U.S. OFFICE OFF PERSSONNEEL MA ANAGEMENNT OFFIC O CE OF THET IN NSPEC CTOR GENE ERAL OFFFICE OF AU UDITSS Finaal Aud A ditt Reepo ortt Fedeeral Infformatiion Secu urity M Managem ment A Act Aud dit FY Y 2014 Repo ort Numb ber 4A-CII-00-14-0016 Novem mber 12, 22014 -- CAUTION -- This audit report ha as been distributeed to Federal officcials who are resp ponsible for the a dministration off the audited program. This audit report may contain proprietary data which is prrotected by Federral law (18 U.S.C C. 1905). Therefofore, while this au udit report is avaailable under thee Freedom of Infoormation Act and d made availablee to the public on the OIG webp page (http://www..opm.gov/our-insppector-general), caution needs to be exercised befoore releasing the report to the geneeral public as it may contain proprietary informatiion that was redaacted from the pu ublicly distributed d copy. e e EXECUTIVE SUMMARY Federal Information Security Management Act Audit - FY 2014 ' U.•·pu11 '"· ~ \ c I 1111 I~ lilt. ''"'·•nh,·r 1~. ~111-1 Why Did We Conduct the Audit? What Did We Find? Our overall objective was to evaluate We determined that the Office of the Chieflnformation Officer (O CTO) bas OPM' s security program and made some improvements to the U.S. Office of Personnel Management's (OPM) information technology (IT) security program. However, some practices, as required by the Federal problem areas that had improved in past years have res urfaced. The Information Security Management fo llowing points summarize major improvements or areas of weakness: Act (FISMA). Specifically, we • The material weakness related to information secur ity governance has reviewed the status ofOPM ' s been upgraded to a significant deficiency due to the planned information technology security reorganization ofthe OCIO. program in accordance with DHS 's • Eleven major O PM information systems are operatin g without a valid FISMA Inspector General reporting A uthorization. This represents a material weakness in the internal instructions. control structure ofOPM's IT security program. • OPM has not fully established a Risk Executive Function. • The OCIO bas implemented an agency-wide information system What Did We Audit? configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating The Office of the Inspector General platfo rms are not routinely scanned for compliance with configuration (OIG) has completed a performance baselines. audit ofOPM's general FISMA • OPM does not maintain a comprehensive inventory of servers, compliance efforts in the specific databases, and network devices. In addition, we are unable to areas defined in DHS's guidance and independently attest that O PM has a mature vulnerability scanning program. the corresponding reporting • OPM has established an Enterprise Network Security Operations Center. instructions. Our audit was However, a ll OPM systems are not adequately monitored. conducted from April through • Program offices are not adequately incorporating known weaknesses September 2014 at OPM headquarters into Plans ofAction and M ilestones (POA&M) and the majority of in Washington, D .C . systems contain POA&Ms that are over 120 days overdue. • OPM continues to implement its continuous monitoring plan. However, security controls for all O PM systems are not adequately tested in accordance with OPM policy. • Not all O PM systems have conducted contingency plan tests in FY 2014. • Several information security agreements between OPM and contractor operated information systems have exp ired. • Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-1 1-l l. Michael R. Esser A ssistllntlnspector Genua/ for A IUiits ABBREVIATIONS Authorization Security Assessment and Authorization CISO Chief Information Security Officer DHS Department of Homeland Security DSO Designated Security Officer ENSOC Enterprise Network Security Operations Center FIPS Federal Information Processing Standards FISMA Federal Information Security Management Act FY Fiscal year IOC Internal Oversight and Compliance ISA Interconnection Security Agreements ISSO Information System Security Officer IT Information Technology ITSP Information Technology Security and Privacy Group LAN Local area network MOU/A Memorandum of Understanding/Agreement NIST National Institute for Standards and Technology NMG Network Management Group OCIO Office of the Chief Information Officer OIG Office of the Inspector General OMB Office of Management and Budget OPM Office of Personnel Management POA&M Plan of Action and Milestones SDLC System Development Life Cycle SIEM Security information and event management SO System Owner SP Special Publication US-CERT United States Computer Emergency Readiness Team VPN Virtual private network ii TABLE OF CONTENTS Page EXECUTIVE SUMMARY ......................................................................................... i ABBREVIATIONS ..................................................................................................... ii I. BACK GROUND .......................................................................................................... 1 II. OBJECT IVES, SCOPE, AND METHODOLOGY ..................................................2 III. AUDIT FINDINGS AND RECO MMENDATIONS.................................................5 1. lnf01mation Security Govem ance ................................................................. .......... 5 2. Security Assessment and Authorization ..................................................................9 3. Risk Managernent .................................................................................................. 12 4. Configm·ation Management ................................................................................... 13 5. Incident Response an d Rep01iing .......................................................................... 17 6. Secm·ity Training ................................................................................................... 19 7. Plan of Act ion and Milestones ...............................................................................20 8. Remote Access Management ................................................................................23 9. Identity an d Access Man agement ..........................................................................24 10. Continuous Monitoring Management ............................... ..................................... 25 11. Contingency Planning...................................................................... ......................27 12. Contractor SystelllS ................................................................................................29 13. Security Capital Planning ...................................................................... ................ 31 IV. MAJOR C ONTRIBUTORS TO TillS REPORT ..................................................33 APPENDIX I: Status of Prior OIG Audit Recommendations APPENDIX II: The Office of the Chieflnf01mation Officer 's October 21 , 2014 response to the draft auditrepori, issued September 18,2014 . APPENDIX III: FY 2014 Inspector General FISMA reporting metrics REPORT FRAUD, WAST E, AND MI SMANAGEMENT I. BACKGROUND On December 17, 2002, the President signed into law the E-Govennnent Act (Public Law 107 347), which includes Title III, the Federal Infonnation Security Management Act (FISMA). FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency rep01iing to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB rep01i to Congress sunnnarizing the material received from agencies. In accordance with FISMA, we conducted an evaluation of OPM's security program and practices. As pali of our evaluation, we reviewed OPM's FISMA compliance strategy and documented the status of its compliance efforts . FISMA requirements petiain to all infonnation systems supp01i ing the operations and assets of an agency, including those systems cmTently in place or planned. The requirements also petiain to IT resources owned and/or operated by a contractor supp01iing agency systems. FISMA reemphasizes the Chief lnfonnation Officer's strategic, agency-wide security responsibility. At OPM, security responsibility is assigned to the agency' s Office of the Chief Inf01mation Officer (OCIO). FISMA also clearly places responsibility on each agency prog~·am offi ce to develop, implement, and maintain a security program that assesses risk and provides adequate security for the operations and assets of prog~·ams and systems lmder its control. To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the Deprui ment of Homeland Security (DHS) Office ofCybersecurity and Commlmications issued the Fiscal Yeru· (FY) 2014 Inspector General FISMA Rep01iing Instm ctions. This document provides a consistent fonn and format for agencies to report FISMA audit results to DHS. It identifies a series of rep01iing topics that relate to specific agency responsibilities outlined in FISMA. Our audit and rep01iing strategies were designed in accordance with the above DHS guidance. 1 Rep01i No. 4A-CI-00-14-016 II. OBJECTIVES, SCOPE, AND METHODOLOGY Objective Our overall objective was to evaluate OPM's security program and practices, as required by FISMA. Specifically, we reviewed the status ofthe following areas ofOPM's inf01mation technology (IT) security program in accordance with DRS ' s FISMA IG rep01ting requirements: • Security Assessment and Authorization; • Risk Management; • Configuration Management; • Incident Response and Rep01ting Program; • Security Training Program; • Plans of Action and Milestones (POA&M) Program; • Remote Access Program; • Identity and Access Management; • Continuous Monitoring Program; • Contingency Planning Program; • Agency Program to Oversee Contractor Systems; and, • Agency Security Capital Planning Program. In addition, we evaluated the status of OPM ' s IT security govemance stm cture, an area that has represented a material weakness in OPM ' s IT security program in prior FISMA audits. We also audited the security controls of five maj or applications/systems at OPM (see Scope and Methodology for details of these audits), and followed-up on outstanding recommendations from prior FISMA audits (see Appendix I). Scope and Methodology We conducted this perfonnance audit in accordance with generally accepted govemment auditing standards. Those standards require that we plan and perf01m the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit covered OPM's FISMA compliance eff01ts throughout FY 2014. We reviewed OPM's general FISMA compliance eff01ts in the specific areas defmed in DRS's guidance and the conesponding rep01t ing instructions. We also perf01med infonnation security 2 Rep01t No. 4A-CI-00-14-016 audits on the following major information systems: Investigations, Tracking, Assigning and Expediting System (Report No. 4A-IS-00-14-017, issued April 3, 2014); Services Online System (Report No. 4A-RI-00-14-018, issued April 3, 2014); Development Test Production General Support System (Report No. 4A-CI-00-14-015, issued June 6, 2014); BENEFEDS and Federal Long Term Care Insurance Program Information Systems (Report No. 4A-RI-00-14-036, issued August 19, 2014); and, Dashboard Management Reporting System (Report No. 4A-IS-00-14-064, final audit report not yet issued). We considered the internal control structure for various OPM systems in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. Accordingly, we obtained an understanding of the internal controls for these various systems through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of these systems’ internal controls was used to evaluate the degree to which the appropriate internal controls were designed and implemented. As appropriate, we conducted compliance tests using judgmental sampling to determine the extent to which established controls and procedures are functioning as required. In conducting our audit, we relied to varying degrees on computer-generated data provided by OPM. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, we believe that the data was sufficient to achieve the audit objectives, and nothing came to our attention during our audit testing to cause us to doubt its reliability. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the set of internal controls for these various systems taken as a whole. The criteria used in conducting this audit include: DHS Office of Cybersecurity and Communications FY 2014 Inspector General Federal Information Security Management Act Reporting Instructions; OPM Information Technology Security and Privacy Policy Handbook; OPM Information Technology Security FISMA Procedures; OPM Security Assessment and Authorization Guide; OPM Plan of Action and Milestone Standard Operating Procedures; 3 Report No. 4A-CI-00-14-016 OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources; OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; OMB Memorandum M-11-11: Continued Implementation of Homeland Security Presidential Directive 12; E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002; National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security; NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems; NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments; NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems; NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-39, Managing Information Security Risk – Organization, Mission, and Information System View; NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems; NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; NIST SP 800-60 Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories; Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and, Other criteria as appropriate. The audit was performed by the OIG at OPM, as established by the Inspector General Act of 1978, as amended. Our audit was conducted from April through September 2014 in OPM’s Washington, D.C. office. Compliance with Laws and Regulations In conducting the audit, we performed tests to determine whether OPM’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, OPM’s OCIO and other program offices were not in complete compliance with all standards, as described in section III of this report. 4 Report No. 4A-CI-00-14-016 III. AUDIT FINDINGS AND RECOMMENDATIONS The sections below detail the results of our FY 2014 FISMA audit ofOPM 's IT Security Program. Many recommendations were issued in prior FISMA audits and are rolled f01ward from the 2013 FISMA audit (Rep01i No. 4A-CI-00-13-021 , issued November 21 , 2013). 