oversight

Audit of the U.S. Office of Personnel Management's Security Assessment and Authorization Methodology

Published by the Office of Personnel Management, Office of Inspector General on 2017-06-20.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

        U.S. OFFICE OF PERSONNEL MANAGEMENT
           OFFICE OF THE INSPECTOR GENERAL
                    OFFICE OF AUDITS




               Final Audit Report
           AUDIT OF THE U.S. OFFICE OF PERSONNEL
          MANAGEMENT’S SECURITY ASSESSMENT AND
             AUTHORIZATION METHODOLOGY
                                            Report Number 4A-CI-00-17-014
                                                    June 20, 2017




                                                               -- CAUTION --
 This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version may
contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act,
5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made publicly available on
  the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless authorized by the OIG.
                 EXECUTIVE SUMMARY
                                           Audit of the U.S. Office of Personnel Management’s

                                           Security Assessment and Authorization Methodology
Report No. 4A-CI-00-17-014                                                                                                                       June 20, 2017

Why Did We Conduct the Audit?                             What Did We Find?

Since fiscal year (FY) 2014, the number                   OPM has dedicated significant resources toward re-Authorizing the
                                                          systems that were neglected as a result of the 2015 Authorization
of U.S. Office of Personnel Management
                                                          moratorium. Although the program has notably improved, the deficit left
(OPM) information systems without a                       by the moratorium continues to hamper the agency. We detected
current and valid Security Assessment                     significant problems with the Authorization packages prepared during
and Authorization (Authorization) was                     the Sprint, and there is still significant effort needed to stabilize the
significant enough to warrant reinstating                 Authorization program. Of primary concern is the fact that the assessors
a material weakness related to this issue.                performing the Sprint activity did not have access to enough accurate and
In FY 2015, OPM placed a moratorium                       complete information to make valid risk-based decisions about the
                                                          systems’ security posture. Our specific concerns include:
on all Authorization activity, further
weakening the agency’s security posture.                  	 The LAN/WAN system security plan (SSP) was missing relevant data
                                                             about hardware, software, minor systems, and inherited controls.
In FY 2016, OPM initiated an                                 Additionally, the LAN/WAN SSP also failed to appropriately address
“Authorization Sprint” (Sprint) in an                        several relevant controls, labeled as “not applicable.”
effort to get all of the agency’s systems
compliant with the Authorization                          	 Deficiencies in the security control testing performed as part of the
requirements. We performed this audit to                     LAN/WAN Authorization process likely prevented the assessors from
                                                             identifying security vulnerabilities that could have been detected with
evaluate OPM’s progress in addressing                        an appropriately thorough test.
the material weakness.
                                                          	 The security weaknesses detected during the LAN/WAN
What Did We Audit?                                           Authorization were not appropriately tracked in a Plan of Action and
                                                             Milestones document.
Our objectives were to review OPM’s
                                                          	 Critical elements were missing from many of the other Authorization
current Authorization methodology and                        packages prepared during the Sprint.
to evaluate the Authorization packages
completed during the Sprint. We focused                   OPM has acknowledged the deficiencies of the Sprint Authorization
our efforts on reviewing the                              packages, and explained that its intent was to obtain an initial level of
Authorization package for OPM’s                           compliance with Authorization requirements. It has already initiated a
primary general support system, the                       secondary review of the LAN/WAN Authorization in order to address
                                                          said deficiencies, and we will monitor this effort closely. However, at
Local Area Network / Wide Area
                                                          this time, we continue to believe that OPM’s management of system
Network (LAN/WAN).                                        Authorizations represents a material weakness in the internal control
                                                          structure of the agency’s IT security program.

