
Federal Information Security Modernization Act Audit Fiscal Year 2016

Published by the Office of Personnel Management, Office of Inspector General on 2016-11-09.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Federal Information Security Modernization Act Audit
Fiscal Year 2016

Report Number 4A-CI-00-16-039
November 9, 2016




-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY

Federal Information Security Modernization Act Audit – FY 2016

Report No. 4A-CI-00-16-039                                                  November 9, 2016

Why Did We Conduct the Audit?

Our overall objective was to evaluate the U.S. Office of Personnel Management’s (OPM) security program and practices, as required by the Federal Information Security Modernization Act (FISMA). Specifically, we reviewed the status of OPM’s information technology security program in accordance with the U.S. Department of Homeland Security’s (DHS) FISMA Inspector General reporting instructions.

What Did We Audit?

The Office of the Inspector General has completed a performance audit of OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s guidance and the corresponding reporting instructions. Our audit was conducted from April through September 2016 at OPM headquarters in Washington, D.C.

What Did We Find?

This audit report again communicates a material weakness related to OPM’s Security Assessment and Authorization (Authorization) program. In April 2015, the then Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Although the moratorium on Authorizations has since been lifted, the effects of the April 2015 memorandum continue to have a significant negative impact on OPM. At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization in place.

However, OPM did initiate an “Authorization Sprint” during FY 2016 in an effort to get all of the agency’s systems compliant with the Authorization requirements. We acknowledge that OPM is once again taking system Authorization seriously. We intend to perform a comprehensive audit of OPM’s Authorization process in early FY 2017.

This audit report also re-issues a significant deficiency related to OPM’s information security management structure. Although OPM has developed a security management structure that we believe can be effective, there has been an extremely high turnover rate of critical positions. The negative impact of these staffing issues is apparent in the results of our current FISMA audit work. There has been a significant regression in OPM’s compliance with FISMA requirements, as the agency failed to meet requirements that it had successfully met in prior years. We acknowledge that OPM has placed significant effort toward filling these positions, but simply having the staff does not guarantee that the team can effectively manage information security and keep OPM compliant with FISMA requirements. We will continue to closely monitor activity in this area throughout FY 2017.

The following page summarizes the results of this FY 2016 FISMA audit.

_______________________
Michael R. Esser
Assistant Inspector General
for Audits
                                                            i

                            Summary of FY 2016 FISMA Results

• The material weakness related to OPM’s Authorization program is reported again.
• A significant deficiency related to OPM’s information security management structure has been re-opened (this was previously a material weakness that was closed).
• OPM has not adequately defined the roles and responsibilities for all positions within its IT management structure.
• OPM’s system development life cycle policy is not enforced for all system development projects.
• OPM has made improvements to its continuous monitoring program and is now rated as Level 2 (“Defined”) based upon the Council of the Inspectors General on Integrity and Efficiency (CIGIE) maturity model.
• OPM has also made improvements to its security incident program and is now rated as Level 2 (“Defined”) based upon the CIGIE maturity model.
• OPM has developed an inventory of servers, databases, and network devices, but its overall inventory management program could be improved.
• OPM does not have configuration baselines for all operating platforms. This deficiency impacts the agency’s ability to effectively audit and monitor systems for compliance.
• OPM has made progress in its vulnerability management program. However, improvements are needed in both the scanning and remediation processes.
• Multi-factor authentication is not required to access OPM systems in accordance with U.S. Office of Management and Budget memorandum M-11-11.
• OPM has not fully established a Risk Executive Function.
• Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.
• The majority of OPM systems contain Plan of Action and Milestones that are over 120 days overdue.
• The contingency plans for most of OPM’s systems have not been reviewed or tested in FY 2016.
• Several information security agreements and memoranda of understanding between OPM and contractor-operated information systems have expired.




                      ABBREVIATIONS
Authorization   Security Assessment and Authorization
CIGIE           Council of the Inspectors General on Integrity and Efficiency
DHS             U.S. Department of Homeland Security
FACES           Federal Annuity Claims Expert System
FIPS            Federal Information Processing Standards
FISCAM          Federal Information System Controls Audit Manual
FISMA           Federal Information Security Modernization Act
FY              Fiscal year
IOC             Internal Oversight and Compliance
ISA             Interconnection Security Agreements
ISCM            Information Systems Continuous Monitoring
ISSO            Information System Security Officer
IT              Information Technology
ITPM            IT Project Manager
MOU/A           Memorandum of Understanding/Agreement
NIST            National Institute for Standards and Technology
OCIO            Office of the Chief Information Officer
OIG             Office of the Inspector General
OMB             U.S. Office of Management and Budget
OPM             U.S. Office of Personnel Management
PIV             Personal Identity Verification
POA&M           Plan of Action and Milestones
RMF             Risk Management Framework
SDLC            System Development Life Cycle
SP              Special Publication
VPN             Virtual private network




          TABLE OF CONTENTS

                                                                                                                           Page 

         EXECUTIVE SUMMARY ......................................................................................... i 


         ABBREVIATIONS .................................................................................................... iii 


  I.     BACKGROUND ..........................................................................................................1 


  II.    OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2 


  III.   AUDIT FINDINGS AND RECOMMENDATIONS.................................................5

         A. Information Security Governance ...........................................................................5 

         B. Security Assessment and Authorization ..................................................................9 

         C. Risk Management ..................................................................................................12 

         D. Contractor Systems ................................................................................................14 

         E. Configuration Management ...................................................................................15 

         F. Identity and Access Management ..........................................................................22 

         G. Security Training ...................................................................................................24 

         H. Continuous Monitoring .........................................................................................25 

         I. Incident Response Program ...................................................................................28 

         J. Contingency Planning............................................................................................29 


  IV.    MAJOR CONTRIBUTORS TO THIS REPORT ..................................................31 


         APPENDIX I:               Status of Prior OIG Audit Recommendations.
         APPENDIX II: The Office of the Chief Information Officer’s October 22, 2016
                      response to the draft audit report, issued September 30, 2016.
         APPENDIX III: FY 2016 Inspector General FISMA reporting metrics.

I. BACKGROUND

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-
347), which includes Title III, the Federal Information Security Management Act. This Act
requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3)
agency reporting to the U.S. Office of Management and Budget (OMB) the results of IG
evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the
material received from agencies. On December 18, 2014, President Obama signed Public Law
113-283, the Federal Information Security Modernization Act (FISMA), which reiterates the
need for an annual IG evaluation. In accordance with FISMA, we conducted an audit of OPM’s
security program and practices. As part of our audit, we reviewed OPM’s FISMA compliance
strategy and documented the status of its compliance efforts.

FISMA requirements pertain to all information systems supporting the operations and assets of
an agency, including those systems currently in place or planned. The requirements also pertain
to IT resources owned and/or operated by a contractor supporting agency systems.

FISMA re-emphasizes the Chief Information Officer’s strategic, agency-wide security
responsibility. At OPM, security responsibility is assigned to the agency’s Office of the Chief
Information Officer (OCIO). FISMA also clearly places responsibility on each agency program
office to develop, implement, and maintain a security program that assesses risk and provides
adequate security for the operations and assets of programs and systems under its control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the
Department of Homeland Security (DHS) Office of Cybersecurity and Communications issued
the Fiscal Year (FY) 2016 Inspector General FISMA Reporting Instructions. This document
provides a consistent form and format for agencies to report FISMA audit results to DHS. It
identifies a series of reporting topics that relate to specific agency responsibilities outlined in
FISMA. Our audit and reporting strategies were designed in accordance with the above DHS
guidance.




                                                 1                           Report No. 4A-CI-00-16-039
II. OBJECTIVES, SCOPE, AND METHODOLOGY

 Objectives

 Our overall objective was to evaluate OPM’s security program and practices, as required by FISMA. Specifically, we reviewed the status of the following areas of OPM’s information technology (IT) security program in accordance with DHS’s FISMA IG reporting requirements:

 • Risk Management;
 • Contractor Systems;
 • Configuration Management;
 • Identity and Access Management;
 • Security and Privacy Training;
 • Information Security Continuous Monitoring;
 • Incident Response Program; and
 • Contingency Planning.

 In addition, we evaluated the status of OPM’s IT security governance structure and the agency’s system Authorization process, areas that have represented a material weakness in OPM’s IT security program in prior FISMA audits. We also followed up on outstanding recommendations from prior FISMA audits (see Appendix I), and performed an audit focused on one of OPM’s major information systems – the Federal Annuity Claims Expert System (FACES).


 Scope and Methodology

 We conducted this performance audit in accordance with generally accepted government
 auditing standards. Those standards require that we plan and perform the audit to obtain
 sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
 based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
 for our findings and conclusions based on our audit objectives. The audit covered OPM’s
 FISMA compliance efforts throughout FY 2016.

 We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s
 guidance and the corresponding reporting instructions. We also performed an information
 security audit on the FACES major information system. We considered the internal control
 structure for various OPM systems in planning our audit procedures. These procedures were
 mainly substantive in nature, although we did gain an understanding of management procedures
 and controls to the extent necessary to achieve our audit objectives. Accordingly, we obtained
 an understanding of the internal controls for these various systems through interviews and
 observations, as well as inspection of various documents, including information technology and
 other related organizational policies and procedures. This understanding of these systems’


internal controls was used to evaluate the degree to which the appropriate internal controls were
designed and implemented. As appropriate, we conducted compliance tests using judgmental
sampling to determine the extent to which established controls and procedures are functioning as
required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit to cause us to
doubt its reliability.

Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.

The criteria used in conducting this audit included:

 • DHS Office of Cybersecurity and Communications FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics;
 • OPM Information Technology Security and Privacy Policy Handbook;
 • OPM Information Technology Security FISMA Procedures;
 • OPM Security Assessment and Authorization Guide;
 • OPM Plan of Action and Milestones Standard Operating Procedures;
 • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
 • OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
 • OMB Memorandum M-11-11: Continued Implementation of Homeland Security Presidential Directive 12;
 • P.L. 107-347, Title III, Federal Information Security Management Act of 2002;
 • P.L. 113-283, Federal Information Security Modernization Act of 2014;
 • National Institute for Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook;
 • NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems;
 • NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
 • NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
 • NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems;
 • NIST SP 800-39, Managing Information Security Risk – Organization, Mission, and Information System View;
 • NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems;
 • NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
 • NIST SP 800-60, Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories;
 • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
 • FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
 • Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of
1978, as amended. Our audit was conducted from April through September 2016 in OPM’s
Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM’s OCIO and other program offices were not in complete compliance with all standards, as
described in section III of this report.




III. AUDIT FINDINGS AND RECOMMENDATIONS

  A. Information Security Governance

     Information security governance is the overall framework and supporting management
     structure and processes that are the foundation of a successful information security program.
     Proper governance requires agency management to proactively implement cost-effective
     controls to protect the critical information systems that support the core mission, while
     managing the changing risk environment. This includes a variety of activities, challenges,
     and requirements, but is primarily focused on identifying key roles and responsibilities and
     managing information security policy development, oversight, and ongoing monitoring
     activities.

     The following sections provide additional details of our review of IT security governance at
     OPM.

     1) Security Management Structure

        For many years, we reported increasing concerns about the state of OPM’s information
        security governance. Our FISMA audit reports from FY 2009 through FY 2013 reported
        this issue as a material weakness, and our recommendation was that the agency recruit a
        staff of information security professionals to act as Information System Security Officers
        (ISSO) that report to the OCIO.

        Our FY 2014 FISMA report reduced the severity of the material weakness to a significant
        deficiency based on OPM’s plan to hire enough ISSOs to manage the security for all of
        OPM information systems. In FY 2015, OPM successfully filled the vacant ISSO
        positions, effectively centralizing IT security responsibility under the Chief Information
        Officer (CIO). With this new governance structure in place, we closed the audit
        recommendation related to security management structure and removed the significant
        deficiency from our report.

        For a brief period of time, this governance structure was operating effectively. However,
        there has been an extremely high employee turnover rate for the ISSO positions, and
        OPM has struggled to backfill these vacancies. In addition, there have been five different
        individuals in the role of the Chief Information Officer in the past three years.




         The negative impact of these staffing issues is apparent in the results of our current FISMA audit work. There has been a significant regression in OPM’s compliance with FISMA requirements, as the agency failed to meet requirements that it had successfully met in prior years.

         We believe that OPM’s IT security management structure – as currently defined on paper – can be effective with some minor improvements (see the next section of this report). However, this structure was not operational for the majority of FY 2016, and therefore we believe that this issue again rises to the level of a significant deficiency.

              OPM’s security management structure is reported as a significant deficiency, but the agency made recent progress in filling critical IT security positions.

Although OPM’s security management structure was not effective throughout FY 2016,
there has been recent progress in hiring additional ISSOs. OPM currently has 16 ISSOs
on its security team; enough to manage security for all of the agency’s major information
systems. The agency also hired a new permanent Chief Information Security Officer.
However, simply having the staff on board does not guarantee that the team can
effectively manage information security and keep OPM compliant with FISMA
requirements. We will continue to closely monitor this team’s activity throughout FY
2017.

Recommendation 1

We recommend that OPM hire a sufficient number of ISSOs to adequately support all of
the agency’s major information systems.

OPM Response:

“We concur with the recommendation. In FY 2016, OPM hired eight ISSOs bringing the
total to 16 ISSOs currently in place. The Office of the Chief Information Officer (OCIO)
is hiring an additional eight ISSOs, three of which are now onboarding, for a total of 24
ISSO positions, which will support all of OPM’s major information systems.”

OIG Comment:

As part of the audit resolution process, we recommend that OPM provide its Internal
Oversight and Compliance (IOC) division with evidence that it has fully implemented
this recommendation. This statement applies to all subsequent recommendations that
OPM agrees to implement.



      2) Security Roles and Responsibilities

         As noted above, OPM has designed (but not fully implemented) an information security management structure. One opportunity for improvement for this structure would be to more thoroughly define the roles and responsibilities of the individuals responsible for IT security and operations. Each ISSO position is complemented by an IT Project Manager (ITPM) position that typically has more operational (as opposed to security) responsibility. Throughout the fieldwork phase of this audit it became apparent to us that there is widespread confusion regarding whether certain responsibilities belong to the ISSO or the ITPM. One instance of this confusion came during our walkthrough of the vulnerability scanning process, where it was unclear to the individuals that received the scan results who would remediate and track the weaknesses identified. We understand that OPM is working on a draft document further defining the ISSO and ITPM roles and responsibilities, but it is still being developed and requires formal approval.

              OPM must more thoroughly define the roles and responsibilities of all positions in its IT security management structure.

   NIST SP 800-53, Revision 4, requires that an organization “Designates individuals to
   fulfill specific roles and responsibilities within the organization’s risk management
   process.”

   The lack of clearly defined roles and responsibilities within the security management
   structure increases the risk that critical security processes are improperly managed or
   simply ignored.

   Recommendation 2

   We recommend that OPM thoroughly define the roles and responsibilities of all positions
   in its IT security management structure.

   OPM Response:

   “We concur with the recommendation. OCIO is finalizing the updated IT security
   policies and procedures involving the positions within the IT security management
   structure in the OCIO, including updated roles and responsibilities.”

3) Systems Development Lifecycle Methodology

   As noted in last year’s FISMA report, OPM has a history of troubled system development
   projects. Despite multiple attempts and hundreds of millions of dollars invested, OPM



has encountered well publicized failures to modernize its retirement claims processing,
financial, and background investigation systems. In FY 2016, the agency’s enormous IT
infrastructure overhaul initiative was significantly behind schedule. In our opinion, the
root causes of these issues are related to the lack of centralized oversight of systems
development.

At the end of FY 2013, the OCIO published a new Systems Development Lifecycle
(SDLC) policy, which was a significant first step in implementing a centralized SDLC
methodology at OPM. The new SDLC policy incorporated several prior OIG
recommendations related to a centralized review process of system development projects.

However, this new SDLC is only applicable to major investment projects, and thus is not
actively enforced for all IT projects in the agency. OCIO’s response to last year’s
recommendation stated that “A plan and timeline for implementation of the policy for all
Development, Modernization and Enhancement (DM&E) projects is also being
developed.” As a part of this current audit we requested the current plan and timeline for
implementing the SDLC framework. The response was that “there is no implementation
timeline.”

While our concerns with the agency’s infrastructure improvement project are reported
separately from our FISMA audits, we have ongoing concerns that OPM’s lack of a
comprehensive SDLC will result in information systems not being properly managed
throughout their lifecycle and that new projects will fail to meet the stated objectives and
budgets.

The Federal Information System Controls Audit Manual (FISCAM) guidance states that
“The SDLC should provide a structured approach for identifying and documenting
needed changes to computerized operations; assessing the costs and benefits of various
options, including the feasibility of using off-the-shelf software; and designing,
developing, testing, and approving new systems and system modifications.”

Recommendation 3 (Rolled Forward from 2013)

We continue to recommend that the OCIO develop a plan and timeline to enforce the new
SDLC policy on all of OPM’s system development projects.

OPM Response:

“We concur with the recommendation. During transitions of two CIO’s since the prior
recommendation, it was decided to update the SDLC into a Digital Transformation SDLC
during FY 2017. This will be a collaborative effort between OPM SDLC Owner and the


      18F team that is working with OPM. This SDLC will be completed with an initial iteration
      and expanded upon with each successive project that transforms to agile development
      processes.”

B. Security Assessment and Authorization

   An Information System Security Assessment and Authorization (Authorization) is a
   comprehensive assessment that evaluates whether a system’s security controls are meeting
   the security requirements of that system.

   OPM is working to implement a comprehensive security control continuous monitoring
   program that will eventually replace the need for periodic system Authorizations. Although
   the agency’s continuous monitoring program is rapidly improving, it has not reached the
   point of maturity where it can effectively replace the Authorization program (See Section H -
   Continuous Monitoring). In addition, OPM acknowledges that a current and comprehensive
   Authorization for each system is a prerequisite for a continuous monitoring program, as the
   Authorization will provide a baseline of the security controls that need to be continuously
   monitored going forward.

   Our previous FISMA audit reports identified a material weakness in OPM’s Authorization
   program related to incomplete, inconsistent, and sub-par Authorization products. OPM
   resolved the issues by implementing new policies and procedures to standardize the
   Authorization process. However, throughout FY 2014 and FY 2015, the number of OPM
   systems without a current and valid Authorization significantly increased, and we reinstated
   the material weakness related to this issue.

   In April 2015, OPM’s OCIO issued a memorandum that granted an extension of the previous
   Authorizations for all systems whose Authorization had already expired, and for those
   scheduled to expire through the end of FY 2016. All new Authorization activity was
   deferred. The justification was that OPM was in the process of modernizing its IT
   infrastructure and that once this modernization was completed, all systems would have to
   receive new Authorizations anyway. We expressed serious concern with this approach, and
   warned the agency of the extreme risk associated with neglecting the IT security controls of
   its information systems.

   Although the moratorium on Authorizations has since been lifted, the effects of the April
   2015 memorandum continue to have a significant negative impact on the agency. The
   infrastructure modernization project was suspended as the agency re-evaluates its approach,
   and many of the systems included in the memorandum continue to operate in the same legacy
   environment without a valid Authorization.



                                               9                          Report No. 4A-CI-00-16-039
   In FY 2016, OPM initiated an “Authorization Sprint” in an effort to get all of the agency’s
   systems compliant with the Authorization requirements. We acknowledge that OPM is once
   again taking system Authorization seriously, and is dedicating significant resources toward
   re-Authorizing the systems that were neglected as a result of the 2015 moratorium.
   However, the ISSO staffing issues discussed in section A, above, are preventing OPM from
   moving as quickly as it would like. In FY 2016, we have received evidence that 12 systems
   were subject to the Authorization process as part of the Authorization Sprint. This includes
   an Authorization for OPM’s “LAN/WAN,” which is a critical general support system that
   provides inheritable controls for many smaller applications. The OIG was provided many of
   these Authorization packages during the last two weeks of the fiscal year, and therefore we
   were unable to perform a comprehensive review of the content and quality of these packages
   before issuing this FY 2016 FISMA audit report. We will perform a comprehensive audit of
   OPM’s Authorization process as a whole in early FY 2017.


   Although OPM has put significant effort toward authorizing its information systems, there
   are still 18 major systems that do not have a current Authorization in place. This includes
   systems owned by the following program offices:
   • Chief Financial Officer (2 systems);
   • Chief Information Officer (5 systems);
   • Employee Services (1 system);
   • Federal Investigative Services (4 systems);¹
   • Human Resources Solutions (1 system);
   • Office of the Inspector General (1 system); and
   • Retirement Services (4 systems).

   OPM is taking steps to improve its Authorization process, but it continued to represent a
   material weakness at the end of FY 2016.


    NIST SP 800-53, Revision 4, states that an organization is to ensure “that the authorizing
    official authorizes the information system for processing before commencing operations; and
    … Updates the security authorization ….”

    While we acknowledge OPM’s ongoing efforts to address this issue, we believe that the
    volume and sensitivity of OPM systems that are currently operating without an active
    Authorization continues to represent a material weakness in the internal control structure of
    the agency’s IT security program.

    Recommendation 4 (Rolled Forward from 2014)

    We recommend that all active systems in OPM’s inventory have a complete and current
    Authorization.

¹ As of October 1, 2016, the responsibilities of the Federal Investigative Services program office were transitioned to
the National Background Investigation Bureau.

OPM Response:

“We concur with the recommendation. In FY 2016, OPM issued 15 ATOs during its ATO
sprint and ATO relay initiatives and has 7 more authorizations in progress. OCIO plans to
have current ATOs for all systems by December 31, 2016.”

Recommendation 5 (Rolled Forward from 2014)

We recommend that the performance standards of all OPM system owners be modified to
include a requirement related to FISMA compliance for the information systems they own.
At a minimum, system owners should be required to ensure that their systems have valid
Authorizations.

OPM Response:

“We concur with the recommendation. OCIO established and implemented these performance
standards for the OCIO IT Project managers in FY 2015. In FY 2017, OCIO will develop the
performance standards for all IT Program and Project Managers in coordination with the
OPM Chief Human Capital Officer as required in the Federal IT Acquisition Reform Act
implementation memo signed by the Acting Director in October 2016.”

Recommendation 6 (Rolled Forward from 2014)

We recommend that the OPM Director consider shutting down information systems that do
not have a current and valid Authorization.

OPM Response:

“We partially concur with the recommendation. OCIO will update its policies and procedures
for security authorizations to include making a risk-based decision on the operation of a
system without a current authorization. These will be forwarded to the Director for ultimate
decision.”

OIG Comment:

Our recommendation is for the Director to consider shutting down systems that do not have a
valid Authorization, and it appears that OPM’s action plan is consistent with this
recommendation. Once the relevant policies and procedures are updated, OPM should
provide evidence to its IOC division for consideration of closing this recommendation.

C. Risk Management

  NIST SP 800-37, Revision 1, “Guide for Applying the Risk Management Framework to
  Federal Information Systems” (Guide) provides Federal agencies with a framework for
  implementing an agency-wide risk management methodology. The Guide suggests that risk
  be assessed in relation to the agency’s goals and mission from a three-tiered approach:
  • Tier 1: Organization (Governance);
  • Tier 2: Mission/Business Process (Information and Information Flows); and
  • Tier 3: Information System (Environment of Operation).

  NIST SP 800-39, “Managing Information Security Risk – Organization, Mission, and
  Information System View” provides additional details of this three-tiered approach.


  1) Agency Risk Management

     NIST SP 800-39 states that agencies should establish and implement “Governance
     structures [that] provide oversight for the risk management activities conducted by
     organizations and include:
     (i)   the establishment and implementation of a risk executive (function);
     (ii)  the establishment of the organization’s risk management strategy including the
           determination of risk tolerance; and
     (iii) the development and execution of organization-wide investment strategies for
           information resources and information security.”

     In FY 2016, OPM created a charter for a Risk Steering Committee, and the committee
     has begun to meet. However, OPM has not established an agency-wide risk management
     strategy. In addition, the 12 primary elements of the Risk Executive Function as
     described in NIST SP 800-39 are not all fully implemented. Key elements still missing
     from OPM’s approach to managing risk at an agency-wide level include: conducting an
     agency-wide risk assessment, maintaining a risk registry, communicating the agency-
     wide risks down to the system owners, and ensuring proper authorization of agency
     information systems.

     Recommendation 7 (Rolled Forward from 2011)

     We recommend that OPM continue to develop its Risk Executive Function to meet all of
     the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive
     (Function).

   OPM Response:

   “We concur with the recommendation. Responsibility for the development and
   maintenance of the enterprise risk management program was assigned to the Risk
   Management Council (RMC) in October 2015. As noted in NIST 800-39, ‘the risk
   executive (function) requires a mix of skills, expertise, and perspectives to understand
   the strategic goals and objectives of organizations, organizational missions/business
   functions, technical possibilities and constraints, and key mandates and guidance that
   shape organizational operations.’ To provide this necessary mixture, we will fill the
   risk executive (function) through the RMC. The Council is working toward meeting
   all requirements, with the OCIO specifically managing risk associated with the IT
   portfolio.”

2) System Specific Risk Management

   NIST SP 800-37, Revision 1, outlines a risk management framework (RMF) that contains
   six primary steps, including “(i) the categorization of information and information
   systems; (ii) the selection of security controls; (iii) the implementation of security
   controls; (iv) the assessment of security control effectiveness; (v) the authorization of the
   information system; and (vi) the ongoing monitoring of security controls and the security
   state of the information system.”

   OPM has implemented the six-step RMF into its system-specific risk management
   activities through the Authorization process (See Security Assessment and Authorization
   section B). In addition, OPM policy requires each major information system to be
   subject to routine security controls testing through a continuous monitoring program (see
   Continuous Monitoring section G).

3) Adherence to Remediation Deadlines

   Many information system owners are not meeting the self-imposed deadlines for
   remediating the security weaknesses listed on the Plan of Action and Milestones
   (POA&M). Of OPM’s 46 major information systems, 43 have POA&M items that are
   greater than 120 days overdue. Furthermore, 85 percent of open POA&Ms are over 30
   days overdue, and over 78 percent are over 120 days overdue. The 43 systems with
   overdue POA&M items are owned by the following program offices:
    • Chief Information Officer (10 systems);
    • Employee Services (2 systems);
    • Federal Investigative Services (8 systems);
    • Healthcare and Insurance (3 systems);
    • Human Resources Solutions (8 systems);
    • Leadership and Talent Management (2 systems);
    • Office of the Inspector General (3 systems);
    • Planning and Policy Analysis (1 system); and
    • Retirement Services (6 systems).

    78 percent of all POA&Ms agency-wide are over 120 days overdue.
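The overdue figures above are straightforward to reproduce from a POA&M export. The following is an added example (it is not from the report and not OPM's tooling) that computes the same kind of statistics over a constructed sample: the share of open items more than 30 and more than 120 days past their remediation date, and the systems with 120-day-overdue items grouped by program office. The system names, office assignments and dates are invented, and the reporting date is assumed to be the last day of FY 2016.

```python
from collections import defaultdict
from datetime import date

# Constructed sample POA&M export (not OPM data): one row per open weakness,
# giving the system, its owning program office and the self-imposed remediation date.
SAMPLE_POAMS = [
    ("HR Payroll App", "Human Resources Solutions", date(2016, 2, 1)),
    ("HR Payroll App", "Human Resources Solutions", date(2016, 9, 15)),
    ("Benefits Portal", "Retirement Services", date(2016, 4, 10)),
    ("Benefits Portal", "Retirement Services", date(2016, 9, 20)),
    ("Case Tracker", "Office of the Inspector General", date(2016, 8, 20)),
    ("Network Core", "Chief Information Officer", date(2016, 1, 5)),
    ("Web Front End", "Chief Information Officer", date(2016, 10, 15)),
]

AS_OF = date(2016, 9, 30)  # assumed reporting date: last day of FY 2016


def days_overdue(due, as_of=AS_OF):
    """Positive when the remediation date has passed, negative when it is still ahead."""
    return (as_of - due).days


def aging_summary(poams, as_of=AS_OF):
    """Share of open items that are more than 30 and more than 120 days past their date."""
    total = len(poams)
    over_30 = sum(1 for _, _, due in poams if days_overdue(due, as_of) > 30)
    over_120 = sum(1 for _, _, due in poams if days_overdue(due, as_of) > 120)
    return {
        "open": total,
        "pct_over_30": round(100.0 * over_30 / total, 1),
        "pct_over_120": round(100.0 * over_120 / total, 1),
    }


def systems_over_120_by_office(poams, as_of=AS_OF):
    """Program office -> sorted systems that have at least one item more than 120 days overdue."""
    offices = defaultdict(set)
    for system, office, due in poams:
        if days_overdue(due, as_of) > 120:
            offices[office].add(system)
    return {office: sorted(systems) for office, systems in sorted(offices.items())}


def worst_overdue_per_system(poams, as_of=AS_OF):
    """System -> age in days of its most overdue open item, for prioritising follow-up."""
    worst = {}
    for system, _, due in poams:
        age = days_overdue(due, as_of)
        worst[system] = max(age, worst.get(system, age))
    return worst


if __name__ == "__main__":
    print(aging_summary(SAMPLE_POAMS))
    for office, systems in systems_over_120_by_office(SAMPLE_POAMS).items():
        print(f"{office}: {len(systems)} system(s) -> {', '.join(systems)}")
```

The grouping by office mirrors the report's presentation: the count shown for each office is the number of distinct systems with at least one badly overdue item, not the number of overdue items.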

      Recommendation 8

      We recommend that OPM adhere to remediation dates for its POA&M weaknesses.

      OPM Response:

      “We concur with the recommendation. An updated POA&M guide and POA&M
      processes have been introduced in order to facilitate greater transparency of POA&M
      remediation actions and support more timely remediation through communication and
      mutual support amongst System Owners, Information System Security Officers, and
      other stakeholders in POA&M processes.”

D. Contractor Systems

   OPM’s master system inventory indicates that 16 of the agency’s 46 major applications are
   operated by a contractor.

   OPM tracks interfaces between agency-operated and contractor-operated systems and the
   related Interconnection Security Agreements (ISA). However, the ISAs for 64 of the 82
   interconnections have expired. NIST SP 800-47, Security Guide for Interconnecting
   Information Technology Systems, states that improperly designed interconnections could
   result in security failures that compromise the connected systems and the data that they store,
   process, or transmit. Failure to maintain valid ISAs could introduce risks similar to
   improperly designed interconnections.

   Program offices may also develop a Memorandum of Understanding/Agreement (MOU/A) to
   document the purpose for direct interconnection. These documents outline the terms and
   conditions for sharing data and information resources in a secure manner. While these
   documents are not required for each ISA, OPM has created 28 MOU/As. However, 21 of
   those 28 MOU/As are expired. The OCIO should maintain up-to-date MOU/As to ensure
   that valid agreements are in place for each documented ISA.

   Recommendation 9 (Rolled Forward from 2014)

   We recommend that the OCIO ensure that all ISAs are valid and properly maintained.

   OPM Response:

   “We concur with the recommendation. OCIO will issue an updated policy on system
   interconnection requirements in the first quarter FY 2017. It will include monitoring
   processes for validating compliance with the policy.”

   Recommendation 10 (Rolled Forward from 2014)

   We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection.

   OPM Response:

   “We concur with the recommendation. OCIO will issue an updated policy on system
   interconnection requirements in the first quarter FY 2017. It will include monitoring
   processes for validating compliance with the policy.”

E. Configuration Management

   The sections below detail the controls that the OCIO has in place to manage the technical
   configuration of OPM servers, databases, and workstations.

   1) Agency-wide Configuration Management Program

      OPM’s Information Security and Privacy Policy Handbook contains policies related to
      agency-wide configuration management. The handbook requires the establishment of
      secure baseline configurations and the monitoring and documenting of all configuration
      changes. Operational procedures are developed by individual program offices and
      technical operational groups as necessary.

   2) System Inventory

      OPM currently has several initiatives underway to improve its hardware and software
      inventory management program. The agency has recently made progress developing a
      list of its servers and databases, and uses an inventory management tool to track the
      software that is installed throughout the network.

   However, lists of servers, databases, and software are only partial elements of a complete
   system inventory. OPM still has significant work ahead in converting the raw data it has
   collected into a comprehensive and mature system inventory. The current inventory data
   lists the devices and software that reside within the environment, but it does not describe
   the specific servers the software resides on, or the information systems the devices and
   software support.

   The various elements of an inventory must be mapped to each other so that OPM can
   accurately define the boundaries of its information systems. A mature system inventory
   would not only identify all major information systems, but it would also contain details of
   the specific applications, software, servers, databases, and network devices that comprise
   and/or support each system. Furthermore, we issued a separate audit report on web
   application security that contained a recommendation related to OPM’s lack of an
   adequate web application inventory.

   The lack of a mature system inventory significantly hinders OPM’s efforts related to
   oversight, risk management, and securing the agency’s information systems.
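To make the mapping concrete, here is an added example (not OPM's inventory or tooling) that joins a software list, a server list and a set of authorization boundaries and reports what cannot be tied to any information system. It also answers the question the report's later findings raise, namely which boundaries an unsupported product actually touches. All hostnames, products, versions and boundary names are constructed.

```python
from collections import defaultdict

# Constructed sample inventories (not OPM data). In practice these are exports from the
# asset-inventory tool and from the system-inventory / authorization-boundary documents.
SOFTWARE = [  # (product, version, host it was discovered on)
    ("Apache Tomcat", "7.0.52", "web01"),
    ("OpenSSL", "1.0.1", "web01"),
    ("Oracle Database", "11.2", "db01"),
    ("Windows Server", "2003", "legacy01"),
    ("Backup Agent", "4.2", "ghost07"),   # a host the server list does not know about
]
SERVERS = ["web01", "db01", "app02", "legacy01"]
SYSTEMS = {  # information system (authorization boundary) -> hosts inside it
    "Benefits Portal": ["web01", "db01"],
    "Case Tracker": ["app02"],
}


def correlate(software, servers, systems):
    """Join the three inventories and report what cannot be tied to a system boundary."""
    host_to_system = {h: s for s, hosts in systems.items() for h in hosts}
    per_system = defaultdict(list)
    orphan_software = []   # software on a host that no boundary claims
    unknown_hosts = set()  # hosts seen by the software scanner but absent from the server list
    for product, version, host in software:
        if host not in servers:
            unknown_hosts.add(host)
        system = host_to_system.get(host)
        if system is None:
            orphan_software.append((product, version, host))
        else:
            per_system[system].append((product, version, host))
    unmapped_hosts = sorted(h for h in servers if h not in host_to_system)
    return {
        "per_system": {s: sorted(v) for s, v in per_system.items()},
        "unmapped_hosts": unmapped_hosts,
        "orphan_software": sorted(orphan_software),
        "unknown_hosts": sorted(unknown_hosts),
    }


def systems_running(product, software, servers, systems):
    """Which authorization boundaries does a product (e.g. an unsupported OS) affect?

    Returns (affected boundaries, hosts running it that belong to no boundary)."""
    host_to_system = {h: s for s, hosts in systems.items() for h in hosts}
    affected, unattributed = set(), set()
    for name, _version, host in software:
        if name != product:
            continue
        if host in host_to_system:
            affected.add(host_to_system[host])
        else:
            unattributed.add(host)
    return sorted(affected), sorted(unattributed)


if __name__ == "__main__":
    report = correlate(SOFTWARE, SERVERS, SYSTEMS)
    print("hosts in no boundary:", report["unmapped_hosts"])
    print("software with no owning system:", report["orphan_software"])
    print("Windows Server 2003 affects:", systems_running("Windows Server", SOFTWARE, SERVERS, SYSTEMS))
```

The second function is the practical payoff of the correlation: until `legacy01` is placed inside a boundary, nobody can say which Authorization, system owner or POA&M the unsupported operating system on it belongs to.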

   Recommendation 11

   We recommend that OPM improve its system inventory by correlating the elements of
   the inventory to the servers and information systems they reside on.

   OPM Response:

   “We concur with the recommendation. System Owners, Information System Security
   Officers, and Asset Managers will correlate hardware and software assets in the
   automated asset inventory to information systems in the information system inventory.”

3) Standard Security Configurations Settings

   Our FY 2015 FISMA audit concluded that OPM did not have adequate configuration
   standards in place for all operating platforms that it uses. In FY 2016, OPM developed
   an inventory of servers, databases, and applications – a critical first step toward
   developing security configurations standards. The agency has also begun using
   configuration checklists from recognized industry organizations to help develop the
   agency’s standard security configuration settings. However, we have not seen evidence
   that these standards have been developed and implemented for all operating systems
   identified in the inventory.

In addition to not having documented configuration standards for some systems, OPM
has not documented its deviations from generic standards for all operating systems in the
environment. OPM requires all configuration deviations to be reviewed through the
change control process. However, once they are approved, these settings must be
documented in the appropriate standard.

NIST SP 800-53, Revision 4, requires agencies to identify, document, and approve any
deviations from established configuration settings.

Configuration standards are the foundation of a mature configuration management
program, as system configuration settings cannot be effectively monitored, audited, and
secured without a documented standard to reference.

Recommendation 12 (Rolled Forward from 2014)

We recommend that the OCIO develop and implement a baseline configuration for all
operating platforms in use by OPM including, but not limited to, [redacted], [redacted],
[redacted], and [redacted].

OPM Response:

“We partially concur with the recommendation. OCIO has baselines standardized
across the infrastructure for the current approved operating platforms. Legacy systems
(e.g. unsupported operating systems), with older, documented baselines continue to
exist in the environment. OCIO will continue to strengthen its IT infrastructure
environment by using only current, approved operating platforms with standard
baseline configurations meeting the requirements defined in OPM security policies and
procedures.”

OIG Comment:

We have not been provided evidence that documented baselines exist for all legacy
systems. If they do exist, evidence should be provided to the IOC division for
consideration of closing this recommendation.

Recommendation 13 (Rolled Forward from 2014)

Where an OPM configuration standard is based on a pre-existing generic standard, we
recommend that OPM document all instances where the OPM-specific standard deviates
from the recommended configuration setting.

   OPM Response:

   “We partially concur with the recommendation. Although all changes to standard
   baselines are maintained and tracked as part of the Change Management process,
   OCIO realizes the value of maintaining a record specifically of the deviations to the
   standard baseline and will consider updating its standard baselines to include this
   information in accordance with security policies and standard best practices.”

   OIG Comment:

   Maintaining a record of the specific deviations from generic configuration standards is
   critical to the organization’s ability to effectively audit a system’s actual settings. We
   continue to recommend that OPM document all instances where an OPM-specific
   configuration standard deviates from a generic recommended standard.

4) Vulnerability Management Program

   OPM performs automated network vulnerability scans on its systems on a bi-weekly
   basis. The recent improvements to the agency’s system inventory provide some level of
   confidence that the automated tools are actually scanning all systems within the
   environment.

   OPM’s vulnerability scanning program has recently improved, but our audit test work
   indicated that several problems still exist.

   While we acknowledge that improvements have been made to OPM’s vulnerability scanning
   program, our test work performed during this audit indicates that several problems still exist.
   Specifically, the scanning tool did not have access to certain portions of OPM’s internal
   network. In some cases, OPM was not aware of these access issues until they were
   identified by our test work. In addition, the historical scan reports that we reviewed
   indicate that most of the vulnerability scans performed in the first half of the fiscal year
   were not run with the system credentials necessary to perform a thorough analysis.

   We also performed our own independent vulnerability scans on a sample of OPM’s
   information systems. The results of our vulnerability scans indicate that OPM’s
   production environment contains severely out-of-date and unsupported software and
   operating platforms. In other words, the software vendor no longer provides patches,
   security fixes, or updates for the software. As a result, there is an increased risk that
   OPM’s technical environment contains vulnerabilities that could be exploited to allow
   unauthorized access to sensitive data.
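The two scanning gaps described above, network segments the scanner could not reach and scans run without credentials, are both visible in the scanner's own output once it is reconciled against the system inventory. The following is an added example (not OPM's scanner, procedures or data) of such a reconciliation over constructed scan records: it tracks, per inventoried host, when it was last reached and when it was last scanned with working credentials, and lists the hosts that fail a freshness threshold. Hostnames, segment labels, dates and the 30-day threshold are assumptions.

```python
from datetime import date

# Constructed inventory of in-scope hosts (not OPM data): host -> network segment.
INVENTORY = {"web01": "dmz", "db01": "internal", "app02": "internal", "legacy01": "isolated-vlan"}

# Constructed scan history: one record per run. For each host the scanner reached,
# credentialed = it logged in successfully, auth_failed = a login was attempted and rejected.
SCAN_RUNS = [
    {"date": date(2016, 3, 1), "results": {
        "web01": {"credentialed": True, "auth_failed": False},
        "db01": {"credentialed": False, "auth_failed": True},
        "app02": {"credentialed": False, "auth_failed": True},
    }},
    {"date": date(2016, 3, 15), "results": {
        "web01": {"credentialed": True, "auth_failed": False},
        "db01": {"credentialed": True, "auth_failed": False},
        "app02": {"credentialed": False, "auth_failed": True},
    }},
]


def host_status(inventory, runs):
    """Per inventory host: last time it was reached, last authenticated scan, login failures."""
    status = {h: {"segment": seg, "last_seen": None, "last_authenticated": None, "auth_failures": 0}
              for h, seg in inventory.items()}
    for run in sorted(runs, key=lambda r: r["date"]):
        for host, result in run["results"].items():
            if host not in status:
                continue  # not in the inventory: surfaced separately by unknown_hosts()
            entry = status[host]
            entry["last_seen"] = run["date"]
            if result["credentialed"]:
                entry["last_authenticated"] = run["date"]
            if result["auth_failed"]:
                entry["auth_failures"] += 1
    return status


def coverage_exceptions(inventory, runs, as_of, max_age_days):
    """Hosts lacking a recent authenticated scan, with the reason, sorted by host name."""
    exceptions = []
    for host, entry in sorted(host_status(inventory, runs).items()):
        if entry["last_seen"] is None:
            reason = "never reached by the scanner"
        elif entry["last_authenticated"] is None:
            reason = f"never scanned with credentials ({entry['auth_failures']} login failures)"
        elif (as_of - entry["last_authenticated"]).days > max_age_days:
            reason = f"last authenticated scan {entry['last_authenticated']} is stale"
        else:
            continue
        exceptions.append((host, entry["segment"], reason))
    return exceptions


def unknown_hosts(inventory, runs):
    """Hosts the scanner reached that the inventory does not list."""
    return sorted({h for run in runs for h in run["results"] if h not in inventory})


if __name__ == "__main__":
    for host, segment, reason in coverage_exceptions(INVENTORY, SCAN_RUNS, date(2016, 3, 31), 30):
        print(f"{host} ({segment}): {reason}")
```

Run after every scheduled scan, the exception list gives the OCIO the evidence the OIG Comment under Recommendation 14 asks for, and it separates the two failure modes the report describes: a host that is never reached points at network access, while repeated login failures point at the scan credentials.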

Recommendation 14 (Rolled Forward from 2014)

We recommend that the OCIO implement a process to ensure routine vulnerability
scanning is conducted on all network devices documented within the inventory.

OPM Response:

“As noted in the report, OCIO encountered authentication errors in vulnerability scans
and worked swiftly to formulate a remediation process. Procedures were updated to
perform checks against authentication failures against the prior day's scheduled scans.
OCIO now regularly runs discovery scans in order to identify any devices that are
connected to the opm.gov network. We believe that these updated procedures address
the recommendation.”

OIG Comment:

As part of the audit resolution process, we recommend that OPM provide its IOC division
with evidence that all network devices have been routinely subject to authenticated
vulnerability scans over a six-month period.

Recommendation 15

We recommend that the OCIO implement a process to ensure that only supported
software and operating platforms are used within the network environment.

OPM Response:

“We concur with the recommendation. In FY 2016, OCIO implemented a Network
Access Control (NAC) solution across the enterprise to prevent unauthorized operating
platforms from accessing the network environment. The NAC also monitors systems to
ensure they are in compliance with NAC security policies. OCIO has also implemented
additional tools as part of the CDM effort, including a software ‘Blacklist,’ and is
working to implement ‘Whitelisting’ into FY 2017. OCIO has also reduced the number
of unsupported [redacted] operating platforms in its environment by 93% in FY 2016
and plans to complete these upgrades in FY 2017. OPM project managers and security
officers will work with business owners to implement good software lifecycle practices
across the agency and migrate from unsupported applications and operating platforms
to current versions.”

5) Compliance with Baselines

   OPM uses automated scanning tools to conduct routine configuration compliance audits
   on its workstations, servers, and networking devices. These tools compare the actual
   configuration settings to industry standard templates. However, these automated scans
   do not take into account the customized configuration requirements specific to OPM’s
   technical environment. As mentioned above, OPM does not maintain documented
   configuration standards that detail these customizations, and therefore it is impossible to
   subject these systems to adequate configuration compliance audits.

   NIST SP 800-128 states that configuration monitoring is needed to identify
   “undiscovered/undocumented system components, misconfigurations, vulnerabilities, and
   unauthorized changes, all of which, if not addressed, can expose organizations to
   increased risk.”

   Failure to routinely audit information systems against their approved configurations
   decreases an organization’s ability to detect malicious activity or unapproved changes.
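Both the deviation record discussed under Standard Security Configuration Settings (Recommendation 13) and the compliance audit discussed here (Recommendation 16) depend on the same artifact: the generic checklist together with the agency's approved deviations. The following is an added example (not OPM's baselines, policy or scanning tool) showing how a documented deviation record turns a generic template into an auditable agency standard, and why comparing a host with the bare template misclassifies approved customizations, which is the limitation described above. The settings, values, hosts and change-ticket id are constructed placeholders, not a real benchmark.

```python
# Constructed generic (industry checklist) baseline for a hypothetical Linux server class.
# Keys and values are illustrative only.
GENERIC_BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.Protocol": "2",
    "password.MinLength": "14",
    "audit.Enabled": "yes",
    "services.telnet": "disabled",
}

# Approved agency-specific deviations: setting -> (value, change ticket, justification).
# This record is what Recommendation 13 asks for; the ticket id is a constructed placeholder.
APPROVED_DEVIATIONS = {
    "password.MinLength": ("12", "CR-PLACEHOLDER", "legacy application limits the field to 12 characters"),
}


def effective_baseline(generic, deviations):
    """The agency standard: the generic checklist with every approved deviation applied."""
    effective = dict(generic)
    for key, (value, _ticket, _justification) in deviations.items():
        if key not in generic:
            raise KeyError(f"deviation recorded for a setting the generic standard lacks: {key!r}")
        effective[key] = value
    return effective


def audit_host(actual, generic, deviations):
    """Compare observed settings with the agency standard and classify each mismatch."""
    expected = effective_baseline(generic, deviations)
    findings = []
    for key, want in expected.items():
        got = actual.get(key, "<unset>")
        if got == want:
            continue
        # A host sitting at the generic value on a deviated setting has lost the approved
        # customisation; reporting that separately from ordinary drift speeds up triage.
        kind = "lost-deviation" if key in deviations and got == generic[key] else "drift"
        findings.append({"setting": key, "expected": want, "observed": got, "kind": kind})
    undocumented = sorted(set(actual) - set(expected))
    return {"findings": findings, "undocumented_settings": undocumented}


def false_positives_against_generic(actual, generic, deviations):
    """Settings a scanner would flag when comparing the host with the bare industry template,
    even though the host is exactly at the approved agency value."""
    expected = effective_baseline(generic, deviations)
    return sorted(k for k in deviations if actual.get(k) == expected[k] and expected[k] != generic[k])


# Constructed observations from two hosts.
HOST_A = {
    "ssh.PermitRootLogin": "no",
    "ssh.Protocol": "2",
    "password.MinLength": "12",
    "audit.Enabled": "no",
    "services.telnet": "disabled",
    "ntp.Server": "192.0.2.10",
}
HOST_B = {**HOST_A, "password.MinLength": "14", "audit.Enabled": "yes"}

if __name__ == "__main__":
    print(audit_host(HOST_A, GENERIC_BASELINE, APPROVED_DEVIATIONS))
    print("flagged only because the template ignores deviations:",
          false_positives_against_generic(HOST_A, GENERIC_BASELINE, APPROVED_DEVIATIONS))
```

`HOST_A` is compliant with the agency standard on the password setting and non-compliant on auditing; a scan against the industry template alone would report the opposite emphasis, flagging the approved 12-character minimum while saying nothing about why that value is there. The setting the standard does not mention (`ntp.Server`) is reported so it can be added to the standard or removed, which is the undocumented-component case NIST SP 800-128 describes.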

   Recommendation 16 (Rolled Forward from 2014)

   We recommend the OCIO conduct routine compliance scans against established baseline
   configurations for all servers and databases in use by OPM. This recommendation cannot
   be addressed until Recommendation 13 has been completed.

   OPM Response:

   “We concur with the recommendation. OCIO currently runs daily compliance scans
   against all established baselines through the use of OPM’s enterprise compliance
   scanning tool. OCIO will continue to refine its enterprise compliance scanning tool to
   evaluate compliance against the established baselines as they are developed for the
   remaining servers and databases.”

6) Vulnerability remediation

   OPM distributes vulnerability scan results to the agency’s various system owners so that
   they can remediate the weaknesses identified in the scans. Formal POA&M entries are
   created for weaknesses that require significant time to remediate. However, for other
   routine security weaknesses identified during vulnerability scans, OPM does not have a
   process to record or track the remediation status.
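One way to build the tracking process the report finds missing is to diff each new scan against a central register of known findings. The following is an added example (not OPM's process, scanner or data) showing the state transitions such a register needs: a finding opens when first seen, is marked remediated when it disappears from a later scan, reopens if it returns, and stays risk-accepted once an explicit decision is recorded. The hosts, finding ids, severities and dates are constructed; the ids stand in for whatever check or plugin identifier the scanner emits.

```python
from datetime import date

# Constructed scan outputs (not OPM data): (scan date, set of (host, finding id, severity)).
# Finding ids like "F-1001" are placeholders for a scanner's check/plugin identifier.
SCANS = [
    (date(2016, 4, 1),  {("web01", "F-1001", "high"), ("db01", "F-2002", "medium"), ("app02", "F-3003", "low")}),
    (date(2016, 4, 15), {("web01", "F-1001", "high"), ("app02", "F-3003", "low")}),
    (date(2016, 5, 1),  {("web01", "F-1001", "high"), ("db01", "F-2002", "medium"), ("app02", "F-3003", "low")}),
]
# Constructed risk-acceptance decisions: (host, finding id) -> date the acceptance was signed.
RISK_ACCEPTED = {("app02", "F-3003"): date(2016, 4, 10)}


def apply_scan(tracker, scan_date, findings, risk_accepted):
    """Fold one scan into the central register: open new items, close vanished ones, reopen returners."""
    present = {(host, fid): sev for host, fid, sev in findings}
    for key, sev in present.items():
        entry = tracker.get(key)
        if entry is None:
            entry = {"severity": sev, "first_seen": scan_date, "last_seen": scan_date,
                     "status": "open", "closed_on": None, "reopened": 0}
            tracker[key] = entry
        else:
            entry["last_seen"] = scan_date
            if entry["status"] == "remediated":   # came back after having been closed
                entry["status"], entry["closed_on"] = "open", None
                entry["reopened"] += 1
        accepted_on = risk_accepted.get(key)
        if accepted_on is not None and scan_date >= accepted_on and entry["status"] == "open":
            entry["status"] = "risk_accepted"
    for key, entry in tracker.items():
        if key not in present and entry["status"] == "open":
            entry["status"], entry["closed_on"] = "remediated", scan_date
    return tracker


def build_tracker(scans, risk_accepted):
    """Replay a scan history, oldest first, into a fresh register."""
    tracker = {}
    for scan_date, findings in sorted(scans, key=lambda s: s[0]):
        apply_scan(tracker, scan_date, findings, risk_accepted)
    return tracker


def open_older_than(tracker, as_of, days):
    """Open items (neither remediated nor accepted) older than `days`, most severe then oldest first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    aged = [(key, (as_of - e["first_seen"]).days) for key, e in tracker.items()
            if e["status"] == "open" and (as_of - e["first_seen"]).days > days]
    return sorted(aged, key=lambda item: (rank[tracker[item[0]]["severity"]], -item[1]))


if __name__ == "__main__":
    register = build_tracker(SCANS, RISK_ACCEPTED)
    for key, entry in sorted(register.items()):
        print(key, entry["status"], "first seen", entry["first_seen"], "reopened", entry["reopened"])
    print("open > 30 days:", open_older_than(register, date(2016, 5, 15), 30))
```

Age is measured from `first_seen`, not from the latest reopening, so a finding that was closed and then returned (as `db01`'s does here) keeps its original age; that is the behaviour a practitioner wants when the question is how long a system has been exposed. Feeding the register's long-lived open items into the POA&M process, as OPM's response proposes, is then a query rather than a manual step.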

  Without a formal process to track known vulnerabilities, there is a significantly increased
  risk that these weaknesses will not be addressed in a timely manner, and that the systems
  will indefinitely remain susceptible to attack.

  OPM does not formally track known vulnerabilities, increasing the risk the systems will
  indefinitely remain susceptible to attack.

  Recommendation 17 (Rolled Forward from 2014)

  We recommend that the OCIO implement a process to centrally track the current status of
  security weaknesses identified during vulnerability scans to remediation or risk
  acceptance.

  OPM Response:

  “We concur with the recommendation. OCIO will integrate the weaknesses identified
  through the vulnerability scanning process with the POA&M inventory for centralized
  tracking of security weaknesses.”

7) Patch management

  OPM has a process in place for testing and installing patches for each operating system
  used within OPM’s network. The OCIO has been transitioning some of the patching
  process to a new management utility, but not all systems and applications are integrated
  at this time. The servers that have not been integrated with this new utility are patched
  via other utilities or manual processes.

  We made various efforts to validate the effectiveness of the OCIO’s patch management
  process – both by performing our own independent vulnerability scans and by reviewing
  the results of historical vulnerability scans run by OPM. However, these efforts did not
  produce any evidence indicating that OPM’s systems are consistently patched in a timely
  manner. Although we acknowledge that OPM is dedicating resources to improving its
  patch management process, we cannot at this time attest to any significant improvements
  in OPM’s patch management process and therefore, our previous recommendation on this
  issue will be rolled forward in this report.

  Recommendation 18 (Rolled Forward from 2014)

  We recommend that the OCIO implement a process to apply operating system and third
  party vendor patches in a timely manner, which is defined within the OPM Information
  Security and Privacy Policy Handbook.

      OPM Response:

      “We concur with the recommendation. A new patch management application was
      implemented across the enterprise and has been used to patch systems for about six
      months. It has also successfully deployed software upgrades to the end-users
      workstations using current processes. OCIO will continue to refine the patch
      management process using this application into FY 2017.”

F. Identity and Access Management

   The following sections detail OPM’s account and identity management program.

   a) Policies for account and identity management

     OPM maintains policies and procedures for agency-wide system account and identity
     management within its Information Security and Privacy Policy Handbook. The policies
     contain procedures for creating user accounts with the appropriate level of access as well
     as procedures for removing access for terminated employees.

   b) Contractor Access Termination

     OPM has established a centralized process for securely granting employees and
     contractors access to its internal network. Our evaluation of OPM’s termination process
     indicates that the process appears to work as intended for removing terminated agency
     (non-contractor) employees in a timely manner. However, the process for terminating
     access for contractor employees leaving the agency is not centrally managed, and it is the
     responsibility of the various Contracting Officer Representatives to notify the OCIO that a
     contractor no longer requires access. Furthermore, OPM does not maintain a complete list
     of all the contractors that have access to OPM’s network, so there is no way for the OCIO
     to audit the termination process to ensure that contractor accounts are removed in a timely
     manner.

     FISCAM states that “Terminated employees who continue to have access to critical or
     sensitive resources pose a major threat . . . .”
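Auditing the contractor termination process becomes possible once the centralized list exists, because every enabled contractor account can then be explained by a roster entry or flagged. The following is an added example (not OPM's process, directory or data) that reconciles a constructed directory export with a constructed contractor roster and surfaces the accounts that should already have been removed, the ones nobody on the roster vouches for, and the roster entries with no account. Account names, COR labels and dates are invented.

```python
from datetime import date

# Constructed directory export (not OPM data): one record per network account.
ACCOUNTS = [
    {"name": "jdoe",       "kind": "employee",   "enabled": True},
    {"name": "ctr.asmith", "kind": "contractor", "enabled": True},
    {"name": "ctr.bjones", "kind": "contractor", "enabled": True},
    {"name": "ctr.cwhite", "kind": "contractor", "enabled": False},
    {"name": "ctr.xkim",   "kind": "contractor", "enabled": True},
]

# Constructed centralized contractor roster (the list Recommendation 19 asks the OCIO to keep):
# account -> (responsible Contracting Officer Representative, period-of-performance end date).
ROSTER = {
    "ctr.asmith": ("COR-A", date(2017, 3, 31)),
    "ctr.bjones": ("COR-B", date(2016, 8, 31)),
    "ctr.cwhite": ("COR-B", date(2016, 6, 30)),
    "ctr.dgreen": ("COR-C", date(2017, 1, 31)),
}


def reconcile(accounts, roster, as_of):
    """Compare enabled contractor accounts with the roster and classify each discrepancy."""
    report = {"overdue_removal": [], "not_on_roster": [], "roster_without_account": [], "ok": []}
    names = {a["name"] for a in accounts}
    for acct in accounts:
        # Employees are handled by the centralized (HR-driven) termination process the report
        # found to work; already-disabled accounts need no action.
        if acct["kind"] != "contractor" or not acct["enabled"]:
            continue
        entry = roster.get(acct["name"])
        if entry is None:
            report["not_on_roster"].append(acct["name"])
        elif entry[1] < as_of:
            cor, end = entry
            report["overdue_removal"].append((acct["name"], cor, (as_of - end).days))
        else:
            report["ok"].append(acct["name"])
    report["roster_without_account"] = sorted(n for n in roster if n not in names)
    for key in ("overdue_removal", "not_on_roster", "ok"):
        report[key].sort()
    return report


def accounts_to_disable(accounts, roster, as_of):
    """Names that should be disabled now: past contract end, or unexplained by the roster."""
    r = reconcile(accounts, roster, as_of)
    return sorted([name for name, _cor, _days in r["overdue_removal"]] + r["not_on_roster"])


if __name__ == "__main__":
    result = reconcile(ACCOUNTS, ROSTER, date(2016, 9, 30))
    for name, cor, days in result["overdue_removal"]:
        print(f"{name}: contract ended {days} days ago, notify {cor}")
    print("no roster entry:", result["not_on_roster"])
    print("disable now:", accounts_to_disable(ACCOUNTS, ROSTER, date(2016, 9, 30)))
```

Each overdue account is reported together with the responsible COR, which is the notification step the report describes as decentralised today; the "not on roster" bucket is the case the report says the OCIO currently cannot detect at all, because without the list there is nothing to compare the account against.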

     Recommendation 19

     We recommend that the OCIO maintain a centralized list of all contractors that have
     access to the OPM network and use this list to routinely audit all user accounts for
     appropriateness.

  OPM Response:

  “We partially concur with the recommendation. OCIO maintains a list of all employee
  and contractor accounts granting access to the OPM network; however, management of
  the OPM contractor workforce is an agency-wide effort. OCIO will engage appropriate
  program offices to support the management of contractor personnel. OCIO will review
  and update its account management processes to ensure network accounts are secured
  after contractor termination actions are taken in a timely manner in accordance with
  OPM security policies.”

  OIG Comment:

  OPM’s response states that it only partially concurs with the recommendation, but its
  action plan appears to be fully consistent with the original recommendation.

c) Multi-factor authentication with PIV

  OMB Memorandum M-11-11 required all Federal information systems to use Personal
  Identity Verification (PIV) credentials for multi-factor authentication by the beginning of
  FY 2012. In addition, the memorandum stated that all new systems under development
  must be PIV compliant prior to being made operational.

  OPM-issued workstations can only be connected to the OPM network via two-factor
  authentication using PIV cards. In early FY 2016, OPM implemented controls that
  prevent non-OPM issued devices from connecting to the network. These controls close a
  previous loophole that allowed users to gain access to the network without PIV
  authentication. As such, OPM has successfully implemented a methodology that requires
  all users to connect to the network using PIV authentication.

  Only 2 of OPM’s 46 major applications are compliant with OMB requirements related to
  PIV authentication.

  Although OPM has made progress in requiring PIV authentication to gain access to the
  network, this does not fully satisfy OMB mandates related to two-factor authentication.
  OMB Memorandum M-11-11 states that PIV credentials must be used to gain authorized
  access to an agency’s 1) facilities, 2) network, and 3) information systems. OPM is not
  fully PIV compliant until all of its information systems (applications) can be accessed
  only via PIV authentication in lieu of a username and password. Our audit work indicated
  that only 2 of OPM’s 46 major applications enforced PIV authentication. This is a critical
  control because without PIV authentication enforced at the application level, users of the
  network (either authorized or unauthorized) could still gain access to applications that
  they are not authorized to use, and public-facing systems are more vulnerable to remote
  attack.

     Recommendation 20 (Rolled Forward from 2012)

     We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its
     major information systems to require multi-factor authentication using PIV credentials.

     OPM Response:

     “We concur with the recommendation. In FY 2016, OCIO initiated a project to
     implement an enterprise Identity and Access Management (IDAM) solution to manage
     access to OPM systems for both internal users and external customers. OCIO will
     continue its work on this project for enforcing multi-factor authentication, including
     the use of PIV credentials wherever feasible and appropriate.”

   d) Securing Public Websites

     In FY 2016, we evaluated OPM’s efforts to implement Hypertext Transfer Protocol
     Secure (HTTPS) on all of its publicly accessible websites, as required by OMB
     Memorandum M-15-13. We issued a memorandum to the OCIO to communicate the
     results of our evaluation on February 25, 2016. Our evaluation indicated that only a small
     percentage of OPM’s publicly accessible websites were compliant with the regulation –
     which requires full implementation by December 31, 2016.

     In recent months, however, OPM has made a significant effort to improve its compliance.
     OPM has stated that 47 of the 60 websites are now compliant, but we have not confirmed
     this. We will continue to monitor OPM’s progress with implementing the requirements
     outlined in OMB memorandum M-15-13 and will perform additional tests once OPM
     believes that it is 100 percent compliant.
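      One offline way to apply the M-15-13 checks behind the evaluation above to a list of sites, added here as an example and not part of the report or of OPM’s tooling: a site counts as compliant only when plain HTTP redirects to https:// on the same host and the HTTPS response carries a Strict-Transport-Security header with an adequate max-age. The hosts, the captured responses, and the one-year max-age floor are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed HSTS max-age floor for this check (one year, in seconds).
ONE_YEAR = 365 * 24 * 60 * 60


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)


def get_header(resp, name):
    """Case-insensitive header lookup; header names are not case-sensitive."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def redirects_to_https(host, http_resp):
    """True when the plain-HTTP response redirects to https:// on the same host."""
    if http_resp.status not in (301, 302, 307, 308):
        return False
    location = get_header(http_resp, "Location")
    if not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    value, or None when the header is absent or lacks a usable max-age."""
    if not value:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def evaluate_site(host, http_resp, https_resp, min_max_age=ONE_YEAR):
    """Apply both checks to one site and return a findings dict."""
    issues = []
    if not redirects_to_https(host, http_resp):
        issues.append("http not redirected to https")
    if https_resp is None or https_resp.status >= 400:
        issues.append("https endpoint not serving")
    else:
        hsts = parse_hsts(get_header(https_resp, "Strict-Transport-Security"))
        if hsts is None:
            issues.append("hsts header missing or unparsable")
        elif hsts[0] < min_max_age:
            issues.append("hsts max-age %d below %d" % (hsts[0], min_max_age))
    return {"host": host, "compliant": not issues, "issues": issues}


def summarize(results):
    """Count compliant sites, the figure the report tracks (e.g. 47 of 60)."""
    return sum(1 for r in results if r["compliant"]), len(results)


# Constructed observations for four hypothetical hosts (not real OPM sites).
SAMPLE = {
    "site-a.example.gov": (
        Response(301, {"Location": "https://site-a.example.gov/"}),
        Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ),
    "site-b.example.gov": (
        Response(200, {}),  # still serves content over plain HTTP
        Response(200, {"Strict-Transport-Security": "max-age=31536000"}),
    ),
    "site-c.example.gov": (
        Response(302, {"Location": "https://site-c.example.gov/"}),
        Response(200, {}),  # HTTPS works but no HSTS header
    ),
    "site-d.example.gov": (
        Response(301, {"Location": "https://site-d.example.gov/"}),
        Response(200, {"strict-transport-security": "max-age=300"}),  # too short
    ),
}


def run_sample():
    """Evaluate every constructed site, in host order."""
    return [evaluate_site(host, *SAMPLE[host]) for host in sorted(SAMPLE)]


if __name__ == "__main__":
    print("%d of %d sites compliant" % summarize(run_sample()))
```

Against the constructed sample only site-a passes, so the tally reads 1 of 4; replacing SAMPLE with responses captured from a real site list gives the same per-site findings an auditor would want before accepting a self-reported figure.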

G. Security Training

   FISMA requires all Government employees and contractors to take IT security awareness
   training on an annual basis. In addition, employees with IT security responsibility are
   required to take additional specialized training.

   a) IT security awareness training

      The OCIO provides annual IT security and privacy awareness training to all OPM
      employees through an interactive web-based course. The course introduces employees
      and contractors to the basic concepts of IT security and privacy, including topics such as
      the importance of information security, security threats and vulnerabilities, viruses and
      malicious code, privacy training, telework, mobile devices, Wi-Fi guidance, and the roles
      and responsibilities of users.

      Over 94 percent of OPM’s employees and contractors completed the security awareness
      training course in FY 2016.

   b) Specialized IT security training

      OPM employees with significant information security responsibilities are required to take
      specialized security training in addition to the annual awareness training.

      The OCIO has developed a table outlining the security training requirements for specific
      job roles. The OCIO uses a spreadsheet to track the security training taken by employees
      that have been identified as having security responsibility. Only 73 percent of employees
      identified as having significant security responsibilities completed specialized IT security
      training in FY 2016.

      Recommendation 21

      We recommend that the OCIO ensure that all employees with significant information
      security responsibility take meaningful and appropriate specialized security training on an
      annual basis.

      OPM Response:

      “We concur with the recommendation. OCIO has updated its Security Awareness and
      Training policy, reinforcing the training requirements, and is tracking progress toward
      completion.”

H. Continuous Monitoring

   The following sections detail our review of OPM’s efforts to continuously monitor the
   security controls of its information systems.

   a) Information Security Continuous Monitoring Program

      In FY 2015, the Council of the Inspectors General on Integrity and Efficiency (CIGIE)
      developed a Continuous Monitoring Maturity Model that provides a framework for
      evaluating an agency’s information security program and ranking the maturity of its
security control monitoring program on a five-level scale (level one being the least
mature and effective, five being completely mature).

We used this maturity model to conduct a review of OPM’s information security
continuous monitoring (ISCM) program. Our review determined that OPM’s ISCM is
currently operating at level 2, “Defined.” This is an improvement from the prior year, as
our FY 2015 FISMA audit report had previously evaluated the ISCM program at level 1,
“Ad Hoc.”

In FY 2016, OPM developed a new set of policies and procedures for the agency’s ISCM
program. These policies and procedures included the necessary controls required by
CIGIE’s ISCM maturity model.

The development of these new policies and procedures is a step in the right direction
towards a mature ISCM program. However, OPM still has a significant amount of work
to complete before it reaches the next level (level three, “Consistently Implemented”) of
the ISCM maturity model. We provided the OCIO with a listing of the specific ISCM
elements that it must implement to reach level three of the maturity model.

During this fiscal year the OCIO also acquired a new software tool that will better
support the requirements of the ISCM program. However, the OCIO has not fully
implemented this tool in this fiscal year. The use of the technology and automated tools
to support a continuous monitoring program is a critical element of CIGIE’s ISCM
Maturity Model.

As previously discussed in the information security governance section above, OPM’s
ISSO positions are severely understaffed, and these individuals have multiple
responsibilities within the ISCM program. We believe that the staffing limitations are
having a negative impact on OPM’s ability to implement a more mature continuous
monitoring program.

Recommendation 22

We recommend that OPM continue to implement sufficient tools and controls to meet all
requirements of CIGIE’s Information Security Continuous Monitoring Maturity Model
Level 3, “Consistently Implemented.”

   OPM Response:

   “We partially concur with the recommendation. OCIO is hiring ISSOs to support the
   information security continuous monitoring (ISCM) program in order to provide
   adequate support for all OPM information systems, and integrate the automated tools it
   has deployed in FY 2016 under the Continuous Diagnostics and Mitigation program.
   OPM appreciates the value of a maturity model as a means to uniformly evaluate
   agencies against standard criteria for the ISCM program. OPM will continue to
   implement the ISCM program in accordance with Federal policy and NIST standards
   and guidelines.”

   OIG Comment:

   The CIGIE ISCM maturity model is in line with Federal policy and NIST standards;
   therefore, OPM’s ongoing efforts to meet these requirements will ultimately address this
   audit recommendation.

b) Assessment of Individual System Security Controls

   Since OPM’s continuous monitoring program is not fully matured, we continue to expect
   the agency to manually assess the security controls of each information system on a
   routine basis. However, we continue to find that many system owners are not following
   the security control testing schedule that the OCIO mandated for all systems. OPM’s
   current policy requires the owners of all OPM-operated systems to submit evidence of
   ongoing security control testing activity at least quarterly. Security control testing is
   currently only required annually for OPM systems operated by a contractor.

   We requested the security control testing documentation for all OPM systems in order to
   review them for quality and consistency. We determined that only 16 of OPM’s 46
   systems were subject to adequate security control testing activity in FY 2016.

   The following program offices own information systems that failed the security control
   testing requirements in FY 2016:

    Chief Financial Officer (1 system);
    Chief Information Officer, CIO (5 systems);
    Employee Services (1 system);
    Federal Investigative Services (8 systems);
    Human Resources Solutions (8 systems);
    Planning and Policy Analysis (1 system); and
    Retirement Services (6 systems).

      Failure to continuously monitor and assess security controls increases the risk that agency
      officials are unaware of major risks that exist within the organization.

      It has been over 10 years since all OPM systems were subject to an adequate security
      controls test within a single fiscal year.

      Recommendation 23 (Rolled forward from 2008)

      We recommend that OPM ensure that an annual test of security controls has been
      completed for all systems.

      OPM Response:

      “We concur with the recommendation. OCIO is hiring the necessary ISSOs to support
      annual security control testing for all information systems in accordance with OPM
      continuous monitoring policies and procedures.”

I. Incident Response Program

   In FY 2016, the CIGIE developed an Incident Response Program Maturity Model that
   provides a framework for evaluating an agency’s cyber defense program and ranking the
   maturity of its incident response handling procedures on a five-level scale (level one being
   the least mature and effective, five being completely mature).

   We used this maturity model to review OPM’s incident response program. Our review
   determined that OPM’s incident response program is currently operating at level 2,
   “Defined.” In FY 2016, the OCIO completed a new set of policies and procedures for the
   agency’s incident response program. These policies and procedures addressed the necessary
   controls identified in CIGIE’s incident response program maturity model.

   The OCIO has recently made significant improvements in its cyber defense program and has
   actually implemented the majority of the requirements to reach level three of the incident
   response maturity model. Most notably, OPM has implemented automated tools used to
   develop and maintain a baseline of network operations and expected data flows for
   information systems. However, agencies must meet 100 percent of the elements of each
   maturity model level before being rated at that level. We provided the OCIO with a listing of
   the specific incident response program elements that it must implement to reach level three of
   the maturity model.
   Recommendation 24

   We recommend that OPM continue to implement sufficient tools and controls to meet all
   requirements of CIGIE’s Incident Response Program Maturity Model Level 3, “Consistently
   Implemented.”

   OPM Response:

   “We partially concur with the recommendation. OCIO provided a Cyber Protection and
   Defense Manual during the course of the audit that defined many of the requirements
   described within the maturity model. OCIO will follow up on any identified gaps in its TIC
   security controls as identified by DHS and continue to evaluate capabilities for defining
   expected data flows for users and systems. OPM appreciates the value of a maturity model
   as a means to uniformly evaluate agencies against standard criteria for the incident
   response program. OPM will continue to implement the incident response program in
   accordance with Federal policy and NIST standards and guidelines.”

   OIG Comment:

   The CIGIE incident response maturity model is consistent with Federal policy and NIST
   standards; therefore, OPM’s ongoing efforts to meet these requirements will ultimately
   address this audit recommendation.

J. Contingency Planning

   OPM’s Information Security Privacy and Policy Handbook requires a contingency plan to be
   in place for each information system and that each system’s contingency plan be tested on an
   annual basis. The sections below detail our review of contingency planning activity in FY
   2016.

   a) Maintaining Contingency Plans

      We received contingency plans for 45 of 46 OPM major systems. However, only 17 of
      the plans received had been reviewed within the current fiscal year. Therefore, we do not
      believe that these documents have been adequately maintained and updated, as they do
      not contain current information regarding the impact that the ongoing changes to OPM’s
      infrastructure have on the system’s contingency plan. Maintaining an up-to-date
      contingency plan is a critical element to ensuring information systems can be properly
      recovered in the event of an emergency or disaster.
   The Information Security Privacy and Policy Handbook states that OPM system owners
   “shall ensure the establishment, maintenance, and effective implementation of plans for
   emergency response, disaster recovery, backup operations, and post-disaster recovery for
   their information systems . . . .”

   Recommendation 25 (Rolled Forward from 2014)

   We recommend that the OCIO ensure that all of OPM’s major systems have Contingency
   Plans in place and that they are reviewed and updated annually.

   OPM Response:

   “We concur with the recommendation. With the ISSOs in place, OCIO will ensure
   system owners and project owners review and update their contingency plans
   annually.”

b) Contingency Plan Tests

   It has been over 9 years since the contingency plans for all OPM systems were tested
   within a single fiscal year.

   OPM’s Information Security Privacy and Policy Handbook obligates system owners to test
   or exercise each system’s contingency plans at least annually. During the course of our
   audit we received evidence that only 2 of OPM’s 46 major information systems were subject
   to an adequate contingency plan test in FY 2016. Furthermore, 9 of the 46 major systems
   have not been tested at all since 2014. These 9 systems are owned by:
    Employee Services (2 systems);
    Federal Investigative Services (4 systems);
    Healthcare and Insurance Federal Employee Insurance Operations (1 system); and
    Retirement Services (2 systems).

   Recommendation 26 (Rolled Forward from 2008)

   We recommend that OPM’s program offices test the contingency plans for each system
   on an annual basis.

   OPM Response:

   “We concur with the recommendation. With the ISSOs in place, OCIO will ensure
   system owners and project owners will test contingency plans annually.”

IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group

              , Lead IT Auditor-In-Charge
                  , Senior Team Leader
                     , IT Auditor
            , IT Auditor
             , IT Auditor
                 , IT Auditor
______________________________________________________________________________

                , Group Chief

                                                                         Appendix I


The tables below outline the current status of prior audit recommendations issued in FY 2015 by the Office of the Inspector General.

Report No. 4A-CI-00-15-011: FY 2015 Federal Information Security Management Act Audit, issued November 10, 2015

1   We recommend that the OCIO develop and maintain a comprehensive inventory of all servers,
    databases, and network devices that reside on the OPM network.
    Recommendation History: Rolled forward from FY 2014. Current Status: CLOSED 7/20/16.

2   We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC
    policy to all of OPM’s system development projects.
    Recommendation History: Rolled forward from FY 2013. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 3.

3   We recommend that all active systems in OPM’s inventory have a complete and current
    Authorization.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 4.

4   We recommend that the performance standards of all OPM system owners be modified to include a
    requirement related to FISMA compliance for the information systems they own. At a minimum,
    system owners should be required to ensure that their systems have valid Authorizations.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 5.

5   We recommend that the OPM Director consider shutting down information systems that do not
    have a current and valid Authorization.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 6.

6   We recommend that the new ISCM policies and procedures being developed utilize and
    incorporate the controls identified in the CIGIE Information Security Continuous Monitoring
    Maturity Model. At a minimum the policies and procedures should:
    Recommendation History: New recommendation in FY 2015. Current Status: CLOSED with issuance
    of Final Report 11/9/2016.

7   We recommend that OPM ensure that an annual test of security controls has been completed for
    all systems.
    Recommendation History: Rolled forward from FY 2008. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 23.

8   We recommend that the OCIO develop and implement a baseline configuration for all operating
    platforms in use by OPM including, but not limited to, [redacted], [redacted], [redacted],
    and [redacted].
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 12.

9   We recommend the OCIO conduct routine compliance scans against established baseline
    configurations for all servers and databases in use by OPM. This recommendation cannot be
    addressed until Recommendation 8 has been completed.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 16.

10  We recommend that the OCIO implement a process to ensure routine vulnerability scanning is
    conducted on all network devices documented within the inventory.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 14.

11  We recommend that the OCIO implement a process to centrally track the current status of
    security weaknesses identified during vulnerability scans to remediation or risk acceptance.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 17.

12  We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans.
    Recommendation History: Rolled forward from FY 2011. Current Status: CLOSED: 3/01/2016.

13  We recommend the OCIO implement a process to ensure that only supported software and
    operating platforms are utilized within the network environment.
    Recommendation History: New recommendation in FY 2015. Current Status: OPEN: Rolled-forward
    as Report 4A-CI-00-16-039 Recommendation 15.

14  We recommend the OCIO implement a process to apply operating system and third party vendor
    patches in a timely manner, which is defined within the OPM Information Security and Privacy
    Policy Handbook.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 18.

15  We recommend that the OCIO require PIV authentication to access the OPM network.
    Recommendation History: New recommendation in FY 2015. Current Status: CLOSED 11/10/15.

16  We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major
    information systems to require multi-factor authentication using PIV credentials.
    Recommendation History: Rolled forward from FY 2012. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 20.

17  We recommend that OCIO configure its security information and event management tool to
    collect and report meaningful data, while reducing the volume of non-sensitive log and event
    data.
    Recommendation History: Rolled forward from FY 2014. Current Status: CLOSED 11/10/15.

18  We recommend that OPM continue to develop its Risk Executive Function to meet all of the
    intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).
    Recommendation History: Rolled forward from FY 2011. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 7.

19  We recommend that the OCIO ensure that all employees with significant information security
    responsibility take meaningful and appropriate specialized security training on an annual
    basis.
    Recommendation History: New recommendation in FY 2015. Current Status: CLOSED: 11/20/15.

20  We recommend that the OCIO and program offices that own information systems ensure that all
    known security weaknesses are incorporated into the appropriate POA&M.
    Recommendation History: Rolled forward from FY 2014. Current Status: CLOSED: 12/18/15.

21  We recommend that the OCIO and system owners develop formal corrective action plans to
    remediate all POA&M weaknesses that are over 120 days overdue.
    Recommendation History: New recommendation in FY 2015. Current Status: CLOSED with issuance
    of Final Report 11/9/2016.

22  We recommend that all POA&Ms list the specific resources required to address each security
    weakness identified.
    Recommendation History: New recommendation in FY 2015. Current Status: CLOSED 1/6/16.

23  We recommend the OCIO configure the VPN servers to terminate VPN sessions after 30 minutes
    of inactivity.
    Recommendation History: Rolled forward from FY 2012. Current Status: CLOSED: 3/22/2016.

24  We recommend that the OCIO ensure that all of OPM’s major systems have Contingency Plans in
    place and that they are reviewed and updated annually.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 25.

25  We recommend that OPM’s program offices test the contingency plans for each system on an
    annual basis. The contingency plans should be immediately tested for the 29 systems that were
    not subject to adequate testing in FY 2015.
    Recommendation History: Rolled forward from FY 2008. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 26.

26  We recommend that the OCIO ensure that all ISAs are valid and properly maintained.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 9.

27  We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection.
    Recommendation History: Rolled forward from FY 2014. Current Status: OPEN: Rolled-forward as
    Report 4A-CI-00-16-039 Recommendation 10.

                                                                    Appendix II
                                     UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                                                      Washington, DC 20415

Chief Information Officer

      MEMORANDUM FOR NICHOLAS HOYLE
                     CHIEF, INFORMATION SYSTEMS AUDIT GROUP
                     OFFICE OF THE INSPECTOR GENERAL

      FROM:          DAVID L. DEVRIES
                     CHIEF INFORMATION OFFICER
                     (Digitally signed by DAVID DEVRIES, Date: 2016.10.22 20:00:01 -04'00')

      Subject:       Office of the Chief Information Officer Response to the Office of the
                     Inspector General Federal Information Security Modernization Act Audit
                     – FY 2016 (Report No. 4A-CI-00-16-039)

      Thank you for the opportunity to provide comments to the Office of the Inspector General
      (OIG) draft report for the Federal Information Security Modernization Act Audit for the U.S.
      Office of Personnel Management (OPM). The OIG comments are valuable to the Agency as
      they afford us an independent assessment of our operations and help guide our improvements to
      enhance the security of the data furnished to OPM by the Federal workforce, the Federal
      agencies, our private industry partners, and the public.

      We welcome a collaborative dialogue to help ensure we fully understand the OIG’s
      recommendations as we plan our remediation efforts so that our actions and the closure of
      the recommendations thoroughly address the underlying issues. I look forward to continued
      discussions during our monthly reviews to help ensure we remain aligned.

      Each of the recommendations provided in the draft report is discussed below:

      Recommendation 1
      We recommend that OPM hire a sufficient number of ISSOs to adequately support all the
      agency’s major information systems.

      Management Response: We concur with the recommendation. In FY 2016, OPM hired eight
      ISSOs bringing the total to 16 ISSOs currently in place. The Office of the Chief Information
      Officer (OCIO) is hiring an additional eight ISSOs, three of which are now onboarding, for a
      total of 24 ISSO positions, which will support all of OPM’s major information systems.

      Recommendation 2
      We recommend that OPM thoroughly define the roles and responsibilities of all positions in its
      IT security management structure.



       ______________________________________________________________________________________________________________________________________________
       www.opm.gov             Recruit, Retain and Honor a World-Class Workforce to Serve the American People                     www.usajobs.gov
Response to the OIG Federal Information Security Modernization Act Audit – FY 2016               2
(Report No. 4A-CI-00-16-039)


Management Response: We concur with the recommendation. OCIO is finalizing the updated
IT security policies and procedures involving the positions within the IT security management
structure in the OCIO, including updated roles and responsibilities.

Recommendation 3
We continue to recommend that the OCIO develop a plan and timeline to enforce the new
SDLC policy to all of OPM’s system development projects.

Management Response: We concur with the recommendation. During transitions of two
CIOs since the prior recommendation, it was decided to update the SDLC into a Digital
Transformation SDLC during FY 2017. This will be a collaborative effort between OPM
SDLC Owner and the 18F team that is working with OPM. This SDLC will be completed with
an initial iteration and expanded upon with each successive project that transforms to agile
development processes.

Recommendation 4
We recommend that all active systems in OPM’s inventory have a complete and current
Authorization.

Management Response: We concur with the recommendation. In FY 2016, OPM issued 15
ATOs during its ATO sprint and ATO relay initiatives and has 7 more authorizations in
progress. OCIO plans to have current ATOs for all systems by December 31, 2016.

Recommendation 5
We recommend that the performance standards of all OPM system owners be modified to
include a requirement related to FISMA compliance for the information systems they own. At a
minimum, system owners should be required to ensure that their systems have valid
Authorizations.

Management Response: We concur with the recommendation. OCIO established and
implemented these performance standards for the OCIO IT Project managers in FY 2015. In
FY 2017, OCIO will develop the performance standards for all IT Program and Project
Managers in coordination with the OPM Chief Human Capital Officer as required in the
Federal IT Acquisition Reform Act implementation memo signed by the Acting Director in
October 2016.

Recommendation 6
We recommend that the OPM Director consider shutting down information systems that do not
have a current and valid Authorization.

Management Response: We partially concur with the recommendation. OCIO will update its
policies and procedures for security authorizations to include making a risk-based decision on
the operation of a system without a current authorization. These will be forwarded to the
Director for ultimate decision.

Recommendation 7
We recommend that OPM continue to develop its Risk Executive Function to meet all of the
intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).
Response to the OIG Federal Information Security Modernization Act Audit – FY 2016                 3
(Report No. 4A-CI-00-16-039)

Management Response: We concur with the recommendation. Responsibility for the
development and maintenance of the enterprise risk management program was assigned to the
Risk Management Council (RMC) in October 2015. As noted in NIST 800-39, “the risk
executive (function) requires a mix of skills, expertise, and perspectives to understand the
strategic goals and objectives of organizations, organizational missions/business functions,
technical possibilities and constraints, and key mandates and guidance that shape organizational
operations.” To provide this necessary mixture, we will fill the risk executive (function)
through the RMC. The Council is working toward meeting all requirements, with the OCIO
specifically managing risk associated with the IT portfolio.


***Note - draft recommendation 8 was deleted from the final audit report. Subsequent
recommendations from the draft audit report were renumbered for the final
audit report.***


Recommendation 9
We recommend that OPM adhere to remediation dates for its POA&M weaknesses.

Management Response: We concur with the recommendation. An updated POA&M guide
and POA&M processes have been introduced in order to facilitate greater transparency of
POA&M remediation actions and support more timely remediation through communication and
mutual support amongst System Owners, Information System Security Officers, and other
stakeholders in POA&M processes.

Recommendation 10
We recommend that the OCIO ensure that all ISAs are valid and properly maintained.

Management Response: We concur with the recommendation. OCIO will issue an updated
policy on system interconnection requirements in the first quarter FY 2017. It will include
monitoring processes for validating compliance with the policy.

Recommendation 11
We recommend that the OCIO ensure that a valid MOU/A exists for every interconnection.

Management Response: We concur with the recommendation. OCIO will issue an updated
policy on system interconnection requirements in the first quarter FY 2017. It will include
monitoring processes for validating compliance with the policy.

Recommendation 12
We recommend that OPM improve its system inventory by correlating the elements of the
inventory to the servers and information systems they reside on.

Management Response: We concur with the recommendation. System Owners, Information
System Security Officers, and Asset Managers will correlate hardware and software assets in
the automated asset inventory to information systems in the information system inventory.

Recommendation 13
We recommend that the OCIO implement configuration baselines for all operating platforms in
use by OPM.

Management Response: We partially concur with the recommendation. OCIO has baselines
standardized across the infrastructure for the current approved operating platforms. Legacy
systems (e.g. unsupported operating systems), with older, documented baselines continue to
exist in the environment. OCIO will continue to strengthen its IT infrastructure environment by
using only current, approved operating platforms with standard baseline configurations meeting
the requirements defined in OPM security policies and procedures.

Recommendation 14
In instances where a configuration standard is based on a pre-existing standard, we recommend
that OPM document all instances where the OPM-specific standard deviates from the
recommended configuration setting.

Management Response: We partially concur with the recommendation. Although all changes
to standard baselines are maintained and tracked as part of the Change Management process,
OCIO realizes the value of maintaining a record specifically of the deviations to the standard
baseline and will consider updating its standard baselines to include this information in
accordance with security policies and standard best practices.

Recommendation 15
We recommend that the OCIO implement a process to ensure routine vulnerability scanning is
conducted on all network devices documented within the inventory.

Management Response: As noted in the report, OCIO encountered authentication errors in
vulnerability scans and worked swiftly to formulate a remediation process. Procedures were
updated to perform checks against authentication failures against the prior day's scheduled
scans. OCIO now regularly runs discovery scans in order to identify any devices that are
connected to the opm.gov network. We believe that these updated procedures address the
recommendation.
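
The prior-day authentication-failure check and the discovery-versus-inventory reconciliation described in the response above, written out as an added example; this is not OPM's own tooling, and the host names, dates and scan outcomes are constructed placeholders:

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ScanResult:
    """One host's outcome from a scheduled vulnerability scan."""
    host: str
    scan_date: date
    credentialed: bool  # credentials were configured for this host
    auth_ok: bool       # the credentialed login actually succeeded


# Constructed sample data; host names are placeholders, not OPM assets.
INVENTORY = {
    "web01.example.test",
    "db01.example.test",
    "fw01.example.test",
    "app02.example.test",
}
# Hosts that answered yesterday's network discovery scan (constructed).
DISCOVERED = {
    "web01.example.test",
    "db01.example.test",
    "fw01.example.test",
    "printer07.example.test",  # on the network but absent from the inventory
}
TODAY = date(2016, 11, 9)
YESTERDAY = TODAY - timedelta(days=1)
SCANS = [
    ScanResult("web01.example.test", YESTERDAY, True, True),
    ScanResult("db01.example.test", YESTERDAY, True, False),   # credentials rejected
    ScanResult("fw01.example.test", YESTERDAY, False, False),  # no credentials configured
    ScanResult("app02.example.test", YESTERDAY - timedelta(days=10), True, True),  # stale
]


def auth_failures(scans, scan_date):
    """Hosts whose credentialed scan on scan_date could not log in.

    A rejected login silently degrades the scan to an unauthenticated one,
    so the host reports far fewer findings than it really has.
    """
    return sorted(
        s.host for s in scans
        if s.scan_date == scan_date and s.credentialed and not s.auth_ok
    )


def coverage_gaps(inventory, discovered, scans, as_of, max_age_days=7):
    """Reconcile the inventory with discovery results and recent scan history.

    Returns a dict of sorted host lists:
      not_in_inventory  answered discovery but is absent from the inventory
      not_discovered    inventoried but did not answer the discovery scan
      unscanned         inventoried but no scan within max_age_days of as_of
      uncredentialed    scanned recently but without credentials
    """
    cutoff = as_of - timedelta(days=max_age_days)
    recent = {}  # host -> most recent ScanResult inside the window
    for s in scans:
        if s.scan_date >= cutoff and (
            s.host not in recent or s.scan_date > recent[s.host].scan_date
        ):
            recent[s.host] = s
    return {
        "not_in_inventory": sorted(discovered - inventory),
        "not_discovered": sorted(inventory - discovered),
        "unscanned": sorted(h for h in inventory if h not in recent),
        "uncredentialed": sorted(h for h, s in recent.items() if not s.credentialed),
    }


def daily_check(as_of=TODAY):
    """Run the prior-day authentication check plus the coverage reconciliation."""
    prior_day = as_of - timedelta(days=1)
    report = {"auth_failures": auth_failures(SCANS, prior_day)}
    report.update(coverage_gaps(INVENTORY, DISCOVERED, SCANS, as_of))
    return report


if __name__ == "__main__":
    for key, hosts in daily_check().items():
        print(f"{key:17s} {', '.join(hosts) or '-'}")
```

Each non-empty list in the report is a host that either looked cleaner than it is (failed or missing credentials) or fell outside routine scanning altogether (not inventoried, not discovered, or stale).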

Recommendation 16
We recommend that the OCIO implement a process to ensure that only supported software and
operating platforms are utilized within the network environment.

Management Response: We concur with the recommendation. In FY 2016, OCIO
implemented a Network Access Control (NAC) solution across the enterprise to prevent
unauthorized operating platforms from accessing the network environment. The NAC also
monitors systems to ensure they are in compliance with NAC security policies. OCIO has also
implemented additional tools as part of the CDM effort, including a software ‘Blacklist,’ and is
working to implement ‘Whitelisting’ into FY 2017. OCIO has also reduced the number of
unsupported operating platforms in its environment by 93% in FY 2016 and plans to
complete these upgrades in FY 2017. OPM project managers and security officers will work
with business owners to implement good software lifecycle practices across the agency and
migrate from unsupported applications and operating platforms to current versions.

Recommendation 17
We recommend the OCIO conduct routine compliance scans against established baseline
configurations for all servers and databases in use by OPM. This recommendation cannot be
addressed until Recommendation 13 has been completed.

Management Response: We concur with the recommendation. OCIO currently runs daily
compliance scans against all established baselines through the use of OPM’s enterprise
compliance scanning tool. OCIO will continue to refine its enterprise compliance scanning tool
to evaluate compliance against the established baselines as they are developed for the
remaining servers and databases.

Recommendation 18
We recommend that the OCIO implement a process to centrally track the current status of
security weaknesses identified during vulnerability scans to remediation or risk acceptance.

Management Response: We concur with the recommendation. OCIO will integrate the
weaknesses identified through the vulnerability scanning process with the POA&M inventory
for centralized tracking of security weaknesses.

Recommendation 19
We recommend the OCIO implement a process to apply operating system and third party
vendor patches in a timely manner, which is defined within the OPM Information Security and
Privacy Policy Handbook.

Management Response: We concur with the recommendation. A new patch management
application was implemented across the enterprise and has been used to patch systems for about
six months. It has also successfully deployed software upgrades to the end-users workstations
using current processes. OCIO will continue to refine the patch management process using this
application into FY 2017.

Recommendation 20
We recommend that OCIO maintain a centralized list of all contractors that have access to the
OPM network and use this list to routinely audit all user accounts for appropriateness.

Management Response: We partially concur with the recommendation. OCIO maintains a list
of all employee and contractor accounts granting access to the OPM network; however,
management of the OPM contractor workforce is an agency-wide effort. OCIO will engage
appropriate program offices to support the management of contractor personnel. OCIO will
review and update its account management processes to ensure network accounts are secured
after contractor termination actions are taken in a timely manner in accordance with OPM
security policies.

Recommendation 21
We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major
information systems to require multi-factor authentication using PIV credentials.

Management Response: We concur with the recommendation. In FY 2016, OCIO initiated a
project to implement an enterprise Identity and Access Management (IDAM) solution to
manage access to OPM systems for both internal users and external customers. OCIO will
continue its work on this project for enforcing multi-factor authentication, including the use
of PIV credentials wherever feasible and appropriate.

Recommendation 22
We recommend that the OCIO ensure that all employees with significant information security
responsibility take meaningful and appropriate specialized security training on an annual basis.

Management Response: We concur with the recommendation. OCIO has updated its Security
Awareness and Training policy, reinforcing the training requirements, and is tracking progress
toward completion.

Recommendation 23
We recommend that OPM continue to implement sufficient tools and controls to meet all
requirements of CIGIE’s Information Security Continuous Monitoring Maturity Model Level 3,
“Consistently Implemented”.

Management Response: We partially concur with the recommendation. OCIO is hiring ISSOs
to support the information security continuous monitoring (ISCM) program in order to provide
adequate support for all OPM information systems, and integrate the automated tools it has
deployed in FY 2016 under the Continuous Diagnostics and Mitigation program. OPM
appreciates the value of a maturity model as a means to uniformly evaluate agencies against
standard criteria for the ISCM program. OPM will continue to implement the ISCM program
in accordance with Federal policy and NIST standards and guidelines.

Recommendation 24
We recommend that OPM ensure that an annual test of security controls has been completed for
all systems.

Management Response: We concur with the recommendation. OCIO is hiring the necessary
ISSOs to support annual security control testing for all information systems in accordance with
OPM continuous monitoring policies and procedures.

Recommendation 25
We recommend that OPM continue to implement sufficient tools and controls to meet all
requirements of CIGIE’s Incident Response Program Maturity Model Level 3, “Consistently
Implemented”.

Management Response: We partially concur with the recommendation. OCIO provided a
Cyber Protection and Defense Manual during the course of the audit that defined many of the
requirements described within the maturity model. OCIO will follow up on any identified gaps
in its TIC security controls as identified by DHS and continue to evaluate capabilities for
defining expected data flows for users and systems. OPM appreciates the value of a maturity
model as a means to uniformly evaluate agencies against standard criteria for the incident
response program. OPM will continue to implement the incident response program in
accordance with Federal policy and NIST standards and guidelines.

Recommendation 26
We recommend that the OCIO ensure that all contingency plans are in place for OPM’s major
systems.

Management Response: We concur with the recommendation. With the ISSOs in place, OCIO
will ensure system owners and project owners review and update their contingency plans
annually.

Recommendation 27
We recommend that the OPM program offices test each contingency plan annually.

Management Response: We concur with the recommendation. With the ISSOs in place, OCIO
will ensure system owners and project owners test contingency plans annually.

Again, thank you for the opportunity to provide comment. Please contact me or
if you have questions or need additional information.



cc:

Chief Information Security Officer

Mark W. Lambert
Associate Director, Merit Systems Accountability and Compliance

Janet L. Barnes
Director, Internal Oversight and Compliance
Appendix III



Appendix III contains a system-generated report exported from the CyberScope FISMA
Reporting Application. CyberScope is maintained by the U.S. Department of Homeland
Security and the Office of Management and Budget.
The Office of the Inspector General at the U.S. Office of Personnel Management entered its
fiscal year 2016 FISMA audit results and narrative comments into the CyberScope system.
However, the numerical scores throughout the report were automatically generated by the
system.
                            	







	                                    

                                                    	

	
                                         




                 	







                            	



                                                                             	




	
	     							 	!"#		"	!			 	$%	&	 	
         		 	'"	'			
		(!				)		 		#	
         	!		 	!"#		"	!	$%	"	"	 				& 	 	!	
         				 		

          
	
			

	

	



	 !	 "#		$
          
	!%&"'()*

(+,	


	 #$-	*

	
          #
			 	.	
$/#		#	


	 
          #	


	%&'(0$



          

	#

	

	
	
		$
#
          
	
		11*	
12					#

$
          #





##		

			%3
	$	
1
		
          

#%3
	.	
*
	.	



#			
$/
          

#
		
#

*1
#
1	
	
          	
	#
#%3
	.	
$/

          	
		%&'(0$




367#	'()	                                                                                                                                   (45
                                                                             	



                                                                            	




	
                  8

 	
                              * 		+&			&,			$-	"			 .	 / .0	!			
                              	
12	 	( 		$				 	!		)		 		 .			
                              "	& 	 .	 	"	)2			 	 		)	 ! 	'	
		 ! 	 	
                              		 .	 		'	2	 			 		
1				 		!	!	
                              		$			 				"	/30	
2	 	!"		 			4	5	"	& 			 .		
                              
                              	
                              	
                              	
                              6&2	$			7 .	8					!			 	!"-	"		& 	 	 .	
                              9		:	,&!	 	$			!	,!	"	 .	"		:				
                               			$-	 .				& 		"	3	 
;
                              	
                              	
                              	
                              * 			+		!	"			$-		"	!			 ! 	$	 	
                              		"	!		 	&	'		'	2	 	 	'		)"	 ! 					
                              		* 	!			 	!					 							&,		* 	 	'		
                              !	!		$-	& 	 	92		 	!"				9	 		 	
                              "				"		:	,&!	 	$	 		!		&	!	 	2	'	"	
                                !	 			'			!	 	 			"	!		"		,	$		& 	
                              	9		:	&			"		"		 		 ! 	3	 
;




367#	'()                                                                                                                                       '45
                                                                            	



                                                                               	




(3
7

!3"

	     6	 	!.	' 		,	!	!	 		 	!"					                      9
         & 		92	$%	"2		'	<*	!=
          :

                  8
      $	 				 			!"					& 		9			3	
	
                                  $	'!					 		"			 	!"2	'	 		&		.	!	 		
                                  "		$							,	!		 		"
             				++	"	"2	 !	!.+		+	"2	 !	                   9
                  2		"	!		 	'2	 "'2				/
	 ($	2	>	<* 	
                  ("'"	&,	/(0	?2	<*4+1@A	+10
                  

          
   ?		,	!		 			 !	 	2	2					                     8


                   	!			!.+&	,	!	!"		'		<*		 4+@;2	                        3#
                  		/<* 		4+@B0
                  :

                            8
       	
                                             	3	
2	$			 			
,	!	(2		 		 	'!				6&2	$	
                                               		' 		!"+&	,	!	!"			2	 	
	"			 	
,	C)	
                                             		'		<*		4+@B				"			D"			!		$- 	
                                             	!!	,			!"+&		A	!	!"+&	,	2	!		,	!"2	
                                             !	 	!"+&	,	&		 	"	&2		!		 .		!"		
                                             "
          @   			'	+	,		,+'			 	!.	2		                   8



                  '		<*		4+@;2	
		/<*		4+@B0                                                                                      3#

                  :

                            8
       				
	$	"		& 			,	!			&		,			
                                             				 	!.	



367#	'()	                                                                                                                                            ;45
                                                                               	



                                                                                 	




(3
          E    (		"		,		 	!	,			 	!.		F'	             8


                   			,			 2	'2	, 2	2		,		)			              3#
                   			/<*		4+@;2	
	2	<*		4+@B2	<*		4+1@A	
+@0
                   

          1    	"				,		 		"2	F'2	 	!.+		                  

                   			 	!.                                                                                                   

	1
                   :

                             8
       * 		"					 	  	
,	!			 		,	
                                               ! 	 	!"
              	 			!.		"			& 				                             8


                   '	!	/	BB2		
2	2	("'"	2	$%	++E2	-	!	                                3#
                   (	/(0	"'"	0
                   

          ;    		"				'	"		'		F'	9				                  9
                   			"		& 	 		"					
                   

          4    	 				'	"			'		;                                                           8


                                                                                                                                                              3#
                   

          B    		!	,	& 	"	2	!	 ! 	 .!	"	2	                        

                   !		 		"	92		!		"	!	/ <*	             

	1
                   4+1@A	(+@0
                   :

                             8
       	
                                              $			9"	 .				"			("2	41			 			
                                              G!	F		"	!	!	 	!"#	"		 	)	
             ("		 	"	2	!	 "'		 	2	!				                8


                   		 	)		&  	 				"2	!		2		!	 		                 3#
                   	& 			!	 	"	9		 	"
367#	'()                                                                                                                                              445
                                                                                 	



                                                                               	




(3
                  :


                             8
     $-		!	!			"	2	&	 			)	 	!"		"		
                                             	"			 		"				'		6&2	&				 	"	"	&	
                                            		&!	 	"		!	 	 	 	$($				"		 $-	"	
                                            9		$+	"	&		'			!!	"		!	"			9"	
                                            '		"		!		"	9	"			"		"		'"				 :	
                                             	"				$-	E	"	&	'5		9	"		!	"		3	 

          	 	!!		"	 .	'					 	,		!.			               


                  2	2	 	!.2		 	<	!		 			 		"		 	                 

	1

                  	 	 	,		'	/$%	+E+@2	<*				$!!	 .0
                  :





367#	'()	                                                                                                                                           545
                                                                               	



                                                                            	




(3
                           8

 	
                                       $		&,!				 	"			!	!	 	&	"		
                                        				"	 .		 ! 	 	!"-		!	!		"	!2		
                                         		 	 			"	& 			"		 	 .	!			2	$	
                                       ,&!	 				 	 .	 	"			9				!	
                                       !2		 	 .	&			'		 	"		 			'	"		!!	
                                       &
                                       	
                                       	
                                       $							&, 		$-	 .	!			2	
                                       2		'+	 .			$	 		'"	!	&					
                                       .	 	 .			6&2	 ! 	3	
E		3	
12	 	'		$	"	& 		
                                       			 .	!"	2		 	&		 		&,			 	
                                       	
                                       	
                                       		
12	$-	$($				 	!		)		 		 .			"	
                                       & 	 .	 	"	)2			 	 		)	 ! 	 			3	 
		* 	5	
                                       &	 	$	&		 			.!		*			 		 	.		2		
                                       "	&	 			&	 .	"&"		:	)			& 	 	 2		&	
                                        	!"		 	)	,		& 	!!	 	*	"					"	
                                       	
                                       	
                                        ! 	 			 .	 		'	2	 			 		
1				 	
                                       	!	!			 	!"		* 		.	5	&			 	!"	
                                       +		 2		"		 	"			 						 		!"	
                                       	& 			 .	
                                       	
                                       	
                                       	3	
2	$			7 .	8					!			 	!"-	"		& 	 	
                                        .	9		:	,&!	 	$			!	,!	"	 .	"2			
                                       !	!		&	+ .!	 	"	 	&	!					 	
1			

367#	'()                                                                                                                                         )45
                                                                            	



                                                                               	




(3
                                             6&	 	!"#	$	!			!	$		!		9,"			&	,			3	
2	&	
                                              			 	
	 "	&	'5		 	 .					 	 .			* 	
                                             		 .		$-	7H<F:<28	&  				!		"	 		 '	
                                             		"				* 	$	&		"		 	 .	,!	!	 		&	
                                             &,		 		"2		 	&	&	'				 	&		 			9"		
                                              	,!	'	!	 	3	 
					:	&			 			$-	
                                              .				& 		"	3	 
;
          
   "	 .	,!		"	"	2	"		2		$I	 			                     


                   				& 	!		/	4+42	4+@;0                                                               

	1

                   

          @   $I				&			 "				!	"	&,                                        8


                                                                                                                                                              3#
                   :

                             8
      $"	@			$-	E	5		"			 	$I		 		!	 	
	"		
                                              2	41				$I			@	"		2			;4				
	"	
                                             			 	&			'	$		"	!!	$I	"			&,
          E   ("	,2	2		"	&F	$I				9"	/<*		4+1@	                     

                   A(+1>	$%	+E+
10                                                                                                                        

	1
                   

          1   '	 					"	&				2	  		2	                 

                   		"	2	 .!	2		 			'		 	!!	!		                   

	1
                   +"+	"	,
                   :





367#	'()                                                                                                                                              045
                                                                               	



                                                                              	




(3
                            8
      	
                                            $	 	!	/'		"	0			"	!			$	"		
                                            		 		&	'			 ! "		 			'		 		'	
                                            	*	"				C 	$				'"		*	5	!	 /*0		 	
                                            ""	 			/			"0	'"		* ! 	 	&,	 		 			
                                            '				 	 		&		!!	&  		'	'!		 	$		
                                             	*		$			 			!		&, ! 		 	'"	!	2	& 		&	
                                            		 		 		 			& 	&			,	 	&,			 :	
                                            	 	$		&,!					 	!	 	$		*			'2	'			
                                            	'!			9		
             			 				!2!	 			 	2	                     8



                   2	!2		!	2			& 	C)	$	@14;		 	<		                      3#

                   * 	"	/(>	<*		4+1@A	+
0
                   

          ;	 	"				 		 /		!0		 	!.#	
,	!	
                   !	 	&				 	9	'	%		!	2		 	
,	!	!	
                   =
                   :<
                            8
      %		 			"				 		 	&		2	&			'	 	$#	,	
                                            !	!		"			6&2	&			 	 	!"			'	,!				 	
                                            	
8		

!3"

	     6	 	!.	' 		!			"				' 	'"			 	2	!	 	               9
         !	!2	!	 !	2	 	"			!				)		 	!.	 		
         						& 		92	$%	"2		'	<*	!=
          :





367#	'()	                                                                                                                                           +45
                                                                              	



                                                                               	




(3
                   8
      $	 		9"	' 		!			"				' 	'"			 	2	!	
                                    	!	!2	!	 !	2	 	"			!				)		 	!.	
                                    								& 		92	$%	"2		'	<*	!		* 	
                                   	5"			"	!				!			+	"	 	
                                   )
          
	   C' 							 	F		&,F		"		2	                 8


                   			"		"	9			2	 
	2				                 3#
                   2	2		!			/
	(	
;+E2	(	"	(!2	 	
                   
EE2	@B2	@B12	@B2	1

@B+>	(2	
	($		42	 <*	4+1@2	+E	
	
                   	>	(	(!	(	%	0
                   

          

	   	& 		!	 &		"			2	2				                     8


                   +		 	"+	"	/($		($	(	%				9!	*			2	                   3#
                   <*		4+@10
                   :

                             8

 	
                                         $				 		$G								"
          
@    $'			 	 	"			"			 	!.-	' 	'"			               8


                    						 	!.-	' 			92	$%	"2		'	                    3#
                   <*	!	/<*		4+1@A	(+
2	+B0
                   

          
E    	"				 		 /		!0		 	!.-	(	"	
                   !	 	&				 	9	'	%		!	2		 	(	"	!	
                   =
                   :<
                             8
      %		 			"				 		 	&		2	&			'	 	$#		
                                             "	! 	!		"			6&2	&			 	 	!"			'	,!			
                                             	 		


367#	'()	                                                                                                                                            =45
                                                                               	



                           	



>                           	              

1	
	

                                      




367#	'()                                            (45
                           	



                                                                               	




367#	'()                                                                                                                              (=45
                                                                               	



                                                                              	




;9
          

@4   * 	!.	 						!		!					(	             -
          


@B   * 	!.	 					 	(	 !							 	&!				   -
          		F	 			& 		&	'			G		(	 !		 	
          &!			+ 
          +	 	!
          +	H	!
          +		!
          +	&	
          +	K'"	!
          +	C	!
          +	&	
          +		!
          +	(!	!
          +	<&,	!
          +		!
          

@ * 	!.	 			 &		&							++	"		 	 .		     -
           .			&			&,		 	"	!		 			&
          

>'
9
          @
   * 	!.	 	.		(	!	 ! 	 			 	(	2	2	
                  	!		& 	<*		4+1@2		4+@;2	$%	+E+@2		 	($	(	($<$	6&2	
                  (	2	2		!			"		!.+&
#
@
   (	, 		 	'	 	'					 	!.	6&2	, 	      9
367#	'()                                                                                                                          '45
                                                                              	



                                                                               	




;9
          "		 	9		/2	2		 !"0	 	"		(	
          

@

   * 	!.	 					 	,2	,&!2					"			(	             9
          !		2	 	!.	 					!	"	!		6&2	,"		"		,	 	
          ,&!2	,2		'		"				(	!
          

@
@   * 	!.	 		 &	(		&	'	 	& 		& 	!	"	'			    9
          	,	,+'		6&2	(				&"	 	& 		& 	!	"	
          '			"		& 	&  		,	,+'	
          

@
E   * 	!.	 		 &		&	!	(		& 	!.	,	2	 	 	2	        9
          'F	9	6&2	 (				"	!	& 	 	!.-	,	!	
          !
          

	



@
1   (		 	'	"			 	&!	A	!!			!		"	>	!	      9
           &		!2	&		!2	!	!	!2			'"	!>	
          !	"			9		2	2		!>	".!	(	2	!	!2		
          !	 		,	>		&!		!	 	(	!	6&2	 			
          "			 	!.
          

@
   (		"	!		& 		 	"2	& 			2		 	 			                           9
          

@
;   * 	!.	 				 				9	 	&	'				 		      9
          		(	!2	 		&2		!!	,	6&2	 				"	
          2	".2				 	!.
          

@
4   * 	!.	 					!				 				(	!		,!	"	       9
          	6&2					"	 		 	!.				,	"		
367#	'()                                                                                                                               '(45
                                                                               	



                                                                               	




;9
          	 	(	!
          


@
B   * 	!.	 			"		 	(	 !				.		 	&!			           9
          2	 	!.	 					!	(	 !		 	A	 	!2		
          !2		!2	&	2	'"	!2		!2	&	2		
          !2	!	!2	&,	!2			!	6&2	  	!.	 		"	
          	 !"		 						"		F	 			& 		
          &	'				2	& 							(	2	 		"	 '	
          '
          

@
 * 	!.	 		 &		&							++	"		 	 .		                9
           .			&			&,		 	"	!		 			&	6&2	 	
          !.			"		 	 !	 	&	'			!			++	"		 	
           .		 .			&			&,	 	"	!		 			&
          

>;
9
          @@   			 	.					(	!	/H	
02	  	!.	"			
                  (	!		 	!"	6&2	 9		9					 			 	
                  (	!		 	!.					.		,	,+'	2		& 	<*		
                  4+1@2	4+@;2	$%	+E+@2		 	($	(	($<$
#
@@   (	, 		 	'	 	'					 	!.2		, 	 	        8


          9		/2	2		 !"0	 	"		(	                                         3#
          :





367#	'()                                                                                                                                  ''45
                                                                               	



                                                                               	




;9
                   8
      	
                                   * 	 	'		)"	 ! 	"				$#		M	"	"	$M	2		 	
                                   !"	 	!!		',	 				2	  	 	'					 			 	( 	
                                   	$		 		 	"		* 	!			 	!					 						
                                   	&,		* 	 	'		!	!		$-		& 		9	!		!2	
                                   	 	!"				9	 		 	"				"		* 2	&			'	$	 	9	
                                   	/2	2		 !"0	 "				"		(	
@@
   * 	!.	 	"						"	!		,2	,&!2			9		"	                    8



          		(	!			 	9	,&!2	,2	 	'		"		 	                            3#

          !.-	(	!
          :

                   8
      				@@
	'2	 	 	'	)"	 ! 	"					"			
                                    ! 	 	 	'			!		 !			 	2	"	 !	 			'			!	 	
                                    			"	!		"		,	$		& 		9		* 	!"			
                                   				!		,		,&!		 	
@@@   (			 	& 		& 	!	"	'					"		& 	&  		              8


          ,	,+'				!!	"	 .                                                                                 3#
          :

                   8
      $	 		"						"	!	"			* 	 	!"		"	
                                   '			,"		& 			(			,	,	'	
@@E   (			"	!	& 	!.	,	2	 	 	2		'F	9                  8


                                                                                                                                                               3#
          :

                   8
      $	 		"						"	!	"			* 	 	!"		"	
                                   '		"	!	(	"			,	!	!
	



@@1   (			"			 	!.		 	&!	A	!!			!		                     8


          "	>	!	 &		!2	&		!2	!	!	!2		                           3#
          	'"	!>	!	"			9		2	2		!>	".!	
367#	'()                                                                                                                                              ';45
                                                                               	



                                                                                	




;9
           (	2	!	!2		!	 		,	>		&!		!	 	(	!
           

@@    * 	!2	"2	2				(			'		'		 	!.                           8


                                                                                                                                                         3#
           

@@;    * 	!.		"	!	9		9				 				(	!	          8


           		& 	' 	9			2	!2	"2	2		!	(			          3#
           		 			(			
           :

                    8

 $	 	"	' 	9		9						!	!	+	 	&	
                                	'"	!	9"	"				!	 				(	 '		6&2	 		&		
                                			!	'		"	 ! 	3	 

@@4	   * 	!.		"	!		 !				 			(			 	H	       8


           				,"			,!	!			(	                                                                     3#
           

@@B	   * 	!.	 	"				 !				 	&!	(			(			         8


           '		 	)	'                                                                                                      3#
           +	 	!
           +	H	!
           +		!
           +	&	
           +	K'"	!
           +	C	!
           +	&	
           +		!
           +	(!	!
           +	<&,	!
           +		!
           


367#	'()	                                                                                                                                       '445
                                                                                	



                                                                               	




;9

@@ * 	!.					++	"		 	 .		 .			&			               8


          &,		 	"	!		 			&                                                                         3#
          

>4
9
          @E   			'!	"		/H	@02	(			'								
                  !	 			 	(	!2	 		&2		!!	,2			!!	
                  "	 .
#
@E   * 	!.-			"	!2	!2		".!	9		9			           

          	 	!.			!2	".!2		!			 			 	!.-	(	!             

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E
   ,		 	'	 	F	)!					 					 			 	             

          (	!                                                                                                                                 

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E@   		!	'		!		!	(	2		&		!		!				           

          '		!.	,	2	 	 	2	'F	92		 			 	(	!             

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
	





367#	'()                                                                                                                                       '545
                                                                               	



                                                                                	




;9
@EE   * 	!.	 			"	!2	!2		".!	9		9		             

          		 	!.			!2	".!2		!			 						!	       

	1
          (
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E1   ?	!	(			'	"2	"2				'	                                             

                                                                                                                                                        

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E   * 	!.		'		!			 				(	!					&	           

          	 	!.2	)	 			' 		 F'"		,F	2					       

	1
          			"	
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E;   * 	!.			(			!	,			!	,	2	F52		              

                                                                                                                                               

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E4   (					 	!.		 !	& 	!		".!	 			&"	 			       

          	,	!	                                                                                                               

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9


367#	'()                                                                                                                                       ')45
                                                                                	



                                                                               	




;9
@EB   (					!!	 .			"		 			&  	 	"	2	                  

          !				,	9	"				/2	 "	"		
,		
2	                 

	1
          "		
2		$I0						!!'
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9

@E * 	!.		 !		"	!2	!2		".!	9		9		          

          	 	!.			!2	".!2		!			 				 !		!	(        

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E * 	!.-	(						 				(	!					 	                   

          &,		 			 !	 			2	2		                           

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
@E
 * 	!.	.		C			2	2	2		".	*	"	2	 		&2	      

          	!	,                                                                                                                               

	1
          :

                   8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                   	'				E	9
>5
9
          @1	   			'!	!		'	/H	E02	  	!.-	(	!		.2	'2	

                   +!!2						+	'	'		 !		'F	9			 !!	

                    		 !"	


367#	'()	                                                                                                                                      '045
                                                                               	



                                                                                	




;9
#

@1	   * 	!.-	!		"			 ! 	,						(					+	        # 
           '		,	"	 !				(		'		!.	,	2	 	 	2		
           'F	9
           :

                    8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                    	'				1	9
	



@1
	   * 	!.	 	.						!		"'"		                  # 
           :

                    8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                    	'				1	9
@1@	   $			+	'2	 	!.	"			(	!			 !!	"'"					             # 
           !		 	 			"	
           :

                    8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                    	'				1	9
@1E	   * 	(	!		"	!	& 	!	!2		 			!				              # 
           2		 	F'	2		
           :

                    8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                    	'				1	9
@11	   * 	(	!	 	+	*"	'5 		!				,!	 		'		2	                # 
           ,2			
           :

                    8
      $	 				 	9			@	/("	0		 	(	"	2		 		
                                    	'				1	9

367#	'()	                                                                                                                                       '+45
                                                                                	



                                                                                	




Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways:

By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:      Toll Free Number:        (877) 499-7295
               Washington Metro Area:   (202) 606-2423

By Mail:       Office of the Inspector General
               U.S. Office of Personnel Management
               1900 E Street, NW
               Room 6400
               Washington, DC 20415-1100