1. Information Security Governance lnf01mation security govemance is the overall framework and supp01iing management stmctu.re and processes that are the fmmdation of a successful infonnation security program. For many years, we have rep01ied increasing concems about the state ofOPM ' s inf01mation security govemance. In the FY 2007 FISMA report, we issued a material weakness related to the lack of IT policies and procedures. In FY 2009, we expanded the material weakness to include the lack of a centralized security management structure necessruy to implement and enforce IT policies. In FY 2013, we also had serious concems about OPM's ability to govem major system development projects. In FY 2014, significant changes have been approved related to inf01mation security govemance. Additional resources were allocated to implement a centr·alized lnf01mation System Security Officer (ISSO) security management structure, and steps were also taken to implement a centr·alized system development lifecycle (SDLC) methodology. As a result we ru·e upgrading the material weakness to a significant deficiency for FY 2014. The following sections provide additional details from the OIG's review ofiT security govemance at OPM. a) Information security management structure Inf01mation system security at OPM has historically been managed by Designated Security Officers (DSO) that report to the vru·ious program offices that own m aj or computer systems. Many of these DSOs ru·e not ce1iified IT security professionals, and ru·e perf01ming DSO duties in addition to the responsibilities of their full-time positions. In FY 2011 , the OCIO issued updated IT security and privacy policies, but inf01mation security was still managed by DSOs that were generally not qualified to implement the new policies. In FY 2012, the OPM Director issued a memo mandating the tr·ansfer ofiT security duties from the decentr·alized program office DSOs to a centr·alized team of ISSOs that report to the OCIO. This change was a major Inilestone in addressing the inf01mation security govemance material weakness. Through FY 2014, the centr·alized ISSO str11ctu.re was 5 Report No. 4A-CF-00-12-066 pruiially implemented, with 4 ISSOs assigned secm ity Material weakness responsibility for 17 of th e agency's inf01mation systems. related to security governance upgraded The existing ISSOs ar e effectively perfon ning secm ity work for to significant the limited number of systems they manage, but there ru·e still deficiency. many OPM systems that have not been assigned an ISSO. In FY 2014, OPM 's Director approved a plan to restm ctme the OCIO that includes funding for 10 additional ISSO positions, bringing the total to 14. After th ese positions have been filled, the ISSO 's secm ity responsibility will cover 100 percent of OPM inf01mation systems. The fmdings in this audit rep01i (as highlighted in the chart below) indicate that OPM's decentralized govem an ce stm cture continues to result in many instances of non-compliance with FISMA requirements . We believe that these issues could be improved with the full implem entation of a centralized secm ity govem ance stru cture. Compliance with FISMA Requirements • Percent of Syst ems Compliant 100 90 80 70 60 so 40 30 20 10 Systems with Valid POA&M Remed iation Security Controls Cont ingency Planning Contingency Plan Authorizations Time liness Assessments Test ing 6 Rep01i No. 4A-CI-00-14-016 While limited tangible improvements have been made to the security management structure in FY 2014, the ISSO positions that have been planned, approved and funded represent significant improvements over prior years. Therefore, we are upgrading the material weakness to a significant deficiency for FY 2014 due to the imminently planned improvements. However, we will reinstate the material weakness in FY 2015, if the OCIO fails to adequately implement the approved changes. The audit recommendation related to information security governance will remain open until the planned improvements have been fully implemented. Recommendation 1 (Rolled-Forward from 2010) We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the Chief Information Security Officer (CISO). Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist of experienced information security professionals. OCIO Response: “A CIO memo directing the centralization of the security responsibilities of Designated Security Officers (DSO) into the Chief Information Security Officer (CISO) organization was issued by the OPM Director on August, 2012 with an effective date of October 1, 2012. The CIO has already hired the first complement of staff with professional IT security experience and certifications, consisting of seven Information Systems Security Officers (ISSO) with an additional four going through the OPM hiring process. The initial set of systems has been transitioned to ISSOs for security management, and we expect to have all OPM systems under ISSO security management in FY15.” OIG Reply: We acknowledge the progress that the OCIO has made in implementing a centralized IT security structure, and will continue to monitor its effectiveness in FY 2015. b) Systems development lifecycle methodology OPM has a history of troubled system development projects. In our opinion, the root causes of these issues have been related to the lack of centralized oversight of systems development. Many system development projects at OPM have been initiated and managed by program offices with limited oversight or interaction with the OCIO. These program office managers do not always have the appropriate background in project management or information technology systems development. 7 Report No. 4A-CI-00-14-016 At the end of FY 2013, the OCIO published a new SDLC policy, which was a significant first step in implementing a centralized SDLC methodology at OPM. The new SDLC policy incorporated several prior OIG recommendations related to a centralized review process of system development projects. However, policy alone will not improve the historically weak SDLC management capabilities of OPM. We also recommended that the OCIO develop a team with the proper project management and system development expertise to oversee new system development projects. Through this avenue, the OCIO should review SDLC projects at predefined checkpoints, and provide strict guidance to ensure that program office management is following OPM’s SDLC policy and is employing proper project management techniques to ensure a successful outcome for all new system development projects. To date, the SDLC is still only applicable to major investment projects, and is not actively enforced for all IT projects in the agency. The OCIO acknowledges the need to enforce the SDLC policy to 100 percent of OPM’s IT portfolio, and is currently implementing a reorganization to address this issue by assigning OCIO IT project managers to each of the agency’s program offices. However, the staff necessary to properly enforce and oversee the SDLC process for all OPM systems is not in place at this time. In the interim, the OCIO continues to provide training to existing project managers through a Project Management Community of Practice designed to provide guidance on best practices in systems development. Recommendation 2 (Rolled Forward from FY 2013) We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM’s system development projects. OCIO Response: “The OPM SDLC is being applied to OPM’s major investment projects. In FY15, a plan with timelines will be developed to enforce the SDLC policy for all applicable system development projects.” OIG Reply: We acknowledge the steps that the OCIO is taking to expand the enforcement of the SDLC policy and reiterate that we believe the policy should be enforced to all OPM IT projects. As part of the audit resolution process, we recommend that the OCIO provide OPM's Internal Oversight and Compliance Office (IOC) with evidence that it has implemented the audit 8 Report No. 4A-CI-00-14-016 recommendation . This statement applies to all subsequent recommendations in this rep01i where the OCIO agrees with the recoilllllendation and intends to implem ent a solution . 2. Security Assessment and Authorization System ce1iification is a comprehensive assessment that attests that a system 's secm ity controls are meeting the security requir ements of that system, an d accreditation is the official management decision to auth orize operation of an inf01m ation system an d accept its risks. OPM's process of ce1iifying a system 's security controls is refen ed to as Secm ity Assessment and Auth orization (Authorization .) Our FY 2010 FISMA audit rep01i stated that weaknesses in OPM's Authorization process represented a material weakness in the agency's IT security program. These weaknesses related to incomplete, inconsistent, and poor quality Authorization packages. In FY 2011 , the OCIO published updated policies, procedures, and templates designed to improve the overall Authorization process. The OCIO also dedicated resources to oversee OPM prog~·am office activity related to system Auth orizations. These new controls resulted in a significant improvement in the agency's Authorization packages. The material weakness was lowered to a significant deficiency in FY 2011, and after continued improvem ent, completely removed as an audit concem in the FY 2012 FISMA rep01i. OPM systems operating The Authorization packages reviewed as pa1i of this FY 2014 audit without an active generally maintained th e same satisfact01y level of quality that had Authorization represent been observed in recent years. However, of th e 21 OPM systems a material weakness in due for Auth orization in FY 2014, 11 were not completed on time the internal control and are cmTently operating without a valid Authorization (re structure of the agency's Authorization is required eve1y three years for major inf01m ation IT security program. systems). The drastic increase in the number of systems operating without a valid Authorization is alanning, an d represents a systelnic issue of inadequate planning by OPM prog~·am offices to authorize the inf01m ation systems th at th ey own . The OCIO's Infon nation Technology Security an d Privacy Group (ITSP) continuously provides OPM prog~·am offices with adequate guidance and support to facilitate a timely Authorization process. However, many prog~·am offices do not initiate the Authorization process early enough to meet its deadlines, do not adequately budget for the contractor supp01i that is needed to complete the process, and/or do not adhere to OPM policies an d templates related to the a1iifacts required for Authorization . Each of these issues contributes to delays in finalizing system Authorizations. 9 Rep01i No. 4A-CI-00-14-016 We believe that one of the core causes of these frequent delays is the fact that there are currently no consequences for OPM systems that do not have a valid Authorization to operate. OMB Circular A-130, Appendix III mandates that all Federal information systems have a valid Authorization. We believe that the most effective way to reduce delays is to introduce administrative sanctions for non-compliance with FISMA requirements. We recommend that the performance standards of all OPM major system owners be modified to include a requirement related to FISMA compliance for the systems they own. Furthermore, according to OMB, information systems should not be operating in a production environment without an Authorization. We therefore also recommend that OPM consider shutting down systems that do not have a current and valid Authorization. We acknowledge that OMB now allows agencies to make ongoing Authorization decisions for information systems based on the continuous monitoring of security controls – rather than enforcing a static, three-year re-Authorization process. However, as discussed in section 10, below, OPM has not yet developed a mature continuous monitoring program. Until such a program is in place, we continue to expect OPM to re-authorize all of its information systems every three years. The following program offices own one or more systems currently operating without a valid Authorization: Office of the Chief Information Officer (five systems); Federal Investigative Services (two systems); Human Resources Solutions (two systems); Office of the Inspector General (one system); and, Office of the Chief Financial Officer (one system). Not only is a large volume (11 out of 47 systems; 23 percent) of OPM’s systems operating without a valid Authorization, but several of these systems are amongst the most critical and sensitive applications owned by the agency. Two of the OCIO systems without an Authorization are general support systems that host a variety of other major applications. Over 65 percent of all systems operated by OPM (not including contractor operated systems) reside on one of these two support systems, and are therefore subject to any security risks that exist on the support systems. Furthermore, two additional systems without Authorizations are owned by OPM’s Federal Investigative Services, which is responsible for facilitating background investigations for suitability and security clearance determinations. Any weaknesses in the information systems supporting this program office could potentially have national security implications. 10 Report No. 4A-CI-00-14-016 Maintaining active Authorizations for all information systems is a critical element of a Federal information security program, and failure to thoroughly assess and address a system’s security weaknesses increases the risk of a security breach. We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program. Recommendation 3 We recommend that all active systems in OPM’s inventory have a complete and current Authorization. OCIO Response: “As part of the FY15 CIO reorganization, IT Program Managers will work with ISSOs to plan for Security Authorization of systems before existing ATOs expire. However, ATO extensions may be required in a limited number of situations such as the rebuilding of OPM’s network where we would need to maintain the existing system and initiate Authorization work after the new design is completed and the rebuilding is underway. We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.” OIG Reply: The Authorization process is intended to be a comprehensive assessment of the security controls of a major information system, and is a critical step toward preventing security breaches and data loss. Considering the well-publicized data breaches that occurred at OPM in FY 2014, we believe that this is an extremely critical and time sensitive issue. We continue to classify weaknesses in the Authorization process as a material weakness to ensure that the necessary attention and resources are dedicated to this issue. Recommendation 4 We recommend that the performance standards of all OPM system owners be modified to include a requirement related to FISMA compliance for the information systems they own. At a minimum, system owners should be required to ensure that their systems have valid Authorizations. OCIO Response: This recommendation was added after the draft report was issued; the OCIO has not yet had the opportunity to respond. Recommendation 5 We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization. 