 ______________________
 Michael R. Esser
 Assistant Inspector General
 for Audits
                                                                         i
           This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                           information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 522a.
                                            ABBREVIATIONS

    Authorization               Security Assessment and Authorization
    FISMA                       Federal Information Security Modernization Act
    FY                          Fiscal Year
    LAN/WAN                     Local Area Network / Wide Area Network General Support System
    IG                          Inspector General
    IOC                         Internal Oversight and Compliance
    IT                          Information Technology
    NIST                        National Institute of Science and Technology
    OCIO                        Office of the Chief Information Officer
    OIG                         Office of the Inspector General
    OMB                         U.S. Office of Management and Budget
    OPM                         U.S. Office of Personnel Management
    POA&M                       Plan of Action and Milestones
    SP                          Special Publication
    Sprint                      “Authorization Sprint”
    SSP                         System Security Plan




                                                                       ii
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                   TABLE OF CONTENTS

                                                                                                                     Page 

                EXECUTIVE SUMMARY ........................................................................................ i


                ABBREVIATIONS ..................................................................................................... ii 


    I.          BACKGROUND ..........................................................................................................1 


    II.         OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................3 


    III.        AUDIT FINDINGS AND RECOMMENDATIONS.................................................6


                A. Authorization Sprint ................................................................................................6 


                B. Security Authorization Guide ..................................................................................7 


                C. LAN/WAN General Support System Authorization ...............................................7 


                D. Other Authorization Packages ...............................................................................14 


                APPENDIX: OPM’s April 06, 2017, response to the draft audit report, issued
                          March 20, 2017.

                REPORT FRAUD, WASTE, AND MISMANAGEMENT




This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
            I. BACKGROUND
IV. MAJOR CONTRIBUTORS TO THIS REPORT

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347),
which includes Title III, the Federal Information Security Management Act. It requires (1)
annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency
reporting to the U.S. Office of Management and Budget (OMB) the results of IG evaluations for
unclassified systems, and (4) an annual OMB report to Congress summarizing the material
received from agencies. In 2014, Public Law 113-283, the Federal Information Security
Modernization Act (FISMA) was established and reaffirmed the objectives of the prior Act. As
part of our evaluation, we reviewed the U.S. Office of Personnel Management (OPM)’s FISMA
compliance strategy and documented the status of their compliance efforts. In accordance with
FISMA, this final report details the findings, conclusions, and recommendations resulting from
an audit specific to OPM’s controls over its Security Assessment and Authorization
(Authorization) methodology.

An information system Authorization is a comprehensive assessment that evaluates whether a
system’s security controls are meeting the security requirements of that system. The purpose of
this assessment is to document the system’s controls, risks, and remediation plans. If the security
risk associated with the system is deemed to be acceptable, then the system is formally
authorized to operate in the agency’s production information technology (IT) environment.

Our fiscal year (FY) 2010 FISMA report identified a material weakness in OPM’s Authorization
program related to incomplete, inconsistent, and sub-par Authorization products. OPM resolved
these initial issues by implementing new policies and procedures to standardize the
Authorization process. However, throughout FY 2014 and FY 2015, the number of OPM
systems that had not been subject to the Authorization process significantly increased, and we
reinstated the material weakness related to this issue.

In April 2015, OPM’s Office of the Chief Information Officer (OCIO) issued a memorandum
that granted an extension of the previous Authorizations for all systems whose Authorization had
already expired, and for those scheduled to expire through the end of FY 2016. In effect, all
Authorization activity at OPM was halted. The OCIO’s justification was that the agency was in
the process of migrating its IT infrastructure to two new data centers and modernizing all of its
applications, and that once this effort was completed, all systems would have to receive new
Authorizations anyway. We expressed serious concern with this approach, and warned the
agency of the extreme risk associated with neglecting the IT security controls of its information
systems.
                                                                        1                                         Report No. 4A-CI-00-17-014
 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary

                 information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.

Although the moratorium on Authorizations has since been lifted, the effects of the April 2015
memorandum continue to have a significant negative impact on the agency. The original
modernization and migration effort was scrapped, and the agency is taking a different approach.
As a result, many of the systems included in the memorandum operated in the same legacy
environment without a valid Authorization.

OPM is also working to implement a comprehensive security control continuous monitoring
program that will eventually replace the need for periodic system Authorizations. Although the
agency’s continuous monitoring program is rapidly improving, it has not reached the point of
maturity where it can effectively replace the Authorization program. In addition, OPM
acknowledges that a current and comprehensive Authorization for each system is a prerequisite
for a continuous monitoring program, as the Authorization will provide a baseline of the security
controls that need to be continuously monitored going forward.




