of smaller tests.
          9.1.8    After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
                   No
                            Comments:      As mentioned in 9.1.4, we received evidence that contingency plans were tested for only 39 of 47 systems in FY 2014.
          9.1.9    Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                   No
                            Comments:      As mentioned in 9.1.5, we only received evidence that 41 of 47 systems have documented contingency plans.
          9.1.10   Alternate processing sites are not subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                   Yes
          9.1.11   Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
                   Yes
          9.1.12   Contingency planning that considers supply chain threats.
                   Yes
9.2      Please provide any additional information on the effectiveness of the organization’s Contingency Planning Program that was not noted in the
         questions above.
          N/A

Section 10: Contractor Systems
10.1     Has the organization established a program to oversee systems operated on its behalf by contractors or other entities, including organization
         systems and services residing in the cloud external to the organization? Besides the improvement opportunities that may have been identified
         by the OIG, does the program include the following attributes?
          Yes
          10.1.1   Documented policies and procedures for information security oversight of systems operated on the organization’s behalf by
                   contractors or other entities, including organization systems and services residing in a public cloud.
                   Yes
          10.1.2   The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and
                   comply with Federal and organization guidelines (NIST SP 800-53: CA-2).(Base)
                   No
                            Comments:       We were provided evidence that the security controls were tested for only 19 out of OPM’s 22 contractor operated
                                            systems.
          10.1.3   A complete inventory of systems operated on the organization’s behalf by contractors or other entities, including organization systems
                   and services residing in a public cloud.
                   Yes
          10.1.4   The inventory identifies interfaces between these systems and organization-operated systems (NIST SP 800-53: PM-5).
                   Yes
          10.1.5   The organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces
                   between these systems and those that it owns and operates.
                   No
                            Comments:       The OCIO maintains a separate spreadsheet documenting interfaces between OPM and contractor-operated systems and
                                            the related Interconnection Security Agreements (ISA). However, many of the documented ISAs have expired.
          10.1.6   The inventory of contractor systems is updated at least annually.
                   Yes
          10.1.7   Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud,
                   are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
                   No
                            Comments:       Of the 21 OPM systems due for Authorization in FY 2014, 11 were not completed on time and are currently operating
                                            without a valid Authorization. Three of the 11 are contractor-operated systems.
10.2     Please provide any additional information on the effectiveness of the organization’s Contractor Systems Program that was not noted in the
         questions above.
          N/A

Section 11: Security Capital Planning
11.1     Has the organization established a security capital planning and investment program for information security? Besides the improvement
         opportunities that may have been identified by the OIG, does the program include the following attributes?
          Yes
          11.1.1   Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process.
                   Yes
          11.1.2   Includes information security requirements as part of the capital planning and investment process.
                   Yes
          11.1.3   Establishes a discrete line item for information security in organizational programming and documentation (NIST SP 800-53: SA-2).
                   Yes
          11.1.4   Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST SP 800-53: PM-3).
                   Yes
          11.1.5   Ensures that information security resources are available for expenditure as planned.
                   Yes
11.2     Please provide any additional information on the effectiveness of the organization’s Security Capital Planning Program that was not noted in
         the questions above.
          N/A

Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways:

By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:      Toll Free Number:          (877) 499-7295
               Washington Metro Area:     (202) 606-2423

By Mail:       Office of the Inspector General
               U.S. Office of Personnel Management
               1900 E Street, NW
               Room 6400
               Washington, DC 20415-1100