11 Report No. 4A-CI-00-14-016 OCIO Response: “The IT Program Managers will work with ISSOs to ensure that OPM systems maintain current ATOs and that there are no interruptions to OPM’s mission and operations.” 3. Risk Management NIST SP 800-37 Revision 1 “Guide for Applying the Risk Management Framework to Federal Information Systems” (Guide) provides Federal agencies with a framework for implementing an agency-wide risk management methodology. The Guide suggests that risk be assessed in relation to the agency’s goals and mission from a three-tiered approach: Tier 1: Organization (Governance); Tier 2: Mission/Business Process (Information and Information Flows); and, Tier 3: Information System (Environment of Operation). NIST SP 800-39 “Managing Information Security Risk – Organization, Mission, and Information System View” provides additional details of this three-tiered approach. a) Agency-wide risk management NIST SP 800-39 states that agencies should establish and implement “Governance structures [that] provide oversight for the risk management activities conducted by organizations and include: (i) the establishment and implementation of a risk executive (function); (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and, (iii) the development and execution of organization-wide investment strategies for information resources and information security.” In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. However, as of the end of FY 2014, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 were not all fully implemented. Key elements still missing from OPM’s approach to managing risk at an agency-wide level include: conducting a risk assessment, maintaining a risk registry, and communicating the agency-wide risks down to the system owners. Recommendation 6 (Rolled Forward from 2011) We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function). 12 Report No. 4A-CI-00-14-016 OCIO Response: “In FY14, a number of steps were taken to establish and implement the Risk Executive Function per NIST Special Publication 800-39. A proposed Risk Executive Charter and Risk Registry Template were developed and discussed with the Chief Operating Officer who has agreed to serve as the OPM Risk Executive. Additional discussions will be held with the Chief Operating Officer on implementation plans and strategies.” b) System specific risk management and annual security controls testing NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that contains six primary steps, including “(i) the categorization of information and information systems; (ii) the selection of security controls; (iii) the implementation of security controls; (iv) the assessment of security control effectiveness; (v) the authorization of the information system; and (vi) the ongoing monitoring of security controls and the security state of the information system.” The OCIO has implemented the six-step RMF into its system-specific risk management activities through the Authorization process. In addition, OPM policy requires each major information system to be subject to routine security controls testing though a continuous monitoring program (see Continuous Monitoring section 10). 4. Configuration Management The sections below detail the controls that the OCIO has in place to manage the technical configuration of OPM servers, databases, and workstations. a) Agency-wide security configuration policy OPM’s Information Security and Privacy Policy Handbook contains policies and procedures related to agency-wide configuration management. The handbook requires the establishment of secure baseline configurations and the monitoring and documenting of all configuration changes. b) Configuration baselines In FY 2014, OPM has continued its efforts toward formalizing baseline configurations for critical applications, servers, and workstations. At the end of the fiscal year, the OCIO had established baselines and/or build sheets for the following operating systems: ; and, 13 Report No. 4A-CI-00-14-016 However, several additional operating platforms in OPM’s network environment do not have baseline configurations documented including, but not limited to, , and NIST SP 800-53 Revision 4, control CM-2, requires agencies to develop, document, and maintain a current baseline configuration of the information system. A baseline should serve as a formally approved standard outlining how to securely configure various operating platforms. Without an approved baseline, there is no standard against which actual configuration settings can be measured, increasing the risk that insecure systems exist in the operating environment. Recommendation 7 We recommend that the OCIO develop and implement a baseline configuration for all operating platforms in use by OPM including, but not limited to, and OCIO Response: “We are working to standardize operating systems and applications throughout the OPM environment. Over the past year, we have established approved baselines for all operating systems, as well as . We will continue to improve our processes and develop and implement configuration baselines for all operating platforms in use by OPM.” c) United States Government Computer Baseline Configuration OPM user workstations are built with a standard image that is compliant with the United States Government Baseline Configuration. Any deviations deemed necessary by the agency from the configurations are documented within each operating platform’s baseline configuration. We conducted an automated scan of the standard image to independently verify compliance with OPM’s baseline. Nothing came to our attention to indicate that there are weaknesses in OPM’s methodology to securely configure user workstations. d) Compliance with baselines The OCIO uses automated scanning tools to conduct routine compliance audits on the majority of operating platforms used in OPM’s server environment. These tools compare the actual configuration of servers and workstations to the approved baseline configuration. However, as mentioned above, there are several operating platforms used by OPM that do not have documented and approved baselines. Without approved baseline configurations these systems cannot be subject to an adequate compliance audit. 14 Report No. 4A-CI-00-14-016 NIST SP 800-53 Revision 4, control CM-3, requires agencies to audit activities associated with information system configurations. Recommendation 8 We recommend the OCIO conduct routine compliance scans against established baseline configurations for all servers and databases in use by OPM. This recommendation cannot be addressed until Recommendation 6 has been completed. OCIO Response: “We expand our routine compliance scans as we implement additional configuration baselines for additional operating platforms.” e) Software and hardware change management The OCIO has developed a Configuration Change Control Policy that outlines a formal process to approve and document all computer software and hardware changes. The OCIO utilizes a software application to manage, track, and document change requests. OPM also has a software product that has the capability to detect, approve, and revert all changes made to information systems. However, this capability has not been fully implemented, and OPM cannot ensure that all changes made to information systems have been properly documented and approved. OPM’s Information Security and Privacy Policy Handbook states that “SOs shall ensure the information system employs automated mechanisms to. . . Inhibit change until designated approvals are received.” Recommendation 9 We recommend the OCIO implement technical controls that prevent configuration changes without proper documentation and approvals. OCIO Response: “Configuration changes require approval by the Change Control Board which meets on a regular basis. However, there are emergency situations where changes might be made outside of the CCB cycle. We will ensure required documentation and approvals are in place for all configuration changes.” OIG Reply: While emergency changes may be required outside of the CCB cycle, we still recommend that automated mechanisms be implemented to prevent changes to information systems 15 Report No. 4A-CI-00-14-016 with out proper approval. Emergency changes should still require approval even if the documentation occurs after the change has been implemented . f) Vulnerability scanning We were told in an interview that OPM's Network Management The OIG is unable Group (NMG) perfon ns monthly vulnerability scans using to independently automated scanning tools. However, we have been unable to obtain verify that OPM has tangible evidence that vulnerability scans have been routinely a mature conducted for all OPM servers in FY 2014. As a result, we ar e vulnerability unable to independently attest that OPM has a mature vulnerability scanning program. scanning program, an d must indicate as such on th e FISMA metrics provided to OMB . NMG has documented accepted weaknesses for OPM user workstations; however, it has not fully documented weaknesses for servers or databases (i.e., vulnerability scan findings that ar e j ustified by a business need) . This recommendation remains open fro m FY 2011 and is rolled f01ward in FY 2014 . We also determined through interviews an d our independent vulnerability scanning process that OPM does not maintain an accurate centralized invent01y containing all servers an d databases that reside within the network. NIST SP 800-53 Revision 4, control PM-5, requires agencies to develop an d mainta in an invent01y of its inf01mation systems. Recommendation 10 We recommend that the OCIO develop an d mainta in a comprehensive invent01y of all servers, databases, and network devices that reside on the OPM network. OC/0 Response: "Our Asset Management System serves as a repository for servers, databases and network devices. We will continue to work to identify and document all assets residing on the OPM network. " Recommendation 11 We recommend that the OCIO implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the invent01y. 16 Rep01i No. 4A-CI-00-14-016 OCIO Response: “We will continue to improve our scanning capabilities to ensure that vulnerability scanning is conducted on all network devices documented in our inventory.” Recommendation 12 We recommend that the OCIO implement a process to centrally track the current status of security weaknesses identified during vulnerability scans to remediation or risk acceptance. OCIO Response: “We concur with this recommendation and will implement the recommendation in FY15.” Recommendation 13 (Rolled Forward from 2011) We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans. OCIO Response: “We concur with this recommendation and will implement the recommendation in FY15.” g) Patch management The OCIO has implemented a process to apply operating system patches on all devices within OPM’s network on a weekly basis. The OCIO also utilizes a third party patching software management program to manage and maintain all non-operating system software. However, through our independent vulnerability scans on a sample of servers we determined that numerous servers are not timely patched. Recommendation 14 We recommend the OCIO implement a process to apply operating system and third party vendor patches in a timely manner, which is defined within the OPM Information Security and Privacy Policy Handbook. OCIO Response: The OCIO did not respond to this recommendation. 5. Incident Response and Reporting OPM’s Incident Response and Reporting Guide outlines the responsibilities of OPM’s Situation Room and documents procedures for reporting all IT security events to the appropriate entities. We evaluated the degree to which OPM is following its internal procedures and FISMA requirements for reporting security incidents internally, to the United States Computer Emergency Readiness Team (US-CERT), and to appropriate law enforcement authorities. 17 Report No. 4A-CI-00-14-016 a) Identifying and reporting incidents internally OPM’s Incident Response and Reporting Guide requires any user of the agency’s IT resources to immediately notify OPM’s Situation Room when IT security incidents occur. OPM reiterates the information provided in the Incident Response and Reporting Guide in an annual mandatory IT security and privacy awareness training course. In addition, OPM also uses several different software tools to prevent and detect intrusions and malware in the agency’s network. b) Reporting incidents to US-CERT and law enforcement OPM’s Incident Response and Reporting policy states that OPM's Situation Room is responsible for sending incident reports to US-CERT on security incidents. OPM notifies US-CERT within one hour of a reportable security incident occurrence. The Incident Response and Reporting policy also states that security incidents should be reported to law enforcement authorities, where appropriate. The OIG’s Office of Investigations is part of the incident response notification distribution list, and is notified when security incidents occur. c) Correlating and monitoring security incidents OPM owns a security information and event management (SIEM) tool with the technical ability to automatically detect, analyze, and correlate potential security incidents over time. However, the correlation features of this tool are not fully utilized at this time. This tool only receives event data from approximately 80 percent of major OPM information systems. In FY 2014, the OCIO established an Enterprise Network Security Operations Center (ENSOC) that provides continuous centralized support for OPM’s security incident prevention/management program. However, the ENSOC cannot adequately fulfill its purpose if it does not receive data from all OPM systems. NIST SP 800-53 Revision 4, control IR-4, states that an organization must implement “an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.” The organization should also employ “automated mechanisms to support the incident handling process.” Recommendation 15 We recommend that the OCIO expand the capabilities of the ENSOC to ensure that security incidents from all OPM-operated information systems are centrally analyzed and correlated. 