                                                                       2                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
II.
IV. OBJECTIVES, SCOPE, ANDTO
     MAJOR CONTRIBUTORS   METHODOLOGY
                             THIS REPORT

 OBJECTIVES

 Our objectives were to review OPM’s Authorization methodology and to evaluate all of the
 completed Authorization packages against OMB, FISMA, and National Institute of Science and
 Technology (NIST) regulations, as well as OPM’s own policies and procedures.

 SCOPE AND METHODOLOGY

 This performance audit was conducted in accordance with generally accepted government
 auditing standards issued by the Comptroller General of the United States. Accordingly, we
 obtained an understanding of OPM’s Authorization process through inspection of various
 documents, including IT and other related organizational policies and procedures.

 The scope of this audit included a review of OPM’s 28 recently completed Authorization
 packages, including the Authorization for the Local Area Network / Wide Area Network general
 support system (LAN/WAN). The LAN/WAN is OPM’s most critical general support system,
 as it provides inheritable controls to many of the agency’s major information systems and
 smaller applications.

 NIST Special Publication (SP) 800-37 identifies the key documents that an Authorization
 package should contain:

     (i)         the security plan;

     (ii)        the security assessment report; and

     (iii)       the plan of action and milestones (POA&M).

 Using a risk based approach we selected the LAN/WAN as the focal point for our review since
 many of the other major systems at OPM reside on and inherit controls from this general support
 system.

 To accomplish our objective, we reviewed federal laws, OMB policies and guidance, NIST
 guidance, OPM IT policies and procedures, and relevant Authorization documentation.


                                                                        3                                        Report No. 4A-CI-00-17-014
 This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                 information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
The findings, recommendations, and conclusions outlined in this report are based on the status of
information system general and application controls in place at OPM as of March 2017 and are
located in the “Audit Findings and Recommendations” section of this report.

Various laws, regulations, and industry standards were used as a guide for evaluating OPM’s
control structure. These criteria include, but are not limited to, the following publications:

	 OPM Information Security and Privacy Policy Handbook;

	 OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;

	 E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
   Management Act of 2002;

	 The Federal Information System Controls Audit Manual;

	 NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information
   Systems;

	 NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;

	 NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;

	 NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to
   Federal Information Systems;

	 NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
   and Organizations;

	 NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information
   Systems to Security Categories;

	 NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
   Capabilities;

	 Federal Information Processing Standards Publication 199, Standards for Security
   Categorization of Federal Information and Information Systems; and


                                                                       4	                                       Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
   Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe that the data was
sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in
accordance with the Generally Accepted Government Auditing Standards issued by the
Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the
Inspector General Act of 1978, as amended. The audit was conducted from December 2016
through March 2017 in OPM’s Washington, D.C. office.

We discussed the results of our audit with OCIO representatives at an exit conference.

COMPLIANCE WITH LAWS AND REGULATIONS

In conducting the audit, we performed tests to determine whether OPM’s management of the
Authorization process is consistent with applicable standards. While generally compliant, with
respect to the items tested, OPM was not in complete compliance with all standards, as described
in section III of this report.




                                                                       5                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
III. AUDIT FINDINGS AND RECOMMENDATIONS

  The following sections detail the results from our review of OPM’s Authorization methodology.

A. AUTHORIZATION SPRINT

  In an effort to revitalize its Authorization program, in FY 2016 OPM initiated an “Authorization
  Sprint” (Sprint) designed to get all of the agency’s systems compliant with the Authorization
  requirements. OPM dedicated significant resources toward re-Authorizing the systems that were
  neglected as a result of the 2015 Authorization moratorium. This Sprint was originally intended
  to be a concentrated 30-day effort involving the expedited review and Authorization of systems.
  However, OPM has since continued its efforts to improve its Authorization compliance. In
  tandem, OPM has also been updating the templates and guidance that support the Authorization
  process. Since the start of the Sprint, OPM has performed Authorization work on all 28 systems
  whose Authorization had expired during or prior to this time period.