18 Report No. 4A-CI-00-14-016 OC/0 Response: "A centralized monitoring center was put in place with first level alerting and monitoring for the servers and network appliances within the major OPM sites. We are expanding our monitoring capabilities to cover OPM operated information systems wherever feasible." d) Responding to incidents As mentioned above, OPM owns a tool with the ability to automatically detect and rep01i potential secmity incidents by analyzing data from various som ces. After analyzing the data, the tool ale1is secmity analysts to potential secmity incidents. However, the tool needs to be configmed to collect relevant and meaningful data so the potential secmity ale1is contain fewer false-positives. The OPM systems cmTently providing data to the SIEM are over-rep01iing log and event data, which results in an excessive am mmt of data for secmity analysts to review. The number of ale1is that secmity analysts must review and identify as false-positive creates a backlog that could cause a delay in identifying and responding to actual incidents. This issue is compounded by the fact that the SIEM is not receiving any data from approximately 20 percent of OPM systems. Recommendation 16 We recommend that OCIO configm e its secmity inf01mation and event management tool to collect and rep01i meaningful data, while reducing the volume of non-sensitive log and event data. OC/0 Response: "The security event management system collects important data that we use to access threats to the OPM environment. We will continue to refine our configuration settings to improve the quality ofthe data being reviewed." 6. Security Training FISMA requires all govemment employees and contractors to take IT secmity awareness training on an annual bas is. In addition, employees with IT secmity responsibility are required to take additional specialized training . a) IT security awareness training OPM maintains an The OCIO provides annual IT secmity and privacy awareness adequate IT security training to all OPM employees through an interactive web-based training program. com se. The com se introduces employees and contractors to the 19 Rep01i No. 4A-CI-00-14-01 6 basic concepts of IT security and privacy, including topics such as the importance of information security, security threats and vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software, and the roles and responsibilities of users. Over 99 percent of OPM’s employees and contractors completed the security awareness training course in FY 2014. b) Specialized IT security training OPM employees with significant information security responsibilities are required to take specialized security training in addition to the annual awareness training. The OCIO has developed a table outlining the security training requirements for specific job roles. The OCIO uses a spreadsheet to track the security training taken by employees that have been identified as having security responsibility. Of employees with significant security responsibilities, 95 percent have completed specialized IT training in FY 2014. 7. Plan of Action and Milestones A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. The sections below detail OPM’s effectiveness in using POA&Ms to track the agency’s security weaknesses. a) POA&Ms incorporate all known IT security weaknesses In November 2013, the OIG issued the FY 2013 FISMA audit report with 16 audit recommendations. We verified that all 16 recommendations were appropriately incorporated into the OCIO’s master POA&M. However, all known security weaknesses were appropriately incorporated to the system- specific POA&Ms for only 29 of OPM’s 47 systems. This includes 14 of the 25 systems operated by OPM, and 15 of the 22 systems operated by a contractor. Failure to incorporate all known IT security weaknesses into the associated POA&M limits the agency’s ability to effectively identify, assess, prioritize, and monitor the progress of the corrective efforts to remediate identified weaknesses. The following program offices failed to submit adequate documentation for one or more systems that they own: Human Resources Solutions (four systems); Federal Investigative Services (three systems); Office of the Inspector General (three systems); Healthcare and Insurance (three systems); 20 Report No. 4A-CI-00-14-016 Office of the Chief Information Officer (two systems); Office of the Chief Financial Officer (one system); Retirement Services (one system); and, Employee Services (one system). Recommendation 17 We recommend that the OCIO and program offices that own information systems ensure that all known security weaknesses are incorporated into the appropriate POA&M. OCIO Response: “A centralized automated POA&M management system is in place and staffed by a dedicated resource to ensure that all findings, recommendations and POA&Ms are managed to resolution and we believe that this process is working as intended. Additional information was submitted to substantiate elimination of this recommendation.” OIG Reply: While evidence was provided in response to the draft audit report to indicate that all findings from the FY 2013 FISMA audit report were included in a POA&M, the program offices listed above have not adequately incorporated all known IT security weaknesses into the associated POA&M. We continue to recommend that the OCIO and program offices that own information systems ensure that all known security weaknesses are incorporated into the appropriate POA&M. b) Prioritize weaknesses OPM’s POA&M Guide requires each program office to prioritize the security weaknesses on their POA&Ms to help ensure significant IT issues are addressed in a timely manner. We verified the POA&Ms that were provided did identify and prioritize each security weakness. c) Effective remediation plans and adherence to remediation deadlines All system owners are required to create action steps (milestones) to effectively remediate specific weaknesses identified on POA&Ms. Our review of the POA&Ms indicated that system owners are appropriately listing milestones and target completion dates on their POA&Ms. However, our review also indicated that many system owners are not meeting the self- imposed remediation deadlines listed on the POA&Ms. Out of OPM’s 47 operational systems, 38 have POA&M items that are greater than 120 days overdue. We issued an audit recommendation in FY 2012 related to overdue POA&M items, and because overdue POA&Ms continue to be an issue, we will roll forward this recommendation into FY 2014. 21 Report No. 4A-CI-00-14-016 Recommendation 18 (Rolled forward from FY 2012) We recommend that the OCIO and system owners develop formal corrective action plans to remediate all POA&M weaknesses that are over 120 days overdue. OCIO Response: “The CIO dedicated resources to this task and has successfully closed most POA&Ms that are over 120 days overdue and will continue to develop formal Action Plans for those remaining weaknesses. Most POA&Ms that are over 120 days overdue have dependencies that need to be coordinated with external entities that often are not ready to implement the required changes.” OIG Reply: Evidence was provided in response to the draft audit report to indicate that corrective action plans have been created for 25 of the 38 systems with POA&M items over 120 overdue. As part of the audit resolution process, the OCIO should provide IOC with evidence that the program offices for the remaining 13 systems have created corrective action plans. d) Identifying resources to remediate weaknesses POA&Ms for 9 of the 47 OPM systems did not identify the resources needed to address POA&M weaknesses in FY 2014, as required by OPM’s POA&M policy. We made this recommendation in the FY 2013 FISMA audit report, and closed it in early FY 2014 based on evidence provided by the OCIO which indicated that POA&Ms had been updated. However, the fieldwork for this audit indicates that this situation continues to be a problem. Recommendation 19 We recommend that all POA&Ms list the specific resources required to address each security weakness identified. OCIO Response: “This recommendation has been implemented for most open POA&Ms. We will continue to ensure that the ‘resources required’ for POA&Ms are identified and documented.” OIG Reply: Evidence was provided in response to the draft audit report to indicate that required resources have been identified and documented for outstanding POA&M items; no further action is required. e) OCIO tracking and reviewing POA&M activities The OCIO requires program offices to provide the evidence, or “proof of closure,” that security weaknesses have been resolved before officially closing the related POA&M. When 22 Report No. 4A-CI-00-14-016 th e OCIO receives a proof of closure document from the program offices for a POA&M item, an OCIO employee will review th e documentation to deten nine whether or not the evidence provided was appropriate. We selected one closed POA&M item from 10 OPM systems an d OPM appears to reviewed the proof of closure documentation provided by the maintain adequate program offices. The 10 systems were judgmentally selected from proof-of-closure th e 47 OPM systems. We detennined that adequate proof of closure documenta tion when was provided for all 10 systems tested. The results of the sample test closing POA&M were not projected to the entire population. weaknesses. 8. Remote Access Management ----------------- OPM has implemented policies and procedures related to authorizing, monitoring, and controlling all methods of accessing the agency's network resources fr om a remote location . In addition, OPM has issued agency-wide telecommuting policies and procedures, and all employees ar e required to sign a Rules of Behavior document that outlines their responsibility for th e protection of sensitive inf01mation when working remotely. OPM utilizes a Virtual Private Network (VPN) client to facilitate secure remote access to the agency's network environment. The OPM VPN requires the use of an individual's PIV card an d password authentication to lmiquely identify users. OIG has reviewed the VPN access list to ensure that there ar e no shared accounts an d that each user account has been tied to an individual. The agency maintains logs of individuals who remotely access the network, and th e logs are reviewed on a monthly basis for unusual activity or u·ends. Although there ar e still a small number of authorized network devices that are not compliant with PIV cards (e.g., iPads), these devices still require multi-factor authentication for remote access through the use of RSA tokens an d password authentication. In previous years, we discovered that remote access sessions do not te1minate or lock out after I - inactivity as required by FISMA. OPM has acknowledged the issue and stated that th e weakness cannot be remediated until the VPN vendor releases a software update. Recommendation 20 (Rolled -Forward from 2012) We recommend the OCIO configure the VPN servers to te1minate VPN sessions after of inactivity. 23 Rep01i No. 4A-CI-00-14-016 OC/0 Response: "All technological controls are in place. We believe there is a flaw in the vendor's product that will require a patch update that the vendor so far is unwilling to provide. We will explore an alternative product solution. " 9. Identity and Access Management The following sections detail OPM's account and identity management program. a) Policies for account and identity management OPM maintains policies and procedures for agency-wide account and identity management within the OCIO Infonnation Security and Privacy Policy Handbook. The policies contain procedures for creating user accounts with the appropriate level of access as well as procedures for removing access for terminated employees. b) Terminated employees OPM maintains policies related to management of user accounts for its local area network (LAN) and its m ainframe environments . Both policies contain procedures for creating user accounts with the appropriate level of access as well as procedures for removing access for tenninated employees. We conducted an access test comparing the cmTent Windows and mainframe active user lists against a list of tenninated employees from th e past year. Nothing came to our attention to indicate that th ere ar e weaknesses in OPM's access termination management process. c) Multi-factor authentication with PIV OMB Memorandum M-11-11 required all Federal infonnation OPM not compliant with systems to be upgraded to use PIV credentials for multi-factor OMB M-11-11 which authentication by the beginning ofFY 2012. In addition, the mandates the use of PIV memorandmn stated that all new systems lmder development must credentials for multi be PIV compliant prior to being made operational, and that agencies factor authentication for must be compliant with the memorandum prior to using technology major information refresh funds to complete other activities. systems. In FY 2012, the OCIO began an initiative to require PIV authentication to access the agency's network. As of the end of FY 2014, over 95 percent ofOPM workstations require PIV authentication to access to the OPM network. However, none of the agency's 47 major applications require PIV authentication. 24 Rep01i No. 4A-CI-00-1 4-016 Recommendation 21 (Rolled Forward from 2012) We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major information systems to require multi-factor authentication using PIV credentials. OCIO Response: “We have developed and are in the process of implementing multi-factor PIV authentication for compliance with OMB M-11-11. A major segment of the users on our network infrastructure are using PIV authentication. In FY15 we will continue to implement PIV authentication for major systems.” 10. Continuous Monitoring Management The following sections detail OPM’s controls related to continuous monitoring of the security state of its information systems. a) Continuous monitoring policy and procedures OPM’s Information Security and Privacy Policy Handbook states that the security controls of all systems must be continuously monitored and assessed to ensure continued effectiveness. In FY 2012, the OCIO published an addendum to the Information Security and Privacy Policy which states that it is the ISSO/DSOs responsibility to assess all security controls in an information system. The addendum also states that continuous monitoring security reports must be provided to ITSP at least semiannually. The OCIO also creates continuous monitoring plans each fiscal year that clearly describe the type and frequency of NIST SP 800-53 Revision 4 security controls that must be tested throughout the year. As stated previously in Section 1, the ISSO function has not been fully established at OPM. We continue to believe that OPM’s continuous monitoring policies and procedures cannot be adequately implemented until the agency’s centralized ISSO function has been fully established. b) Continuous monitoring strategy The OCIO developed a continuous monitoring strategy document that provides a high-level strategy for the implementation of information security continuous monitoring. While the initial stages of implementation began in FY 2012, full implementation of the plan is an ongoing process. The OCIO achieved the FY 2014 milestones outlined in the roadmap which included quarterly reporting for high impact systems. The next stage in the OCIO’s plan involves requiring continuous monitoring by contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program. 