  Although the program has notably improved, the deficit left by the moratorium continues to
  hamper the agency. As detailed in the sections below, we detected significant problems with the
  Authorization packages prepared during the Sprint, and there is still an enormous amount of
  effort needed to stabilize the Authorization program. Of primary concern is the fact that the
  assessors performing the Sprint activity did not have access to enough accurate and complete
  information to make valid risk-based decisions about the systems’ security posture.

  We acknowledge that the lack of a valid Authorization does not necessarily mean that a system is
  insecure. However, it does mean that a system is at a significantly higher risk of containing
  unidentified security vulnerabilities. A thorough Authorization process almost always identifies
  significant issues that must be addressed. If the process was not properly followed, then the
  agency does not know what weaknesses and vulnerabilities exist in its IT environment, and it
  cannot take steps to address and remove those weaknesses.
                                                                            OPM’s management of
  At this time, we continue to believe that OPM’s management of             system Authorizations
  system Authorizations represents a material weakness in the               continues to represent
                                                                1
  internal control structure of the agency’s IT security program . It is a material weakness.
  our understanding that the agency acknowledges this weakness and
  has a plan in place to address it, and we will continue to monitor this activity closely.

  1
    OPM OIG Audit Report No. 4A-CI-00-16-039, Recommendation 4, recommends that all systems in OPM’s
  inventory have a complete and current Authorization, and labels this issue as a material weakness. The results of
  this current audit determined that the material weakness and the associated audit recommendation both remain open.

                                                                         6                                        Report No. 4A-CI-00-17-014
  This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                  information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
B. SECURITY AUTHORIZATION GUIDE

  In 2016, the OCIO made several improvements to the OPM Authorization process. These
  included:

  	 Establishing and documenting a new Security Authorization Guide based on NIST’s risk
     management framework;

  	 Updating the roles and responsibilities for individuals in the Authorization process; and

  	 Updating outdated templates for the various Authorization elements.

  Nothing came to our attention to indicate that the OCIO has not developed an adequate
  framework surrounding the Authorization process. OPM should continue to apply this new
  framework as it works to improve its Authorization program.

C. LAN/WAN GENERAL SUPPORT SYSTEM AUTHORIZATION

  The OPM LAN/WAN was approved to continue operating in a production environment on
  September 12, 2016. At that time, the OCIO acknowledged issues with the Authorization
  package and therefore only approved the Authorization to be valid for one year (instead of the
  traditional three years).

  As described below, the LAN/WAN system security plan (SSP) did not include the critical
  system information or address all of the system’s relevant security controls. The issues with the
  SSP carried forward into the independent security control testing of the system. The assessor’s
  test work was restricted by missing information, inappropriate scope limitations, and insufficient
  time to assess a general support system of this size.

  Considering that the LAN/WAN is the agency’s primary general support system and hosts many
  of OPM’s other major applications, the issues found in the LAN/WAN Authorization have a
  significant impact to the security of OPM as a whole.

  The following sections detail our review of the LAN/WAN Authorization package.




                                                                         7	                                       Report No. 4A-CI-00-17-014
  This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                  information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
1) System Security Plan

    Federal agencies must implement for each information system the security controls outlined
    in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information
    Systems and Organizations. NIST SP 800-18, Revision 1, Guide for Developing Security
    Plans for Federal Information Systems, requires that these controls be documented in an SSP
    for each system, and provides guidance for doing so.

    The SSP for the LAN/WAN was created using the OCIO’s SSP template that utilizes NIST
    SP 800-18, Revision 1, as guidance. The template requires that the following elements be
    documented within the SSP:

     System Name and Identifier                                            General Description/Purpose
     System Categorization                                                 System Environment
     System Owner                                                          System Interconnection/Information Sharing
     Authorizing Official                                                  Security Control Selection
     Other Designated Contacts                                             Minimum Security Controls
     Assignment of Security Responsibility                                 Completion and Approval Dates
     System Operational Status                                             Information System Type
     Laws, Regulations, and Policies Affecting
      the System

    Our review of the LAN/WAN SSP identified several gaps between the documentation
    provided and the relevant guidance and policies including:

    System Environment

    The LAN/WAN SSP did not adequately define the system environment, as it did not contain
    complete hardware, software, or minor system inventories.