25 Report No. 4A-CI-00-14-016 Recommendation 22 We recommend that the OCIO expand its continuous monitoring program to include mandatory continuous monitoring for contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program as outlined in the OCIO’s continuous monitoring strategy. OCIO Response: “In FY15, we will continue to work with DHS to implement the Continuous Diagnostic and Mitigation program at OPM. As a result of working with DHS, OPM has been moved higher (sooner) in the implementation schedule. To date, we have submitted OPM requirements and hosted a Reading Room for vendors to validate our requirements. There will also be a major initiative to expand Continuous Monitoring programs to contractor systems where feasible.” c) Assessment of individual system security controls OPM policy requires all OPM system owners to submit evidence of continuous monitoring activities at least semiannually (in April and October). We requested the security test results for all OPM-operated systems for April 2014 in order to review them for quality and consistency. We will test the October 2014 submission as part of the FY 2015 FISMA audit. For the April submission, we were only provided adequate testing documentation for 18 out of the 25 major systems operated by OPM. The following program offices failed to submit adequate documentation for one or more systems that they own: Office of the Chief Information Officer (four systems); Office of the Inspector General (two systems); and, Office of the Chief Financial Officer (one system). At this time, security controls testing for contractor-operated systems is still only required once per year. A review of contractor system security control testing (see section 12, below) indicates that only 19 out of 22 contractor-operated systems were adequately tested in this fiscal year. Between contractor and agency-operated information systems, only 37 out of 47 systems were subject to adequate security controls testing in FY 2014. Failure to continuously monitor and assess security controls increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level. It has been over eight years since all OPM systems were subject to an adequate security controls test. OPM’s decentralized approach to IT security has traditionally placed 26 Report No. 4A-CI-00-14-016 responsibility on the various program offices to test the security controls of their systems. The OCIO’s lack of authority over these program offices continues to contribute to the inadequate security controls testing of the agency’s information systems. We are optimistic that the quality and consistency of security controls tests will improve with the full implementation of the OCIO’s centralized ISSO structure and with the shift to semi-annual continuous monitoring submissions. Recommendation 23 (Rolled forward from 2008) We recommend that OPM ensure that an annual test of security controls has been completed for all systems. OCIO Response: “We continue to make progress with security controls testing and expect to have test plans and results for all systems in FY15. Security controls testing is a major part of our continuous monitoring program that is being implemented for OPM systems.” 11. Contingency Planning OPM’s Information Security Privacy and Policy Handbook requires a contingency plan to be in place for each information system and that each system’s contingency plan be tested on an annual basis. The sections below detail our review of contingency planning activity in FY 2014. a) Documenting contingency plans of individual OPM systems We received updated contingency plans for 41 out of 47 information systems on OPM’s master system inventory. We then verified that these contingency plans followed the template developed by the OCIO that is based on the guidance of NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems. The following program offices failed to submit adequate contingency planning documentation for one or more systems that they own: Retirement Services (three systems); Office of the Chief Information Officer (two systems); and, Office of the Inspector General (one system). According to OPM’s Information Security and Privacy Policy Handbook, “Contingency Plans shall be reviewed, updated, and tested at least annually to ensure [their] effectiveness.” Failure to document contingency plans increases the risk that agency information systems will not be recovered in a timely manner and that critical data could be lost. 27 Report No. 4A-CI-00-14-016 Recommendation 24 We recommend that the OCIO ensure that all of OPM’s major systems have contingency plans in place and are reviewed and updated annually. OCIO Response: “We will continue making progress on contingency plan updates in FY15. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task.” b) Testing contingency plans of individual OPM systems OPM’s Information Security Privacy and Policy Handbook requires that the contingency plan for each information system be tested at least annually using information system specific tests and exercises. We received evidence that contingency plans were tested for only 39 of 47 systems in FY 2014. This is a slight decrease from the number of systems that were tested in FY 2013. The following program offices failed to submit adequate documentation for one or more systems that they own: Office of the Chief Information Officer (five systems); Employee Services (one system); Healthcare and Insurance (one system); and, Office of the Inspector General (one system). Of the contingency plan tests we did receive, we noted improved quality in documentation as it relates to the analysis or “lessons learned” section of the test report. However, due to the significantly low number of tests received, we cannot conclude that OPM has improved the quality and consistency of its documentation overall. NIST SP 800-34 Revision 1 states that following a contingency plan test, “results and lessons learned should be documented and reviewed by test participants and other personnel as appropriate. Information collected during the test and post-test reviews that improve plan effectiveness should be incorporated into the contingency plan.” Recommendation 25 (Rolled-Forward from 2008) We recommend that OPM’s program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the eight systems that were not subject to adequate testing in FY 2014. 28 Report No. 4A-CI-00-14-016 OCIO Response: “We will continue making progress on contingency plan testing in FY15. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task.” c) Testing contingency plans of OPM general support systems Many OPM systems reside on one of the agency’s general support systems. The OCIO typically conducts a full recovery test at the backup location of the Enterprise Server Infrastructure general support system (i.e., the mainframe and associated systems) on an annual basis. However, no full functional test was performed in FY 2014. Also, another one of OPM’s major general support system, the LAN/WAN general support system, was not subject to a full functional disaster recovery test. NIST SP 800-53 Revision 4, control CP-4, states that owners of FIPS 199 “high” systems should test “the contingency plan at the alternate processing site.” Without full functional routine testing of all OPM general support systems, there is a risk that OPM systems will not be successfully recovered in the event of a disaster. In the FY 2011 FISMA audit report we recommended that the OCIO implement a centralized (agency-wide) approach to contingency plan testing. We were informed that a single synchronized functional test is not feasible due to logistical and resource limitations. However, the intent of the recommendation is to ensure that all elements of the general support systems are subject to a full functional disaster recovery test each year. This recommendation can be remediated if each general support system is subject to a full functional test each year, even if it must be broken into a series of smaller tests. Recommendation 26 (rolled forward from 2011) We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing. OCIO Response: “We will continue making progress on contingency plan testing in FY15. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task.” 12. Contractor Systems We evaluated the methods that the OCIO and various program offices use to maintain oversight of their systems operated by contractors on behalf of OPM. 29 Report No. 4A-CI-00-14-016 a) Contractor system documentation OPM’s master system inventory indicates that 22 of the agency’s 47 major applications are operated by a contractor. However, the master system inventory does not indicate if the system is hosted in a cloud environment. NIST 800-53 Revision 4 states that the agency must develop and maintain an inventory of its information systems. The FY 2014 FISMA Reporting Metrics indicate that a complete inventory of systems indicates which systems and services reside in a public cloud environment. The OCIO maintains a separate spreadsheet documenting interfaces between OPM and contractor-operated systems and the related Interconnection Security Agreements (ISA). However, many of the documented ISAs have expired. NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, states that improperly designed interconnections could result in security failures that compromise the connected systems and the data that they store, process, or transmit. Failure to maintain valid ISAs could introduce risks similar to improperly designed interconnections. While the OCIO tracks ISAs, it does not track Memorandums of Understanding/Agreement (MOU/A). These documents outline the terms and conditions for sharing data and information resources in a secure manner. We were told that program offices were responsible for maintaining MOU/As. While we have no issue with the program offices maintaining the memorandums, the OCIO should track MOU/As to ensure that valid agreements are in place for each documented ISA. Recommendation 27 We recommend that the OCIO identify agency systems that reside in a public cloud and document those systems on the master system inventory. OCIO Response: “This recommendation was addressed and documented on the master system inventory.” OIG Reply: Evidence was provided in response to the draft audit report to indicate that the OCIO has identified systems that reside in a public cloud; no further action is required. Recommendation 28 We recommend that the OCIO ensure that all ISAs are valid and properly maintained. 30 Report No. 4A-CI-00-14-016 OCIO Response: “We will continue to improve ISA processes to ensure that they are maintained in a valid and consistent manner. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task.” Recommendation 29 We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection. OCIO Response: “We will continue to improve MOU processes to ensure they are maintained in a valid and consistent manner. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task.” b) Contractor system oversight The OPM Information Security and Privacy Policy Addendum states that “It is the responsibility of the OPM system owner to ensure systems or services hosted by non-OPM organizations comply with OPM information security and privacy policies.” The handbook addendum also states that “OPM System Owners must ensure that an annual security controls assessment is performed by a government employee or an independent third party at the site where contracted information technology services are rendered.” We requested the annual security control tests for contractor-operated systems in order to review them for quality and consistency. We were only provided testing documentation for 19 out of the 22 systems. In the tests we received, we noticed significant differences in quality and consistency. We would normally make a recommendation for the OCIO to take action to improve the quality and consistency of these security control tests. However, the OCIO’s continuous monitoring strategy includes requiring continuous monitoring for contractor-operated systems. The OCIO also maintains a continuous monitoring plan that describes the type and frequency of NIST SP 800-53 Revision 4 security controls that must be tested throughout the year. We believe that use of the continuous monitoring plan will improve the quality and consistency of contractor system security control tests. See section 10 above for the related recommendation. 13. Security Capital Planning NIST SP 800-53 Revision 4, control SA-2, states that an organization needs to determine, document, and allocate the resources required to protect information systems as part of its capital planning and investment control process. 31 Report No. 4A-CI-00-14-016 OPM’s Information Security and Privacy Policy Handbook contains policies and procedures to ensure that information security is addressed in the capital planning and investment process. The OCIO uses the Integrated Data Collection, a replacement to the Exhibit 53B, to record information security resources allocation and submits this information annually to OMB. As mentioned previously in Section 2, the drastic increase in the number of systems operating without a valid Authorization is alarming, and represents a systemic issue of inadequate planning by OPM program offices to authorize the information systems that they own. Please see section 2 for audit recommendations related to this issue. 32 Report No. 4A-CI-00-14-016 IV. MAJOR CONTRIBUTORS TO THIS REPORT Information Systems Audit Group , Auditor-In-Charge , Lead IT Auditor , IT Auditor , IT Auditor , IT Auditor , IT Auditor , IT Auditor ______________________________________________________________________________ Group Chief 33 Report No. 4A-CI-00-14-016 Appendix I page 1 of 3 Status of Prior OIG Audit Recommendations The tables below outline the current status of prior audit recommendations issued in FY 2013 by the Office of the Inspector General. Report No. 4A-CI-00-13-021: FY 2013 Federal Information Security Management Act Audit, issued November 21, 2013 Rec # Original Recommendation Recommendation History Current Status We recommend that OPM implement a centralized information security governance structure where all information security practitioners, Roll-forward from OIG Reports: including designated security officers, report to the CISO. Adequate resources should be assigned to the OCIO to create this structure. 