    According to OPM’s SSP Template, “The purpose of [system security planning] is to . . .
    describe the controls and critical elements in place . . . .” We do not believe that the
    LAN/WAN SSP meets this objective because it does not define the boundaries of the general
    support system. Without complete inventories, the system owner does not have the
    information necessary to design controls that protect the entire environment, and an
    independent assessor cannot effectively evaluate the security posture of the system as a
    whole.


                                                                       8                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
    Security Control Selection

    The LAN/WAN SSP does not fully and accurately identify all of the security controls
    applicable to this system. Specifically, the LAN/WAN SSP inappropriately identified
    multiple controls as “not applicable,” but NIST guidelines require these specific controls to
    be in place for all systems with a HIGH security categorization (such as the LAN/WAN.)

    Failure to document all applicable security controls in the SSP increases the risk to the
    system from both an implementation and testing perspective. If the SSP identifies a control
    as “not applicable,” a system owner is less likely to implement the control, and an assessor
    would likely exclude it from the scope of its testing.

    Inherited and Common Security Controls

    A substantial number of controls are identified as “common” or “inherited” by the
    LAN/WAN, but the SSP does not provide evidence that these controls are actually in place.
    NIST 800-37, Revision 1, requires that common control providers operate effectively as an
    independent system, requiring security planning, security assessment reporting, POA&M
    tracking, and continuous monitoring. Failure to maintain evidence that common or inherited
    controls are in place and operating as designed increases the risk that the LAN/WAN and the
    applications hosted by this support system contain unidentified vulnerabilities.

    Recommendation 1

    We recommend that the OCIO complete an SSP for the LAN/WAN that includes all of the
    required elements from OPM’s SSP template and relevant NIST guidance. This includes, but
    is not limited to, the specific deficiencies outlined in the section above.

    OPM Response:
                                                                      OPM recognized the
    “OPM concurs with the recommendation. During the course of        deficiencies of the
    the assessment, the LAN/WAN SSP was being modified to             LAN/WAN SSP and
    incorporate components that were a part of the infrastructure     proactively initiated
    data centers that were being ‘stood up’ as a part of the          a review and update
    infrastructure improvement program. The system environment        of this document.
    was also being modified as a result of two other infrastructure
    system boundaries being merged into the LAN/WAN system boundary as separate
    subsystems. This resulted in a complex, dynamic system that made it difficult for the


                                                                       9                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
    independent assessor to evaluate the status of many security controls with a high degree of
    confidence. Understanding this, OPM determined that a supplementary assessment would
    be needed to reevaluate those controls that were not fully successful during the initial
    assessment, once the environment has fully incorporated these changes. OPM believes
    that the environment has reached this state and OPM will provide an updated SSP for the
    LAN/WAN, which addresses the gaps identified by the OIG, as soon as it is available.

    In regards to the OIG statement that the LAN/WAN SSP inappropriately identified
    multiple controls as ‘not applicable,’ OPM would like to provide clarification. NIST
    provides security control baselines for system owners to tailor and supplement in order to
    protect the information stored, processed, and transmitted by the system. Consistent with
    NIST 800-37, these controls are not specifically required until the controls go through the
    tailoring process. Any tailoring decisions must be documented and approved by the
    Authorizing Official (AO). The results of the tailoring process will be more readily
    apparent in the updated SSP, including a well-defined rationale for controls that are not
    applicable as previously identified by the OIG.”

    OIG Comment:

    We acknowledge the complexities that OPM faced when assessing the security controls of
    the LAN/WAN environment at a time when its boundaries were in a state of fluctuation.
    However, these complexities do not negate the criticality of a comprehensive Authorization
    based on a complete and accurate SSP. We will continue to monitor OPM’s efforts to update
    the LAN/WAN SSP as the environment approaches a more stable state.

    We also acknowledge that the NIST SP 800-53 security controls must be tailored to each
    individual information system. However, it is not appropriate to simply list controls as “not
    applicable” without providing the relevant details to justify this conclusion, as it appears was
    done with the LAN/WAN SSP.

    We continue to recommend that OCIO provide Internal Oversight and Compliance (IOC)
    with evidence that the revised SSP has addressed all of our concerns outlined above.

    An updated version of the LAN/WAN SSP was provided to the OIG several weeks after the
    completion of the draft reporting phase of this audit. This document and any other artifacts
    completed after the draft reporting phase of the audit closed will be reviewed in the
    upcoming general FISMA audit.



                                                                      10                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
2) Security Controls Assessment

    A key element to the Authorization process is a thorough testing of the system’s security
    controls. OPM hired an independent third party to test the effectiveness of the security
    controls of the LAN/WAN general support system. We identified several issues with the
    LAN/WAN security controls test:

    	 Scope limitations – Critical components of the LAN/WAN were intentionally excluded
       from the scope of the security controls test. Specifically, the test work did not include
       applications and software installed on the LAN/WAN servers. In addition, multiple
       physical facilities hosting the LAN/WAN hardware were excluded from testing.

    	 Incomplete SSP and boundary – As mentioned in the section above, there are flaws in the
       most recent LAN/WAN SSP that was submitted with the final Authorization package.
       However, no current SSP was available to the security assessment team at the time the
       LAN/WAN security controls were tested. Not only was the SSP provided to the
       assessors outdated by approximately one year, but as described by the assessors it “did
       not contain the level of detail required to accurately describe the system, the assessment
       boundary . . ., or determine the plan, intent, and implementation status of each control.”

    	 Testing limitations – The assessment team was given a very limited window of seven
       days to perform the test work. This was not adequate time for the team to acquire the
       required evidence for controls that were simply described verbally in interviews. The
       assessor’s report states “While the interview sessions were extremely informative, the
       required evidence was not collected and a number of the technical interview statements
       were not witnessed via shoulder surf or screen-share during the review process.”

    Of the 334 LAN/WAN security controls that were tested, 202 were either not satisfied or
    only partially satisfied. The assessment team also noted that “There were thousands of
    findings that were the result of scans and missing documentation but were rolled up where
    applicable to cut down on the number of actual results.”

    The cumulative impact of these issues is that there is a                                   The LAN/WAN security
    significant risk, if not likelihood, that the security                                     controls assessment likely did
    controls testing performed as part of the LAN/WAN                                          not identify vulnerabilities
    Authorization process did not identify security                                            that could have been detected
    vulnerabilities that could have been detected with an                                      with a thorough test.



                                                                      11 	                                      Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
    appropriately thorough test. It is our opinion that this test work does not meet the minimum
    requirements of a complete security controls assessment.

    As a result, the Authorization package as a whole likely under-represents the quantity and
    severity of security risks associated with this system. This risk is compounded by the fact
    that a substantial number of other OPM systems are designed to inherit security controls from
    the LAN/WAN.

    Recommendation 2

    We recommend that the OCIO perform a thorough security controls assessment on the
    LAN/WAN. This assessment should address the deficiencies listed in the section above, and
    should be completed after a current and thorough SSP is in place (see Recommendation 1).

    OPM Response:

    “OPM concurs with the recommendation. OPM would like to provide clarification,
    however, to the OIG assertion that critical components of the LAN/WAN were
    intentionally excluded from the assessment. The Security Assessment Plan provides a
    statement of software that is excluded and software that is included. The exclusions
    identified in the Security Assessment Plan and the Security Assessment Report refer to
    application software that is included in the security authorization boundary of other
    systems. Consistent with NIST 800-53, these application boundaries were outside of the
    scope of the LAN/WAN assessment because they were covered by separate system
    assessments; thus it was not appropriate to include them in the LAN/WAN Security
    Assessment Plan. OPM is taking into consideration that the language in the Security
    Assessment Plan may be an area where OPM can clarify what it has done and why and
    thus improve its performance during the current assessment effort of the LAN/WAN and
    common controls.