4A-CI-00-10-019 Recommendation 4, OPEN: Rolled-forward as Report 1 Existing designated security officers who report to their program offices 4A-CI-00-11-009 Recommendation 2, and 4A-CI-00-14-016 Recommendation 1 should return to their program office duties. The new staff that reports 4A-CI-00-12-016 Recommendation 1 to the CISO should consist of experienced information security professionals. We recommend that the OCIO develop a plan and timeline to enforce OPEN: Rolled-forward as Report 2 Recommendation new in FY 2013 the new SDLC policy to all of OPM’s system development projects. 4A-CI-00-14-016 Recommendation 2 Roll-Forward from OIG Report: We recommend that the OCIO continue to develop its Risk Executive OPEN: Rolled-forward as Report 3 Function to meet all of the intended requirements outlined in NIST SP 4A-CI-00-11-009 Recommendation 6 and 4A-CI-00-14-016 Recommendation 6 800-39, section 2.3.2 Risk Executive (Function). 4A-CI-00-12-016 Recommendation 2 We recommend that the OCIO develop and implement a baseline 4 Recommendation new in FY 2013 CLOSED 9/16/2014 configuration for both databases. We recommend that the OCIO conduct routine compliance audits on 5 databases with the OPM baseline configuration Recommendation new in FY 2013 CLOSED 9/16/2014 once they have been reviewed, updated, and approved. Roll-forward from OIG Reports: We recommend that the OCIO document “accepted” weaknesses OPEN: Rolled-forward as Report 6 identified in vulnerability scans. 4A-CI-00-11-009 Recommendation 9 and 4A-CI-00-14-016 Recommendation 13 4A-CI-00-12-016 Recommendation 4 Appendix I page 2 of 3 Status of Prior OIG Audit Recommendations We recommend that the OCIO establish a centralized network security operations center with the ability to monitor security events for all Roll-forward from OIG Reports: 7 CLOSED 11/25/2013 major OPM systems. 4A-CI-00-12-016 Recommendation 6 We recommend that the OCIO and system owners develop formal corrective action plans to remediate all POA&M weaknesses that are Roll-forward from OIG Reports: OPEN: Rolled-forward as Report 8 over 120 days overdue. 4A-CI-00-12-016 Recommendation 8 4A-CI-00-14-016 Recommendation 18 We recommend that all POA&Ms list the specific resources required to Roll-forward from OIG Reports: 9 address each security weakness identified. CLOSED 11/25/2013 4A-CI-00-12-016 Recommendation 9 We recommend the OCIO configure the VPN servers to terminate VPN Roll-forward from OIG Reports: OPEN: Rolled-forward as Report 10 sessions after of inactivity. 4A-CI-00-12-016 Recommendation 10 4A-CI-00-14-016 Recommendation 20 We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major information systems to require multi-factor Roll-forward from OIG Reports: OPEN: Rolled-forward as Report 11 authentication using PIV credentials. 4A-CI-00-12-016 Recommendation 11 4A-CI-00-14-016 Recommendation 21 We recommend that the OCIO expand its continuous monitoring program to include quarterly submissions for High impact systems, more frequent controls testing for all systems, and further 12 Recommendation new is FY 2013 CLOSED 9/18/2014 implementation of automated tools as outlined in the Information Security Continuous Monitoring Roadmap. Roll-forward from OIG Reports: 4A-CI-00-08-022 Recommendation 1, We recommend that OPM ensure that an annual test of security controls 4A-CI-00-09-031 Recommendation 6, OPEN: Rolled-forward as Report 13 has been completed for all systems. 4A-CI-00-10-019 Recommendation 10, 4A-CI-00-14-016 Recommendation 23 4A-CI-00-11-009 Recommendation 11, and 4A-CI-00-12-016 Recommendation 14 Appendix I page 3 of 3 Status of Prior OIG Audit Recommendations Roll-forward from OIG Reports: We recommend that OPM’s program offices test the contingency plans 4A-CI-00-08-022 Recommendation 2, 14 for each system on an annual basis. The contingency plans should be 4A-CI-00-09-031 Recommendation 9, OPEN: Rolled-forward as Report tested for the systems that were not subject to adequate testing in FY 4A-CI-00-10-019 Recommendation 30, 4A-CI-00-14-016 Recommendation 25 2013 as soon as possible. 4A-CI-00-11-009 Recommendation 19, and 4A-CI-00-12-016 Recommendation 15 We recommend that the OCIO implement and document a centralized Roll-forward from OIG Reports: OPEN: Rolled-forward as Report 15 (agency-wide) approach to contingency plan testing. 4A-CI-00-11-009 Recommendation 21 and 4A-CI-00-14-016 Recommendation 26 4A-CI-00-12-016 Recommendation 16 Roll-forward from OIG Reports: 16 We recommend that OPM continue its efforts to eliminate the 4A-CI-00-08-022 Recommendation 12, unnecessary use of SSNs in accordance with OMB Memorandum M- 4A-CI-00-09-031 Recommendation 22, 07-16. CLOSED 9/26/2014 4A-CI-00-10-019 Recommendation 39, 4A-CI-00-11-009 Recommendation 28, and 4A-CI-00-12-016 Recommendation 18 Appendix II UNITED STATES OFFICE OF PERSONNEL MANAGEMENT Washington, DC 20415 Chief lnfonnation Officer MEMORANDUM FOR CHIEF, INFORMATION SYSTEMS AUDIT GROUP FROM: DONNA K. SEYMOUR CHIEF INFORMATION OF Subject: Response to the Federal Information Security Management Act Audit FY2014, Report NO. 4A-CI-00-14-016 Thank you for the opportunity to comment on the subject report. The results provided in the draft report consist ofa number of recommendations. The recommendations are valuable to our program improvement efforts and most of them are generally consistent with our plan. We plan to continue making improvements in our security risk management strategy and the OPM IT security program. In reviewing the draft report, we noticed that recommendation # 15 which covers specialized security training was issued. Additional information was submitted since the draft report was issued showing a specialized training participation rate above 90% . In addition, recommendation # 16 states that only 6 of 16 audit findings were incorporated into POA&Ms, and according to our records, all 16 recommendations were documented and converted to POA&Ms and centrally managed. Recommendation #26 is already in place and the information has been provided to your office. We aske for consideration in having recommendations # 15, #16 and #26 removed from the final audit report. The CIO's responses to the FYI4 Draft FISMA Audit Report are documented below: Recommendation #1 (Rolled-Forward from 2010) We recommend that OPM implement centralized information security governance structure where all information security practitioners, including designated security officers, report to the Chief Information Security Officer. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist ofexperienced information security professionals. CIO Response: A CIO memo directing the centralization ofthe security responsibilities of Designated Security Officers (DSO) into the Chieflnformation Security Officer (CISO) organization was issued by the OPM Director on August, 20 12 with an effective date ofOctober 1, 2012. The CIO has already hired the first complement ofstaff with professional IT security experience and certifications, consisting of seven Information Systems Security Officers (ISSO) with an additional four going through the OPM hiring process. The initial set of systems has been transitioned to ISSOs for security management, and we expect to have all OPM systems under ISSO security management in FY15. www.opm.gov Recruit: Retain and Honor a World-Class Workforce to Serve the American People www.usajobs.gov Recommendation #2 We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM's system development projects. CIO Response: The OPM SDLC is being applied to OPM's major investment projects. In FYlS, a plan with timelines will be developed to enforce the SDLC policy for all applicable system development projects. Recommendation #3 We recommend that all active systems in OPM's inventory have a complete and current Authorization. CIO Response: As part ofthe FY15 CIO reorganization, IT Program Managers will work with ISSOs to plan for Security Authorization of systems before existing ATOs expire. However, ATO extensions may be required in a limited number of situations such as the rebuilding of OPM's network where we would need to maintain the existing system and initiate Authorization work after the new design is completed and the rebuilding is underway. We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness. Recommendation #4 We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization. CIO Response: The IT Program Managers will work with ISSOs to ensure that OPM systems maintain current ATOs and that there are no interruptions to OPM's mission and operations. Recommendation #5 (Rolled-Forward from 2011) We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function). CIO Response: In FY 14, a number of steps were taken to establish and implement the Risk Executive Function per NIST Special Publication 800-39. A proposed Risk Executive Charter and Risk Registry Template were developed and discussed with the Chief Operating Officer who has agreed to serve as the OPM Risk Executive. Additional discussions will be held with the Chief Operating Officer on implementation plans and strategies. Recommendation #6 We recommend that the OCIO develop and implement a baseline confi platforms in use by OPM including, but not limited CIO Response: We are working to standardize operating systems and applications Over the past year, we have established approved baselines for all operating systems, as well as We will continue to improve our processes and develop and implement baselines for all operating platforms in use by OPM. 2 Recommendation #7 We recommend the OCIO conduct routine compliance scans against established baseline configurations for all servers and databases in use by OPM. This recommendation cannot be addressed until Recommendation 6 has been completed. CIO Response: We expand our routine compliance scans as we implement additional configuration baselines for additional operating platforms. Recommendation #8 We recommend the OCIO implement technical controls that prevent configuration changes without proper documentation and approvals. CIO Response: Configuration changes require approval by the Change Control Board which meets on a regular basis. However, there are emergency situations where changes might be made outside of the CCB cycle. We will ensure required documentation and approvals are in place for all configuration changes. Recommendation #9 We recommend that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network. CIO Response: Our Asset Management System serves as a repository for servers, databases and network devices. We will continue to work to identify and document all assets residing on the OPM network. Recommendation #I 0 We recommend that the OCIO implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the inventory. CIO Response: We will continue to improve our scanning capabilities to ensure that vulnerability scanning is conducted on all network devices documented in our inventory. Recommendation # 11 We recommend that the OCIO implement a process to centrally track the current status of security weaknesses identified during vulnerability scans. CIO Response: We concur with this recommendation and will implement the recommendation in FY15. Recommendation #12 (Rolled Forward from 2011) We recommend that the OCIO document "accepted" weaknesses identified in vulnerability scans. CIO Response: We concur with this recommendation and will implement the recommendation in FY15 . 3 Recommendation # 13 We recommend that the OCIO expand the capabilities of the ENSOC to ensure that security incidents from all OPM-operated information systems are centrally analyzed and correlated. CIO Response: A centralized monitoring center was put in place with first level alerting and monitoring for the servers and network appliances within the major OPM sites. We are expanding our monitoring capabilities to cover OPM operated information systems wherever feasible. Recommendation # 14 We recommend that OCIO configure its security information and event management tool to collect and report meaningful data, while reducing the volume of non-sensitive log and event data. CIO Response: The security event management system collects important data that we use to access threats to the OPM environment. We will continue to refine our configuration settings to improve the quality of the data being reviewed. Recommendation # 15 We recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis. CIO Response: We have successfully implemented this recommendation and significant improvements were achieved this year with a completion rate of over 90 percent. Additional information was submitted to substantiate elimination of this recommendation. Recommendation # 16 We recommend that the OCIO and program offices that own information systems ensure that all known security weaknesses are incorporated into the appropriate POA&M. CIO Response: A centralized automated POA&M management system is in place and staffed by a dedicated resource to ensure that all findings, recommendations and POA&Ms are managed to resolution and we believe that this process is working as intended. Additional information was submitted to substantiate elimination of this recommendation. Recommendation # 17 We recommend that the OCIO and system owners develop formal corrective action plans to immediately remediate all POA&M weaknesses that are over 120 days overdue. CIO Response: The CIO dedicated resources to this task and has successfully closed most POA&Ms that are over 120 days overdue and will continue to develop formal Action Plans for those remaining weaknesses. Most POA&Ms that are over 120 days overdue have dependencies that need to be coordinated with external entities that often are not ready to implement the required changes. 