    OPM’s General Comments and Response to Recommendation 1 also apply to the OIG
    statements concerning the SSP and boundary.

    In the draft, OIG stated that an assessor made a statement to the effect that findings were
    rolled up to cut down on the number of actual results, which OPM believes is misleading
    and conveys inaccurate implications that OPM is compelled to correct. As a part of the
    assessment, the assessor is responsible for identifying the number of occurrences of a
    specific potential vulnerability. For the generation of the Plan of Action and Milestones


                                                                      12                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
    (POA&Ms), each instance of a potential risk that occurs in the environment is not reported
    separately; including the information separately would make the POAMs too detailed and
    cumbersome to be useable or effective. Rather, these instances are rolled up into higher-
    level POA&Ms for reporting and management. This practice comports with OMB policy
    of the generation of POA&Ms, and is followed by OPM and other Executive agencies.”

    OIG Comment:

    We agree with OCIO’s statement that application software installed on the servers do not
    require testing if they fall within the authorization boundaries of other systems. However,
    not all of the LAN/WAN’s applications are within other system boundaries; OPM’s security
    and network monitoring tools are prime examples. We believe these applications should not
    have been excluded from the assessment, as they are pertinent to the security and risk of all
    systems inheriting controls from the LAN/WAN. The LAN/WAN SAP also excludes several
    OPM data centers from testing and simply states that they will be tested on a later date due to
    a condensed timeline. As such, there is a likelihood that the testing performed as part of the
    LAN/WAN Authorization process did not identify security vulnerabilities that could have
    been detected with a complete and thorough test.

    Regarding the number of weaknesses detected by the assessors, we agree with OPM that it is
    appropriate to roll multiple instances of the same finding into a single POA&M entry. Our
    reference to the number of controls that the assessor labeled as “not satisfied” is simply a
    reference to the magnitude of problems detected with the LAN/WAN’s security controls.

3) Plan of Action and Milestones

    A POA&M is a tool used to assist agencies in recording, assessing, prioritizing, and
    monitoring the progress of corrective efforts for known IT security weaknesses. OPM has
    implemented an agency-wide POA&M process to help track known IT security weaknesses
    associated with the agency’s information systems.

    A POA&M is typically used to track the security weaknesses identified during the
    Authorization process. However, OPM was unable to produce this documentation for the
    LAN/WAN.

    The OPM Authorization Guide states “All risks that have not been remediated must be
    documented in the POA&M, including risks from controls inherited from other systems, risks
    from the independent assessment, and any predefined risks.” The risks identified during the


                                                                      13                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
       Authorization process are added to any previously identified risks so that the POA&M list
       contains all known weaknesses and their remediation plans. NIST SP 800-53, Revision 4,
       states that an organization must develop “a plan of action and milestones for the information
       system to document the organization’s planned remedial actions to correct weaknesses or
       deficiencies noted during the assessment of the security controls and to reduce or eliminate
       known vulnerabilities in the system . . . .”

       Failure to document remediation plans for weaknesses identified in Authorizations inhibits
       the process of understanding the scale of a system’s security risk and allocating the
       appropriate resources to remediate weaknesses in a timely manner.

       Recommendation 3

       We recommend that the OCIO update and maintain a complete POA&M list for the
       LAN/WAN.

       OPM Response:

       “OPM concurs with the recommendation. OPM provided the POA&M for the LAN/WAN
       after receiving the draft audit report, which should result in closure of this
       recommendation.”

       OIG Comment:

       OPM did provide a POA&M list for the LAN/WAN as a part of its response to the draft
       report, but it did not contain all existing weaknesses identified during the LAN/WANs
       independent assessment (only 15 of the independent assessor’s 66 findings were included).
       We continue to recommend that OCIO update and maintain the POA&M for all existing
       vulnerabilities and provide IOC evidence once this has been completed.

D. Other Authorization Packages

  While this audit largely focused on the LAN/WAN Authorization, we also reviewed all
  Authorization packages performed during the Sprint. There were several issues that we detected
  across multiple packages, including:

  	 SSP supporting documentation – An SSP should include multiple appendices for important
     system information. These documents should address privacy considerations, security

                                                                         14 	                                      Report No. 4A-CI-00-17-014
   This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                   information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
     classifications, system inventories, and contingency planning. A significant number of
     packages were missing various elements of supporting documentation.

	 Security controls assessments – Many Authorization packages lacked evidence that the
   system was subject to a thorough security controls assessment.

	   POA&Ms – A significant number of packages were missing a POA&M outlining the
     vulnerabilities detected during the assessment.

In short, many of the Authorization packages were not complete. We                                                      Many of the
acknowledge that every OPM system has been technically “authorized to                                                   Authorization
operate” by a senior-level official that has put their signature on a document                                          packages
stating that they accept all security risks associated with that system.                                                developed
However, we believe that the deficiencies in the Authorization packages                                                 during the
completed as part of the Sprint prohibited these individuals from making a                                              Sprint were
reasonably informed risk-based decision.                                                                                not complete.

Recommendation 4

We recommend that the OCIO perform a gap analysis to determine what critical elements are
missing and/or incomplete for all Authorization packages developed during the Sprint. For
systems that reside on the LAN/WAN general support system, the OCIO should also evaluate the
impact that an updated LAN/WAN SSP has on these systems’ security controls.

OPM Response:

“OPM concurs with the recommendation and provides the following clarifications. OPM
reviewed the gap analysis conducted by the OIG of the documents OIG identified as missing
from authorization packages. OPM determined that some of the documents were included in
the original set of evidence provided to OIG during the audit. OPM also provided several
additional documents that OIG identified as missing from the packages. During the exit
briefing, OPM updated the OIG on the status of its improvements to the automation of its
system inventory and documentation repository. These improvements will support OPM’s
AOs to make risk determination and authorization decisions based on the status of controls
inherited from its systems.”




                                                                      15 	                                      Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
OIG Comment:

OPM provided us with multiple batches of Authorization documentation during and after the
fieldwork phase of this audit. Our final review of all documentation provided by OPM
determined that the Authorization packages completed during the Sprint continue to lack
significant critical artifacts. We have still not received current and valid copies of 51 out of the
336 artifacts expected for the Authorization packages in the scope of this audit. The chart below
provides a breakdown of missing documentation by artifact type.


                                   Authorization Required Documentation
                       30


                       25
   Number of Systems




                       20


                       15


                       10


                        5


                        0




                                                    Missing/Out‐of‐date          Received



While our review provides the OCIO with a head start in completing the gap analysis, it is the
OCIO’s responsibility to independently verify and update this information. The OCIO’s analysis
should also evaluate the impact that an updated LAN/WAN assessment has on the information
systems that inherit security controls from the LAN/WAN. The owners of these other systems
should be made aware of any deficiencies in the LAN/WAN’s controls so that they can
appropriately assess the risk to their own systems.

Once this process has been completed, the OCIO should provide IOC with the evidence that each
system has a complete, up to date, Authorization package.




                                                                      16                                        Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                       APPENDIX




                                                                                                                Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                                                                                Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                                                                                Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                                                                                Report No. 4A-CI-00-17-014
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                                                                  



                Report Fraud, Waste, and
                    Mismanagement 

                           Fraud, waste, and mismanagement in
                        Government concerns everyone: Office of
                            the Inspector General staff, agency
                         employees, and the general public. We
                       actively solicit allegations of any inefficient
                             and wasteful practices, fraud, and
                        mismanagement related to OPM programs
                      and operations. You can report allegations to
                                    us in several ways:

     By Internet: 	        http://www.opm.gov/our-inspector-general/hotline-to-
                           report-fraud-waste-or-abuse

       By Phone:           Toll Free Number:                   (877) 499-7295
                           Washington Metro Area:              (202) 606-2423

        By Mail:           Office of the Inspector General
                           U.S. Office of Personnel Management
                           1900 E Street, NW
                           Room 6400
                           Washington, DC 20415-1100