4 Recommendation # 18 We recommend that all POA&Ms list the specific resources required to address each security weakness identified. CIO Response: This recommendation has been implemented for most open POA&Ms. We will continue to ensure that the "resources required" for POA&Ms are identified and documented. Recommendation #19 (Rolled-Forward from 2012) We recommend the OCIO configure the VPN servers to terminate VPN sessions after inactivity. CIO Response: All teclmoJogicaJ controls are in place. We believe there is a flaw in the vendor's product that will require a patch update that the vendor so far is unwilling to provide. We will explore an alternative product solution. Recommendation #20 (Rolled-Forward 2012) We recommend that the OCIO meet the requirements ofOMB M-11-11 by upgrading its major information systems to require multi-factor authentication using PIV credentials. CIO Response: We have developed and are in the process of implementing multi-factor PIV authentication for compliance with OMB M-11-11. A major segment of the users on our network infrastructure are using PIV authentication. In FY 15 we will continue to implement PIV authentication for major systems. Recommendation #21 We recommend that the OCIO expand its continuous monitoring program to include mandatory continuous monitoring for contractor-operated systems and implementation of the DHS Continuous Diagnostic and Mitigation program as outlined in continuous monitoring strategy~ CIO Response: In FY15, we will continue to work with DHS to implement the Continuous Diagnostic and Mitigation program at OPM. As a result of working with DHS, OPM has been moved higher (sooner) in the implementation schedule. To date, we have submitted OPM requirements and hosted a Reading Room for vendors to validate our requirements. There will also be a major initiative to expand Continuous Monitoring programs to contractor systems where feasible. Recommendation #22 (Rolled forward from 2008) We recommend that OPM ensure that an arumal test of security controls has been completed for all systems. CIO Response: We continue to make progress with security controls testing and expect to have test plans and results for all systems in FY15. Security controls testing is a major part of our continuous monitoring program that is being implemented for OPM systems. 5 Recommendation #23 We recommend that the OCIO ensure that all ofOPM's major systems have Contingency Plans in place and are reviewed and updated annually. CIO Response: We will continue making progress on contingency plan updates in FY15. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task. Recommendation #24 (Rolled-Forward from 2008) We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the eight systems that were not subject to adequate testing in FY 2014. CIO Response: We will continue to make progress on contingency plan testing in FY15. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task. Recommendation #25 (rolled forward from 2011) We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing. CIO Response: We will continue our efforts to centralize contingency plan testing in FYIS. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task. Recommendation #26 We recommend that the OCIO identify agency systems that reside in a public cloud and document those systems on the master system inventory. CIO Response: This recommendation was addressed and documented on the master system inventory. Recommendation #27 We recommend that the OCIO ensure that all ISA's are valid and properly maintained. CIO Response: We will continue to improve ISA processes to ensure that they are maintained in a valid and consistent manner. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task. Recommendation #28 We recommend that the OCIO ensure that a valid MOU/As exists for every interconnection. CIO Response: We will continue to improve MOU processes to ensure they are maintained in a valid and consistent manner. Having additional ISSOs onboard is expected to significantly improve our ability to accomplish this task. 6 Recommendation #29 (Rolled-Forward from 2008) We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16. CIO Response: Significant work was done to eliminate the unnecessary use of social security numbers (SSN) including development of a consolidated Action Plan and elimination of the use of SSNs from USAJOBS and the PMF systems. In FY15, the Privacy Officer will conduct a pilot project with an OPM program office to review business processes to determine how SSN usage can be reduced further. 7 Appendix III 2014 Inspector General Annual FISMA Report Section Report Office of Personnel Management Section 1: Continuous Monitoring Management 1.1 Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? Yes 1.1.1 Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7). Yes 1.1.2 Documented strategy for information security continuous monitoring (ISCM). Yes 1.1.3 Implemented ISCM for information technology assets. No Comments: The Office of the Chief Information Officer (OCIO) developed a continuous monitoring strategy document that provides a high-level strategy for the implementation of information security continuous monitoring. While the initial stages of implementation began in fiscal year (FY) 2012, full implementation of the plan is an ongoing process. The OCIO achieved the FY 2014 milestones outlined in the roadmap which included quarterly reporting for high impact systems. The next stage in the OCIO’s plan involves requiring continuous monitoring by contractor operated systems and implementation of the Department of Homeland Security Continuous Diagnostic and Mitigation program. 1.1.4 Evaluate risk assessments used to develop their ISCM strategy. Yes 1.1.5 Conduct and report on ISCM results in accordance with their ISCM strategy. Yes 1.1.6 Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST SP 800-53, 800-53A). No Comments: Only 18 of the 25 systems subject to continuous monitoring were adequately tested in accordance with Office of Personnel Management (OPM) policy. OIG Report - Annual 2014 Page 1 of 17 For Official Use Only Section 1: Continuous Monitoring Management 1.1.7 Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans (NIST SP 800-53, 800-53A). Yes 1.2 Please provide any additional information on the effectiveness of the organization’s Continuous Monitoring Management Program that was not noted in the questions above. N/A Section 2: Configuration Management 2.1 Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? No Comments: As noted below, there are notable deficiencies in OPM’s configuration management program, and we do not consider this program to be substantially compliant with FISMA requirements, OMB policy, and applicable NIST guidelines. 2.1.1 Documented policies and procedures for configuration management. Yes 2.1.2 Defined standard baseline configurations. No Comments: In FY 2014, OPM has continued its efforts toward formalizing baseline configurations for critical applications, servers, and workstations. However, several additional operating platforms in OPM’s network environment do not have baseline configurations documented including, but not limited to, ------------------------------------------------. 2.1.3 Assessments of compliance with baseline configurations. No Comments: The OCIO uses automated scanning tools to conduct routine compliance audits on the majority of operating platforms used in OPM’s server environment. These tools compare the actual configuration of servers and workstations to the approved baseline configuration. However, there are several operating platforms used by OPM that do not have documented and approved baselines. Without approved baseline configurations these systems cannot be subject to an adequate compliance audit. OIG Report - Annual 2014 Page 2 of 17 For Official Use Only Section 2: Configuration Management 2.1.4 Process for timely (as specified in organization policy or standards) remediation of scan result deviations. No Comments: OPM performs monthly vulnerability scans using automated scanning tools. However, we have been unable to obtain tangible evidence that vulnerability scans have been routinely conducted for all OPM servers in FY 2014. As a result, we are unable to independently attest that OPM has a mature vulnerability scanning program. 2.1.5 For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented. Yes 2.1.6 Documented proposed or actual changes to hardware and software configurations. No Comments: OPM also has a software product that has the capability to detect, approve, and revert all changes made to information systems. However, this capability has not been fully implemented, and OPM cannot ensure that all changes made to information systems have been properly documented and approved. 2.1.7 Process for timely and secure installation of software patches. No Comments: See comment in 2.1.4 2.1.8 Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2). No Comments: See comment in 2.1.4 2.1.9 Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2) No Comments: See comment in 2.1.4 2.1.10 Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2). No Comments: See comment in 2.1.4 OIG Report - Annual 2014 Page 3 of 17 For Official Use Only Section 2: Configuration Management 2.2 Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in the questions above. N/A 2.3 Does the organization have an enterprise deviation handling process and is it integrated with the automated capability. Yes 2.3.1 Is there a process for mitigating the risk introduced by those deviations? Yes Section 3: Identity and Access Management 3.1 Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices? Besides the improvement opportunities that have been identified by the OIG, does the program include the following attributes? Yes 3.1.1 Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1). Yes 3.1.2 Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2). Yes 3.1.3 Identifies when special access requirements (e.g., multi-factor authentication) are necessary. No Comments: In FY 2012, the OCIO began an initiative to require PIV authentication to access the agency’s network. As of the end of FY 2014, over 95 percent of OPM workstations require PIV authentication to access to the OPM network. However, none of the agency’s 47 major applications require PIV authentication. 3.1.4 If multi-factor authentication is in use, it is linked to the organization's PIV program where appropriate (NIST SP 800-53, IA-2). Yes 3.1.5 Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). No Comments: See comment in 3.1.3 OIG Report - Annual 2014 Page 4 of 17 For Official Use Only Section 3: Identity and Access Management 3.1.6 Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). Yes 3.1.7 Ensures that the users are granted access based on needs and separation-of-duties principles. Yes 3.1.8 Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users (For example: IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts). No Comments: We determined through interviews and our independent vulnerability scanning process that OPM does not maintain an accurate centralized inventory containing all servers and databases that reside within the network. 3.1.9 Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.) Yes 3.1.10 Ensures that accounts are terminated or deactivated once access is no longer required. Yes 3.1.11 Identifies and controls use of shared accounts. Yes 3.2 Please provide any additional information on the effectiveness of the organization’s Identity and Access Management Program that was not noted in the questions above. N/A Section 4: Incident Response and Reporting 4.1 Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? Yes OIG Report - Annual 2014 Page 5 of 17 For Official Use Only Section 4: Incident Response and Reporting 4.1.1 Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1). Yes 4.1.2 Comprehensive analysis, validation and documentation of incidents. Yes 4.1.3 When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19). Yes 4.1.4 When applicable, reports to law enforcement within established timeframes (NIST SP 800-61). Yes 4.1.5 Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19). No Comments: OPM owns a tool with the ability to automatically detect and report potential security incidents by analyzing data from various sources. After analyzing the data, the tool alerts security analysts to potential security incidents. However, the tool needs to be configured to collect relevant and meaningful data so the potential security alerts contain fewer false-positives. The OPM systems currently providing data to the security information and event management (SIEM) tool are over-reporting log and event data, which results in an excessive amount of data for security analysts to review. The number of alerts that security analysts must review and identify as false-positive creates a backlog that could cause a delay in identifying and responding to actual incidents. 4.1.6 Is capable of tracking and managing risks in a virtual/cloud environment, if applicable. Yes 4.1.7 Is capable of correlating incidents. Yes OIG Report - Annual 2014 Page 6 of 17 For Official Use Only Section 4: Incident Response and Reporting 4.1.8 Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19). No Comments: OPM owns a SIEM tool with the technical ability to automatically detect, analyze, and correlate potential security incidents over time. However, the correlation features of this tool are not fully utilized at this time. This tool only receives event data from approximately 80 percent of major OPM information systems. In FY 2014, the OCIO established an Enterprise Network Security Operations Center (ENSOC) that provides continuous centralized support for OPM’s security incident prevention/management program. However, the ENSOC cannot adequately fulfill its purpose if it does not receive data from all OPM systems. 4.2 Please provide any additional information on the effectiveness of the organization’s Incident Management Program that was not noted in the questions above. N/A Section 5: Risk Management 5.1 Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? No Comments: In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. However, as of the end of FY 2014, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 were not all fully implemented. Key elements still missing from OPM’s approach to managing risk at an agency-wide level include: conducting a risk assessment, maintaining a risk registry, and communicating the agency-wide risks down to the system owners. Also, of the 21 OPM systems due for Authorization in FY 2014, 11 were not completed on time and are currently operating without a valid Authorization. We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program. 5.1.1 Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process. Yes OIG Report - Annual 2014 Page 7 of 17 For Official Use Only Section 5: Risk Management 5.1.2 Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST SP 800-37, Rev.1. Yes 5.1.3 Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational perspective, as described in NIST SP 800-37, Rev. 1. Yes 5.1.4 Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the mission and business perspective, as described in NIST SP 800-37, Rev. 1. Yes 5.1.5 Has an up-to-date system inventory. Yes 5.1.6 Categorizes information systems in accordance with government policies. Yes 5.1.7 Selects an appropriately tailored set of baseline security controls. Yes 5.1.8 Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation. Yes 5.1.9 Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Yes 5.1.10 Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. Yes OIG Report - Annual 2014 Page 8 of 17 For Official Use Only Section 5: Risk Management 5.1.11 Ensures information security controls are monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. No Comments: Only 37 out of OPM’s 47 systems were subject to adequate security controls testing in FY 2014. 5.1.12 Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are communicated to appropriate levels of the organization. Yes 5.1.13 Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO). Yes 5.1.14 Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information-system-related security risks. Yes 5.1.15 Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies. (NIST SP 800-18, SP 800-37). No Comments: The Authorization packages reviewed as part of this FY 2014 audit generally maintained the same satisfactory level of quality that had been observed in recent years. However, of the 21 OPM systems due for Authorization in FY 2014, 11 were not completed on time and are currently operating without a valid Authorization. The drastic increase in the number of systems operating without a valid Authorization is alarming, and represents a systemic issue of inadequate planning by OPM program offices to authorize the information systems that they own. We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program. 5.1.16 Security authorization package contains accreditation boundaries, defined in accordance with government policies, for organization information systems. No Comments: See comment in 5.1.15 OIG Report - Annual 2014 Page 9 of 17 For Official Use Only Section 5: Risk Management 5.2 Please provide any additional information on the effectiveness of the organization’s Risk Management Program that was not noted in the questions above. N/A Section 6: Security Training 6.1 Has the organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? Yes 6.1.1 Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1). Yes 6.1.2 Documented policies and procedures for specialized training for users with significant information security responsibilities. Yes 6.1.3 Security training content based on the organization and roles, as specified in organization policy or standards. Yes 6.1.4 Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other organization users) with access privileges that require security awareness training. Yes 6.1.5 Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with significant information security responsibilities that require specialized training. Yes 6.1.6 Training material for security awareness training contains appropriate content for the organization (NIST SP 800-50,800-53). Yes 6.2 Please provide any additional information on the effectiveness of the organization’s Security Training Program that was not noted in the questions above. N/A Section 7: Plan Of Action & Milestones (POA&M) OIG Report - Annual 2014 Page 10 of 17 For Official Use Only Section 7: Plan Of Action & Milestones (POA&M) 7.1 Has the organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? Yes 7.1.1 Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and that require remediation. Yes 7.1.2 Tracks, prioritizes, and remediates weaknesses. Yes 7.1.3 Ensures remediation plans are effective for correcting weaknesses. Yes 7.1.4 Establishes and adheres to milestone remediation dates. No Comments: Our review indicated that many system owners are not meeting the self-imposed remediation deadlines listed on the POA&Ms. Out of OPM’s 47 operational systems, 38 have POA&M items that are greater than 120 days overdue. 7.1.5 Ensures resources and ownership are provided for correcting weaknesses. Yes 7.1.6 POA&Ms include security weaknesses discovered during assessments of security controls and that require remediation (do not need to include security weakness due to a risk-based decision to not implement a security control) (OMB M-04-25). No Comments: All known security weaknesses were appropriately incorporated to the system-specific POA&Ms for only 29 of OPM’s 47 systems. This includes 14 of the 25 systems operated by OPM, and 15 of the 22 systems operated by a contractor. 7.1.7 Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25). Yes OIG Report - Annual 2014 Page 11 of 17 For Official Use Only Section 7: Plan Of Action & Milestones (POA&M) 7.1.8 Program officials report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5; OMB M-04-25). Yes 7.2 Please provide any additional information on the effectiveness of the organization’s POA&M Program that was not noted in the questions above. N/A Section 8: Remote Access Management 8.1 Has the organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? Yes 8.1.1 Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST 800-53: AC-1, AC-17). Yes 8.1.2 Protects against unauthorized connections or subversion of authorized connections. Yes 8.1.3 Users are uniquely identified and authenticated for all access (NIST SP 800-46, Section 4.2, Section 5.1). Yes 8.1.4 Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1). Yes 8.1.5 If applicable, multi-factor authentication is required for remote access (NIST SP 800-46, Section 2.2, Section 3.3). Yes 8.1.6 Authentication mechanisms meet NIST SP 800-63 guidance on remote electronic authentication, including strength mechanisms. Yes OIG Report - Annual 2014 Page 12 of 17 For Official Use Only Section 8: Remote Access Management 8.1.7 Defines and implements encryption requirements for information transmitted across public networks. Yes 8.1.8 Remote access sessions, in accordance with OMB M-07-16, are timed-out after 30 minutes of inactivity, after which re-authentication is required. No Comments: In previous years, we discovered that remote access sessions do not terminate or lock out after -------------- inactivity as required by FISMA. OPM has acknowledged the issue and stated that the weakness cannot be remediated until the VPN vendor releases a software update. 8.1.9 Lost or stolen devices are disabled and appropriately reported (NIST SP 800-46, Section 4.3, US-CERT Incident Reporting Guidelines). Yes 8.1.10 Remote access rules of behavior are adequate in accordance with government policies (NIST SP 800-53, PL-4). Yes 8.1.11 Remote access user agreements are adequate in accordance with government policies (NIST SP 800-46, Section 5.1, NIST SP 800-53, PS-6). Yes 8.2 Please provide any additional information on the effectiveness of the organization’s Remote Access Management that was not noted in the questions above. N/A 8.3 Does the organization have a policy to detect and remove unauthorized (rogue) connections? Yes Section 9: Contingency Planning OIG Report - Annual 2014 Page 13 of 17 For Official Use Only Section 9: Contingency Planning 9.1 Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? No Comments: It has been several years since OPM has adequately tested the contingency plans of all of its major information systems within one fiscal year (see 9.1.4.). In addition, two of OPM's major general support systems were not subject to adequate disaster recovery testing in FY 2014. We believe that this indicates that OPM does not have a FISMA-compliant enterprise-wide business continuity / disaster recovery program. 9.1.1 Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster (NIST SP 800-53: CP-1). Yes 9.1.2 The organization has incorporated the results of its system’s Business Impact Analysis (BIA) into the analysis and strategy development efforts for the organization’s Continuity of Operations Plan (COOP), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP) (NIST SP 800-34). Yes 9.1.3 Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures (NIST SP 800-34). Yes 9.1.4 Testing of system specific contingency plans. No Comments: We received evidence that contingency plans were tested for only 39 of 47 systems in FY 2014. 9.1.5 The documented BCP and DRP are in place and can be implemented when necessary (FCD1, NIST SP 800-34). No Comments: We received updated contingency plans for 41 out of 47 information systems on OPM’s master system inventory. 9.1.6 Development of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST SP 800-53). Yes OIG Report - Annual 2014 Page 14 of 17 For Official Use Only Section 9: Contingency Planning 9.1.7 Testing or exercising of BCP and DRP to determine effectiveness and to maintain current plans. No Comments: Many OPM systems reside on one of the agency’s general support systems. The OCIO typically conducts a full recovery test at the backup location of the Enterprise Server Infrastructure general support system (i.e., the mainframe and associated systems) on an annual basis. However, no full functional test was performed in FY 2014. In the FY 2011 FISMA audit report we recommended that the OCIO implement a centralized (agency-wide) approach to contingency plan testing. We were informed that a single synchronized functional test is not feasible due to logistical and resource limitations. However, the intent of the recommendation is to ensure that all elements of the general support systems are subject to a full functional disaster recovery test each year. This recommendation can be remediated if each general support system is subject to a full functional test each year, even if it must be broken into a series of smaller tests. 9.1.8 After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34). No Comments: As mentioned in 9.1.4, we received evidence that contingency plans were tested for only 39 of 47 systems in FY 2014. 9.1.9 Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53). No Comments: As mentioned in 9.1.5, we only received that 41 or 47 system have documented contingency plans. 9.1.10 Alternate processing sites are not subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53). Yes 9.1.11 Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53). Yes 9.1.12 Contingency planning that considers supply chain threats. Yes 9.2 Please provide any additional information on the effectiveness of the organization’s Contingency Planning Program that was not noted in the questions above. N/A Section 10: Contractor Systems OIG Report - Annual 2014 Page 15 of 17 For Official Use Only Section 10: Contractor Systems 10.1 Has the organization established a program to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud external to the organization? Besides the improvement opportunities that may have been identified by the OIG, does the program includes the following attributes? Yes 10.1.1 Documented policies and procedures for information security oversight of systems operated on the organization’s behalf by contractors or other entities, including organization systems and services residing in a public cloud. Yes 10.1.2 The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with Federal and organization guidelines (NIST SP 800-53: CA-2).(Base) No Comments: We were provided evidence that the security controls were tested for only 19 out of OPM’s 22 contractor operated systems. 10.1.3 A complete inventory of systems operated on the organization’s behalf by contractors or other entities, including organization systems and services residing in a public cloud. Yes 10.1.4 The inventory identifies interfaces between these systems and organization-operated systems (NIST SP 800-53: PM-5). Yes 10.1.5 The organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates. No Comments: The OCIO maintains a separate spreadsheet documenting interfaces between OPM and contractor-operated systems and the related Interconnection Security Agreements (ISA). However, many of the documented ISAs have expired. 10.1.6 The inventory of contractor systems is updated at least annually. Yes OIG Report - Annual 2014 Page 16 of 17 For Official Use Only Section 10: Contractor Systems 10.1.7 Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines. No Comments: Of the 21 OPM systems due for Authorization in FY 2014, 11 were not completed on time and are currently operating without a valid Authorization. Three of the 11 are contractor-operated systems. 10.2 Please provide any additional information on the effectiveness of the organization’s Contractor Systems Program that was not noted in the questions above. N/A Section 11: Security Capital Planning 11.1 Has the organization established a security capital planning and investment program for information security? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes? Yes 11.1.1 Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process. Yes 11.1.2 Includes information security requirements as part of the capital planning and investment process. Yes 11.1.3 Establishes a discrete line item for information security in organizational programming and documentation (NIST SP 800-53: SA-2). Yes 11.1.4 Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST SP 800-53: PM-3). Yes 11.1.5 Ensures that information security resources are available for expenditure as planned. Yes 11.2 Please provide any additional information on the effectiveness of the organization’s Security Capital Planning Program that was not noted in the questions above. N/A OIG Report - Annual 2014 Page 17 of 17 For Official Use Only Repo ort Fra aud, Waste, and Mismaanagemment Frraud, waste, and mismannagement inn Government con ncerns everyyone: Officee of the Inspectorr General staaff, agency emmployees, and d the generaal public. We actively solicit alllegations off any inefficiient and wastefu ul practices, f raud, and mismmanagementt related to OPM program ms and operations. You can repport allegatioons to us in several ways: By Intern net: htttp://www.oppm.gov/our--inspector-geeneral/hotlinne-to- reeport-fraud-w waste-or-abuuse By Pho one: Toll Free Num mber: (8777) 499-72955 Washington Metro Area: (2002) 606-24233 By Mail: Office of the Inspector Geeneral U.S. Office of Personnel M anagemennt 900 E Streett, NW 19 Room 6400 Washington, DC 20415-11100 -- CAUTION -- This audit report ha as been distributeed to Federal officcials who are resp ponsible for the a dministration off the audited program. This audit report may contain proprietary data which is prrotected by Federral law (18 U.S.C C. 1905). Therefofore, while this au udit report is avaailable under thee Freedom of Infoormation Act and d made availablee to the public on the OIG webp page (http://www..opm.gov/our-insppector-general), caution needs to be exercised befoore releasing the report to the geneeral public as it may contain proprietary informatiion that was redaacted from the pu ublicly distributed d copy.
Federal Information Security Management Act Audit FY 2014
Published by the Office of Personnel Management, Office of Inspector General on 2014-11-12.
Below is a raw (and likely hideous) rendition of the original report. (PDF)