Federal Information Security Modernization Act Audit Fiscal Year 2018

Published by the Office of Personnel Management, Office of Inspector General on 2018-10-30.

U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report
Federal Information Security Modernization Act Audit
Fiscal Year 2018
Report Number 4A-CI-00-18-038
October 30, 2018

EXECUTIVE SUMMARY

Federal Information Security Modernization Act Audit - Fiscal Year 2018
Report No. 4A-CI-00-18-038                                    October 30, 2018

Why Did We Conduct the Audit?

Our overall objective was to evaluate the U.S. Office of Personnel Management’s (OPM)
security program and practices, as required by the Federal Information Security
Modernization Act (FISMA) of 2014. Specifically, we reviewed the status of OPM’s
information technology security program in accordance with the U.S. Department of
Homeland Security’s (DHS) FISMA Inspector General Reporting Metrics.

What Did We Audit?

The OPM Office of the Inspector General has completed a performance audit of OPM’s
general FISMA compliance efforts in the areas defined in DHS’s guidance and the
corresponding reporting instructions. Our audit was conducted from April through
September 2018 at OPM headquarters in Washington, D.C.

What Did We Find?

The Fiscal Year (FY) 2018 FISMA Inspector General reporting metrics use a maturity model
evaluation system derived from the National Institute of Standards and Technology’s
Cybersecurity Framework. The metrics map eight “domain” areas onto the Framework’s five
function areas, and the mode (i.e., the number that appears most often) of the domain
scores is used to derive the agency’s overall cybersecurity score. In FY 2018, OPM’s
cybersecurity maturity level is measured as “2 - Defined.”

In addition, OPM’s information security governance program has been a longstanding
concern. We have assessed it to be a material weakness or a significant deficiency in
OPM’s internal control structure since FY 2007. This year, we again consider deficiencies
in the agency’s information security governance program to be a material weakness in the
agency’s IT security internal control structure. A lack of resources dedicated to IT
operations and the agency’s culture of minimizing the role of the Chief Information
Officer are primary factors causing these issues.

As with OPM’s IT security governance program, we have reported either a material weakness
or a significant deficiency in OPM’s security assessment and authorization process since
FY 2014 because of incomplete, inconsistent, and sub-par work products. This year we
believe that the current control weaknesses are less severe than a material weakness, but
are still a significant deficiency in IT security controls. While there appears to be a
valid security assessment and authorization in place for almost every major IT system in
the agency’s system inventory, the quality of the work and supporting documentation is
questionable.

The following sections provide a high-level outline of OPM’s performance in each of the
eight domains, which map to the five Cybersecurity Framework function areas:

Risk Management – OPM is working to implement a comprehensive inventory management process for
its system interconnections, hardware assets, and software. OPM is also working to establish a risk
executive function that will help ensure that risk assessments are completed and risk is communicated
throughout the organization.

Configuration Management – OPM continues to develop and maintain baseline configurations and
approved standard configuration settings for its information systems. The organization is also working to
establish routine audit processes to ensure that its systems maintain compliance with established
configurations.

Identity, Credential, and Access Management (ICAM) – OPM is continuing to improve upon its program
by establishing an agency ICAM strategy, and ensuring that an auditing process is implemented for all
contractor access.

Data Protection and Privacy – OPM has not implemented several of the FISMA requirements related to
data protection and privacy. This is a new domain area for the FY 2018 FISMA metrics and maturity
models that we will continue to monitor going forward.

Security Training – OPM has implemented an IT security training program, but should perform a
workforce assessment to identify any gaps in its IT security training needs.

Information Security Continuous Monitoring (ISCM) – OPM has established many of the policies and
procedures surrounding ISCM, but the organization has not completed the implementation and
enforcement of the policies. OPM also continues to struggle with conducting a security controls
assessment on all of its information systems. This has been an ongoing weakness at OPM for over a
decade.

Incident Response – OPM has made the greatest strides this fiscal year in the incident response domain.
Based upon our audit work, OPM has successfully implemented all of the FISMA metrics at the level of
“consistently implemented” or higher. As such, we are closing our FY 2016 recommendation related to
the incident response program.

Contingency Planning – OPM has not implemented several of the FISMA requirements related to
contingency planning, and continues to struggle with maintaining its contingency plans as well as
conducting contingency plan tests on a routine basis.




                   ABBREVIATIONS
ATO             Authority to Operate
Authorization   Security Assessment and Authorization
BIA             Business Impact Analysis
CDM             Continuous Diagnostics and Mitigation
CFC             Combined Federal Campaign
CISO            Chief Information Security Officer
CM              Configuration Management
DHS             U.S. Department of Homeland Security
FISMA           Federal Information Security Modernization Act
FY              Fiscal Year
HCDW            Health Claims Data Warehouse
ICAM            Identity, Credential, and Access Management
IG              Inspector General
ISCM            Information Security Continuous Monitoring
ISSO            Information System Security Officer
IT              Information Technology
NIST            National Institute of Standards and Technology
OCIO            Office of the Chief Information Officer
OIG             Office of the Inspector General
OMB             U.S. Office of Management and Budget
OPM             U.S. Office of Personnel Management
PII             Personally Identifiable Information
PIV             Personal Identity Verification
POA&M           Plan of Action and Milestones
SDLC            Systems Development Lifecycle
SP              Special Publication
USAS            USA Staffing System




                           TABLE OF CONTENTS

                                                                            Page

       EXECUTIVE SUMMARY .................................................. i
       ABBREVIATIONS ...................................................... iii
  I.   BACKGROUND ......................................................... 1
  II.  OBJECTIVES, SCOPE, AND METHODOLOGY ................................. 3
  III. AUDIT FINDINGS AND RECOMMENDATIONS ................................. 7
       A. Introduction and Overall Assessment ............................. 7
       B. Information Security Governance ................................. 11
       C. Security Assessment and Authorization ........................... 17
       D. Risk Management ................................................. 20
       E. Configuration Management ........................................ 35
       F. Identity, Credential, and Access Management ..................... 46
       G. Data Protection and Privacy ..................................... 52
       H. Security Training ............................................... 59
       I. Information Security Continuous Monitoring ...................... 62
       J. Incident Response ............................................... 67
       K. Contingency Planning ............................................ 69
       APPENDIX I:   Detailed FISMA Results by Metric
       APPENDIX II:  Status of Prior OIG Audit Recommendations
       APPENDIX III: The Office of Personnel Management’s October 11, 2018, response to
                     the draft audit report, issued September 17, 2018.
       REPORT FRAUD, WASTE, AND MISMANAGEMENT

                             I. BACKGROUND

On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-
347), which includes Title III, the Federal Information Security Management Act. This Act
requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3)
agency reporting to the U.S. Office of Management and Budget (OMB) on the results of IG
evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the
material received from agencies. On December 18, 2014, President Obama signed Public Law
113-283, the Federal Information Security Modernization Act (FISMA), which reiterates the
need for an annual IG evaluation. In accordance with FISMA, we conducted an audit of OPM’s
security program and practices. As part of our audit, we reviewed OPM’s FISMA compliance
strategy and documented the status of its compliance efforts.

FISMA requirements pertain to all information systems supporting the operations and assets of
an agency, including those systems currently in place or planned. The requirements also pertain
to information technology (IT) resources owned and/or operated by a contractor supporting
agency systems.

FISMA reemphasizes the Chief Information Officer’s strategic agency-wide security
responsibility. At the U.S. Office of Personnel Management (OPM), security responsibility is
assigned to the agency’s Office of the Chief Information Officer (OCIO). FISMA also clearly
places responsibility on each agency’s OCIO to develop, implement, and maintain a security
program that assesses risk and provides adequate security for the operations and assets of
programs and systems under its control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the
U.S. Department of Homeland Security (DHS) Office of Cybersecurity and Communications
issued the Fiscal Year (FY) 2018 Inspector General FISMA Reporting Instructions. This
document provides a consistent form and format for agencies to report FISMA audit results to
DHS. It identifies a series of reporting topics that relate to specific agency responsibilities
outlined in FISMA.

The FY 2018 metrics also mark a continuation of the work that OMB, DHS, and the Council of
the Inspectors General on Integrity and Efficiency undertook in FY 2015 and FY 2016 to move
the IG assessments toward a maturity model approach. In previous years, the Council of the
Inspectors General on Integrity and Efficiency, in partnership with OMB and DHS, transitioned
two of the National Institute of Standards and Technology (NIST) Cybersecurity Framework
function areas to maturity models, with other function areas utilizing maturity model indicators.

                                              1                              Report No. 4A-CI-00-18-038 

The FY 2018 IG FISMA Reporting Metrics completed this work by transitioning the remaining
function areas to full maturity models. Our audit and reporting approaches were designed in
accordance with DHS guidance.




II. OBJECTIVES, SCOPE, AND METHODOLOGY

 OBJECTIVES

 Our overall objective was to evaluate OPM’s security program and practices, as required by
 FISMA. Specifically, we reviewed the status of the following areas of OPM’s IT security
 program in accordance with DHS’s FISMA IG reporting requirements:

 - Risk Management;
 - Configuration Management;
 - Identity, Credential, and Access Management;
 - Data Protection and Privacy;
 - Security Training;
 - Information Security Continuous Monitoring;
 - Incident Response; and
 - Contingency Planning.


 In addition, we evaluated the status of OPM’s IT security governance structure and the agency’s
 system Security Assessment and Authorization (Authorization) methodology, areas that have
 represented a material weakness in OPM’s IT security program in prior FISMA audits. We also
 followed up on outstanding recommendations from prior FISMA audits (see Appendix II), and
 performed audits focused on three of OPM’s major information systems – the implementation of
 the Combined Federal Campaign (CFC), the USA Staffing System (USAS), and the Health
 Claims Data Warehouse (HCDW).

 SCOPE AND METHODOLOGY

 We conducted this performance audit in accordance with the U.S. Government Accountability
 Office’s Generally Accepted Government Auditing Standards. Those standards require that we
 plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
 basis for our findings and conclusions based on our audit objectives. We believe that the
 evidence obtained provides a reasonable basis for our findings and conclusions based on our
 audit objectives. The audit covered OPM’s FISMA compliance efforts throughout FY 2018.

We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s
guidance and the corresponding reporting instructions. We also performed information security
audits on the CFC, USAS, and HCDW major information systems and the Authorization
methodology. We considered the internal control structure for various OPM systems in planning
our audit procedures. These procedures were mainly substantive in nature, although we did gain
an understanding of management procedures and controls to the extent necessary to achieve our
audit objectives. Accordingly, we obtained an understanding of the internal controls for these
various systems through interviews and observations, as well as inspection of various documents,
including information technology and other related organizational policies and procedures. This
understanding of these systems’ internal controls was used to evaluate the degree to which the
appropriate internal controls were designed and implemented. As appropriate, we conducted
compliance tests using judgmental sampling to determine the extent to which established
controls and procedures are functioning as required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
OPM. Due to time constraints, we did not verify the reliability of the data generated by the
various information systems involved. However, we believe that the data was sufficient to
achieve the audit objectives, and nothing came to our attention during our audit to cause us to
doubt its reliability.

Since our audit would not necessarily disclose all significant matters in the internal control
structure, we do not express an opinion on the set of internal controls for these various systems
taken as a whole.

The criteria used in conducting this audit included:

 - DHS Office of Cybersecurity and Communications FY 2018 Inspector General Federal
   Information Security Modernization Act Reporting Instructions;
 - OPM Information Technology Security and Privacy Policy Handbook;
 - OPM Information Technology Security FISMA Procedures;
 - OPM Security Assessment and Authorization Guide;
 - OPM Plan of Action and Milestones Standard Operating Procedures;
 - OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
 - OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
   Personally Identifiable Information;
 - OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential
   Directive 12;
 - P.L. 107-347, Title III, Federal Information Security Management Act of 2002;
 - P.L. 113-283, Federal Information Security Modernization Act of 2014;
 - NIST Special Publication (SP) 800-12, Revision 1, An Introduction to Computer Security:
   The NIST Handbook;
 - NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information
   Systems;
 - NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
 - NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
 - NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to
   Federal Information Systems;
 - NIST SP 800-39, Managing Information Security Risk – Organization, Mission, and
   Information System View;
 - NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems;
 - NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
   and Organizations;
 - NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and
   Information Systems to Security Categories;
 - NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable
   Information;
 - NIST SP 800-128, Guide for Security-Focused Configuration Management of Information
   Systems;
 - Federal Information Processing Standards Publication 199, Standards for Security
   Categorization of Federal Information and Information Systems;
 - Federal Cybersecurity Workforce Assessment Act of 2015;
 - Federal Identity, Credential, and Access Management Roadmap Implementation Guidance;
 - Federal Information Processing Standards Publication 140-2, Security Requirements for
   Cryptographic Modules; and
 - Other criteria as appropriate.

The audit was performed by the Office of the Inspector General (OIG) at OPM, as established by
the Inspector General Act of 1978, as amended. Our audit was conducted from April through
September 2018 in OPM’s Washington, D.C. office.

COMPLIANCE WITH LAWS AND REGULATIONS

In conducting the audit, we performed tests to determine whether OPM’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
OPM’s OCIO and other program offices were not in complete compliance with all standards, as
described in Section III of this report.




III. AUDIT FINDINGS AND RECOMMENDATIONS

A. INTRODUCTION AND OVERALL ASSESSMENT

  Management comments on the draft FISMA audit report

  As we have noted many times in conversations with OPM and OCIO officials, the objective of
  our IT audit work is to identify control weaknesses in OPM’s IT security program, from a policy,
  governance, and technical perspective, and recommend corrective action as needed. We share
  the OCIO’s goal of achieving a mature IT security program that will adequately protect OPM’s
  sensitive systems and data.

  It is understandable that an organization’s dedicated officials working hard to improve their
  operations would be disappointed with negative feedback. Even so, OPM’s response to the draft
  FISMA audit report was unusually adversarial, challenged our authority to make
  recommendations in certain areas, and asserted that our work violated Government Auditing
  Standards.

  Based on OPM’s response to our draft FISMA audit report, and from follow-up meetings with
  senior OPM and OCIO officials, we understand that there is a concern that we have not fairly
  “credited” OPM for progress in its IT security program. There is no doubt that OPM has
  significantly improved its technical security posture in recent years by implementing two-factor
  authentication at the network level, data encryption and other data loss prevention tools,
  improved monitoring and incident response, and better procedures for updating software patches.
  OPM engineers designed a more secure, segmented network architecture and introduced client
  security to better control users accessing the network.

  OPM’s perimeter security controls have greatly improved since 2015, meaning that it would be
  more difficult for a malicious adversary to gain remote access to the network. Internal firewalls
  and network segmentation would limit a hacker’s ability to traverse the network, escalate
  privileges, or steal sensitive data.

  A common assumption in IT security, though, is that no matter how secure a network perimeter
  is, skilled adversaries will eventually compromise it, if it has not been already. For this reason,
  security controls at the system level are critical to an organization’s overall security. At OPM,
  these controls need to be improved. In particular, only 6 of 54 OPM major systems require
  two-factor authentication; the remaining systems rely on user IDs and passwords alone to
  authenticate users.
  In addition, monitoring and testing system security controls continues to be a challenge for OPM
  (see Section F).

Of greater concern is that security controls are perishable and rely on proper governance and
management. This is an area in which OPM has historically struggled, and to some extent is a
result of agency culture and the degree to which IT operations continue to be inappropriately
decentralized. We have assessed IT security governance to be either a material weakness or a
significant deficiency in OPM’s internal control structure every year since 2008. This year we
are again reporting a material weakness in OPM’s IT security governance (see Section B) for
several reasons, but primarily because of degraded compliance with critical FISMA metrics.

In our judgment, the cause of non-compliance is that OPM has not provided adequate resources
to the OCIO to effectively manage the agency’s IT operations and security (see section B for
further discussion of this topic). Despite our recommendation in FY 2010 that OPM implement
a centralized team of information system security officers dedicated to managing the IT security
of OPM’s major IT systems, the agency has still not developed a mature capability in this area.
While part of the problem is one of resources, effective management of a skilled team of security
experts is also needed. The result of this is an inadequate security assessment and authorization
program, incomplete testing of system security controls and contingency plans, and lack of
corrective action for identified weaknesses.

OPM’s response to the draft FISMA audit report also questioned the IG’s authority to
recommend corrective action in these areas, stating that “the OIG’s comments intrude on the
broad discretion afforded to the agency by FISMA” (see Appendix III, page 2). OPM cites our
comments on its “staffing decisions” as one instance of this intrusion. Another example given is
our recommendation that OPM adopt an automated solution for tracking agency-wide risk. OPM
asserts that since there is no requirement for automated tools, our recommendation “intrudes on
OPM’s discretion to identify the right tools for its unique needs.”

Setting aside for the moment the merit of our recommendations, OPM’s comments reveal a
misunderstanding of the role of a Federal Office of Inspector General with respect to the agency
it oversees. The Inspector General Act of 1978, as amended, created independent and objective
units “to conduct audits … relating to the programs and operations” of the agency “to …
recommend policies … to promote economy, efficiency, and effectiveness in the administration
of … such programs and operations; and to provide a means for keeping the head of the
establishment and the Congress fully and currently informed about problems and deficiencies
related to the administration of such programs and operations and the necessity for and the
progress of corrective action … .”.




We do not agree that making recommendations to promote economy and efficiency in the
agency’s programs and operations related to the allocation of resources or the use of specific
tools “intrudes” on the agency’s discretion. The idea that certain areas of a Federal department
or agency would be “out of bounds” for a Federal Office of Inspector General to review and
recommend corrective action runs counter to the spirit and letter of the IG Act and its various
amendments.

OPM also asserts in its response to our draft FISMA audit report, without specifics, that “a
number of the conclusions reached by the OIG in this report appear to be unsubstantiated or
reflect a subjective opinion.” On the contrary, our audit was conducted in strict compliance with
Generally Accepted Government Auditing Standards, also known as the Yellow Book, which
provides a “framework for conducting high-quality audits with competence, integrity,
objectivity, and independence.”

Federal Office of Inspector General auditors are required to adhere to Yellow Book standards.
Yellow Book Section 6.03 defines the auditor’s responsibility to obtain reasonable assurance that
evidence is “sufficient and appropriate to support the auditors’ findings and conclusions ….”
Yellow Book Section 3.61 states that “Auditors must use professional judgment in planning and
performing audits and in reporting the results.”

Our findings and conclusions are not “unsubstantiated,” but are supported by relevant and
sufficient evidence gathered during the audit. In addition, to the extent that the results of our
audit are “subjective,” they are based on our professional judgment, competence, and experience.
Further, our ratings for the maturity model metrics (discussed in summary below, and in detail
starting on page 20) were informed by guidance provided by the Council of the Inspectors
General on Integrity and Efficiency, the U.S. Office of Management and Budget, and the U.S.
Department of Homeland Security.

We would also like to note that numerous times in the OCIO’s response to the draft FISMA audit
report, the OCIO indicated it did not have a clear understanding of what evidence is needed to
address an open recommendation. The OCIO also indicated in several instances that they had
previously provided the necessary documentation to address a recommendation. Prior to the
beginning of fieldwork, the OIG met with the OCIO to review the status of open
recommendations and ways to demonstrate corrective action has been taken. In addition,
throughout the duration of the audit status meetings were held to discuss information requests
made by the OIG that were still outstanding. Thus, there were multiple opportunities for the
OCIO to provide, or indicate that they had already provided, documentation to the OIG. Finally,
the OCIO does not regularly follow OPM’s established processes for managing the resolution of
audit recommendations through the agency’s Internal Oversight and Compliance office. These
processes involve establishing and executing corrective action plans and tracking the status
of results, and they are overseen by OPM management.

Maturity Model Assessment

The FY 2018 FISMA IG Reporting Metrics use a maturity model evaluation system derived
from the NIST Cybersecurity Framework. The Cybersecurity Framework is comprised of five
“function” areas; the IG metrics map eight “domains” onto those functions. These eight
domains are broad cybersecurity control areas used to assess the effectiveness of the
information security policies, procedures, and practices of the agency. Each domain is
comprised of a series of individual metrics, which are the specific controls that we
evaluate and test when assessing the agency’s cybersecurity program. Each metric is rated
on a maturity level of 1 to 5. The overall maturity of OPM’s cybersecurity program is
outlined in the chart below (detailed results by metric can be found in Appendix I):

[Chart of overall maturity ratings by function and domain not reproduced in this text
rendition.]

The following table outlines the description of each maturity level rating, as defined by the
FY 2018 IG FISMA Reporting Metrics:

 Maturity Level                     Maturity Level Description
 Level 1: Ad-hoc                    Policies, procedures, and strategy are not formalized;
                                    activities are performed in an ad-hoc, reactive manner.
 Level 2: Defined                   Policies, procedures, and strategy are formalized and
                                    documented but not consistently implemented.
 Level 3: Consistently Implemented  Policies, procedures, and strategy are consistently
                                    implemented, but quantitative and qualitative
                                    effectiveness measures are lacking.
 Level 4: Managed and Measurable    Quantitative and qualitative measures on the
                                    effectiveness of policies, procedures, and strategy are
                                    collected across the organization and used to assess
                                    them and make necessary changes.
 Level 5: Optimized                 Policies, procedures, and strategy are fully
                                    institutionalized, repeatable, self-generating,
                                    consistently implemented, and regularly updated based on
                                    a changing threat and technology landscape and
                                    business/mission needs.

  The mode (i.e., the number that appears most often) from the maturity levels of each individual
  metric is used to determine the corresponding domain rating. Similarly, the mode from the
  domain ratings is used to assign the function area rating. The overall agency rating is calculated
  using the same methodology.
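The mode-based roll-up described above is easy to state but has one edge case the report does not address: a domain or function whose metric scores have two equally frequent levels has no single mode. The Python below is an added illustration, not OIG tooling or anything from the report. It carries the roll-up through metric, domain and function levels on constructed sample scores (the domain-to-function mapping follows the FY 2018 IG metrics; the score values are invented), computes the agency rating as the executive summary states it (the mode of the eight domain ratings), and flags every level where a tie had to be broken. The "lowest wins" default is an assumption of this example; the page specifies no tie-break policy.

```python
"""Mode-based roll-up of IG FISMA maturity scores: metric -> domain -> function -> agency.

Added illustration, not the OIG's tooling. Tie-breaking is not specified on the
page; the default "lowest" policy is an assumption of this example.
"""
from collections import Counter

# Level labels as defined in the FY 2018 IG FISMA Reporting Metrics table.
LEVEL_NAMES = {
    1: "Ad-hoc",
    2: "Defined",
    3: "Consistently Implemented",
    4: "Managed and Measurable",
    5: "Optimized",
}

# Eight domains under the five Cybersecurity Framework functions (FY 2018 mapping).
# The per-metric scores are CONSTRUCTED sample data, not OPM's actual results.
SAMPLE_SCORES = {
    "Identify": {
        "Risk Management": [2, 2, 3, 2, 1, 2, 3],
    },
    "Protect": {
        "Configuration Management": [2, 3, 2, 3],  # deliberate tie: 2 vs 3
        "Identity, Credential, and Access Management": [2, 3, 2, 3, 2],
        "Data Protection and Privacy": [1, 2, 1, 2, 2],
        "Security Training": [3, 3, 2, 3, 2],
    },
    "Detect": {
        "Information Security Continuous Monitoring": [2, 2, 3, 2],
    },
    "Respond": {
        "Incident Response": [4, 4, 3, 4, 5],
    },
    "Recover": {
        "Contingency Planning": [2, 1, 2, 1, 2],
    },
}


def mode_rating(scores, tie_break="lowest"):
    """Return (mode, tied). `tied` is True when two or more levels share the top count.

    tie_break is "lowest" (assumed default, the conservative reading) or "highest".
    """
    if not scores:
        raise ValueError("no scores to aggregate")
    bad = [s for s in scores if s not in LEVEL_NAMES]
    if bad:
        raise ValueError(f"maturity levels must be 1-5, got {bad}")
    counts = Counter(scores)
    top = max(counts.values())
    candidates = sorted(level for level, n in counts.items() if n == top)
    tied = len(candidates) > 1
    if tie_break == "lowest":
        return candidates[0], tied
    if tie_break == "highest":
        return candidates[-1], tied
    raise ValueError(f"unknown tie_break policy {tie_break!r}")


def roll_up(scores_by_function, tie_break="lowest"):
    """Aggregate metric scores to domain, function and agency ratings.

    Agency rating follows the executive summary: the mode of the domain ratings.
    Returns a dict with 'domains', 'functions', 'agency', 'agency_name' and 'ties'
    (names of every domain, function or the agency whose mode was ambiguous).
    """
    domains, functions, ties = {}, {}, []
    for function, domain_scores in scores_by_function.items():
        for domain, metric_scores in domain_scores.items():
            rating, tied = mode_rating(metric_scores, tie_break)
            domains[domain] = rating
            if tied:
                ties.append(domain)
        rating, tied = mode_rating([domains[d] for d in domain_scores], tie_break)
        functions[function] = rating
        if tied:
            ties.append(function)
    agency, tied = mode_rating(list(domains.values()), tie_break)
    if tied:
        ties.append("agency")
    return {
        "domains": domains,
        "functions": functions,
        "agency": agency,
        "agency_name": LEVEL_NAMES[agency],
        "ties": ties,
    }


if __name__ == "__main__":
    result = roll_up(SAMPLE_SCORES)
    for domain, rating in result["domains"].items():
        print(f"{domain:45s} {rating} - {LEVEL_NAMES[rating]}")
    print("functions:", result["functions"])
    print(f"agency: {result['agency']} - {result['agency_name']}")
    if result["ties"]:
        print("ambiguous modes (tie-break applied):", ", ".join(result["ties"]))
```

Running it with the sample data yields an agency rating of 2 (Defined) with Incident Response at 4, and reports that the Configuration Management rating depended on the tie-break policy; switching to `tie_break="highest"` moves that domain to 3 and, because it then ties the Protect function as well, moves Protect to 3 too. That sensitivity is the practical reason to record ties explicitly rather than silently picking one mode when an auditor and an agency compare roll-up results.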




  The remaining sections of this report provide the detailed results of our audit. Most notably,
  since the data breach in 2015, OPM has made significant strides to implement an incident
  response program that is “managed and measurable” (see Section J). However, Information
  Security Governance and Security Assessment and Authorizations (Sections B and C,
  respectively) do not directly map to the FY 2018 IG FISMA Reporting Metrics but warrant
  discussion in this report. Sections D through K outline how we rated the maturity level of each
  individual metric, which ultimately determined the agency’s maturity level for each domain and
  function.

B. INFORMATION SECURITY GOVERNANCE

  Information security governance is the foundation of a successful information security program.
  This includes a variety of activities, challenges, and requirements, but is primarily focused on
  identifying key roles and responsibilities and managing information security policy development,
  oversight, and ongoing monitoring activities.

  OPM’s information security governance program has been a longstanding concern. We have
  assessed it to be a material weakness or a significant deficiency in OPM’s internal control
  structure every year since FY 2007. This year, we again consider deficiencies in the agency’s
  information security governance program to be a material weakness in the agency’s IT security
  internal control structure. OPM has made some recent progress updating and maintaining policy
  documents, implementing standard procedures, and centralizing its cybersecurity program under
  a Chief Information Security Officer (CISO) supported by a team of Information System
  Security Officers (ISSO).



However, as noted in Section A, OPM’s cybersecurity program has not reached the level of
maturity that would facilitate the consistent application of FISMA requirements. For example,
OPM has not been able to complete the annual requirement to independently test the security
controls and contingency plans of all of its major IT systems since 2008. What this means is
that, in some cases, mission-critical IT systems with highly sensitive data may have inadequate
security controls or may not be recovered in the event of a disaster.

OPM’s security assessment and authorization process (SA&A) is similarly inadequate. While
some progress was made during the agency’s 2016 ‘sprint’, there has been a relapse since then
(see Section C for details). Even if OPM’s SA&A process were well managed, it would still be
considered an outdated technique for managing IT risk. NIST SP 800-137, published in
September 2011, introduced the risk management framework and the concept of continuous
monitoring of vulnerabilities and threats to information systems to replace the triennial SA&A
process. Despite some effort, OPM has not made sufficient progress in adopting a mature
continuous monitoring program (see Section I on ISCM).

Another shortcoming in the OCIO’s overall governance program is its inability to manage and
implement corrective action for control weaknesses identified through audits or other types of
reviews. OPM has not implemented corrective action for any of the 39 recommendations in our
FY 2017 FISMA report, and has only closed 5 of the 26 recommendations in the FY 2016
FISMA audit report. Further, the OCIO’s process for managing plans of action and milestones
for correcting IT security control weaknesses is inadequate (see Section D).

The OCIO does not follow OPM’s established processes for managing the resolution of audit
recommendations through the agency’s Internal Oversight and Compliance office. These
processes involve establishing and executing corrective action plans, and tracking the status of
results.

The OCIO has made progress implementing corrective action on recommendations made in four
GAO audit reports issued between 2016 and 2018. As of September 2018, OPM had
implemented 51 of 80 GAO information security program and control recommendations. While
on the surface this is impressive, it should be noted that 46 of the closed recommendations were
specifically associated with two high-impact systems, and 21 of these 46 recommendations were
closed, not because the OCIO had actually implemented corrective action, but because one of the
systems had been decommissioned.





The OCIO should be commended for its progress in implementing corrective action on the GAO
audit recommendations. But this corrective action was primarily focused on two systems and not
on strategic, enterprise-level controls. There is no evidence that the OCIO has improved its
overall program for managing corrective action of identified security control weaknesses.

However, the OCIO did award a contract to a vendor in May 2018 to help establish an enterprise
program management office (EPMO) with three objectives:

   1. Improve overall IT governance;

   2. Establish a technical enterprise architecture; and

   3. Implement improved procedures for managing corrective action.

While this is positive, it remains to be seen whether this project leads to lasting, long-term
improvement in OPM’s overall IT security program. The contract has one base year, with
options for two additional years, but the contract was financed with IT modernization funds and
the EPMO is not staffed with full-time Federal employees. There does not appear to be a plan for
long-term funding and staffing.

Another ongoing issue emerged in FY 2018 regarding “shadow IT” systems, applications, and
data. The OCIO discovered at least 30 systems operating in its production environment without
defined boundaries, required security documentation, or an Authority to Operate. The OCIO’s
initiative to bring clarity to the IT environment, and its discovery of these undocumented
systems, reflects positively on its ongoing efforts to enhance security controls and improve
documentation.

But this is a larger problem rooted in OPM’s history and culture, and further evidence that the
agency’s IT security governance program needs improvement. OPM’s program offices in many
cases avoid involving the OCIO when acquiring or changing IT systems that support their
business operations. While some progress has been made to centralize IT under the OCIO,
OPM’s leadership has not fully adopted statutory requirements regarding the authority of Federal
CIOs. OPM’s program offices often avoid centralized IT security requirements and processes
through outsourcing system development, modification, or hosting services without OCIO
involvement.

Good governance requires centralized authority and control over all IT systems development and
operation in an agency. Without this, there is the potential for security vulnerabilities and poor
IT project management as individuals outside of the OCIO may not be fully versed in all security
requirements or best practices. Additionally, we have observed instances where OCIO
involvement early in the process would have avoided costly contract modifications to ensure
system compliance with security requirements.

All of these examples discussed above are symptoms of the underlying issues at OPM: there are
inadequate resources to fully support OPM’s IT environment, and the agency has not historically
viewed the OCIO as a strategic partner on par with other program offices. Throughout this audit,
and in many other situations, OCIO officials expressed to us that inadequate resources are the
primary reason for the lack of progress in making the structural reforms needed to achieve strong
IT security governance.

In July 2017, OPM’s prior CIO prepared a document laying out a framework for strengthening
OCIO operations. In the document, entitled “CIO Value to OPM for Director, OPM,” the prior
CIO also discussed the budget and cultural limitations that adversely impacted his efforts to
implement this framework. OPM’s prior Deputy CIO, who recently departed, provided a copy
of this document to our office, and verbally emphasized many of the points presented in the
paper.

As discussed in Section (A) of the “CIO Value” document, after the OPM data breaches in 2014
and 2015, OPM’s effort to improve its technical IT security controls exhausted funds available to
maintain base IT operations in FY 2016. A supplemental appropriation of $37 million for IT
modernization requested in FY 2017 never materialized, and OPM’s FY 2017 budget was not
approved until May 2017. As a result, OPM cut back on planned modernization work and
applied a hiring freeze, forcing the OCIO to reduce its operational activities.

OPM’s budget process involves funding from several sources, including trust funds, revolving
funds, and a salaries and expenses fund. There is also a “common services” allocation from
OPM’s OCFO to fund support services such as IT, procurement, financial services, and facilities.
The OCFO develops a formula to collect the “common services” from each program office, and
then distributes those funds to the support offices. As discussed in our Audit of the U.S. Office of
Personnel Management Common Services (OIG Report No. 4A-CF-00-16-055, March 29, 2018),
this process is not clearly defined or transparent.

The OPM-administered trust and revolving fund monies allocated to the OCIO must be used for
the IT systems that support those activities. For core information technology services, including
security controls, the OCIO is completely reliant on the salaries and expenses fund, and its
common services allocation from the OCFO. In the “CIO Value” document, OPM’s prior CIO
discussed how this arrangement has resulted in “significant funding challenges” facing the
OCIO, which he believed demonstrated the “lack of support and transparency for the OCIO
organization over the years.”

In FY 2016, OPM’s Congressional Budget Justification included $21 million for OPM to
“implement and sustain agency network upgrades and security software maintenance … This
updated network must be maintained over time to ensure that OPM’s system does not revert to
antiquity and insecurity.” (emphasis added). This funding was included in the OCIO’s FY 2016
budget but was subsequently absorbed into OPM’s core budget in FY 2017, resulting in a
decrease in the OCIO’s operating funds of almost $10 million. Because this funding was no
longer available to support ongoing maintenance costs associated with updated security tools, the
OCIO was forced to reduce spending that could have otherwise been used for fundamental
reforms. The prior CIO noted in the “CIO Value” document that only one-third of OPM’s
overall spending on IT was controlled by the OCIO.

Strengthening financial performance was one of the prior CIO’s top five priorities through FY
2020. The focus areas in this priority were improved transparency of overall IT spending in the
agency and replacing the common services budget process with a cost accounting model to better
identify the true costs of OCIO services to agency components.

The prior CIO expressed in the “CIO Value” document that “The OCIO has not been seen as an
important, innovative partner in support of all OPM business lines, one that brings value or
technological capabilities required to achieve the most effective and efficient mission delivery.”
His suggested framework for improving the OCIO’s operations was based, in part, on
transparency in costs, centralized authority for IT procurement within the OCIO, and including
the OCIO in the strategic-level decision making process.

This “CIO Value” document is only the viewpoint of two prior senior OCIO officials, although
we consider both to be highly respected and experienced. Based on our experience and
observations over a number of years, and recent audit work regarding OPM’s Federal
Information Technology Acquisition Reform Act compliance, we agree with the overall position
that the OCIO does not have adequate resources to effectively manage IT operations and
security, and that the agency has not historically valued the proper role of a Federal CIO.

This may be why there has also been an unusually high turnover in key OCIO senior positions at
OPM. There have been six CIOs in the last three years and the deputy CIO recently left the
agency. The prior CISO moved on to another position, and the acting CISO is also a senior
official responsible for running the agency’s infrastructure – a clear separation of duties problem.




As a result, OPM continues to struggle to implement a mature and consistent overall IT security
program. Progress in one area usually comes at the expense of regression in another. There is
insufficient staff to maintain basic operational or security requirements. Specifically, in FY 2018
OPM was downgraded in FISMA metrics related to risk management (see Section D), and
received low maturity level scores for continuous monitoring (see Section I), and contingency
planning (see Section K).


Recommendation 1 (Rolled forward from 2016)

Note: The recommendation in the draft FISMA audit report was focused on recruitment of
information system security officers. Based on information received after the draft report was
issued, we modified this recommendation in the final audit report to address the more strategic
level discussion of resource issues affecting the OCIO.

OPM does not have the appropriate resources in place to manage its cybersecurity program.

We recommend that the OPM Director ensure that the OCIO has sufficient resources to
adequately operate, secure, and modernize agency IT systems.

We also recommend that the agency hire a sufficient number of Information System Security
Officers (ISSOs) to adequately support all of the agency’s major information systems.

OPM Response:

“We concur with the recommendation. The OPM OCIO conducted an analysis on the
funding requirements for ISSO positions and understands where the gaps are. OPM is
actively recruiting for these positions, having extended two offers at the end of September and
continuing with interviews into early October.”

OIG Comment:

As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal
Oversight and Compliance office with evidence that this recommendation has been implemented.
This statement applies to all subsequent recommendations in this audit report that the OCIO
agrees to implement.





  Recommendation 2

  We recommend that OPM ensure that the OCIO’s senior leadership vacancies are filled and that
  there is a proper separation of duties for assigned roles and responsibilities.

  OPM Response:

  “We concur with the recommendation. OPM understands the importance of having the
  individual in the role of the Chief Information Security Officer have information security as
  his or her primary duties, and will assign an individual to this role in Fiscal Year (FY) 2019.”

C. SECURITY ASSESSMENT AND AUTHORIZATION

  Authorization is a process that includes both a comprehensive assessment that evaluates whether
  a system’s security controls are meeting its security requirements, and an attestation that the
  system risks are at an acceptable level. Both OPM policy and NIST guidance require each
  system to have a current Authorization.1

  Like OPM’s IT security governance program, we have reported either a material weakness or a
  significant deficiency in OPM’s Authorization process every year since FY 2014 because of
  incomplete, inconsistent, and sub-par work products. OPM implemented new policies and
  procedures to standardize its processes, but was not able to maintain a current Authorization for
  all major systems in its system inventory.

  After significant effort from OPM in FY 2017, the agency had established valid Authorizations
  for its major information systems, including the critical general support systems. The OCIO had
  also successfully addressed some of the weaknesses that our audits identified, but there were still
  widespread issues primarily related to documentation inconsistencies and incomplete or
  inadequate independent testing of the systems’ security controls.

  As part of the FY 2018 audit, we requested Authorization documentation supporting 23 of
  OPM’s 54 major systems. During the audit, the OCIO only provided a current Authorization for
  18 of the 23 systems under review. In addition, we found that many of the 18 Authorization
  packages for these systems were not in compliance with NIST requirements. They either were
  missing critical elements or were of such poor quality that it was unclear that an effective risk
  decision was possible. Just before the draft FISMA audit report was issued, the OCIO provided
  three additional Authorization letters (see OIG Comment for Recommendation 3 for additional
  details).

  1
   The OCIO has continued its efforts to implement a comprehensive continuous monitoring program that will
  eventually replace the need for periodic system Authorizations. However, OPM’s continuous monitoring program
  has not reached the point of maturity where it can effectively replace the Authorization program (see Section I,
  Information Security Continuous Monitoring).

Based on the information available at the time our draft FISMA audit report was issued, we
determined that the inadequate Authorization process represented a material weakness in the
agency’s IT security internal control structure. Specifically, the documentation that the OCIO
provided indicated that there were five systems operating in the production environment without
a valid Authority to Operate (ATO). In addition, many of the other production systems had
ATOs based on flawed Authorization packages.

However, based on the information we received after the draft report was issued, we believe that
the current control weaknesses are less severe than a material weakness, but are still a significant
deficiency in IT security controls. While there now appears to be a valid Authorization in place
for almost every major IT system in the agency’s system inventory (see the OIG Comment
for Recommendation 3 for additional details), the quality of the work and supporting
documentation is questionable.

In addition, we noted that in some cases, the OCIO issued short-term or interim ATOs in
violation of OMB guidance. OMB does not recognize interim ATOs for at least two reasons.
First, security should be included in the budgeting life cycle of all IT systems. The lack of
planning or budget is not a valid reason to extend existing ATOs, and the existence of open
weaknesses identified during the Authorization process is not a reason to issue a short-term
ATO. The second reason is to ensure consistency and quality in Government-wide reporting.

Furthermore, the newly identified “shadow IT” systems, applications, and data (discussed in
Section A) have not been evaluated for inclusion on the major system inventory. It is likely that
at least some of them will be considered major IT systems that must be subject to the Security
Assessment and Authorization process. There is a high risk that these undocumented and
unauthorized systems have control weaknesses that could compromise the agency’s overall IT
security program.
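The Authorization conditions this section describes (a current ATO for every inventoried system,
no interim ATOs, and, for cloud-hosted systems, both a FedRAMP platform authorization and an
agency-specific authorization, plus discovered systems that have never been evaluated for the
inventory) can be reduced to a reconciliation check. The code below is an added example, not an
OPM or OIG tool; the system names and dates are constructed, and the three-year ATO validity
period is an assumption taken from the triennial SA&A cycle the report mentions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: an ATO is treated as current for three years from signature,
# matching the triennial SA&A cycle the report refers to.
ATO_VALIDITY = timedelta(days=3 * 365)
AS_OF = date(2018, 9, 30)  # constructed audit cut-off date


@dataclass
class SystemRecord:
    name: str
    ato_date: Optional[date]          # date the ATO letter was signed; None = none on file
    ato_type: str = "full"            # "full" or "interim" (short-term)
    cloud_hosted: bool = False
    platform_fedramp: bool = False    # hosting platform holds a FedRAMP authorization
    agency_authorized: bool = False   # agency-specific authorization of the system itself


def authorization_findings(inventory, as_of):
    """Return (system name, issue) pairs for every record that fails the checks
    the report describes: a missing or lapsed ATO, an interim ATO, or a
    cloud-hosted system lacking either the FedRAMP platform authorization or
    the agency-specific authorization."""
    findings = []
    for s in inventory:
        if s.ato_date is None:
            findings.append((s.name, "no Authority to Operate on file"))
            continue
        if as_of - s.ato_date > ATO_VALIDITY:
            findings.append((s.name, "ATO older than the assumed three-year validity period"))
        if s.ato_type == "interim":
            findings.append((s.name, "interim ATO (OMB does not recognize interim ATOs)"))
        if s.cloud_hosted:
            if not s.platform_fedramp:
                findings.append((s.name, "cloud platform lacks FedRAMP authorization"))
            if not s.agency_authorized:
                findings.append((s.name, "agency-specific authorization missing"))
    return findings


def uninventoried(discovered, inventory):
    """Names of discovered systems that are absent from the major system inventory
    and therefore have never been evaluated for Authorization."""
    known = {s.name for s in inventory}
    return sorted(set(discovered) - known)


# Constructed sample inventory (placeholder names, not OPM systems).
SAMPLE_INVENTORY = [
    SystemRecord("SYSTEM-A", date(2017, 11, 15)),
    SystemRecord("SYSTEM-B", date(2014, 6, 1)),                    # lapsed
    SystemRecord("SYSTEM-C", date(2018, 3, 30), ato_type="interim"),
    SystemRecord("SYSTEM-D", None),                                 # none on file
    SystemRecord("SYSTEM-E", date(2018, 1, 10), cloud_hosted=True,
                 platform_fedramp=True, agency_authorized=False),
]
SAMPLE_DISCOVERED = ["SYSTEM-A", "SHADOW-APP-1", "SHADOW-APP-2"]

if __name__ == "__main__":
    for name, issue in authorization_findings(SAMPLE_INVENTORY, AS_OF):
        print(f"{name}: {issue}")
    print("not in inventory:", uninventoried(SAMPLE_DISCOVERED, SAMPLE_INVENTORY))
```

SYSTEM-E is the case the OIG Comment for Recommendation 3 singles out: the FedRAMP
authorization of the platform is on file, but the agency-specific Authorization for the system is
not, so the record still fails.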

Recommendation 3 (Rolled forward from 2014)

We recommend that all active systems in OPM’s inventory have a complete and current
Authorization.





OPM Response:

“We do not concur with the recommendation based on the conditions of the recommendation.
While OPM agrees with the premise that all active systems in the inventory must have a
complete and current authorization, it does not agree with the OIG's conclusion that discovery
of assets means that the system inventory and related authorizations are not complete. As
referenced by the OIG, significant efforts have been taken by OPM to identify hardware and
software assets on its network, including better detection of system boundaries, showing that
actions have already been taken that are consistent with past OIG recommendations in this
area and that achieve the goal of those recommendations. Issuance of this recommendation
along with the supporting language in the report suggests that OPM's posture has worsened,
when in fact the work being done in this area clearly shows that OPM has been making strides
in the maturity of these programs. Every active system within the inventory has a complete
and current authorization and OPM provided to OIG the authorization letters for each system
within its system inventory during this annual audit. If systems are identified as a part of
OPM’s continuous monitoring activities, they will be added to the inventory after completing
an assessment and authorization, as appropriate, for that system.”

OIG Comment:

After issuance of the draft audit report we were provided additional Authorizations for three
systems on OPM’s inventory. However, there are 2 systems of the 23 reviewed for which we
have not received a current Authorization. Both of these systems are implemented on platforms
supported by cloud service providers. OPM policy requires both that the platform be FedRAMP
certified and that the agency-specific system be appropriately authorized. We received
documentation from the FedRAMP certification for both platforms; however, we have not
received the agency’s Authorizations for the specific systems.

Apart from these two systems it is more than likely that there are missing systems on OPM’s
inventory. During our discussions about recently discovered systems, OCIO officials indicated a
number of these systems would need to be added to the major system inventory. We do agree
with OPM that the progress made with finding previously unknown assets is positive. However,
we have not seen any evidence that shows these systems have been assessed to determine
whether they are major systems, which would necessitate inclusion on OPM’s major system
inventory and require Authorizations.





  Recommendation 4 (Rolled forward from 2014)

  We recommend that the performance standards of all OPM system owners be modified to
  include a requirement related to FISMA compliance for the information systems they own. At a
  minimum, system owners should be required to ensure that their systems have valid
  Authorizations.

  OPM Response:

  “We do not concur with the recommendation. The agency has taken, and will continue to
  take, OIG's recommendation under advisement and agrees that system owners provide support
  to the business processes of the agency. However, performance metric adjustments would
  need input and guidance from the Human Capital Office. Apart from changes to performance
  standards, OPM will continue to identify appropriate ways to work with system owners to help
  ensure FISMA compliance. For instance, recently issued cybersecurity policies set forth
  expectations and requirements for system owners, consistent with NIST 800 Series guidance.”

  OIG Comment:

  The cybersecurity policies that set forth expectations for system owners referenced by OPM
  were not provided to us during the course of this audit. Historically, OPM has had difficulty
  keeping systems compliant with FISMA requirements. Although OPM disagrees with this
  recommendation, the OIG stands by its position that the best approach to ensure that systems are
  compliant with FISMA requirements is to include these in the performance standards for system
  owners. Incomplete and inadequate SA&A documentation has been an ongoing issue for OPM
  and this approach would help ensure the SA&A process is followed routinely as required by
  FISMA.

  We agree with OPM that performance metric adjustments would most likely need input from the
  Human Capital Office. Its involvement would be an effective step in developing a corrective
  action plan to address this recommendation.

D. RISK MANAGEMENT

  Risk management controls are the tools, policies, and procedures that enable an organization to
  understand and control risks associated with its IT infrastructure and services. These controls
  should be implemented throughout the agency and used to support making risk-based decisions
  with limited resources. The sections below detail the results for each individual metric in this
  domain. OPM’s overall maturity level for the Risk Management domain is “1 – Ad-hoc.”


Metric 1 – Inventory of Major Systems and System Interconnections

FY 2018 Maturity Level: 1 – Ad-hoc. OPM policy requires that the agency keep a major system
inventory, to include system interconnections.2 While the agency has established a central
repository for its system inventory, agency procedures require that system boundaries be defined
before the system can be properly classified. At that point the system can be added to the system
inventory and undergo the Authorization process. OPM has historically struggled to fully define
its existing system boundaries as management of OPM systems has been decentralized. As
mentioned in Section C, OPM’s OCIO has taken steps to centralize the management of IT and
identify undocumented systems in the agency’s environment. As a byproduct of this effort,
OPM continues to discover existing systems, interconnections, and data that are not properly
classified and inventoried in its environment.

The current policy and procedures for defining system boundaries and classifying systems does
not appear to contain a sufficient level of detail to be consistently enforced. As a result, there are
systems in the production environment currently in a state of limbo without a defined boundary,
classification, or Authorization. This issue also relates to both Metric 2 and Metric 3 for risk
management. If the OPM hardware and software inventories were properly correlated to the
boundaries of the systems in the environment, there would be less risk of discovering improperly
classified systems.

NIST SP 800-53, Revision 4, requires that an organization “Develops and maintains an inventory
of its information systems.” Furthermore, NIST requires an organization “Documents, for each
interconnection, the interface characteristics, security requirements, and the nature of the
information communicated . . .” and that each connection should be authorized, and then
regularly reviewed and updated.

Failure to document and approve all systems and system interconnections increases the risk that
information systems will improperly contain, share, or fail to protect sensitive information.

Recommendation 5

We recommend that OPM improve the policies and procedures for defining system boundaries
and classifying the systems in its environment.




2
  System interconnections are documented in memoranda of understanding/agreements and interconnection security
agreements.


OPM Response:

“We do not concur with the recommendation. OPM believes the OIG has provided no basis
for determining that the current policy and procedures for defining system boundaries and
classifying systems do not contain a sufficient level of detail to be consistently enforced. The
OIG simply states that “[t]he current policy and procedures for defining system boundaries
and classifying systems does not appear to contain a sufficient level of detail to be consistently
enforced.” (emphasis added). The agency considers its policy, which is based on NIST
guidance and recommendations, to be sufficient and without need of further improvement.
Nonetheless, although it is our view that we have fulfilled the requirements of this
recommendation, OPM asks the OIG to clarify their rationale on this recommendation.”

OIG Comment:

Regarding the agency’s statement in their response, “The agency considers its policy, which is
based on NIST guidance and recommendations, to be sufficient and without need of further
improvement”, there are three OPM documents we reviewed (the security policy, the procedure
guide, and the documentation template) that provide guidance for system documentation. The
most recent of the three documents reviewed is more than two years old. There was no more
than a sentence or two describing what to include in a system’s authorization boundary in each
letter. As stated in Metric 1, OPM continues to discover systems, applications, and data outside
of current system boundaries. The guidance for classifying systems is slightly more detailed.
However, there have been discussions with the OCIO about systems that have changed or might
change classifications on what appears to be individual preference or opinion rather than defined
criteria. Without clearly defined guidance for defining and classifying systems, OPM’s issues
with its major inventory and system authorizations will most likely continue.

Recommendation 6 (Rolled forward from 2014)

We recommend that the OCIO ensure that all interconnection security agreements are valid and
properly maintained.

OPM Response:

“We concur with the recommendation. Continued updates to centralized tracking, including
those that have been released in September, 2018, will improve overall management of the
Interconnection Security Agreements (ISAs).”





Recommendation 7 (Rolled forward from 2014)

We recommend that the OCIO ensure that a valid memorandum of understanding/agreement
exists for every interconnection.

OPM Response:

“We concur with the recommendation. Continued updates to centralized tracking, including
those that have been released in September, 2018, will improve overall management of
Memorandums of Understanding (MOUs).”

Metric 2 – Hardware Inventory

FY 2018 Maturity Level: 2 – Defined. OPM uses a software tool to maintain a centralized
inventory of its hardware assets. The inventory contains details of the hardware such as type,
model, serial number, location, and status. OPM’s hardware inventory includes many of the
required elements, but it does not contain information that associates hardware components to
the major system(s) that they support.

NIST SP 800-53, Revision 4, states that organizations with centralized inventories must “ensure
that the resulting inventories include system-specific information required for proper component
accountability (e.g., information system association and information system owner).”

Failure to associate components of a hardware inventory with the specific information system(s)
they support increases the risk that there will not be proper accountability for the component or
system owner.


Recommendation 8 (Rolled forward from 2016)

We recommend that OPM improve its system inventory by correlating the elements of the
inventory to the servers and information systems they reside on.

OPM Response:

“We concur with the recommendation. OPM relies on support from the Department of
Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program to support
the implementation of these requirements. OPM has been at the forefront of working with
DHS throughout the lifecycle of the CDM program and will maintain this partnership as
CDM continues to evolve. The recommendation here underscores efforts across the Federal
government and is not unique to OPM.”

Metric 3 – Software Inventory 


FY 2018 Maturity Level: 1 – Ad-hoc. In FY 2017, OPM provided the OIG with a list of
software in its environment. While the list was incomplete and missing information, it was an
adequate start of a centralized inventory. In response to our FY 2017 FISMA audit report, OPM
indicated that it was working towards an inventory that correlated the software list with the
centralized system inventory. However, OPM has changed its position this year and no longer
has a centralized software inventory. Instead, OPM now tracks software information at the
system level.

NIST SP 800-53, Revision 4, states that organizations with centralized inventories must “ensure
that the resulting inventories include system-specific information required for proper component
accountability (e.g., information system association and information system owner). Information
deemed necessary for effective accountability of information system components includes, for
example, hardware inventory specifications, software license information, software version
numbers, component owners, and for networked components or devices, machine names and
network addresses. Inventory specifications include, for example, manufacturer, device type,
model, serial number, and physical location.”

Failure to maintain a centralized software inventory increases the risk that the agency will not
fully understand the information assets in its environment or maintain a complete major system
inventory. This increases the agency’s susceptibility to unassessed risks and undetected
vulnerabilities because major systems are not undergoing the Authorization process. Another
disadvantage of decentralized software management is likely excess expense from the lost
opportunity to bundle software licensing or fully achieve volume discounts that could be
available at the agency-wide level.

Recommendation 9

We recommend that OPM define policies and procedures for a centralized software inventory.

OPM Response:

“We do not concur with the recommendation. While we concur with the general premise of
having policies and procedures related to a centralized software inventory, OPM notes that it
already has appropriate policies and procedures in place. The OIG states that, ‘OPM has
changed its policy and no longer has a centralized software inventory…’ This statement is not
correct. OPM issued a Secure Asset Management Policy in January 2018 to reinforce existing
asset management requirements and define requirements for management of hardware and
software assets. The implementation of a centralized repository for the inventory of these
assets is explicitly required by the policy. OPM has also issued an Information Security
Continuous Monitoring Strategy, referenced by the OIG in Section I.

Further, the OIG report references supplemental guidance from the NIST 800-53, Rev. 4,
CM-8 security control in the text related to this recommendation. However, NIST guidance
affords agencies significant latitude to determine whether to implement a centralized
inventory, and implementation of a centralized inventory is not part of a baseline control per
NIST guidance. Therefore, in essence, the OIG's conclusion that there is a deficiency is based
on a determination that OPM has not implemented controls that exceed the baseline. Such a
conclusion intrudes on matters within the agency's discretion.”

OIG Comment:

The information conveyed to us during our interviews, status meetings, and the exit conference
with OCIO staff and management was that a centralized software inventory would not be
feasible given the current prevalence of shadow IT systems throughout the agency. The Secure
Asset Management Policy was not provided to us during the course of our audit fieldwork.

The OIG is not limited to NIST guidance when identifying criteria for developing audit programs
and making recommendations. Industry best practices are also considered when making
recommendations. A centralized software inventory management approach would provide the
greatest control over software installed throughout the agency. Additionally, this ensures cost
savings by reducing redundancy and facilitating volume discounts during the procurement
process.

Recommendation 10 (Rolled forward from 2017)

We recommend that OPM define the standard data elements for an inventory of software assets
and licenses with the detailed information necessary for tracking and reporting, and that it update
its software inventory to include these standard data elements.

OPM Response:

“We concur with the recommendation. OPM completed the definitions for standard data
elements for an inventory of software assets and licenses at the end of August 2018. The
standard data elements are provided along with this response. OPM continues to work with
DHS on the implementation of the CDM program and will adopt these data elements
within its current software asset management capabilities.”

Metric 4 – System Security Categorization 


FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has implemented policies and
procedures for categorizing its information and information systems that follow Federal
Information Processing Standard 199 and NIST SP 800-60 guidance. This includes the
identification of the agency’s high value assets and consideration of the system categorization
when selecting, implementing, and monitoring controls.

Metric 5 – Risk Policy and Strategy

FY 2018 Maturity Level: 1 – Ad-hoc. OPM’s OCIO has defined policies for assessing and
reporting IT-related risks. OPM’s Risk Management Council serves as the primary risk
executive function and is responsible for the agency-wide risk management program. The
council meets regularly and has defined a risk profile for OPM, but has not yet established an
overall risk strategy for the agency.

OPM created a Risk Management Council to serve as the risk executive function and develop
the agency-wide risk management approach.

An effective risk management strategy provides the guidance for understanding, tracking, and
addressing risks, as well as making risk-based decisions for agency systems and resources.
Without an approved risk management strategy, the agency will not be able to effectively create
and define consistent agency-wide risk management policies and procedures.

NIST SP 800-39 requires that a risk management strategy include “the risk tolerance for the
organization, acceptable risk assessment methodologies, risk response strategies, a process for
consistently evaluating risk across the organization with respect to the organization’s risk
tolerance, and approaches for monitoring risk over time.” It also states that the strategy must
“[make] explicit the specific assumptions, constraints, risk tolerances, and priorities/trade-offs
used within organizations for making investment and operational decisions.”

Without a risk management strategy, there is an increased likelihood that the agency will not
have or consider the proper risk information when making investment, security, and operational
decisions.

Recommendation 11 (Rolled forward from 2017)

We recommend that OPM define and communicate a risk management strategy based on the
requirements outlined in NIST SP 800-39.

OPM Response:

“We concur with the recommendation. OPM published a Cybersecurity Risk Management
Strategy based on the requirements in NIST SP800-39 in September 2018. The Cybersecurity
Risk Management Strategy can be provided upon request.”

Metric 6 – Information Security Architecture

FY 2018 Maturity Level: 1 – Ad-hoc. OMB’s Federal Enterprise Architecture Guidance states
that an enterprise architecture “describes the current and future state of the agency, and lays out a
plan for transitioning from the current state to the desired future state.”

In FY 2017, we reported that OPM’s enterprise architecture had not been updated since 2008,
and does not support the necessary integration of an information security architecture. OPM
acknowledged this and incorporated remedial efforts as a part of OPM’s FY 2017 and FY 2018
IT Modernization Spending Plan. (For more information on these spending plans see
Management Advisory Nos. 4A-CI-00-18-022 & 4A-CI-00-18-044, dated February 15, 2018,
and June 20, 2018, respectively). A contract was awarded and efforts are underway to begin
developing an enterprise architecture. Despite projected completion dates well into FY 2019, we
are hopeful that OPM will be able to properly integrate the necessary information security
architecture as a part of this process.

NIST SP 800-53, Revision 4, defines an information security architecture as “An embedded,
integral part of the enterprise architecture that describes the structure and behavior for an
enterprise’s security processes, information security systems, personnel and organizational
subunits, showing their alignment with the enterprise’s mission and strategic plans.” It also
states that “The integration of information security requirements and associated security controls
into the organization’s enterprise architecture helps to ensure that security considerations are
addressed by organizations early in the system development life cycle and are directly and
explicitly related to the organization’s mission/business processes.”

Failure to have an enterprise architecture with an integrated information security architecture
increases the risks that the agency’s security processes, systems, and personnel are not aligned
with the agency mission and strategic plan.

Recommendation 12 (Rolled forward from 2017)

We recommend that OPM update its enterprise architecture to include the information security
architecture elements required by NIST and OMB guidance.

OPM Response:

“We concur with the recommendation. As stated in the report, a contract was awarded and
activities are in progress to develop the enterprise architecture. Despite projected completion
dates well into FY 19, we expect that OPM will properly integrate the necessary information
security architecture as a part of this process.”

Metric 7 – Risk Management Roles, Responsibilities, and Resources

FY 2018 Maturity Level: 2 – Defined. OPM has defined the necessary roles and responsibilities
of stakeholders in its risk management program. This includes outlining the role of the Risk
Management Council, and defining the responsibilities of information system owners,
information security staff, and authorizing officials. The Risk Management Council has created
an agency risk profile, but is not yet fulfilling all of the responsibilities of the risk executive
function required by NIST. Specifically, OPM does not have a documented risk strategy. In
addition, the resource limitations noted in Section B, Information Security Governance, also
negatively impact the risk management program, since the CISO organization plays a key role in
tracking IT risks at the system level.

NIST SP 800-39 lists the required responsibilities of the risk executive function, including to
“Develop and implement an organization-wide risk management strategy that guides and informs
organizational risk decisions . . .” and to “Provide oversight for the risk management activities
carried out by organizations to ensure consistent and effective risk-based decisions . . . .”

Without all of the elements of the risk executive function in place, there is an increased
likelihood that OPM’s risk management program will not fully identify agency risks or make
effective risk-based decisions for its resources and programs.

Recommendation 13 (Rolled forward from 2011)

We recommend that OPM continue to develop its Risk Executive Function to meet all of the
intended requirements outlined in NIST SP 800-39, Section 2.3.2 Risk Executive (Function).

OPM Response:

“We partially concur with the recommendation. As described under Recommendation 11,
OPM published a Cybersecurity Risk Management Strategy based on the requirements in
NIST SP 800-39 in September 2018. OPM also drafted an Enterprise Risk Management
Policy, Enterprise Risk Management Strategy, and an updated charter for the Risk
Management Council. OPM expects to finalize and operationalize these documents early in
the first quarter of FY 19. OPM does not concur that the resource limitations described in
Section B of the report will impact OPM’s ability to develop its Risk Executive Function since
those resource limitations are not a part of that function.”

OIG Comment:

We recognize that the Risk Executive Function has been established and stakeholders have been
defined and communicated across the organization, including the CISO organization. However,
stakeholders must have adequate resources (i.e., people, processes, and technology) to effectively
implement risk management activities. As noted in other areas throughout this report, the lack of
resources in the CISO organization affects the execution of risk management activities, such as
system level risk assessments, and Plans of Action and Milestones. The development of the Risk
Executive Function could benefit from CISO input as it shoulders a significant responsibility.

Metric 8 – Plan of Action and Milestones

FY 2018 Maturity Level: 2 – Defined. The Plan of Action and Milestones (POA&M) is a tool
used to track known weaknesses in information system controls and the corresponding
remediation efforts. Previous FISMA audits identified serious issues with the OPM POA&M
process, primarily related to system owners not meeting the self-assigned scheduled completion
dates for remediating weaknesses. As a part of the IT Modernization Spending Plan discussed in
Metric 6, OPM awarded a contract to develop a more effective process for implementing
corrective action related to outstanding POA&Ms and audit recommendations. This effort is
underway in connection with the contract to establish an Enterprise Project Management Office
(EPMO) at OPM.

While the additional funding has allowed OPM to begin the process of establishing an EPMO,
the longstanding lack of adequate security resources (See Section B, Information Security
Governance) continues to impact OPM’s ability to effectively manage its POA&Ms. POA&Ms
are required to contain information (e.g., POA&M status, remediation milestones, and planned
completion dates) necessary to allow OPM officials to monitor progress of remediation efforts.

However, as of August 1, 2018, over 81 percent of POA&Ms were more than 30 days overdue,
and over 68 percent were more than 120 days overdue. The process of tracking, updating, and
closing POA&Ms is key to understanding the changing level of risk that a system faces and how
that system affects the risks of the agency. Without up-to-date POA&M information the agency
cannot make effective risk-based decisions and efficiently allocate resources to address risks.

Over 68 percent of POA&Ms are more than 120 days overdue.

As discussed in Section B, we continue to believe that OPM’s failure to meet long-standing
FISMA metrics (such as the ones in this section related to POA&Ms) is indicative of a material
weakness in the agency’s information security governance structure.

Failure to remediate known weaknesses increases the risk that agency systems will be vulnerable
to attack.

Recommendation 14 (Rolled forward from 2016)

We recommend that OPM adhere to remediation dates for its POA&M weaknesses.

OPM Response:

“We concur with the recommendation. The OCIO will use several processes to remediate this
recommendation, including the new Enterprise Project Management Office (PMO),
centralized POA&M management tool updates to streamline management of the POA&Ms,
and quarterly performance management of POA&M processes.”

Recommendation 15 (Rolled forward from 2017)

We recommend that OPM update the remediation deadline in its POA&Ms when the control
weakness has not been addressed by the originally scheduled deadline (i.e., the POA&M
deadline should not reflect a date in the past, and the original due date should be maintained
to track the schedule variance).

OPM Response:

“We concur with the recommendation. The OCIO will utilize several processes to remediate
this recommendation, including the new EPMO, centralized POA&M management tool
updates to streamline management of the POA&Ms, and quarterly performance management
of POA&M processes.”
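The overdue figures reported above and the re-baselining practice in Recommendation 15 can be modelled directly. The following is an added example, not part of the OIG report or of OPM's own POA&M tooling; the POA&M identifiers, weaknesses, dates and the reschedule rule are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# Constructed reporting date, chosen to match the report's "as of August 1, 2018".
AS_OF = date(2018, 8, 1)


@dataclass
class Poam:
    """One Plan of Action and Milestones entry (a constructed subset of fields)."""
    poam_id: str
    weakness: str
    original_due: date          # fixed once set; never overwritten on reschedule
    scheduled_completion: date  # the live deadline; must not be left in the past
    status: str = "Open"        # "Open" or "Closed"
    milestones: List[str] = field(default_factory=list)

    def days_overdue(self, as_of: date = AS_OF) -> int:
        if self.status != "Open":
            return 0
        return max(0, (as_of - self.scheduled_completion).days)

    def schedule_variance_days(self) -> int:
        """Slip of the current deadline against the original commitment."""
        return (self.scheduled_completion - self.original_due).days


def overdue_stats(poams: List[Poam], as_of: date = AS_OF) -> Tuple[float, float]:
    """Percent of open POA&Ms more than 30 and more than 120 days overdue."""
    open_items = [p for p in poams if p.status == "Open"]
    if not open_items:
        return 0.0, 0.0
    over_30 = sum(1 for p in open_items if p.days_overdue(as_of) > 30)
    over_120 = sum(1 for p in open_items if p.days_overdue(as_of) > 120)
    n = len(open_items)
    return round(100.0 * over_30 / n, 1), round(100.0 * over_120 / n, 1)


def stale_deadlines(poams: List[Poam], as_of: date = AS_OF) -> List[str]:
    """Open POA&Ms whose scheduled date is already past: the state Recommendation 15 targets."""
    return [p.poam_id for p in poams
            if p.status == "Open" and p.scheduled_completion < as_of]


def rebaseline(poam: Poam, new_date: str, as_of: date = AS_OF, reason: str = "") -> int:
    """Move a slipped deadline into the future while keeping original_due, so the
    schedule variance stays visible. new_date is an ISO date string (YYYY-MM-DD).
    Returns the resulting variance in days."""
    target = date.fromisoformat(new_date)
    if target <= as_of:
        raise ValueError("a re-baselined completion date must lie in the future")
    if target < poam.scheduled_completion:
        raise ValueError("rebaseline only extends a slipped schedule")
    poam.milestones.append(f"{as_of.isoformat()}: deadline moved to {new_date} ({reason})")
    poam.scheduled_completion = target
    return poam.schedule_variance_days()


def build_sample() -> List[Poam]:
    """Constructed sample register; the percentages it yields are illustrative, not OPM's."""
    d = date.fromisoformat
    return [
        Poam("POAM-1", "Unsupported OS on legacy server", d("2018-01-15"), d("2018-01-15")),
        Poam("POAM-2", "Missing audit log review", d("2018-03-01"), d("2018-03-01")),
        Poam("POAM-3", "Weak TLS configuration", d("2018-06-15"), d("2018-06-15")),
        Poam("POAM-4", "Incomplete contingency plan", d("2018-09-30"), d("2018-09-30")),
        Poam("POAM-5", "Default credentials on appliance", d("2018-02-01"), d("2018-02-01"),
             status="Closed"),
    ]


if __name__ == "__main__":
    register = build_sample()
    print("overdue >30d / >120d (%):", overdue_stats(register))
    print("deadlines in the past:", stale_deadlines(register))
    slipped = next(p for p in register if p.poam_id == "POAM-3")
    print("variance after rebaseline (days):",
          rebaseline(slipped, "2018-09-15", reason="vendor patch delayed"))
    print("deadlines in the past:", stale_deadlines(register))
```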

Metric 9 – System Level Risk Assessments

FY 2018 Maturity Level: 2 – Defined. OPM has defined the policies and procedures for
conducting risk assessments for individual information systems. OPM policy requires that each
system be routinely assessed for risk as part of the Authorization process. Of the 23 system
Authorization packages requested this fiscal year, complete risk assessments were not provided
for 11, and widespread issues were noted with the security controls testing and/or the
corresponding risk assessment. We found instances where not all of the applicable security
controls were independently tested and instances where not all of the identified control
weaknesses were included in the system risk assessments. Controls testing and risk assessments
are a key part of the Authorization process, and the problems we found indicate that Authorizing
Officials may not have all of the necessary risk information when granting an Authorization.

OPM policy requires, “All controls selected by the system . . . are assessed” and that “an
assessment of the risk to the system for each weakness is performed . . . .”

Failure to assess all system controls and system risks increases the possibility that weaknesses
will not be identified in the system controls.

Recommendation 16 (Rolled forward from 2017)

We recommend that OPM complete risk assessments for each major information system that are
compliant with NIST guidelines and OPM policy. The results of a complete and comprehensive
test of security controls should be incorporated into each risk assessment.

OPM Response:

“We concur with this recommendation. Supported by agency leadership, the OCIO has
committed to providing the resources and staffing to properly enforce compliance through
ISSOs and the development of an independent assessment team of contractors. The
independent assessment team has begun efforts to conduct risk assessments in a consistent
manner.”

Metric 10 – Risk Communication

FY 2018 Maturity Level: 3 – Consistently Implemented. The timely communication of risk
information is critical to an effective risk management process. OPM has implemented policies
and procedures to communicate information about risks across the agency and externally as
required. This communication is integrated into the Authorization, vulnerability management,
and continuous monitoring processes. As OPM continues to improve these processes, the timely
communication of risk information will continue to play a critical role in working to protect
OPM’s systems and infrastructure.

Metric 11 – Contracting Clauses 


FY 2018 Maturity Level: 3 – Consistently Implemented. OPM policy mandates the use of
specific contracting language and service level agreements to ensure contractors meet both
Federal and OPM standards. This language includes information privacy and security
requirements, such as protection, detection, and reporting of information. This ensures that
contractor systems and services are implementing required controls, and that OPM receives the
information it needs to monitor and assess any risks. For both internal and external systems,
OPM uses the same process to evaluate that controls are working properly and effectively to
reduce risk.

Metric 12 – Centralized Enterprise-wide Risk Tool

FY 2018 Maturity Level: 1 – Ad-hoc. OPM does not have a centralized system or tool to view
enterprise-wide risk information. The Risk Management Council has the responsibility of
understanding and determining risk at the agency level, but this will be a monumental task and
highly inefficient without centralized storage of agency-wide risk information. OPM has begun
the preliminary effort to define the system requirements by documenting high-level system
mandates (i.e., the Federal and agency requirements for security and processing standards).
However, more work is still needed to define the system-level business and technical
requirements necessary prior to any system development or acquisition to ensure the needs of the
agency are met.

NIST SP 800-39 gives four responsibilities to the risk executive function that would require an
agency-wide view of risk:

• “Manage threat and vulnerability information with regard to organizational information
  systems and the environments in which the systems operate”;

• “Establish organization-wide forums to consider all types and sources of risk (including
  aggregated risk)”;

• “Determine organizational risk based on the aggregated risk from the operation and use of
  information systems and the respective environments of operation”; and

• “Develop a greater understanding of risk with regard to the strategic view of organizations
  and their integrated operations . . . .”

Failure to implement an automated enterprise risk management tool increases the risk that
information is not captured, current, and/or not being assessed in aggregate.

Recommendation 17 (Rolled forward from 2017)

We recommend that OPM identify and define the requirements for an automated enterprise-wide
solution for tracking risks, remediation efforts, dependencies, risk scores, and management
dashboards, and implement the automated enterprise-wide solution.

OPM Response:

“We partially concur with the recommendation. OPM recognizes the need for tracking risks
to OPM and OPM systems as defined in the OPM Risk Management Strategy; however, no
federal requirements define the requirement for an automated centralized tool for tracking
such risks. Additionally, OPM believes this recommendation may intrude on its discretion to
allocate and manage resources in this area. Nonetheless, OPM exercised its broad discretion
under FISMA to develop requirements for an automated enterprise-wide solution and will
continue to leverage appropriate tools to document and manage risk related to OPM IT
systems.”

OIG Comment:

Metric 12 in the FY 2018 Inspector General FISMA Reporting Metrics specifically addresses the
extent to which agencies utilize technology for tracking enterprise-wide risk. In order for OPM
to move to the defined maturity level it must identify its requirements for an automated solution
that provides a centralized, enterprise-wide view of risks across the organization, including risk
control and remediation activities, dependencies, risk scores/levels, and management dashboards.

We agree that OPM should have broad discretion in identifying an automated enterprise-wide
solution that meets the agency’s specific needs. However, our recommendation for OPM to
develop requirements and implement a solution is consistent with the Maturity Level
Descriptions. As previously stated, we do not agree that making recommendations to promote
economy and efficiency in the agency’s programs and operations related to the allocation of
resources or the use of specific tools “intrudes” on the agency’s discretion. The idea that certain
areas of a Federal department or agency would be “out of bounds” for a Federal Office of
Inspector General to review and recommend corrective action runs counter to the spirit and letter
of the IG Act and its various amendments.

Metric 13 – Risk Management Other Information - System Development Life Cycle 


OPM’s System Development Life Cycle (SDLC) policy was last updated in 2013 and to date is
still not actively enforced for all IT projects. As noted in the FY 2017 OIG FISMA audit report,
OPM’s long history of troubled system development projects further emphasizes the need for
OPM to develop a plan to enforce its SDLC policy. The OCIO’s response to the FY 2017 audit
recommendation discussed updating the SDLC policy prior to agency-wide distribution and
enforcement. However, we were informed this year that the policy update has been put on hold
due to organizational changes in the OCIO. The establishment of OPM’s Enterprise Project
Management Office (discussed in Metric 8) should allow the agency to provide better
consistency across its system development projects once finalized SDLC policies and procedures
are enacted.

The Federal Information System Controls Audit Manual guidance states that “The SDLC should
provide a structured approach for identifying and documenting needed changes to computerized
operations; assessing the costs and benefits of various options, including the feasibility of using
off-the-shelf software; and designing, developing, testing, and approving new systems and
system modifications.”

Despite a long history of troubled system development projects, OPM still does not consistently
enforce a comprehensive SDLC.

The lack of an effective SDLC methodology increases the risk that OPM will waste resources on
system development projects that will not meet the needs and/or requirements of the agency. It
also increases the likelihood that adequate IT security controls are not built into a new system
during the development process, resulting in a potentially insecure system.

Recommendation 18 (Rolled forward from 2013)

We continue to recommend that the OCIO develop a plan and timeline to enforce the new SDLC
policy on all of OPM’s system development projects.

OPM Response:

“We concur with the recommendation. OPM recognizes the need to enforce its SDLC policy
on all IT projects. As referenced by the OIG for this metric, OPM is establishing a new
EPMO that will address this recommendation.”

E. CONFIGURATION MANAGEMENT

Configuration Management (CM) controls allow an organization to establish information system
configuration baselines, processes for securely managing changes to configurable settings, and
procedures for monitoring system software. OPM did not improve its CM program in FY 2018.
Furthermore, we have identified additional areas for improvement in this domain. The sections
below detail the results for each individual metric in this domain. OPM’s overall maturity
level for the Configuration Management domain is “2 – Defined.”

Metric 14 – Configuration Management Roles, Responsibilities, and Resources

FY 2018 Maturity Level: 2 – Defined. OPM has policies and procedures in place defining CM
stakeholders and their roles and responsibilities. However, OPM has indicated that it does not
currently have adequate resources (people, processes, and technology) to effectively manage its
CM program. The resource constraints discussed in Section B and the inventory management
and architecture issues discussed in Section C are two impediments to a successful CM program.

NIST SP 800-128 states that “For organizations with varied and complex enterprise architecture,
implementing [CM] in a consistent and uniform manner across the organization requires
organization-wide coordination of resources.”

Without adequate resources to manage CM operations, there is an increased risk of improperly
configured devices on the network, and an increased threat of malicious attacks.

Recommendation 19 (Rolled forward from FY 2017)

We recommend that OPM perform a gap analysis to determine the configuration management
resource requirements (people, processes, and technology) necessary to effectively implement
the agency’s CM program.

OPM Response:

“We concur with the recommendation. As referenced by the OIG, OPM has already dedicated
resources to establishing a new EPMO. Defining the resource requirements to effectively
implement the configuration management program is one of the objectives of the effort.”

Metric 15 – Configuration Management Plan 


FY 2018 Maturity Level: 2 – Defined. OPM has developed a CM plan that outlines CM-related
roles and responsibilities, establishes a change control board, and defines processes for
implementing configuration changes. Additionally, OPM has established a process to document
any lessons learned as a result of configuration changes, the overall change control process, and
flaw remediation. However, while the agency does document lessons learned from its
configuration change control process, it does not currently use these lessons to update and
improve its configuration management plan as necessary.

NIST SP 800-128 states that “An information system is composed of many components . . . .
How these system components are networked, configured, and managed is critical in providing
adequate information security and supporting an organization’s risk management process.”

Recommendation 20 (Rolled forward from 2017)

We recommend that OPM document the lessons learned from its configuration management
activities and update its configuration management plan as appropriate.

OPM Response:

“We do not concur with this recommendation. OPM is in the process of establishing a new
EPMO that will significantly modify its configuration management practices and create new
planning tools. Given the transformation already underway in this area that will incorporate
best practices based on lessons learned and other factors, OPM does not agree that this
recommendation is timely or appropriate.”

OIG Comment:

We support OPM’s effort in developing new configuration management practices and creating
new planning tools in an attempt to address this recommendation from last year. Once
completed, please provide the appropriate and adequate evidence to OPM’s Internal Oversight
and Compliance office to support closure of this recommendation.

Metric 16 – Implementation of Policies and Procedures

FY 2018 Maturity Level: 2 – Defined. OPM has defined organization-wide CM policies and
procedures, but has not consistently implemented many of the controls outlined in these policies,
such as:

• Establishing and maintaining baseline configurations and inventories of information systems;

• Routinely verifying that information systems are actually configured in accordance with
  baseline configurations; and

• Conducting routine vulnerability scans on all information systems and remediating any
  vulnerabilities identified from the scan results in a timely manner.

Further details regarding these weaknesses are discussed with Metrics 17, 18, and 19, below.

Metric 17 – Baseline Configurations

FY 2018 Maturity Level: 1 – Ad-hoc. OPM has not developed a baseline configuration for all of
its information systems. NIST SP 800-53, Revision 4, states that “Baseline configurations are
documented, formally reviewed and agreed-upon sets of specifications for information systems.
Baseline configurations serve as a basis for future builds, releases, and/or changes to information
systems. Baseline configurations include information about information system components
(e.g., standard software packages installed on workstations, notebook computers, servers,
network components, or mobile devices; current version numbers and patch information on
operating systems and applications; and configuration settings/parameters), network topology,
and the logical placement of those components within the system architecture.”

OPM routinely runs automated compliance scans on its information systems to ensure that no
system configurations are modified outside of the approved change control process. However,
OPM does not currently run baseline configuration checks to verify that information systems are
in compliance with pre-established baseline configurations, as they have yet to be developed.
NIST SP 800-53, Revision 4, requires that an organization “develops, documents, [and]
maintains under configuration control, a current baseline configuration of the information
system.”

Failure to document a baseline configuration increases the risk that devices within the network
are not configured in accordance with agency policies and leaves them vulnerable to malicious
attacks that exploit those misconfigurations.

Recommendation 21 (Rolled forward from 2017)

We recommend that OPM develop and implement a baseline configuration for all information
systems in use by OPM.

OPM Response:

“We concur with the recommendation. OPM is establishing a new EPMO that will address
this recommendation.”

Recommendation 22 (Rolled forward from 2017)

We recommend that the OCIO conduct routine compliance scans against established baseline
configurations for all OPM information systems. This recommendation cannot be addressed
until Recommendation 21 has been implemented.

OPM Response:

“We concur with this recommendation. OPM is establishing a new EPMO that will address
this recommendation.”

Metric 18 – Security Configuration Settings

FY 2018 Maturity Level: 1 – Ad-Hoc. DHS makes the distinction between implementing
baseline configurations and implementing standard security configuration settings (see Metrics
17 - 18).

NIST SP 800-53, Revision 4, defines configuration settings as “the set of parameters that can be
changed in hardware, software, or firmware components of the information system that affect the
security posture and/or functionality of the system.” It also states that “Security-related
parameters are those parameters impacting the security state of information systems including
the parameters required to satisfy other security control requirements. Security-related
parameters include, for example: (i) registry settings; (ii) account, file, directory permission
settings; and (iii) settings for functions, ports, protocols, services, and remote connections.”

While OPM has workstation and server build images that leverage common best-practice
configuration setting standards, it has yet to document and approve standard security
configuration settings for all of its operating platforms, or any business-required deviations
from those configuration standards.

NIST SP 800-53, Revision 4, requires that the organization “Establishes and documents
configuration settings for information technology products employed within the information
system . . . that reflect the most restrictive mode consistent with operational requirements . . . .”

Failure to document standard configuration settings for all information systems increases the risk
of insecurely configured systems.

Furthermore, without formally documented and approved configuration settings, OPM cannot
consistently run automated scans to verify that information systems maintain compliance with
the pre-established configuration settings. Security configuration setting scans can be configured
to automatically check the current status of the various system parameters outlined above in the
NIST definition of configuration settings. Automated compliance scanning ensures that the
configuration is not changed after initial implementation of security settings, which is a vital step
to maintain a secure environment.

Recommendation 23 (Rolled forward from FY 2014)

We recommend that the OCIO develop and implement [standard security configuration settings]
for all operating platforms in use by OPM.

OPM Response:

“We concur with the recommendation. OPM plans to expand and implement standard
security configurations for all servers and databases.”

Recommendation 24 (Rolled forward from FY 2014)

We recommend that the OCIO conduct routine compliance scans against [the standard security
configuration settings] for all servers and databases in use by OPM. This recommendation
cannot be addressed until Recommendation 23 has been completed.

OPM Response:

“We do not concur with the recommendation. The OCIO is currently conducting scans of
OPM servers and databases. OCIO will continue the practice for any new security standards
that we introduce or implement. The practice that OPM currently has in place is working
appropriately and is consistent with security standards.”




OIG Comment:

As noted in Metric 18, OPM does not have documented standard security configuration settings
for its operating platforms and databases deployed in its technical environment. Without
approved security configuration standards, OPM cannot effectively scan its system’s security
settings for deviations or unauthorized changes (i.e., there are no approved settings to which to
compare the actual settings). Recommendations 23 and 24 have been open since FY 2014
because adequate and appropriate evidence has not been provided to OPM’s Internal Oversight
and Compliance office to support their closure. If the OCIO has addressed these
recommendations, it should provide supporting documentation.

Recommendation 25 (Rolled forward from FY 2016)

For OPM configuration standards that are based on a pre-existing generic standard, we
recommend that OPM document all instances where the OPM-specific standard deviates from
the recommended configuration setting.

OPM Response:

“We concur with the recommendation. Increased ISSO resources will allow for expanded
documentation and approval of deviations.”
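
The comparison that Metrics 17 and 18 and Recommendations 21 through 25 describe can be made concrete. The following is an added illustration, not part of the OIG report and not OPM's own tooling: a host's observed settings are checked against an approved baseline, and a separate register of approved, business-required deviations (the artefact Recommendation 25 asks for) lets a documented deviation be reported as such rather than as unauthorized drift. Every baseline value, host name, snapshot and the ticket reference below is constructed for illustration.

```python
"""Added example (not from the OIG report or OPM): checking host settings
against an approved security configuration baseline while honouring a
register of documented, approved deviations.  Every baseline value, host
name, snapshot and ticket reference here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed approved baseline: setting -> required value, chosen as the
# "most restrictive mode consistent with operational requirements".
APPROVED_BASELINE: Dict[str, str] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "password.MinimumLength": "15",
    "audit.Enabled": "yes",
    "telnet.Service": "disabled",
}

# Constructed deviation register: host -> setting -> approved value plus a
# written justification (ticket reference is a placeholder).
APPROVED_DEVIATIONS = {
    "legacy-batch-01": {
        "ssh.PasswordAuthentication": {
            "value": "yes",
            "justification": "DEVIATION-TICKET-PLACEHOLDER: vendor batch "
                             "job cannot use key-based authentication",
        }
    }
}

# Constructed snapshots of what a compliance scan actually observed per host.
HOST_SNAPSHOTS = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "password.MinimumLength": "15",
        "audit.Enabled": "yes",
        "telnet.Service": "disabled",
    },
    "legacy-batch-01": {
        "ssh.PermitRootLogin": "yes",          # drift: not an approved deviation
        "ssh.PasswordAuthentication": "yes",   # matches the approved deviation
        "password.MinimumLength": "15",
        "audit.Enabled": "yes",
        # telnet.Service absent: the scan could not read this setting
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: Optional[str]
    status: str  # compliant | approved_deviation | noncompliant | not_reported


def check_host(host, actual, baseline=APPROVED_BASELINE,
               deviations=APPROVED_DEVIATIONS) -> List[Finding]:
    """Compare one host's observed settings against the approved baseline."""
    if not baseline:
        # With no approved baseline there is nothing to compare against,
        # which is exactly the gap Metrics 17 and 18 describe.
        raise ValueError("no approved baseline: nothing to compare against")
    host_deviations = deviations.get(host, {})
    findings = []
    for setting, required in baseline.items():
        observed = actual.get(setting)
        if observed is None:
            status = "not_reported"
        elif observed == required:
            status = "compliant"
        elif (setting in host_deviations
              and observed == host_deviations[setting]["value"]):
            status = "approved_deviation"
        else:
            status = "noncompliant"
        findings.append(Finding(host, setting, required, observed, status))
    return findings


def summarize(snapshots, baseline=APPROVED_BASELINE,
              deviations=APPROVED_DEVIATIONS) -> Dict[str, Dict[str, int]]:
    """Per-host counts by status, the figure a compliance report would carry."""
    summary = {}
    for host, actual in snapshots.items():
        counts = {"compliant": 0, "approved_deviation": 0,
                  "noncompliant": 0, "not_reported": 0}
        for finding in check_host(host, actual, baseline, deviations):
            counts[finding.status] += 1
        summary[host] = counts
    return summary


if __name__ == "__main__":
    for host, counts in summarize(HOST_SNAPSHOTS).items():
        print(host, counts)
```

A setting the scanner could not read is reported separately from a deviation, so coverage gaps are not silently counted as compliant. With an empty baseline the check refuses to run at all, which is the situation the OIG comment on Recommendations 23 and 24 describes: there are no approved settings to which to compare the actual settings.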

Metric 19 – Flaw Remediation and Patch Management

FY 2018 Maturity Level: 2 – Defined. OPM routinely performs automated vulnerability and
patch compliance scans on its systems. While OPM’s vulnerability scanning program has
improved over the last year, our audit test work indicated that several problems still exist.

Specifically, OPM’s scanning tool was unable to successfully scan certain devices within OPM’s
internal network. In addition, the results of our independent vulnerability scans indicate that
OPM’s production environment contains many instances of unsupported software and operating
platforms. In other words, the software vendor no longer provides patches, security fixes, or
updates for the software. As a result, there is an increased risk that OPM’s technical
environment contains known vulnerabilities that will never be patched, and could be exploited to
allow unauthorized access to sensitive data.




The agency’s flaw remediation process could also be improved. OPM currently distributes
system specific vulnerability scan results to the various system owners so that they can
remediate the weaknesses identified in the scans. Formal POA&M entries are created for
weaknesses that require significant time to remediate. However, OPM does not have a process
to record or track the remediation status for other routine security weaknesses identified
during vulnerability scans.

NIST SP 800-53, Revision 4, states that the organization “Scans for vulnerabilities in the
information system and hosted applications . . .” and that the organization “identifies, reports,
corrects information system flaws . . .” and “installs security-relevant software and firmware
updates . . . .”

Additionally, during our vulnerability and compliance testing, we found multiple scenarios
where administrator credentials in OPM’s password repository failed to authenticate. This issue
indicates that the agency does not have an adequate process to manage credentials for its
administrator accounts used for scanning. Also, we determined that not every device on OPM’s
network is scanned routinely, nor is there a formal process in place to ensure that all new devices
on the agency’s network are included in the scanning process.

NIST SP 800-53, Revision 4, states that “Specific actions that can be taken to safeguard
authenticators include, for example, maintaining possession of individual authenticators . . . .”
Furthermore, NIST SP 800-53, Revision 4, states that the organization should implement
privileged access authorization for vulnerability scanning activities. “Privileged access
authorization to selected system components facilitates more thorough vulnerability scanning
and also protects the sensitive nature of such scanning.”

Without a formal process to provision credentials, identify new servers, and scan and track
known vulnerabilities, there is a significantly increased risk that systems will indefinitely remain
susceptible to attack.

Recommendation 26

We recommend that the OCIO implement a process to ensure new server installations are
included in the scan repository.




OPM Response:

“We concur with this recommendation. Projects involving changes to the environment that
include new server installations should not be considered complete until this action is
completed. We have identified security actions that should be completed, based on types of
changes that are made, that will be integrated into the change control process.”

Recommendation 27

We recommend that the OCIO implement a process for updating and maintaining credentials for
its scanning accounts.

OPM Response:

“We do not concur with this recommendation because OCIO has already implemented a
process for updating and maintaining credentials for its scanning accounts and provided
information to reflect that implementation to the OIG in May 2018. Implementation occurred
immediately following the conclusion of the prior year FISMA audit in response to the
issuance of Recommendation 23 from the OIG Report 4A-CI-00-17-020.”

OIG Comment:

During the course of our audit, we found significant weaknesses in the OCIO’s management of
scanning credentials. As noted in Metric 19, there were multiple instances during our scanning
exercise in July 2018 where credentials failed to properly authenticate. After the scanning
exercise, we requested additional information surrounding the management of scanning
credentials. OPM’s response indicated that changes to vendor contracts and its infrastructure
would improve the process. While this may be true in the future, our audit clearly demonstrated
that the current process for managing credentials is not effective. The recommendation cited in
OPM’s response is focused on OPM scanning all network devices and its closure would not
necessarily address the issues that we have identified.

Recommendation 28 (Rolled forward from FY 2014)

We recommend that the OCIO implement a process to ensure routine vulnerability scanning is
conducted on all network devices documented within the inventory.




OPM Response:

“We do not concur with this recommendation. As described under our response to
Recommendation 27, OPM implemented a process for updating and maintaining credentials
for its scanning accounts and provided information to reflect that implementation to the OIG
in May 2018. Implementation occurred immediately following the conclusion of the prior year
FISMA audit in response to the issuance of Recommendation 23 from the OIG Report
4A-CI-00-17-020.”

OIG Comment:

Ensuring all devices on OPM’s network are routinely scanned has been an ongoing issue. Again
this year, our scanning exercise identified a number of network devices that are not subject to
routine credentialed vulnerability scanning. Recommendation 28 is not the same as
Recommendation 27 and the process needed to address this one would be very different from
one that is used to address the credential management issue. During this audit, our review of the
vulnerability scanning process did not reveal any significant changes that would address this
recommendation. Additionally, OPM’s Internal Oversight and Compliance office has not
received evidence for consideration related to OIG Report No. 4A-CI-00-17-020, OPM's
Compliance with Federal Information Security Modernization Act (FISMA) FY 2017, issued
October 27, 2017.

Recommendation 29 (Rolled forward from FY 2016)

We recommend that the OCIO implement a process to ensure that only supported software and
operating platforms are used within the network environment.

OPM Response:

“We partially concur with the recommendation. OPM understands we have unsupported
software and operating systems; however, risk assessments and mitigating controls have been
implemented by the agency so that detected vulnerabilities cannot be exploited. Additionally,
projects are underway to remove unsupported software and systems from the network.”




OIG Comment:

We do not agree that OPM’s risk assessments and mitigating controls are enough to compensate
for the risk of malicious exploitation of unsupported software and operating systems currently in
OPM’s production environment. We continue to find issues with OPM’s system level risk
assessments as discussed in Metric 9. Furthermore, OPM does not clarify the compensating
controls that are in place to reduce the risk of unsupported software.

As mentioned in Metric 19, the software vendor no longer provides patches, security fixes, or
updates for the software. As a result, there is an increased risk that OPM’s technical
environment contains known vulnerabilities that will never be patched, and could be exploited to
allow unauthorized access to sensitive data.

Recommendation 30 (Rolled forward from FY 2014)

We recommend that the OCIO implement a process to centrally track the current status of
security weaknesses identified during vulnerability scans to remediation or risk acceptance.

OPM Response:

“We do not concur with the recommendation because OPM has already implemented this type
of process. The OIG states in the report that OPM does not have a process to record or track
the remediation status for other routine security weaknesses identified during vulnerability
scans. However, in February 2018, OPM developed a process for tracking the remediation
status of weaknesses identified during vulnerability scans in response to the prior year audit.
OPM intends to use this process until the DHS CDM program delivers automated data feeds to
OPM's tracking repository.”

OIG Comment:

OPM’s Internal Oversight and Compliance office has not received evidence for consideration
related to Recommendation 30 in the prior year’s FISMA audit. OPM’s response to our follow-
up from the prior year’s audit indicated that the implementation of this recommendation would
not be completed until June 30, 2018. We have not seen evidence that implementation of this
recommendation has been completed.
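
The gaps described under Metric 19 and Recommendations 26, 28, 29 and 30 above are all reconciliation problems: devices missing from the scan repository, scan credentials that fail to authenticate, unsupported software that no patch will ever fix, and no central record of what happened to each finding. The following added example, not from the OIG report and not OPM's process, reconciles a constructed device inventory against constructed scan exports and keeps a central register that carries every finding to remediation or documented risk acceptance. The inventory, scan result layout, host names, dates and remediation targets are all assumptions made for illustration, not any scanner's real export format.

```python
"""Added example (not from the OIG report or OPM): reconciling the device
inventory against vulnerability-scan output and tracking every finding to
remediation or risk acceptance.  Inventory, scan exports, dates and
remediation targets are constructed; the result field names are an
assumed layout, not any scanner's real export format.
"""
from datetime import date

# Constructed authoritative device inventory.
INVENTORY = ["web-01", "db-01", "legacy-batch-01", "new-srv-07"]

# Constructed remediation targets in days, by severity.
REMEDIATION_TARGET_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scan exports.  "authenticated" records whether the scanner's
# credential worked; "unsupported" flags software the vendor no longer patches.
SCAN_JULY = {
    "web-01": {"authenticated": True,
               "findings": [{"id": "F-1", "severity": "high", "unsupported": False}]},
    "db-01": {"authenticated": False, "findings": []},   # credential failed
    "legacy-batch-01": {"authenticated": True,
                        "findings": [{"id": "F-2", "severity": "critical",
                                      "unsupported": True}]},
    # new-srv-07 is absent: it was never added to the scan repository
}
SCAN_AUGUST = {
    "web-01": {"authenticated": True, "findings": []},   # F-1 no longer detected
    "db-01": {"authenticated": False, "findings": []},
    "legacy-batch-01": {"authenticated": True,
                        "findings": [{"id": "F-2", "severity": "critical",
                                      "unsupported": True}]},
}


def coverage_report(inventory, results):
    """Which inventoried devices the scan did not actually cover."""
    return {
        "not_scanned": sorted(h for h in inventory if h not in results),
        "credential_failed": sorted(h for h, r in results.items()
                                    if not r["authenticated"]),
        "not_in_inventory": sorted(h for h in results if h not in inventory),
    }


def ingest_scan(register, scan_date_iso, results):
    """Update the central finding register from one scan export."""
    scan_date = date.fromisoformat(scan_date_iso)
    for host, result in results.items():
        if not result["authenticated"]:
            continue  # an unauthenticated scan proves nothing about this host
        seen = set()
        for f in result["findings"]:
            key = (host, f["id"])
            seen.add(key)
            record = register.get(key)
            if record is None:
                register[key] = {"first_seen": scan_date, "last_seen": scan_date,
                                 "severity": f["severity"],
                                 "unsupported": f["unsupported"], "status": "open"}
            else:
                record["last_seen"] = scan_date
        # Open findings that an authenticated rescan no longer reports are
        # closed as remediated, recording the date of the confirming scan.
        for key, record in register.items():
            if key[0] == host and key not in seen and record["status"] == "open":
                record["status"] = "remediated"
                record["closed_on"] = scan_date
    return register


def accept_risk(register, key, justification):
    """Close a finding by documented risk acceptance rather than remediation."""
    register[key]["status"] = "risk_accepted"
    register[key]["justification"] = justification


def overdue(register, today_iso):
    """Open findings past their remediation target.  Unsupported software can
    never be patched, so it stays here until it is removed or risk-accepted."""
    today = date.fromisoformat(today_iso)
    return sorted(
        key for key, r in register.items()
        if r["status"] == "open"
        and (today - r["first_seen"]).days > REMEDIATION_TARGET_DAYS[r["severity"]]
    )


def run_example():
    """Ingest the two constructed scans in order and return the register."""
    register = {}
    ingest_scan(register, "2018-07-01", SCAN_JULY)
    ingest_scan(register, "2018-08-01", SCAN_AUGUST)
    return register


if __name__ == "__main__":
    print(coverage_report(INVENTORY, SCAN_JULY))
    print("overdue:", overdue(run_example(), "2018-08-01"))
```

Two design points matter here. A host whose credential failed is skipped entirely when updating the register, so a finding is never closed merely because an unauthenticated scan could not see it; that is why failed scanning credentials (Recommendation 27) and coverage (Recommendations 26 and 28) have to be reported alongside the finding status. And a finding on unsupported software stays open and overdue indefinitely unless it is closed by a documented risk acceptance, mirroring the OIG's point that such weaknesses will never be patched.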




Recommendation 31 (Rolled forward from FY 2014)

We recommend that the OCIO implement a process to apply operating system and third party
vendor patches in a timely manner.

OPM Response:

“We partially concur with the recommendation. The agency has a process for patch
management to help ensure timely deployment of patches and has seen significant
improvements in timeliness and an ability to routinize patch deployments over the past year.
OCIO expects further improvements in timeliness over the upcoming year and will utilize
enterprise change management processes. This change management process will include
submissions of evidence supporting adherence to the processes. In the short term, a patch
management tiger team plan is in draft form.”

OIG Comment:

We fully support the OCIO’s efforts in improving its patch management process. Please provide
evidence to OPM’s Internal Oversight and Compliance office when this patch management
process is fully implemented.

Metric 20 – Trusted Internet Connection Program

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has defined and implemented
controls to monitor and manage its approved trusted internet connections. This has allowed
OPM to meet OMB requirements related to the trusted internet connections initiative. Any
improvements that need to be made to the agency’s current trusted internet connections
controls are documented within the organization’s POA&M.

Metric 21 – Configuration Change Control Management

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has developed and documented
policies and procedures for controlling configuration changes. The policies address the
necessary change control steps and required documentation needed to approve information
system changes. Our test work indicated that OPM has updated its configuration change control
process to include project plans and additional reviews and approvals and is consistently
adhering to its change control procedures.

Metric 22 – Configuration Management Other Information

There are no additional comments regarding configuration management.
F. IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT

The Federal Identity, Credential, and Access Management (FICAM) program is a
government-wide effort to help Federal agencies provision access to systems and facilities for
the right person, at the right time, for the right reason. While OPM still has work ahead in this
area, it has successfully implemented many Identity, Credential, and Access Management
(ICAM) related security controls. The sections below detail the results for each individual
metric in this domain. OPM’s overall maturity level for the Identity, Credential, and Access
Management domain is “3 – Consistently Implemented.”

Metric 23 – ICAM Roles, Responsibilities, and Resources

FY 2018 Maturity Level: 2 – Defined. OPM maintains policies and procedures that outline its
agency-wide system account and identity management program roles and responsibilities. This
includes procedures for creating user accounts with the appropriate level of access and
procedures for removing access for terminated employees. However, as discussed in the
Information Security Governance section of this report (see Section B), the OCIO has lost
multiple key personnel in FY 2018 and has many vacant ISSO positions. As such, OPM does
not have adequate resources (people, processes, and technology) in place to fully implement
ICAM controls.

FICAM Roadmap Implementation Guidance states that “As part of the [Logical Access Control
Systems] modernization planning effort, agencies should evaluate their logical access policies
and identify potential gaps where revisions, updates, and new policies and/or standards are
needed to drive the process and underlying technology changes . . . .” The guidance also states
that “an agency should assess its organizational structure, identity stores/repositories, access
control processes, and IT resources when planning new or modifying existing [Logical Access
Control Systems] investments.”

Failure to identify the necessary resources required to maintain and progress OPM’s ICAM
program increases the chances the agency will experience lapses in optimizing its ICAM
strategy.




Recommendation 32 (Rolled forward from FY 2017)

We recommend that OPM conduct an analysis to identify limitations in the current ICAM
program in order to ensure that stakeholders have adequate resources (people, processes, and
technology) to implement the agency’s ICAM activities.

OPM Response:

“We partially concur with this recommendation. The agency does not consider ICAM to be a
distinct program, though it could potentially be deemed a service area under the Security
Operations Center Monitoring and Analysis team. The agency has initial plans on how to
address this recommendation that can be incorporated as part of a long term strategy.

Further, the OIG references the loss of ISSOs as a reason for the lack of implementation of
ICAM controls but does not explain the connection it has made between ISSO resourcing and
the perceived limitations in the ICAM program. It is difficult for OPM to assess its response
to this recommendation without further information.”

OIG Comment:

Whether ICAM is treated as a distinct program or a service area under the Security Operations
Center Monitoring and Analysis team, the intent and principles of ICAM need to be adequately
addressed. OPM should evaluate if it has adequate resources necessary to design and implement
its ICAM activities as intended.

Section B references loss of key personnel, including ISSOs. According to OPM’s Access
Control policy, ISSOs perform an important role related to account management and access
monitoring; therefore, lack of resources would impact OPM’s ability to follow through in the
execution of ICAM activities.

Metric 24 – ICAM Strategy

FY 2018 Maturity Level: 1 – Ad Hoc. OPM has not developed an ICAM strategy that includes a
review of current practices (“as-is” assessment), identification of gaps (from a desired or “to-be”
state), and a transition plan.

According to FICAM Roadmap Implementation Guidance, “Agencies are to align their relevant
segment and solution architectures to the common framework defined in the government-wide
ICAM segment architecture. Alignment activities include a review of current business practices,

identification of gaps in the architecture, and development of a transition plan to fill the
identified gaps. The ICAM segment architecture has been adopted as an approved segment
within the [Federal Enterprise Architecture], which agencies are required to implement.”

The lack of an ICAM strategy that includes a review of current practices, identification of gaps,
and a transition plan can prevent OPM from ensuring the success of its ICAM initiatives.
Although OPM has successfully implemented many ICAM-related controls, the development of
a comprehensive ICAM strategy will ensure the ongoing success of the agency’s ICAM
program.

Recommendation 33 (Rolled forward from FY 2017)

We recommend that OPM develop and implement an ICAM strategy that considers a review of
current practices (“as-is” assessment) and the identification of gaps (from a desired or “to-be”
state), and contains milestones for how the agency plans to align with Federal ICAM initiatives.

OPM Response:

“We partially concur with this recommendation. The agency does not consider ICAM to be a
distinct program though it could potentially be deemed a service area under the Security
Operations Center Monitoring and Analysis team. The agency has initial plans on how to
address this recommendation that can be incorporated as part of a long term strategy.”

OIG Comment:

We support OPM’s efforts in developing a long term ICAM strategy. Whether ICAM is treated
as a distinct program or a service area under the Security Operations Center Monitoring and
Analysis team, the intent and principles of ICAM need to be adequately addressed and executed.

Metric 25 – Implementation of an ICAM Program

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has consistently implemented
many of the required elements of a comprehensive ICAM program (see Metrics 26 - 31).
However, OPM has not implemented Personal Identity Verification (PIV) authentication at the
application level (see Metric 28), and does not adequately manage contractor accounts (see
Metric 32). Furthermore, OPM policies do not address the capturing and sharing of lessons
learned on the effectiveness of the agency’s ICAM program.




According to the FICAM Roadmap Implementation Guidance, “Working groups are also used as
a forum for sharing implementation lessons learned across bureaus/components or individual
programs in order to reduce overall ICAM program risk and increase speed and efficiency in
implementation.”

An inability to consistently capture and share lessons learned on the effectiveness of an ICAM
program will decrease the speed and efficiency with which it is implemented.

Recommendation 34 (Rolled forward from FY 2017)

We recommend that OPM implement a process to capture and share lessons learned on the
effectiveness of its ICAM policies, procedures, and processes to update the program.

OPM Response:

“We partially concur with this recommendation. The agency does not consider ICAM to be a
distinct program though it could potentially be deemed a service area under the Security
Operations Center Monitoring and Analysis team. The agency has initial plans on how to
address this recommendation that can be incorporated as part of a long term strategy.”

OIG Comment:

We support OPM’s efforts in developing a long-term ICAM strategy. Whether ICAM is treated
as a distinct program or a service area under the Security Operations Center Monitoring and
Analysis team, the intent and principles of ICAM need to be adequately addressed and executed.

Metric 26 – Personnel Risk

FY 2018 Maturity Level: 4 – Managed and Measurable. OPM has defined and implemented
processes for assigning personnel risk designations and performing appropriate screenings prior
to granting access to its systems. OPM has also implemented an automated process to centrally
document, track, and share risk designations and screening information with necessary parties.
OPM has procedures to re-screen individuals when they change positions or the risk designation
of their current position is changed.




Metric 27 – Access Agreements

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has defined and implemented its
processes for developing, documenting and maintaining access agreements for all users of the
network. These access agreements are completed prior to granting any network or system
access. The agency also utilizes detailed agreements for privileged users or those with access to
sensitive information, as appropriate.

Metric 28 – Multi-factor Authentication with PIV

FY 2018 Maturity Level: 3 – Consistently Implemented. OMB Memorandum M-11-11 required
all Federal information systems to use Personal Identity Verification (PIV) credentials for multi-
factor authentication by the beginning of FY 2012. In addition, the memorandum stated that all
new systems under development must be PIV compliant prior to being made operational.

OPM has enforced multi-factor authentication for non-privileged users for facility, network, and
remote access through the use of PIV cards. The FY 2018 FISMA metrics state that these
controls represent a “consistently implemented” strong authentication mechanism. In order to
reach the next level of maturity, the enforcement of PIV authentication to connect to the
agency’s network in itself is not a sufficient control, as users or attackers that do gain access to
the network can still access OPM applications containing sensitive data with a simple username
and password. If the back-end applications were configured to only allow PIV authenticated
users, an attacker would have extreme difficulty gaining unauthorized access to data without
having physical possession of an authorized user's PIV card.

OPM has not enforced PIV authentication to the vast majority of its applications.

Recommendation 35 (Rolled forward from 2012)

We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major
information systems to require multi-factor authentication using PIV credentials.

OPM Response:

“We concur with the recommendation. The OCIO has plans to deploy an identity and access
tool to assist with meeting OMB M-11-11.”




Metric 29 – Strong Authentication Mechanisms for Privileged Users

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has enforced multi-factor
authentication for privileged user access to the OPM network and its backend servers.

Metric 30 – Management of Privileged User Accounts

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has developed and implemented
processes for provisioning, managing, and reviewing privileged user accounts. Account sessions
are recorded, logged and reviewed periodically. OPM has placed restrictions on the functions
that can be performed from privileged user accounts, and also restricts the session time.

Metric 31 – Remote Access Connections

FY 2018 Maturity Level: 4 – Managed and Measurable. OPM has implemented a variety of
controls for remote access connections such as the use of cryptographic modules, system time
outs, and monitoring remote access sessions. The agency ensures that remote access users’
activities are logged and reviewed periodically. In addition, OPM ensures that user devices have
been appropriately configured prior to allowing remote access, and restricts the ability of
individuals to transfer data accessed remotely to non-authorized devices.

Metric 32 – ICAM Other Information – Contractor Access Management

OPM has defined and implemented processes for managing Federal employees’ physical and
logical access to sensitive resources. However, the process for terminating access for contractors
leaving the agency is not centrally managed, and it is the responsibility of the various contracting
officer representatives to notify the OCIO that a contractor no longer requires access.
Furthermore, OPM does not maintain a complete list of all contractors who have access to
OPM’s network, so there is no way for the OCIO to audit the termination process to ensure that
contractor accounts are removed in a timely manner.

The Federal Information System Controls Audit Manual states that “Terminated employees who
continue to have access to critical or sensitive resources pose a major threat . . . .”

Failure to maintain an accurate and up to date list of contractors with access to OPM systems
increases the risk of inappropriate access to critical or sensitive resources.




  Recommendation 36 (Rolled forward from 2016)

  We recommend that the OCIO maintain a centralized list of all contractors that have access to
  the OPM network and use this list to routinely audit all user accounts for appropriateness.

  OPM Response:

  “We concur with the recommendation. The OCIO has incorporated policy requirements into
  tool deployment. Use of this tool will also aid in auditing of user accounts.”
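
The centralized roster the recommendation calls for is only useful if it is actually reconciled against the accounts that exist. The following is an added example, not part of the report and not OPM’s tooling, of such a reconciliation in Python: it compares an account export against a roster of contractors with engagement end dates, flags accounts that have no roster entry, accounts still enabled after the engagement ended, and accounts disabled later than an assumed five-day grace period, and groups the open items by the contracting officer representative who owes the OCIO a notification. The roster, the accounts, the field names, the audit date and the grace period are all constructed assumptions.

```python
"""Reconcile network accounts against a centralized contractor roster.

Added illustration of the routine account audit Recommendation 36 calls for:
every contractor account should map to a roster entry whose engagement is
still active, and accounts that outlive the engagement are flagged together
with the responsible contracting officer representative (COR) and how long
the account lingered. The roster, the account export and the field names are
constructed assumptions, not OPM data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Contractor:
    person_id: str
    contract_end: date   # date the engagement ended or is scheduled to end
    cor: str             # COR responsible for telling the OCIO that access is no longer needed


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]     # link to the roster; None when no roster entry exists
    disabled_on: Optional[date]  # None while the account is still enabled


# Constructed sample data (not real people, contracts or accounts).
ROSTER: Dict[str, Contractor] = {
    "C-1001": Contractor("C-1001", date(2019, 9, 30), "cor-alpha"),
    "C-1002": Contractor("C-1002", date(2018, 3, 31), "cor-beta"),
    "C-1003": Contractor("C-1003", date(2018, 6, 15), "cor-beta"),
}
ACCOUNTS: List[Account] = [
    Account("ctr_active", "C-1001", None),
    Account("ctr_departed_still_enabled", "C-1002", None),
    Account("ctr_departed_late_disable", "C-1003", date(2018, 7, 20)),
    Account("ctr_no_roster_entry", None, None),
]

AS_OF = date(2018, 8, 1)  # constructed "as of" date for the audit run
GRACE_DAYS = 5            # assumed acceptable delay between contract end and account disable


def audit_accounts(accounts, roster, as_of, grace_days=GRACE_DAYS):
    """Classify contractor accounts against the roster as of a given date.

    Returns a dict with three lists:
      orphaned          - usernames with no roster entry (cannot be audited at all)
      active_after_end  - (username, cor, days_past_end) for enabled accounts whose
                          engagement has already ended
      late_disable      - (username, cor, days_to_disable) for accounts disabled more
                          than grace_days after the engagement ended
    """
    findings = {"orphaned": [], "active_after_end": [], "late_disable": []}
    for acct in accounts:
        contractor = roster.get(acct.person_id) if acct.person_id else None
        if contractor is None:
            findings["orphaned"].append(acct.username)
            continue
        if acct.disabled_on is None:
            if contractor.contract_end < as_of:
                overdue = (as_of - contractor.contract_end).days
                findings["active_after_end"].append((acct.username, contractor.cor, overdue))
        else:
            delay = (acct.disabled_on - contractor.contract_end).days
            if delay > grace_days:
                findings["late_disable"].append((acct.username, contractor.cor, delay))
    return findings


def overdue_by_cor(findings):
    """Count open terminations per COR so follow-up can be directed at the
    office that still owes the OCIO a termination notice."""
    counts: Dict[str, int] = {}
    for _, cor, _ in findings["active_after_end"]:
        counts[cor] = counts.get(cor, 0) + 1
    return counts


if __name__ == "__main__":
    result = audit_accounts(ACCOUNTS, ROSTER, as_of=AS_OF)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("open terminations by COR:", overdue_by_cor(result))
```

Run periodically against a fresh account export, the `orphaned` list is the direct measure of the gap the finding describes: an account that cannot be tied to any roster entry is one whose termination nobody can be held accountable for, so the roster has to be complete before the timeliness figures mean anything.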

G. DATA PROTECTION AND PRIVACY

  The Data Protection and Privacy metrics deal with the controls over the protection of personally
  identifiable information that is collected, used, maintained, shared, and disposed of by
  information systems. This is a new domain area for the FY 2018 FISMA metrics and maturity
  models. The sections below detail the results for each individual metric in this domain. OPM’s
  overall maturity level for the Data Protection and Privacy domain is “1 – Ad Hoc.”

  Metric 33 – Data Protection and Privacy Policies and Procedures

  FY 2018 Maturity Level: 1 – Ad Hoc. The OPM Information Security and Privacy Policy
  Handbook is OPM’s primary source for data protection and privacy policies. However, this
  handbook has not been updated since 2011 and does not contain the personally identifiable
  information (PII) protection plans, policies, and procedures necessary for a mature privacy
  program. Additionally, there is an inadequate number of staff currently within OPM’s privacy
  program. OPM’s privacy program is supported by the Chief Privacy Officer, and two detailees
  from the OCIO. The Chief Privacy Officer position was established in October of 2016.
  Additional roles and responsibilities needed have not been clearly defined to support the
  program.

  NIST SP 800-53, Revision 4, requires that the organization “Develops a strategic organizational
  privacy plan for implementing applicable privacy controls, policies, and procedures . . . .”

  Without a strong privacy program in place, OPM increases the agency’s risk for data loss and
  mishandling of sensitive information.




Recommendation 37

We recommend that OPM define the roles and responsibilities necessary for the implementation
of the agency’s privacy program.

OPM Response:

“We partially concur. We agree that in order for the privacy program to develop into a more
robust program, additional resources along with more clearly articulated roles and
responsibilities are needed, both in the office that has immediate responsibility for privacy
matters and throughout OPM. We disagree that no roles and responsibilities for privacy are
currently defined at OPM. OPM elevated the Chief Privacy Officer/Senior Agency Official for
Privacy to a senior-level position reporting directly to the Director of OPM. That position,
based on the position description and the requirements set forth in guidance from the Office of
Management and Budget, has responsibility for privacy policy and compliance at OPM.”

OIG Comment:

OPM and the OIG are in agreement that roles and responsibilities need to be more clearly
defined in order to implement a robust privacy program. As mentioned in Metric 33, we
acknowledge that a Chief Privacy Officer is in place. However, additional roles and
responsibilities have not been defined to support the program. In order for the Chief Privacy
Officer to carry out the responsibilities of the agency’s privacy program, roles and
responsibilities should be defined. We support OPM’s continued efforts to address data
protection and privacy.

Recommendation 38

We recommend that OPM develop its privacy program by creating the necessary plans, policies,
and procedures for the protection of PII.

OPM Response:

“We partially concur. We agree that a more focused articulation of privacy policies and
procedures that are separate from and/or integrated with information security policy and
procedures, as appropriate, will be beneficial and we are working towards that end. We
disagree that there are not currently in place plans, policies, and procedures for the protection
of PII. The Information Security and Privacy Policy Handbook includes appropriate privacy
provisions, as do the current PIA and SORN guides. In addition, the Chief Privacy Officer
implemented a robust template for Privacy Impact Assessments (PIA) that has been in use
since calendar year 2017, as well as a new template for Privacy Threshold Analyses (PTA).
The PTA template has been implemented both to determine the need for a PIA or a Privacy
Act system of records notice and to track appropriate privacy controls as articulated in NIST
800-53, Appendix J. In addition to those OPM-specific policies and procedures, the agency
continues to rely on overarching privacy guidance issued by the Office of Management and
Budget and NIST.”

OIG Comment:

We do not agree with OPM that the current policies, plans, and procedures in place are working
to ensure the protection of PII. The material in the Information Security and Privacy Policy
Handbook does not reflect the current state of OPM’s privacy program since this policy has not
been updated/reviewed since 2011. Furthermore, during our discussions with OCIO we learned
that there are many system Authorizations in place without an approved Privacy Threshold
Analysis.

Metric 34 – Data Protection and Privacy Controls

FY 2018 Maturity Level: 1 – Ad Hoc. DHS requires the implementation of several technical
controls to help protect PII. OPM has implemented technical controls to limit the transfer of
information via removable media, but has not provided sufficient evidence to demonstrate that
controls to encrypt data at rest and in transit have been implemented in order to protect PII.

NIST SP 800-53, Revision 4, states that “The information system protects the [confidentiality
and integrity] of [information at rest].” Furthermore, NIST SP 800-53, Revision 4, states that
“The information system protects the [confidentiality and integrity] of transmitted information.”
Without strong security controls to protect PII, OPM increases its risk of cybersecurity threats
and loss of information.

Recommendation 39

We recommend that OPM implement controls over encryption of data at rest on its IT systems.




OPM Response:

“We do not concur with this recommendation. OPM has implemented controls over
encryption of data at rest on its IT systems. The OIG has not yet provided OPM with a clear
understanding of what evidence is needed to demonstrate that controls over encryption of data
at rest on its IT systems are in place.”

OIG Comment:

No evidence was provided to the OIG during this audit demonstrating that OPM has controls in
place to encrypt data at rest. The information request that we provided to OPM stated that
screenshots demonstrating functionality, descriptions, and procedures would have been adequate
evidence. Please provide OPM’s Internal Oversight and Compliance office the appropriate and
adequate evidence to close this recommendation.

Recommendation 40

We recommend that OPM implement controls over encryption of data in transit on its IT
systems.

OPM Response:

“We do not concur with this recommendation. OPM has implemented controls over
encryption of data in transit on its IT systems. The OIG has not yet provided OPM with a
clear understanding of what evidence is needed to demonstrate that controls over encryption
of data at rest on its IT systems are in place.”

OIG Comment:

No evidence was provided to the OIG during this audit demonstrating that OPM has controls in
place to encrypt data in transit. The information request that we provided to OPM stated that
screenshots demonstrating functionality, descriptions, and procedures would have been adequate
evidence. Please provide OPM’s Internal Oversight and Compliance office the appropriate and
adequate evidence to close this recommendation.




Metric 35 – Data Exfiltration Prevention

FY 2018 Maturity Level: 1 – Ad Hoc. OPM has implemented controls to monitor inbound and
outbound network traffic, as well as ensure all traffic passes through a web content filter.
However, OPM has not developed or defined its policies and procedures related to data
exfiltration or enhanced network defenses.

DHS requires that the organization define and communicate its policies and procedures related to
data exfiltration and network defenses.

Failure to develop and implement policies and procedures related to data exfiltration increases
the risk of the organization mishandling data and the likelihood of data loss through user error.

Recommendation 41

We recommend that OPM develop and implement policies and procedures related to data
exfiltration and enhanced network defenses.

OPM Response:

“We do not concur with this recommendation. OPM has issued several policies covering the
data exfiltration and enhanced network defenses, including: 1) Information System
Monitoring; 2) OPM Boundary Protection; 3) OPM Malicious Code; and 4) Mobile Code.”

OIG Comment:

Current policies and procedures related to OPM’s data protection and privacy program were
requested during our audit. However, as of August 1, 2018, OPM did not provide the policies
and procedures mentioned in their response. Therefore, we cannot express an opinion as to
whether the policies and procedures are adequate. Please provide OPM’s Internal Oversight and
Compliance office the appropriate and adequate evidence to close this recommendation.

Metric 36 – Data Breach Response Plan

FY 2018 Maturity Level: 2 – Defined. OPM has defined and communicated its Data Breach
Response Plan and established a data breach response team. However, OPM does not currently
conduct routine table-top exercises to test the Data Breach Response Plan.




NIST SP 800-122, requires that “The policies and procedures should be communicated to the
organization’s entire staff through training and awareness programs. Training may include
tabletop exercises to simulate an incident and test whether the response plan is effective and
whether the staff members understand and are able to perform their roles effectively.”

Failure to test the Data Breach Response Plan increases the organization’s risk of major data loss
in the event of a security incident.

Recommendation 42

We recommend that OPM develop a process to routinely test the Data Breach Response Plan.

OPM Response:

“We partially concur. We agree that an annual table top exercise to review the Breach
Response Plan can help clarify and refine roles and responsibilities in the event of a breach
and help to more clearly articulate the appropriate risk analysis and mitigation steps that
should be taken, as provided by the Breach Response Plan and OMB Memorandum 17-12.
We disagree with the OIG's underlying premise that not conducting a table top exercise has
increased OPM’s risk of major data loss in the event of a security incident. Annual security
and privacy awareness training informs the OPM workforce of when to report a loss or
potential loss of PII to the Security Operations Center (SOC). The SOC routinely informs
appropriate OPM personnel when an incident has occurred and steps are taken to address and
mitigate any potential harm as appropriate. The Chief Privacy Officer is also a part of the
senior members of the OPM staff that routinely meets and interacts with other key members of
the workforce, which allows for consistent communication regarding the protection of
sensitive identifiable information to occur.”

OIG Comment:

Routine testing of the Data Breach Response Plan is a characteristic of a mature security posture
and will help ensure that OPM’s Data Breach Response Plan is working as intended.
Furthermore, as in the past, OPM did not properly notify the OIG of several recent security
incidents, suggesting that the Data Breach Response Plan is not always followed appropriately
and should be routinely tested.




Metric 37 – Privacy Awareness Training

FY 2018 Maturity Level: 2 – Defined. OPM has defined and communicated its privacy
awareness training program throughout the agency. OPM tailors the training to the
organization’s risk environment, ensures that all employees receive basic privacy awareness
training on an annual basis, and requires all users to accept a rules of behavior notice prior to
logging onto the network. However, individuals with responsibilities for PII or activities
involving PII do not receive elevated role-based privacy training.

NIST SP 800-122 requires that “To reduce the possibility that PII will be accessed, used, or
disclosed inappropriately, all individuals that have been granted access to PII should receive
appropriate training and, where applicable, specific role-based training.”

Additionally, NIST SP 800-53, Revision 4, requires that the organization “Administers basic
privacy training . . . and targeted, role-based privacy training for personnel having responsibility
for [PII] or for activities that involve PII [at least annually] . . . .”

Not providing specific training to individuals who handle PII increases the organization’s risk of
mishandled secure data resulting in a data loss incident.

Recommendation 43

We recommend that OPM identify individuals with heightened responsibility for PII and provide
role-based training to these individuals at least annually.

OPM Response:

“We partially concur. We agree that appropriate annual privacy training should be provided.
This is done formally through the annual security and privacy awareness training that all
individuals at OPM are required to complete. We also agree that it would be beneficial to
evaluate more formally whether there are individuals who, given their job responsibilities and
exposure to PII, should receive any additional annual training. We disagree with the
underlying assumption that individuals who regularly handle PII will always require
specialized formal annual training. In many instances the annual awareness training,
followed by tailored discussions with various offices, can be just as effective. To date, the
Chief Privacy Officer has provided presentations on privacy and engaged in group discussions
with various offices in an effort to further provide appropriate privacy awareness and
compliance.”



  OIG Comment:

  This recommendation was made in alignment with DHS’s requirement that role-based privacy
  training be conducted at least annually for individuals with responsibilities for PII. Furthermore,
  no evidence was provided during this audit demonstrating the ad-hoc training described in
  OPM’s response. Please provide OPM’s Internal Oversight and Compliance office the
  appropriate and adequate evidence to close this recommendation.

  Metric 38 – Other Information Data Protection and Privacy

  There are no additional comments regarding data protection and privacy.

H. SECURITY TRAINING

  FISMA requires that all Government employees and contractors take annual IT security
  awareness training. In addition, employees with IT security responsibility are required to take
  specialized training specific to their job function. OPM has a strong history of providing its
  employees with IT security awareness training for the ever changing risk environment and has
  made progress in providing tailored training to those with significant security responsibilities.
  The sections below detail the results for each individual metric in this domain. OPM’s overall
  maturity level for the Security Training domain is “3 – Consistently Implemented.”

  Metric 39 – Security Training Policies and Procedures

  FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has developed and established an
  agency-wide IT security awareness training program. Roles and responsibilities for stakeholders
  are defined and communicated across the organization. OPM is continuing to improve its
  security training program by developing a process to consistently collect, monitor, and analyze
  qualitative and quantitative performance measures of the security awareness training activities.

  We noted no control deficiencies during our review of the agency’s security awareness training
  policies and procedures.

  Metric 40 – Assessment of Workforce

  FY 2018 Maturity Level: 1 – Ad Hoc. Since FY 2017, OPM has conducted an assessment of the
  knowledge, skills, and abilities of its workforce to determine employees’ specialized training
  needs. While progress has been made, OPM still needs to analyze the results of the assessment
  to determine any skill gaps and specialized training needs.

The Federal Cybersecurity Workforce Assessment Act of 2015 requires agencies to implement
“a strategy for mitigating any gaps identified . . . with appropriate training and certification for
existing personnel.”

Failure to identify gaps within an IT security training program increases the risk that OPM staff
are not fully prepared to address the security threats facing the agency.

Recommendation 44 (Rolled forward from 2017)

We recommend that OPM develop and conduct an assessment of its workforce’s knowledge,
skills and abilities in order to identify any skill gaps and specialized training needs.

OPM Response:

“We concur with this recommendation. OPM completed the assessment of its workforce's
knowledge, skills, and abilities in accordance with the instructions given for the Federal
Cybersecurity Workforce Assessment Act of 2015. This assessment was completed in August
2018, after the OIG audit testing period, and can be provided upon request.”

Metric 41 – Security Awareness Strategy

FY 2018 Maturity Level: 3 – Consistently Implemented. In FY 2018, OPM developed a strategic
plan for the cybersecurity policy team, which includes security awareness training. The strategy
has been fully developed to maintain a security awareness program tailored to the mission and
risk environment.

Based upon our review of the agency’s Security Awareness and Training Strategy and its
implementation, no control deficiencies were noted.

Recommendation 45 (Rolled forward from 2017)

We recommend that OPM develop and document a security awareness and training strategy
tailored to its mission and risk environment.

OPM Response:

“We do not concur with this recommendation. The Security Awareness and Training Strategy
was completed in May 2018 and was delivered to the OIG in June 2018. OPM's view is that
the strategy is appropriately tailored to the agency mission and risk environment.”

OIG Comment:

This recommendation was rolled forward from FY 2017 based on our meeting discussions that
indicated the Security Awareness and Training Strategy was still a work in progress. However,
after consideration of OPM’s response to the draft audit report and review of the documentation
provided to us during the audit we have determined that sufficient evidence has been provided to
close the recommendation from 2017, and no further action is required.

Metric 42 – Specialized Security Training Policies

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has established policies and
procedures that require agency employees to take security awareness and specialized security
training. OPM is working to improve its security training program by implementing a process to
measure the effectiveness of specialized training.

Based upon our review of the agency’s specialized security awareness training policies and
procedures, no control deficiencies were noted.

Metric 43 – Tracking IT Security Training

FY 2018 Maturity Level: 4 – Managed and Measurable. The OCIO provides annual IT
security and privacy awareness training to all OPM users through an interactive web-based
course. The course introduces employees and contractors to the basic concepts of IT security
and privacy, including topics such as the importance of information security, security threats and
vulnerabilities, viruses and malicious code, privacy training, telework, mobile devices, Wi-Fi
guidance, and the roles and responsibilities of users. In addition, OPM conducts random
phishing exercises and tracks the results in order to measure the effectiveness of the exercises.
Lessons learned are reviewed and used to update the IT security training program. Over 95
percent of OPM’s employees and contractors completed the security awareness training course
in FY 2018.

Metric 44 – Tracking Specialized IT Security Training

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM employees with significant
information security responsibilities are required to take specialized security training in addition
to the annual awareness training.

  The OCIO uses a spreadsheet to track the security training taken by employees identified as
  having security responsibility. In order to improve the specialized training program, the OCIO is
  in the process of developing metrics to measure the effectiveness of the specialized training
  program.

  Metric 45 – Security Training Other Information

  There are no additional comments regarding the security training program.

I. INFORMATION SECURITY CONTINUOUS MONITORING

  Information Security Continuous Monitoring (ISCM) controls involve the ongoing assessment of
  the effectiveness of information security controls in support of the agency’s efforts to manage
  security vulnerabilities and threats. The sections below detail the results for each individual
  metric in this domain. OPM’s overall maturity level for the Information Security
  Continuous Monitoring domain is “2 – Defined.”

  Metric 46 – ISCM Strategy

  FY 2018 Maturity Level: 2 – Defined. OPM has developed an ISCM strategy that addresses the
  monitoring of security controls at the organization, business unit, and individual information
  system level. At the organization and business unit level, the ISCM strategy defines how the
  agency’s activities support risk management in accordance with organizational risk tolerance. At
  the information system level, the ISCM strategy establishes processes for monitoring security
  controls for effectiveness and reporting any findings.

  Despite a defined ISCM strategy, OPM is not consistently implementing several of the objectives
  outlined in its ISCM strategy, including:

  •  “Security controls must be assessed to ensure continued effectiveness of their
     implementation and operation”;

  •  “Identified threats and vulnerabilities must be reported timely to support risk management
     decisions”; and

  •  “Feedback must be collected frequently and incorporated into a system of continually
     improving processes.”





In FY 2018 only 29 of OPM’s 54 systems were subject to adequate security controls testing and
monitoring.

At this stage in the development of OPM’s ISCM program the goal of providing stakeholders
with sufficient information to evaluate risk has not been met. Ensuring that the security controls
of each system are assessed on a continuous basis is the responsibility of the ISSO for each
major system. ISSOs should be both competent and knowledgeable, and the overall program
should be properly managed. As discussed in Section B, we continue to believe that OPM’s
failure to meet long-standing FISMA metrics (such as the ones in this section related to
continuous monitoring) is a direct result of OPM’s inability to fully staff critical information
security positions, and is indicative of a material weakness in the agency’s governance structure.

Metric 47 – ISCM Policies and Procedures

FY 2018 Maturity Level: 2 – Defined. OPM has developed ISCM policies and procedures that
have been tailored to OPM’s environment and include specific requirements and deliverables.
However, OPM does not capture lessons learned to make improvements to ISCM policies and
procedures. In addition, as discussed in more detail under Metric 49, OPM has not consistently
implemented its ISCM policies.

Metric 48 – ISCM Roles, Responsibilities, and Resources

FY 2018 Maturity Level: 2 – Defined. OPM has defined the structure, roles, and responsibilities
of its ISCM teams and stakeholders. However, we found that OPM’s ISCM program still does
not have adequate resources to effectively implement the activities required. This year, OPM
made some progress identifying resource gaps related to its ISCM program. However, more
work is still required to identify all of the ISCM resource gaps to effectively implement its ISCM
program.

NIST SP 800-137 states that “ISCM helps to provide situational awareness of the security status
of the organization’s systems based on information collected from resources (e.g., people,
processes, technology, [and] environment) and the capabilities in place to react as the situation
changes.”

Failure to identify and apply the resources needed to perform ISCM activities results in OPM
being unable to effectively implement its ISCM program, limiting its ability to protect sensitive
information.

Recommendation 46 (Rolled forward from 2017)

We recommend that OPM conduct an analysis to identify any resource gaps within its current
ISCM program. OPM should use the results of this gap analysis to ensure stakeholders have
adequate resources to effectively implement ISCM activities based on OPM’s policies and
procedures.

OPM Response:

“We partially concur with this recommendation. OPM agrees that challenges in resources
have affected the ISCM program. OPM has identified needs and has responded by recruiting
and making plans to bring onboard additional personnel.”

OIG Comment:

As noted in Metric 48, OPM has made some progress identifying resource gaps related to its
ISCM program. However, no evidence has been provided to us indicating that this
recommendation has been fully implemented. Please provide OPM’s Internal Oversight and
Compliance office the appropriate and adequate evidence to close this recommendation.

Metric 49 – Ongoing Security Assessments

FY 2018 Maturity Level: 2 – Defined. OPM has defined its processes for performing ongoing
security control assessments, granting system authorizations, and monitoring security controls
for individual systems.

However, we continue to find that many system owners are not following the security control
testing schedule that the OCIO mandated for all systems. OPM’s policy requires that evidence
of security control testing be provided to the OCIO on a quarterly basis for all OPM-operated
systems, and annually for all contractor-operated systems.

We submitted requests for the security control testing documentation for all OPM systems in
order to review them for quality and consistency. However, we were only provided evidence for
the first two quarters of FY 2018. In those two quarters, only 29 of OPM’s 54 major systems
were subject to security controls testing that complied with OPM’s ISCM submission schedule.
While this would represent an improvement in the first half of the fiscal year compared to FY
2017, we were not provided any evidence for the third quarter.
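
How the submission schedule described above could be checked mechanically, as an added example that is not from the report and does not represent OPM’s own process: given a system inventory that records whether each system is OPM- or contractor-operated and a log of the dates on which testing evidence was received, the code maps each date to a federal fiscal-year quarter (the fiscal year begins 1 October, so October to December 2017 is FY 2018 Q1) and reports which systems met the quarterly or annual requirement for the quarters under review and which quarters each non-compliant system missed. The system names, operator types, dates and inventory layout are constructed assumptions.

```python
"""Check security control testing evidence against an ISCM submission schedule.

Added illustration, not taken from the report: the policy described under
Metric 49 requires evidence of control testing quarterly for OPM-operated
systems and annually for contractor-operated systems. Given a system inventory
and the dates on which evidence was received, this lists which systems met the
schedule for the fiscal-year quarters under review and which quarters each
non-compliant system missed. System names, operator types and dates are
constructed; the inventory field layout is an assumption.
"""
from datetime import date
from typing import Dict, List, Set, Tuple


def fiscal_quarter(d: date) -> Tuple[int, int]:
    """Map a date to (fiscal_year, quarter). The federal fiscal year starts 1 October,
    so October to December 2017 fall in FY 2018 Q1 and July to September 2018 in FY 2018 Q4."""
    fiscal_year = d.year + 1 if d.month >= 10 else d.year
    quarter = ((d.month - 10) % 12) // 3 + 1
    return fiscal_year, quarter


# Constructed inventory: system name -> operator ("opm" or "contractor").
SYSTEMS: Dict[str, str] = {
    "SYS-A": "opm",
    "SYS-B": "opm",
    "SYS-C": "contractor",
    "SYS-D": "opm",
}

# Constructed evidence log: system name -> dates control testing evidence was received.
EVIDENCE: Dict[str, List[date]] = {
    "SYS-A": [date(2017, 11, 15), date(2018, 2, 20)],
    "SYS-B": [date(2017, 12, 1)],
    "SYS-C": [date(2018, 1, 10)],
    "SYS-D": [],
}


def schedule_compliance(systems, evidence, fiscal_year, quarters):
    """Return (compliant, missing).

    compliant: set of systems that met the schedule for every quarter in `quarters`.
    missing:   dict of system -> quarters for which required evidence is absent.
    OPM-operated systems need evidence in each quarter reviewed; contractor-operated
    systems need at least one submission in the fiscal year, which covers all quarters.
    """
    compliant: Set[str] = set()
    missing: Dict[str, List[int]] = {}
    for name, operator in systems.items():
        submitted = {fiscal_quarter(d) for d in evidence.get(name, [])}
        if operator == "contractor":
            covered = any(fy == fiscal_year for fy, _ in submitted)
            missed = [] if covered else list(quarters)
        else:
            missed = [q for q in quarters if (fiscal_year, q) not in submitted]
        if missed:
            missing[name] = missed
        else:
            compliant.add(name)
    return compliant, missing


def summarize(systems, evidence, fiscal_year, quarters):
    """One-line status of the kind a program manager would report to leadership."""
    compliant, missing = schedule_compliance(systems, evidence, fiscal_year, quarters)
    return (f"FY{fiscal_year} Q{quarters[0]}-Q{quarters[-1]}: "
            f"{len(compliant)} of {len(systems)} systems compliant; missing: {missing}")


if __name__ == "__main__":
    print(summarize(SYSTEMS, EVIDENCE, 2018, (1, 2)))
```

The `missing` map is the follow-up list: each entry names a system owner who owes evidence for a specific quarter, which is the monitoring and follow-up step the report identifies as a basic element of a properly managed program.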




While resource limitations certainly impact OPM’s cybersecurity program, we believe that lack
of effective management is a contributing factor. Monitoring status, following up on incomplete
results, evaluating the quality of work products, and reporting to senior leadership and other
stakeholders are basic elements of a properly managed program. OPM has not been able to
adequately test the security controls of its systems for at least 10 years. In addition, OPM has not
been able to implement continuous monitoring of its major IT systems since 2011 when it was
required by NIST SP 800-37, Revision 1.

FISMA requires agencies to “conduct assessments of security controls at a frequency appropriate
to risk, but no less than annually.”

By failing to complete a comprehensive security controls test for all information systems and use
the results to establish a risk baseline for the agency, OPM cannot move forward in
implementing its ISCM strategy. Furthermore, OPM is at risk of an attack that exploits
vulnerabilities that could have been identified had security controls testing been completed.

Recommendation 47 (Rolled forward from 2008)

We recommend that OPM ensure that an annual test of security controls has been completed for
all systems.

OPM Response:

“We concur with this recommendation. OPM agrees that challenges in resources have
affected annual control testing. Additional resources joining the OCIO in the near future will
help to ensure thorough annual security control testing for all systems.”

Metric 50 – Measuring ISCM Program Effectiveness

FY 2018 Maturity Level: 2 – Defined. OPM has identified and defined the performance
measures and requirements to assess the effectiveness of its ISCM program, achieve situational
awareness, and control ongoing risk. OPM has also developed metrics to assess the program
implementation and intends to consolidate reported data into a single repository as an efficient
means to track the progress.

However, OPM still needs to define the format and frequency of reports measuring its ISCM
program effectiveness. In addition, OPM has failed to complete the first step necessary to
assess the effectiveness of its ISCM program – to collect the necessary baseline data by actually
assessing the security controls of its systems. To reach the next level in the ISCM maturity
model OPM has to consistently capture the performance measures needed to evaluate the
effectiveness of the ISCM program.

OPM must consistently test its systems’ security controls before it can implement a mature
continuous monitoring program.

NIST SP 800-137 states that an organization must “Analyze the data collected and report
findings, determining the appropriate response.” Furthermore, “Organizations [must] develop
procedures for collecting and reporting assessment and monitoring results, including results that
are derived via manual methods, and for managing and collecting information from POA&Ms to
be used for frequency determination, status reporting, and monitoring strategy revision.”

Recommendation 48 (Rolled forward from 2017)

We recommend that OPM evaluate qualitative and quantitative performance measures on the
performance of its ISCM program once it can consistently acquire security assessment results, as
referenced in Recommendation 47.

OPM Response:

“We do not concur with this recommendation. Performance measures for the ISCM program
have been established and the OCIO is conducting an evaluation of the management of
POA&Ms and inventory management. The use of a centralized tool is expected to provide a
significantly expanded capability for evaluation.”

OIG Comment:

No evidence was provided during the course of this audit to indicate that qualitative and
quantitative performance measures on the performance of its ISCM program have been
implemented. Please provide OPM’s Internal Oversight and Compliance office the appropriate
and adequate evidence to close this recommendation.

Metric 51 – ISCM Other Information

There are no additional comments regarding OPM’s ISCM program.





J. INCIDENT RESPONSE

  An incident response capability is an organized approach for responding to a cyber-attack in an
  effective manner and limiting the damage, repair costs, and down time of critical information
  systems. OPM has consistently implemented an effective incident response program, and we
  have no audit recommendations in this area. The sections below detail the results for each
  individual metric in this domain. OPM’s overall maturity level for the Incident Response domain
  is “4 – Managed and Measurable.”

      OPM has an effective incident response program.

  Metric 52 – Incident Response Policies, Procedures, Plans, Strategies

  FY 2018 Maturity Level: 4 – Managed and Measurable. OPM’s incident response policies,
  procedures, plans, and strategies have been defined, communicated, and consistently
  implemented. OPM is consistently capturing and sharing lessons learned on the effectiveness of
  its incident response program. In addition, OPM monitors and analyzes qualitative and
  quantitative performance measures on the effectiveness of its incident response program and, as
  appropriate, implements updates to the program.

  Metric 53 – Incident Roles and Responsibilities

  FY 2018 Maturity Level: 4 – Managed and Measurable. OPM has defined roles and
  responsibilities related to incident response, and its incident response teams have adequate
  resources (people, processes, and technology) to manage and measure the effectiveness of
  incident response activities.

  Metric 54 – Incident Detection and Analysis

  FY 2018 Maturity Level: 3 – Consistently Implemented. OPM utilizes a threat vector
  classification system for its incident response program, allowing the agency to quickly analyze
  and prioritize any incidents reported or detected. In addition, OPM has implemented several
  security tools to analyze precursors and indicators of security threats to help it better identify
  possible security incidents before they occur. However, OPM has not implemented profiling
  techniques to measure the characteristics of expected activities on its networks and systems so
  that it can effectively detect security incidents.





Metric 55 – Incident Handling

FY 2018 Maturity Level: 4 – Managed and Measurable. OPM has defined its processes for
incident handling in an incident response manual. The processes include containment strategies
for various types of major incidents, eradication activities to eliminate components of an incident
and mitigate any vulnerabilities that were exploited, and the recovery of systems. OPM uses
metrics to measure the impact of successful incidents and is able to quickly mitigate related
vulnerabilities on other systems so that they are not subject to the same exploitation.

Metric 56 – Sharing Incident Response Information

FY 2018 Maturity Level: 4 – Managed and Measurable. OPM has a documented policy that
defines how incident response information will be shared with individuals with significant
security responsibility. OPM also has controls in place to generally ensure that security incidents
are reported to the United States Computer Emergency Readiness Team, law enforcement, the
OIG, and the Congress in a timely manner. OPM has developed and implemented incident
response metrics to measure and manage the timely reporting of incident information to
organizational officials and external stakeholders. However, we have noticed incidents where
OPM has failed to properly notify the OIG of security incidents in accordance with the defined
process.

Metric 57 – Contractual Relationships in Support of Incident Response

FY 2018 Maturity Level: 4 – Managed and Measurable. OPM collaborates with DHS and
other parties, when needed, for technical assistance, surge resources, and any special
requirements for quickly responding to incidents. OPM uses third party contractors, when
needed, to support incident response processes. OPM also utilizes software tools provided by
DHS for intrusion detection and prevention capabilities.

Metric 58 – Technology to Support Incident Response

FY 2018 Maturity Level: 4 – Managed and Measurable. OPM has implemented incident
response tools that have been configured to collect and retain relevant and meaningful data
consistent with the organization’s incident response policy, plans, and procedures. OPM utilizes
the reporting tools for monitoring and analyzing qualitative and quantitative incident response
performance across the organization. OPM uses the data collected from these tools to generate
monthly reports to stakeholders on the effectiveness of its incident response program.





  Metric 59 – Incident Response Other Information

  There are no additional comments regarding OPM’s incident response capability.

K. CONTINGENCY PLANNING

  Contingency planning includes the policies and procedures that ensure adequate availability of
  information systems, data, and business processes. The sections below detail the results for each
  individual metric in this domain. OPM’s overall maturity level for the Contingency Planning
  domain is “2 – Defined.”

  Metric 60 – Contingency Planning Roles and Responsibilities

  FY 2018 Maturity Level: 2 – Defined. OPM has a policy in place that describes the roles and
  responsibilities of individuals that are part of the agency’s contingency planning program. OPM
  also uses a contingency plan template to develop consistent system level contingency plans.
  These policies, procedures, and templates are readily available to OPM personnel. However, the
  personnel limitations discussed in Section B are further evident in OPM’s inability to perform all
  contingency planning activities.

  NIST SP 800-34, Revision 1, states, “Recovery personnel should be assigned to . . . teams that
  will respond to the event, recover capabilities, and return the system to normal operations.”
  Failure to staff critical roles in the contingency planning process increases the risk that OPM will
  be unable to restore systems to an operational status in the event of a disaster.

  Recommendation 49

  We recommend that OPM perform a gap analysis to determine the contingency planning
  requirements (people, processes, and technology) necessary to effectively implement the
  agency’s contingency planning policy.

  OPM Response:

  “We do not concur with the recommendation. The OCIO is aware of the technology and
  resource gaps related to enterprise disaster recovery testing that can result in an ability to
  further plan development and conduct exercises and is taking steps, supported by agency
  leadership, to eliminate those gaps. The OIG cites ISSO staffing issues as reason for
  contingency plan development and testing weaknesses but does not explain how it has reached
  this conclusion.”


OIG Comment:

The OCIO has repeatedly cited the lack of personnel resources as a substantial cause of its
inability to address this recommendation. In addition to the loss of many ISSO positions,
Section B of this report discusses the loss of multiple key individuals. For example, OPM’s Data
Center Group Chief, who played a pivotal role with contingency planning efforts, has recently
left the agency. ISSOs perform an important role and impact OPM’s ability to follow through in
the execution of contingency activities. Conducting a gap analysis would be a prudent step to
document the need and support requests for additional staff.

Metric 61 – Contingency Planning Policies and Procedures

FY 2018 Maturity Level: 2 – Defined. OPM has contingency planning policies and procedures
in place, but does not consistently adhere to these policies. The remaining metrics in this domain
outline the specific deficiencies in OPM’s contingency planning program, but in summary:

•   Contingency plans exist for only 32 of OPM’s 54 major information systems;

•   Only 19 of the 32 contingency plans were reviewed and updated in FY 2018;

•   Only 13 of the 32 contingency plans were tested in FY 2018; and

•   Only 1 contingency plan was updated to address the test results.

    OPM’s failure to test the contingency plans for almost 80 percent of its systems is a
    symptom of the significant deficiency in the agency’s information security governance
    structure.

It is the responsibility of the ISSO for each major system to ensure that the system is subject to a
contingency plan test each year and that the plan is updated accordingly. As discussed in Section
B, we continue to believe that OPM’s failure to meet long-standing FISMA metrics (such as the
ones in this section related to contingency planning) is indicative of a material weakness in the
agency’s information security governance structure.

Failure to appropriately manage information system contingency plans in a changing
environment increases the risk that contingency plans will not meet OPM’s system recovery time
and business objectives should disruptive events occur. The sections below contain specific
recommendations related to contingency plan management; some of these recommendations
have been extremely longstanding issues at OPM.



Metric 62 – Business Impact Analysis

FY 2018 Maturity Level: 1 – Ad-Hoc. Identifying an organization’s essential mission and the
risks facing its business functions is a critical element in developing contingency plans. OPM
currently has a process in place to develop a Business Impact Analysis (BIA) at the information
system level. While OPM has a substantial number of information systems that do not have an
approved BIA, those systems have existing POA&Ms identifying these weaknesses.

Additionally, OPM has not performed an agency-wide BIA, and therefore, risks to the agency as
a whole are not incorporated into the system-level BIAs and/or contingency plans. Currently,
OPM is in the preliminary planning stages for its enterprise-wide contingency planning efforts
that will include a BIA.

NIST SP 800-53, Revision 4, requires the agency to develop a contingency plan for information
systems that “Identifies essential missions and business functions and associated contingency
requirements . . . .”

Federal Continuity Directive 1 requires agencies to complete “a Business Impact Analysis for all
threats and hazards, and all capabilities associated with the continuance of essential functions at
least every two years.”

Without an organization-wide BIA, the agency leaves itself at risk of being unable to restore
systems based on criticality, and therefore, unable to meet its recovery time objectives and
mission.

Recommendation 50 (Rolled forward from FY 2017)

We recommend that the OCIO conduct an agency-wide BIA and incorporate the results into the
system-level contingency plans.

OPM Response:

“We do not concur with the recommendation. OPM completed an agency-wide BIA and
developed a new template with instructions for incorporating the results into system-level
contingency plans in May 2018. The document can be provided upon request.”





OIG Comment:

During the course of audit fieldwork, the OIG was not provided evidence that OPM completed
an agency-wide BIA. As part of the audit resolution process, please provide OPM’s Internal
Oversight and Compliance office with evidence that this recommendation has been implemented.

Metric 63 – Contingency Plan Maintenance

FY 2018 Maturity Level: 2 – Defined. OPM has a policy that requires a contingency plan to be
in place for every major information system, and that this plan be updated on a routine basis.
While OPM has made progress, OPM is still far from adhering to this policy. In FY 2018, we
received evidence that a contingency plan exists for 32 of OPM’s 54 major systems. However,
of those 33 contingency plans, only 19 were current, having been reviewed and updated in FY
2018.

The OPM contingency planning policy requires that “Contingency planning procedures shall be
developed and disseminated [and] the procedures shall be reviewed at least annually.”

NIST SP 800-34, Revision 1, states “it is essential that the [information system contingency
plan] be reviewed and updated regularly as part of the organization’s change management
process to ensure that new information is documented and contingency measures are revised if
required.”

Failure to have a current contingency plan in place for every major information system increases
the risk that the agency is unable to efficiently restore operations in the event of a disaster.

Recommendation 51 (Rolled forward from 2014)

We recommend that the OCIO ensure that all of OPM’s major systems have contingency plans
in place and that they are reviewed and updated annually.

OPM Response:

“We concur with the recommendation. The OCIO will coordinate with each system's
Program Management Office (PMO) including the System Owners and Authorizing officials
to help ensure contingency plans are in place and that the annual review and update of the
plans occurs in accordance with policy.”





Metric 64 – Contingency Plan Testing

FY 2018 Maturity Level: 2 – Defined. Routinely testing contingency plans is a critical step in
ensuring that plans can be successfully executed in the event of a disaster. Only 13 of the 54
major information systems were subject to an adequate contingency plan test in fiscal year 2018.
Furthermore, contingency plans for 17 of the 54 major systems have not been tested for 2 years
or longer.

The OPM Contingency Planning Policy states that system owners must “test the contingency
plan for the information system [at least annually] . . . .”

NIST SP 800-53, Revision 4, states that organizations should test “the contingency plan for the
information system . . . to determine the effectiveness of the plan and . . . readiness to execute the
plan.”

Recommendation 52 (Rolled forward from 2008)

We recommend that OPM test the contingency plans for each system on an annual basis.

OPM Response:

“We concur with the recommendation. The OCIO will coordinate with each system's
Program Management Office (PMO) including the System Owners and Authorizing officials
to help ensure annual testing of the contingency plans in accordance with policy.”

Metric 65 – Information System Backup and Storage

FY 2018 Maturity Level: 3 – Consistently Implemented. OPM has implemented processes,
strategies, and technologies for information system backup and storage. OPM’s systems are
backed up to alternative storage sites that are documented within each system’s security plan.





Metric 66 – Communication of Recovery Activities

FY 2018 Maturity Level: 2 – Defined. OPM has policies in place that define how contingency
plan activities are performed throughout the agency. As discussed in Metric 61, these policies
and procedures are distributed to all relevant stakeholders. However, OPM is not consistently
adhering to this policy, as current contingency plans are not maintained for all systems.

The OPM contingency planning policy states that “Contingency planning procedures shall be
developed and disseminated. The procedures shall be reviewed at least annually . . . .”

NIST SP 800-34, Revision 1, states “it is essential that the [information system contingency
plan] be reviewed and updated regularly as part of the organization’s change management
process to ensure that new information is documented and contingency measures are revised if
required.”

Failure to disseminate a complete and current contingency plan to key stakeholders increases the
risk that the agency is unable to efficiently restore operations in the event of a disaster.

Recommendation 51 addresses the deficiencies in this metric.

Metric 67 – Contingency Planning Other Information

There are no additional comments regarding contingency planning.





                    APPENDIX I – Detailed FISMA Results by Metric

KEY: Red – Ad Hoc; Yellow – Defined; Green – Consistently Implemented or higher

U.S. OPM Overall Maturity Level – Agency Overall Cybersecurity Program: Level 2: Defined

Metric Number and Description                                          Metric Maturity Level

Function Maturity Level – Identify: Level 1: Ad Hoc

  Domain Maturity Level – Risk Management and Contractor Systems: Level 1: Ad Hoc

    1 - Inventory of Major Systems and System Interconnections                  1
    2 - Hardware Inventory                                                      2
    3 - Software Inventory                                                      1
    4 - System Security Categorization                                          3
    5 - Risk Policy and Strategy                                                1
    6 - Information Security Architecture                                       1
    7 - Risk Management Roles, Responsibilities, and Resources                  2
    8 - Plan of Action and Milestones                                           2
    9 - System Level Risk Assessments                                           2
    10 - Risk Communication                                                     3
    11 - Contractor Clauses                                                     3
    12 - Centralized Enterprise-wide Risk Tool                                  1
    13 - Risk Management Other Information - SDLC                              n/a

Function Maturity Level – Protect: Level 3: Consistently Implemented

  Domain Maturity Level – Configuration Management: Level 2: Defined

    14 - Configuration Mgt. Roles, Responsibilities, and Resources              2
    15 - Configuration Management Plan                                          2
    16 - Implementation of Policies and Procedures                              2
    17 - Baseline Configurations                                                1
    18 - Security Configuration Settings                                        1
    19 - Flaw Remediation and Patch Management                                  2
    20 - Trusted Internet Connection Program                                    3
    21 - Configuration Change Control Management                                3
    22 - Configuration Management Other Information                            n/a

  Domain Maturity Level – Identity and Access Management: Level 3: Consistently Implemented

    23 - ICAM Roles, Responsibilities, and Resources                            2
    24 - ICAM Strategy                                                          1
    25 - Implementation of ICAM Program                                         3
    26 - Personnel Risk                                                         4
    27 - Access Agreements                                                      3
    28 - Multi-factor Authentication with PIV                                   3
    29 - Strong Authentication Mechanisms for Privileged Users                  3
    30 - Management of Privileged User Accounts                                 3
    31 - Remote Access Connections                                              4
    32 - ICAM Other Information - Contractor Access Management                 n/a

  Domain Maturity Level – Data Protection and Privacy: Level 1: Ad Hoc

    33 - Data Protection and Privacy Policies and Procedures                    1
    34 - Data Protection and Privacy Controls                                   1
    35 - Data Exfiltration Protection                                           1
    36 - Data Breach Response Plan                                              2
    37 - Privacy Awareness Training                                             2
    38 - Other Information - Data Protection and Privacy                       n/a

  Domain Maturity Level – Security Training: Level 3: Consistently Implemented

    39 - Security Training Policies and Procedures                              3
    40 - Assessment of Workforce                                                1
    41 - Security Awareness Strategy                                            3
    42 - Specialized Security Training Policies                                 3
    43 - Tracking IT Security Training                                          4
    44 - Tracking Specialized IT Security Training                              3
    45 - Other Information - Security Training Program                         n/a

Function Maturity Level – Detect: Level 2: Defined

  Domain Maturity Level – Continuous Monitoring: Level 2: Defined

    46 - ISCM Strategy                                                          2
    47 - ISCM Policies and Procedures                                           2
    48 - ISCM Roles, Responsibilities, and Resources                            2
    49 - Ongoing Security Assessments                                           2
    50 - Measuring ISCM Program Effectiveness                                   2
    51 - ISCM Other Information                                                n/a

Function Maturity Level – Respond: Level 4: Managed and Measurable

  Domain Maturity Level – Incident Response: Level 4: Managed and Measurable

    52 - Incident Response Policies, Procedures, Plans, and Strategies          4
    53 - Incident Roles and Responsibilities                                    4
    54 - Incident Detection and Analysis                                        3
    55 - Incident Handling                                                      4
    56 - Sharing Incident Response Information                                  4
    57 - Contractual Relationships in Support of Incident Response              4
    58 - Technology to Support Incident Response                                4
    59 - Incident Response Other Information                                   n/a

Function Maturity Level – Recover: Level 2: Defined

  Domain Maturity Level – Contingency Planning: Level 2: Defined

    60 - Contingency Planning Roles and Responsibilities                        2
    61 - Contingency Planning Policies and Procedures                           2
    62 - Business Impact Analysis                                               1
    63 - Contingency Plan Maintenance                                           2
    64 - Contingency Plan Testing                                               2
    65 - Information System Backup and Storage                                  3
    66 - Communication of Recovery Activities                                   2
    67 - Contingency Planning Other Information                                n/a
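Appendix I rolls the scored metrics up to domain, function, and agency levels; under the FY 2018 IG FISMA reporting metrics each of those levels is the mode of the levels beneath it. The script below is an added example, not part of the OIG report, that reproduces the roll-up from the Appendix I values; the tie handling (a group with no single mode is reported as such rather than resolved) is an assumption, since the report states no tie-break rule.

```python
from collections import Counter
from typing import Dict, List, Optional

# Metric maturity levels transcribed from the Appendix I table. Metrics the
# appendix reports as "n/a" (13, 22, 32, 38, 45, 51, 59, 67) carry no level and
# are omitted. Domain grouping and the mapping of domains to Cybersecurity
# Framework functions follow the appendix layout.
METRIC_LEVELS: Dict[str, Dict[int, int]] = {
    "Risk Management": {1: 1, 2: 2, 3: 1, 4: 3, 5: 1, 6: 1, 7: 2, 8: 2,
                        9: 2, 10: 3, 11: 3, 12: 1},
    "Configuration Management": {14: 2, 15: 2, 16: 2, 17: 1, 18: 1,
                                 19: 2, 20: 3, 21: 3},
    "Identity and Access Management": {23: 2, 24: 1, 25: 3, 26: 4, 27: 3,
                                       28: 3, 29: 3, 30: 3, 31: 4},
    "Data Protection and Privacy": {33: 1, 34: 1, 35: 1, 36: 2, 37: 2},
    "Security Training": {39: 3, 40: 1, 41: 3, 42: 3, 43: 4, 44: 3},
    "Continuous Monitoring": {46: 2, 47: 2, 48: 2, 49: 2, 50: 2},
    "Incident Response": {52: 4, 53: 4, 54: 3, 55: 4, 56: 4, 57: 4, 58: 4},
    "Contingency Planning": {60: 2, 61: 2, 62: 1, 63: 2, 64: 2, 65: 3, 66: 2},
}

FUNCTIONS: Dict[str, List[str]] = {
    "Identify": ["Risk Management"],
    "Protect": ["Configuration Management", "Identity and Access Management",
                "Data Protection and Privacy", "Security Training"],
    "Detect": ["Continuous Monitoring"],
    "Respond": ["Incident Response"],
    "Recover": ["Contingency Planning"],
}

# Level names of the FY 2018 IG maturity model; level 5 is unused in this report.
LEVEL_NAMES = {1: "Ad Hoc", 2: "Defined", 3: "Consistently Implemented",
               4: "Managed and Measurable", 5: "Optimized"}


def mode_level(levels: List[int]) -> Optional[int]:
    """Return the single most frequent level, or None when the highest count is
    shared by two or more levels. Assumption: the report gives no tie-break
    rule, so a tie is surfaced rather than silently resolved."""
    ranked = Counter(levels).most_common()
    if not ranked:
        return None
    top_count = ranked[0][1]
    if len(ranked) > 1 and ranked[1][1] == top_count:
        return None
    return ranked[0][0]


def domain_levels() -> Dict[str, Optional[int]]:
    """Domain level = mode of the levels of its scored metrics."""
    return {name: mode_level(list(m.values())) for name, m in METRIC_LEVELS.items()}


def function_levels() -> Dict[str, Optional[int]]:
    """Function level = mode of its domain levels; an unresolved domain propagates."""
    domains = domain_levels()
    result: Dict[str, Optional[int]] = {}
    for fn, members in FUNCTIONS.items():
        member_levels = [domains[d] for d in members]
        result[fn] = None if None in member_levels else mode_level(member_levels)
    return result


def overall_level() -> Optional[int]:
    """Agency level = mode of the five function levels."""
    fns = list(function_levels().values())
    return None if None in fns else mode_level(fns)


def describe(level: Optional[int]) -> str:
    """Human-readable form of a rolled-up level, flagging ties explicitly."""
    if level is None:
        return "no single mode (tie)"
    return f"{level} - {LEVEL_NAMES[level]}"


if __name__ == "__main__":
    fn_levels = function_levels()
    dom_levels = domain_levels()
    for fn, members in FUNCTIONS.items():
        print(f"{fn}: {describe(fn_levels[fn])}")
        for d in members:
            print(f"  {d}: {describe(dom_levels[d])}")
    print(f"Agency overall: {describe(overall_level())}")
```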


          APPENDIX II – Status of Prior OIG Audit Recommendations
The table below outlines the current status of recommendations issued in the FY 2017 FISMA audit (Report No. 4A-CI-00-17-020,
issued October 27, 2017).

 Rec #     Original Recommendation                                  Recommendation History               Current Status
 1         We recommend that OPM hire a sufficient number of        New recommendation for FY 2016       OPEN: Rolled forward as Report
           ISSOs to adequately support all of the agency’s major                                         4A-CI-00-18-038 Recommendation 1
           information systems.




 2         We recommend that all active systems in OPM’s inventory Rolled Forward from FY 2014           OPEN: Rolled forward as Report
           have a complete and current Authorization.                                                    4A-CI-00-18-038 Recommendation 3
 3         We recommend that the performance standards of all OPM Rolled forward from FY 2014            OPEN: Rolled forward as Report
           system owners be modified to include a requirement related                                    4A-CI-00-18-038 Recommendation 4
           to FISMA compliance for the information systems they
           own. At a minimum, system owners should be required to
           ensure that their systems have valid Authorizations.
 4         We recommend that the OCIO ensure that all ISAs are        Rolled forward from FY 2014        OPEN: Rolled forward as Report
           valid and properly maintained.                                                                4A-CI-00-18-038 Recommendation 6

 5         We recommend that the OCIO ensure that a valid MOU/A Rolled forward from FY 2014              OPEN: Rolled forward as Report
           exists for every interconnection.                                                             4A-CI-00-18-038 Recommendation 7
 6         We recommend that OPM improve its system inventory by Rolled forward in FY 2016               OPEN: Rolled forward as Report
           correlating the elements of the inventory to the servers and                                  4A-CI-00-18-038 Recommendation 8
           information systems they reside on.
 7         We recommend that OPM define the standard data               New recommendation for FY 2017   OPEN: Rolled forward as Report
           elements for an inventory of software assets and licenses                                     4A-CI-00-18-038 Recommendation 10
           with the detailed information necessary for tracking and
     reporting, and that it update its software inventory to include these standard data
     elements.

8    We recommend that OPM define and communicate a risk management strategy based on
     the requirements outlined in NIST SP 800-39.
     New recommendation for FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 11.

9    We recommend that OPM update its enterprise architecture to include the information
     security architecture elements required by NIST and OMB guidance.
     New recommendation for FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 12.

10   We recommend that OPM continue to develop its Risk Executive Function to meet all of
     the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive
     (Function).
     Rolled forward from FY 2011. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 13.

11   We recommend that OPM adhere to remediation dates for its POA&M weaknesses.
     Rolled forward from FY 2016. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 14.

12   We recommend that OPM update its POA&M entries to reflect both the original and
     updated remediation deadlines when the control weakness has not been addressed by the
     originally scheduled deadline (i.e., the POA&M deadline should not reflect a date in
     the past).
     New recommendation for FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 15.

13   We recommend that OPM complete risk assessments for each major information system
     that are compliant with NIST guidelines and OPM policy. The results of a complete and
     comprehensive test of security controls should be incorporated into each risk
     assessment.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 16.

14   We recommend that OPM identify and define the requirements for an automated
     enterprise-wide solution for tracking risks, remediation efforts, dependencies, risk
     scores, and management dashboards and implement the automated enterprise-wide
     solution.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 17.

15   We continue to recommend that the OCIO develop a plan and timeline to enforce the new
     SDLC policy on all of OPM’s system development projects.
     Rolled forward from FY 2013. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 18.

16   We recommend that OPM perform a gap analysis to determine the configuration
     management resource requirements (people, processes, and technology) necessary to
     effectively implement the agency’s CM program.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 19.

17   We recommend that OPM document the lessons learned from its configuration
     management activities and update its configuration management plan as appropriate.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 20.

18   We recommend that OPM develop and implement a baseline configuration for all
     information systems in use by OPM.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 21.

19   We recommend that the OCIO conduct routine compliance scans against established
     baseline configurations for all OPM information systems. This recommendation cannot
     be addressed until Recommendation 18 has been implemented.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 22.

20   We recommend that the OCIO develop and implement [standard security configuration
     settings] for all operating platforms in use by OPM.
     Rolled forward from FY 2014. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 23.

21   We recommend that the OCIO conduct routine compliance scans against [the standard
     security configuration settings] for all servers and databases in use by OPM. This
     recommendation cannot be addressed until Recommendation 20 has been completed.
     Rolled forward from FY 2014. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 24.

22   For OPM configuration standards that are based on a pre-existing generic standard, we
     recommend that OPM document all instances where the OPM-specific standard deviates
     from the recommended configuration setting.
     Rolled forward from FY 2016. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 25.

23   We recommend that the OCIO implement a process to ensure routine vulnerability
     scanning is conducted on all network devices documented within the inventory.
     Rolled forward from FY 2014. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 28.

24   We recommend that the OCIO implement a process to ensure that only supported software
     and operating platforms are used within the network environment.
     Rolled forward from FY 2016. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 29.

25   We recommend that the OCIO implement a process to centrally track the current status
     of security weaknesses identified during vulnerability scans to remediation or risk
     acceptance.
     Rolled forward from FY 2014. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 30.

26   We recommend that the OCIO implement a process to apply operating system and third
     party vendor patches in a timely manner.
     Rolled forward from FY 2014. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 31.

27   We recommend that OPM conduct an analysis to identify limitations in the current ICAM
     program in order to ensure that stakeholders have adequate resources (people,
     processes, and technology) to implement the agency’s ICAM activities.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 32.

28   We recommend that OPM develop and implement an ICAM strategy that considers a review
     of current practices (“as-is” assessment) and the identification of gaps (from a
     desired or “to-be” state), and contains milestones for how the agency plans to align
     with Federal ICAM initiatives.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 33.

29   We recommend that OPM implement a process to capture and share lessons learned on the
     effectiveness of its ICAM policies, procedures, and processes to update the program.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 34.

30   We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its
     major information systems to require multi-factor authentication using PIV
     credentials.
     Rolled forward from FY 2012. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 35.

31   We recommend that the OCIO maintain a centralized list of all contractors that have
     access to the OPM network and use this list to routinely audit all user accounts for
     appropriateness.
     Rolled forward from FY 2016. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 36.

32   We recommend that OPM develop and conduct an assessment of its workforce’s knowledge,
     skills and abilities in order to identify any skill gaps and specialized training
     needs.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 44.

33   We recommend that OPM develop and document a security awareness and training
     strategy tailored to its mission and risk environment.
     New recommendation in FY 2017. CLOSED: Closed with issuance of Final Report
     4A-CI-00-18-038.

34   We recommend that OPM conduct an analysis to identify any resource gaps within its
     current ISCM program. OPM should use the results of this gap analysis to ensure
     stakeholders have adequate resources to effectively implement ISCM activities based
     on OPM’s policies and procedures.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 46.

35   We recommend that OPM ensure that an annual test of security controls has been
     completed for all systems.
     Rolled forward from FY 2008. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 47.

36   We recommend that OPM evaluate qualitative and quantitative performance measures on
     the performance of its ISCM program once it can consistently acquire security
     assessment results, as referenced in recommendation 35.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 48.

37   We recommend that the OCIO conduct an agency-wide BIA and incorporate the results
     into the system-level contingency plans.
     New recommendation in FY 2017. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 50.

38   We recommend that the OCIO ensure that all of OPM’s major systems have contingency
     plans in place and that they are reviewed and updated annually.
     Rolled forward from FY 2014. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 51.

39   We recommend that OPM test the contingency plans for each system on an annual basis.
     Rolled forward from FY 2008. OPEN: Rolled forward as Report 4A-CI-00-18-038
     Recommendation 52.

                                APPENDIX III




This appendix contains the U.S. Office of Personnel Management’s October 1, 2018, response to
the draft audit report, issued September 17, 2018.




                    UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                 Washington, DC 20415

The Director
                                                October 1, 2018

Memorandum For:    Acting Chief, Information Systems Audit Group
                   Office of the Inspector General

From:              Dr. Jeff T. H. Pon
                   Director

Subject:           Office of Personnel Management Response to the Office of the
                   Inspector General Federal Information Security Modernization
                   Act Audit – FY 2018 (Report No. 4A-CI-00-18-038)


Thank you for the opportunity to provide comments to the Office of the Inspector General
(OIG) draft report for the Federal Information Security Modernization Act (FISMA) Audit for
the U.S. Office of Personnel Management (OPM). The OIG comments are valuable to the
agency as they afford us an independent assessment of our operations and help guide our
improvements to enhance the security of the data furnished to OPM by the Federal workforce,
the Federal agencies, our private industry partners, and the public.

While we do not agree with all of the recommendations made in this report, we appreciate
OIG's focus on attaining the perfect model of a fully matured, FISMA-compliant
cybersecurity program as set forth by the FISMA maturity model and underlying metrics.
This year, OPM concurs with 24 of the OIG's 52 recommendations and respectfully
non-concurs or partially concurs with the remaining 28 recommendations.

At the outset, OPM emphasizes that it has made great strides over the past year that are not
given due credit in the audit report. For instance, we believe that OPM's efforts to develop
more robust capabilities to search its systems consistent with past OIG recommendations, and
that we discovered, catalogued, or removed dormant legacy software, systems, or hardware
demonstrate the hallmarks of Level 4 maturity. However, OIG has reacted to OPM's
improved capabilities and processes by downgrading the system Authority area to a material
weakness. OPM disputes that the identification and removal of such systems equates to a
failure to establish a full system inventory or to utilize an appropriate Authorization process.
That OIG would apparently penalize OPM for the success of its corrective efforts
discourages the overall growth and improvement in our system management process.

OPM also notes that a number of the conclusions reached by the OIG in this report appear to
be unsubstantiated or reflect a subjective opinion. In some instances, the OIG's comments
intrude on the broad discretion afforded to the agency by FISMA to make its own choices
regarding appropriate safeguards that are administratively and technologically feasible. The
OIG offers comments on OCIO's staffing choices, suggesting that FISMA-related
performance standards should be incorporated into performance plans for certain job
categories and recommending that OCIO undertake a gap analysis as a top priority to
determine appropriate resource and staffing needs. The report reflects that OIG's decision to
downgrade OPM's security governance structure to a material weakness is largely based on
OIG's opinions on OPM staffing decisions. This conclusion ignores the numerous steps that
OPM has taken this year to continue to enhance its cybersecurity posture, such as expanded
control testing, conducting risk assessments, completion of an agency-wide Business Impact
Assessment (BIA), conducting development of the Security Awareness and Training strategy,
asset discovery, and better defined system boundaries. OPM does not agree that this area
should be downgraded, but will take the OIG's suggestions under advisement and will
continue to work with the appropriate personnel within the agency on these topics. In
addition, OCIO is committed to appropriate staffing and maintenance of sufficient resources
to support OPM's cybersecurity needs. As you will see in our response to several staffing-
related recommendations, senior agency leadership is taking steps to help ensure that critical
positions within OCIO are funded and allocated. With this support, the agency is actively
interviewing candidates for vacant positions within OCIO and has already extended some
offers of employment to fill Information System Security Officer (ISSO) and other roles.

Elsewhere, OIG prescribes the use of automated tools, such as in Recommendation 17, where
it recommends that OPM implement an automated, enterprise-wide solution for risk tracking
and remediation. There is no requirement that OPM employ automated tools, and this
recommendation intrudes on OPM's discretion to identify the right tools for its unique needs.
Nonetheless, as is discussed in more detail later in this response, OPM agrees that a
centralized tool is beneficial and is already well into the process of implementing one.

Finally, OPM and OIG continue to work together toward mutual understanding of the use of
the evolving FISMA maturity model and its underlying metrics that were first introduced in
Fiscal Year 2017. This year, a new domain area was included in the maturity model that
covers Data Protection and Privacy. OPM recognizes that the report this year will establish a
baseline for OPM's future progress in that area and looks forward to further discussion about
privacy and its intersection with data security.

Each of the recommendations provided in the draft report is discussed below:

Recommendation 1

We recommend that OPM hire a sufficient number of ISSOs to adequately support all of the
agency's major information systems.

Management Response: We concur with the recommendation. The OPM OCIO has
conducted an analysis on the funding requirements for ISSO positions and understands where
the gaps are. OPM is actively recruiting for these positions, having extended two offers at the
end of September and continuing with interviews into early October.

Recommendation 2

We recommend that OPM ensure that OCIO's senior leadership vacancies are filled and that
there is a proper separation of duties for assigned roles and responsibilities.

Management Response: We concur with the recommendation. OPM understands the
importance of having the individual in the role of the Chief Information Security Officer have
information security as his or her primary duties, and will assign an individual to this role in
Fiscal Year (FY) 2019.

Recommendation 3

We recommend that all active systems in OPM's inventory have a complete and current
Authorization.

Management Response: We do not concur with the recommendation based on the conditions
of the recommendation. While OPM agrees with the premise that all active systems in the
inventory must have a complete and current authorization, it does not agree with the OIG's
conclusion that discovery of assets means that the system inventory and related authorizations
are not complete. As referenced by the OIG, significant efforts have been taken by OPM to
identify hardware and software assets on its network, including better detection of system
boundaries, showing that actions have already been taken that are consistent with past OIG
recommendations in this area and that achieve the goal of those recommendations. Issuance of
this recommendation along with the supporting language in the report suggests that OPM's
posture has worsened, when in fact the work being done in this area clearly shows that OPM
has been making strides in the maturity of these programs. Every active system within the
inventory has a complete and current authorization and OPM provided to OIG the
authorization letters for each system within its system inventory during this annual audit. If
systems are identified as a part of OPM's continuous monitoring activities, they will be added
to the inventory after completing an assessment and authorization, as appropriate, for that
system.

Recommendation 4

We recommend that the performance standards of all OPM system owners be modified to
include a requirement related to FISMA compliance for the information systems they own. At
a minimum, system owners should be required to ensure that their systems have valid
Authorizations.

Management Response: We do not concur with the recommendation. The agency has taken,
and will continue to take, OIG's recommendation under advisement and agrees that system
owners provide support to the business processes of the agency. However, performance
metric adjustments would need input and guidance from the Human Capital Office. Apart
from changes to performance standards, OPM will continue to identify appropriate ways to
work with system owners to help ensure FISMA compliance. For instance, recently issued
cybersecurity policies set forth expectations and requirements for system owners, consistent
with NIST 800 Series guidance.

Recommendation 5

We recommend that OPM improve the policies and procedures for defining system
boundaries and classifying the systems in its environment.

Management Response: We do not concur with the recommendation. OPM believes the OIG
has provided no basis for determining that the current policy and procedures for defining
system boundaries and classifying systems do not contain a sufficient level of detail to be
consistently enforced. The OIG simply states that "[t]he current policy and procedures for
defining system boundaries and classifying systems does not appear to contain a sufficient
level of detail to be consistently enforced." (emphasis added). The agency considers its
policy, which is based on NIST guidance and recommendations, to be sufficient and without
need of further improvement. Nonetheless, although it is our view that we have fulfilled the
requirements of this recommendation, OPM asks the OIG to clarify their rationale on this
recommendation.

Recommendation 6

We recommend that the OCIO ensure that all interconnection security agreements are valid
and properly maintained.

Management Response: We concur with the recommendation. Continued updates to
centralized tracking, including those that have been released in September 2018, will
improve overall management of the Interconnection Security Agreements (ISAs).

Recommendation 7

We recommend that the OCIO ensure that a valid memorandum of understanding/agreement
exists for every interconnection.

Management Response: We concur with the recommendation. Continued updates to
centralized tracking, including those that have been released in September 2018, will
improve overall management of Memoranda of Understanding (MOUs).

Recommendation 8

We recommend that OPM improve its system inventory by correlating the elements of the
inventory to the servers and information systems they reside on.

Management Response: We concur with the recommendation. OPM relies on support from
the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM)
program to support the implementation of these requirements. OPM has been at the forefront
of working with DHS throughout the lifecycle of the CDM program and will maintain this
partnership as CDM continues to evolve. The recommendation here underscores efforts
across the Federal government and is not unique to OPM.

Recommendation 9

We recommend that OPM define policies and procedures for a centralized software
inventory.

Management Response: We do not concur with the recommendation. While we concur with
the general premise of having policies and procedures related to a centralized software
inventory, OPM notes that it already has appropriate policies and procedures in place. The
OIG states that, "OPM has changed its policy and no longer has a centralized software
inventory... " This statement is not correct. OPM issued a Secure Asset Management Policy in
January 2018 to reinforce existing asset management requirements and define requirements
for management of hardware and software assets. The implementation of a centralized
repository for the inventory of these assets is explicitly required by the policy. OPM has also
issued an Information Security Continuous Monitoring Strategy, referenced by the OIG in
Section I. The strategy describes the objectives, significant activities, and roles and
responsibilities of the continuous monitoring program, which are aligned to the policy.

Further, the OIG report references supplemental guidance from the NIST 800-53, Rev. 4,
CM-8 security control in the text related to this recommendation. However, NIST guidance
affords agencies significant latitude to determine whether to implement a centralized
inventory, and implementation of a centralized inventory is not part of a baseline control per
NIST guidance. Therefore, in essence, the OIG's conclusion that there is a deficiency is based
on a determination that OPM has not implemented controls that exceed the baseline. Such a
conclusion intrudes on matters within the agency's discretion.

Recommendation 10

We recommend that OPM define the standard data elements for an inventory of software
assets and licenses with the detailed information necessary for tracking and reporting, and that
it update its software inventory to include these standard data elements.

Management Response: We concur with the recommendation. OPM completed the
definitions for standard data elements for an inventory of software assets and licenses at the
end of August 2018. The standard data elements are provided along with this response. OPM
continues to work with DHS on the implementation of the CDM program and will adopt
these data elements within its current software asset management capabilities.

Recommendation 11

We recommend that OPM define and communicate a risk management strategy based on the
requirements outlined in NIST SP 800-39.

Management Response: We concur with the recommendation. OPM published a
Cybersecurity Risk Management Strategy based on the requirements in NIST SP800-39 in
September 2018. The Cybersecurity Risk Management Strategy can be provided upon
request.

Recommendation 12

We recommend that OPM update its enterprise architecture to include the information
security architecture elements required by NIST and OMB guidance.

Management Response: We concur with the recommendation. As stated in the report, a
contract was awarded and activities are in progress to develop the enterprise architecture.
Despite projected completion dates well into FY 19, we expect that OPM will properly
integrate the necessary information security architecture as a part of this process.

Recommendation 13

We recommend that OPM continue to develop its Risk Executive Function to meet all of the
intended requirements outlined in NIST SP 800-39, Section 2.3.2 Risk Executive (Function).

Management Response: We partially concur with the recommendation. As described under
Recommendation 11, OPM published a Cybersecurity Risk Management Strategy based on
the requirements in NIST SP800-39 in September 2018. OPM also drafted an Enterprise Risk
Management Policy, Enterprise Risk Management Strategy, and an updated charter for the
Risk Management Council. OPM expects to finalize and operationalize these documents early
in the first quarter of FY 19. OPM does not concur that the resource limitations described in
Section B of the report will impact OPM's ability to develop its Risk Executive Function
since those resource limitations are not a part of that function.

Recommendation 14

We recommend that OPM adhere to remediation dates for its POA&M weaknesses.

Management Response: We concur with the recommendation. The OCIO will use several
processes to remediate this recommendation, including the new Enterprise Project
Management Office (PMO), centralized POA&M management tool updates to streamline
management of the POA&Ms, and quarterly performance management of POA&M
processes.

Recommendation 15

We recommend that OPM update the remediation deadline in its POA&Ms when the control
weakness has not been addressed by the originally scheduled deadline (i.e., the POA&M
deadline should not reflect a date in the past).

Management Response: We concur with the recommendation. The OCIO will utilize several
processes to remediate this recommendation, including the new EPMO, centralized POA&M
management tool updates to streamline management of the POA&Ms, and quarterly
performance management of POA&M processes.

Recommendation 16

We recommend that OPM complete risk assessments for each major information system that
are compliant with NIST guidelines and OPM policy. The results of a complete and
comprehensive test of security controls should be incorporated into each risk assessment.

Management Response: We concur with this recommendation. Supported by agency
leadership, the OCIO has committed to providing the resources and staffing to properly
enforce compliance through ISSOs and the development of an independent assessment team
of contractors. The independent assessment team has begun efforts to conduct risk
assessments in a consistent manner.

Recommendation 17

We recommend that OPM identify and define the requirements for an automated enterprise-
wide solution for tracking risks, remediation efforts, dependencies, risk scores, and
management dashboards and implement the automated enterprise-wide solution.

Management Response: We partially concur with the recommendation. OPM recognizes the
need for tracking risks to OPM and OPM systems as defined in the OPM Risk Management
Strategy; however, no federal requirements define the requirement for an automated
centralized tool for tracking such risks. Additionally, OPM believes this recommendation may
intrude on its discretion to allocate and manage resources in this area. Nonetheless, OPM
exercised its broad discretion under FISMA to develop requirements for an automated
enterprise-wide solution and will continue to leverage appropriate tools to document and
manage risk related to OPM IT systems.

Recommendation 18

We continue to recommend that the OCIO develop a plan and timeline to enforce the new
SDLC policy to all of OPM's system development projects.

Management Response: We concur with the recommendation. OPM recognizes the need to
enforce its SDLC policy on all IT projects. As referenced by the OIG for this metric, OPM is
establishing a new EPMO that will address this recommendation.

Recommendation 19

We recommend that OPM perform a gap analysis to determine the configuration management
resource requirements (people, processes, and technology) necessary to effectively implement
the agency's CM program.

Management Response: We concur with the recommendation. As referenced by the OIG,
OPM has already dedicated resources to establishing a new EPMO. Defining the resource
requirements to effectively implement the configuration management program is one of the
objectives of the effort.

Recommendation 20

We recommend that OPM document the lessons learned from its configuration management
activities and update its configuration management plan as appropriate.

Management Response: We do not concur with this recommendation. OPM is in the process
of establishing a new EPMO that will significantly modify its configuration management
practices and create new planning tools. Given the transformation already underway in this
area that will incorporate best practices based on lessons learned and other factors, OPM does
not agree that this recommendation is timely or appropriate.

Recommendation 21

We recommend that OPM develop and implement a baseline configuration for all information
systems in use by OPM.

Management Response: We concur with the recommendation. OPM is establishing a new
EPMO that will address this recommendation.

Recommendation 22

We recommend that the OCIO conduct routine compliance scans against established baseline
configurations for all OPM information systems. This recommendation cannot be addressed
until Recommendation 21 has been implemented.

Management Response: We concur with this recommendation. OPM is establishing a new
EPMO that will address this recommendation.

Recommendation 23

We recommend that the OCIO develop and implement [standard security configuration
settings] for all operating platforms in use by OPM.

Management Response: We concur with the recommendation. OPM plans to expand and
implement standard security configurations for all servers and databases.

Recommendation 24

We recommend that the OCIO conduct routine compliance scans against [the standard
security configuration settings] for all servers and databases in use by OPM. This
recommendation cannot be addressed until Recommendation 23 has been completed.

Management Response: We do not concur with the recommendation. The OCIO is currently
conducting scans of OPM servers and databases. OCIO will continue the practice for any new
security standards that we introduce or implement. The practice that OPM currently has in
place is working appropriately and is consistent with security standards.

Recommendation 25

For OPM configuration standards that are based on a pre-existing generic standard, we
recommend that OPM document all instances where the OPM-specific standard deviates from
the recommended configuration setting.

Management Response: We concur with the recommendation. Increased ISSO resources will
allow for expanded documentation and approval of deviations.

Recommendation 26

We recommend that the OCIO implement a process to ensure new server installations are
included in the scan repository.

Management Response: We concur with this recommendation. Projects involving changes to
the environment that include new server installations should not be considered complete until
this action is completed. We have identified security actions that should be completed, based
on types of changes that are made, that will be integrated into the change control process.

Recommendation 27

We recommend that the OCIO implement a process for updating and maintaining credentials
for its scanning accounts.

Management Response: We do not concur with this recommendation because OCIO has
already implemented a process for updating and maintaining credentials for its scanning
accounts and provided information to reflect that implementation to the OIG in May 2018.

Implementation occurred immediately following the conclusion of the prior year FISMA
audit in response to the issuance of Recommendation 23 from the OIG Report 4A-CI-00-17-020.

Recommendation 28

We recommend that the OCIO implement a process to ensure routine vulnerability scanning
is conducted on all network devices documented within the inventory.

Management Response: We do not concur with this recommendation. As described under our
response to Recommendation 27, OPM implemented a process for updating and maintaining
credentials for its scanning accounts and provided information to reflect that implementation
to the OIG in May 2018. Implementation occurred immediately following the conclusion of
the prior year FISMA audit in response to the issuance of Recommendation 23 from the OIG
Report 4A-CI-00-17-020.

Recommendation 29

We recommend that the OCIO implement a process to ensure that only supported software
and operating platforms are used within the network environment.

Management Response: We partially concur with the recommendation. OPM understands we
have unsupported software and operating systems; however, risk assessments and mitigating
controls have been implemented by the agency so that detected vulnerabilities cannot be
exploited. Additionally, projects are underway to remove unsupported software and systems
from the network.

Recommendation 30

We recommend that the OCIO implement a process to centrally track the current status of
security weaknesses identified during vulnerability scans to remediation or risk acceptance.

Management Response: We do not concur with the recommendation because OPM has
already implemented this type of process. The OIG states in the report that OPM does not
have a process to record or track the remediation status for other routine security weaknesses
identified during vulnerability scans. However, in February 2018, OPM developed a process
for tracking the remediation status of weaknesses identified during vulnerability scans in
response to the prior year audit. OPM intends to use this process until the DHS CDM
program delivers automated data feeds to OPM's tracking repository.

Recommendation 31

We recommend that the OCIO implement a process to apply operating system and third party
vendor patches in a timely manner.

Management Response: We partially concur with the recommendation. The agency has a
process for patch management to help ensure timely deployment of patches and has seen
significant improvements in timeliness and an ability to routinize patch deployments over the
past year. OCIO expects further improvements in timeliness over the upcoming year and will
utilize enterprise change management processes. This change management process will
include submissions of evidence supporting adherence to the processes. In the short term, a
patch management tiger team plan is in draft form.

Recommendation 32

We recommend that OPM conduct an analysis to identify limitations in the current ICAM
program in order to ensure that stakeholders have adequate resources (people, processes, and
technology) to implement the agency's ICAM activities.

Management Response: We partially concur with this recommendation. The agency does not
consider ICAM to be a distinct program, though it could potentially be deemed a service area
under the Security Operations Center Monitoring and Analysis team. The agency has initial
plans on how to address this recommendation that can be incorporated as part of a long term
strategy.

Further, the OIG references the loss of ISSOs as a reason for the lack of implementation of
ICAM controls but does not explain the connection it has made between ISSO resourcing and
the perceived limitations in the ICAM program. It is difficult for OPM to assess its response
to this recommendation without further information.

Recommendation 33

We recommend that OPM develop and implement an ICAM strategy that considers a review
of current practices ("as-is" assessment) and the identification of gaps (from a desired or "to-
be" state), and contains milestones for how the agency plans to align with Federal ICAM
initiatives.

Management Response: We partially concur with this recommendation. The agency does not
consider ICAM to be a distinct program though it could potentially be deemed a service area
under the Security Operations Center Monitoring and Analysis team. The agency has initial
plans on how to address this recommendation that can be incorporated as part of a long term
strategy.

Recommendation 34

We recommend that OPM implement a process to capture and share lessons learned on the
effectiveness of its ICAM policies, procedures, and processes to update the program.

Management Response: We partially concur with this recommendation. The agency does not
consider ICAM to be a distinct program though it could potentially be deemed a service area
under the Security Operations Center Monitoring and Analysis team. The agency has initial
plans on how to address this recommendation that can be incorporated as part of a long term
strategy.

Recommendation 35

We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its
major information systems to require multi-factor authentication using PIV credentials.

Management Response: We concur with the recommendation. The OCIO has plans to deploy
an identity and access tool to assist with meeting OMB M-11-11.

Recommendation 36

We recommend that OCIO maintain a centralized list of all contractors that have access to the
OPM network and use this list to routinely audit all user accounts for appropriateness.

Management Response: We concur with the recommendation. The OCIO has incorporated
policy requirements into tool deployment. Use of this tool will also aid in auditing of user
accounts.

Recommendation 37

We recommend that OPM define the roles and responsibilities necessary for the
implementation of the agency's privacy program.

Management Response: We partially concur. We agree that in order for the privacy program
to develop into a more robust program, additional resources along with more clearly
articulated roles and responsibilities are needed, both in the office that has immediate
responsibility for privacy matters and throughout OPM. We disagree that no roles and
responsibilities for privacy are currently defined at OPM. OPM elevated the Chief Privacy
Officer/Senior Agency Official for Privacy to a senior-level position reporting directly to the
Director of OPM. That position, based on the position description and the requirements set
forth in guidance from the Office of Management and Budget, has responsibility for privacy
policy and compliance at OPM.

Recommendation 38

We recommend that OPM develop its privacy program by creating the necessary plans,
policies, and procedures for the protection of PII.

Management Response: We partially concur. We agree that a more focused articulation of
privacy policies and procedures that are separate from and/or integrated with information
security policy and procedures, as appropriate, will be beneficial and we are working towards
that end. We disagree that there are not currently in place plans, policies, and procedures for
the protection of PII. The Information Security and Privacy Policy Handbook includes
appropriate privacy provisions, as do the current PIA and SORN guides. In addition, the
Chief Privacy Officer implemented a robust template for Privacy Impact Assessments (PIA)
that has been in use since calendar year 2017, as well as a new template for Privacy Threshold
Analyses (PTA). The PTA template has been implemented both to determine the need for a
PIA or a Privacy Act system of records notice and to track appropriate privacy controls as
articulated in NIST 800-53, Appendix J. In addition to those OPM-specific policies and
procedures, the agency continues to rely on overarching privacy guidance issued by the
Office of Management and Budget and NIST.

Recommendation 39

We recommend that OPM implement controls over encryption of data at rest on its IT
systems.

Management Response: We do not concur with this recommendation. OPM has implemented
controls over encryption of data at rest on its IT systems. The OIG has not yet provided OPM
with a clear understanding of what evidence is needed to demonstrate that controls over
encryption of data at rest on its IT systems are in place.

Recommendation 40

We recommend that OPM implement controls over encryption of data in transit on its IT
systems.

Management Response: We do not concur with this recommendation. OPM has implemented
controls over encryption of data in transit on its IT systems. The OIG has not yet provided
OPM with a clear understanding of what evidence is needed to demonstrate that controls over
encryption of data at rest on its IT systems are in place.

Recommendation 41

We recommend that OPM develop and implement policies and procedures related to data
exfiltration and enhanced network defenses.

Management Response: We do not concur with this recommendation. OPM has issued
several policies covering the data exfiltration and enhanced network defenses, including: 1)
Information System Monitoring; 2) OPM Boundary Protection; 3) OPM Malicious Code; and
4) Mobile Code.

Recommendation 42

We recommend that OPM develop a process to routinely test the Data Breach Response Plan.

Management Response: We partially concur. We agree that an annual table top exercise to
review the Breach Response Plan can help clarify and refine roles and responsibilities in the
event of a breach and help to more clearly articulate the appropriate risk analysis and
mitigation steps that should be taken, as provided by the Breach Response Plan and OMB
Memorandum 17-12. We disagree with the OIG's underlying premise that not conducting a
table top exercise has increased OPM's risk of major data loss in the event of a security
incident. Annual security and privacy awareness training informs the OPM workforce of
when to report a loss or potential loss of PII to the Security Operations Center (SOC). The
SOC routinely informs appropriate OPM personnel when an incident has occurred and steps
are taken to address and mitigate any potential harm as appropriate. The Chief Privacy Officer
is also a part of the senior members of the OPM staff that routinely meets and interacts with
other key members of the workforce, which allows for consistent communication regarding
the protection of sensitive identifiable information to occur.

Recommendation 43

We recommend that OPM identify individuals with heightened responsibility for PII and
provide role based training to these individuals at least annually.

Management Response: We partially concur. We agree that appropriate annual privacy
training should be provided. This is done formally through the annual security and privacy
awareness training that all individuals at OPM are required to complete. We also agree that it
would be beneficial to evaluate more formally whether there are individuals who, given their
job responsibilities and exposure to PII, should receive any additional annual training. We
disagree with the underlying assumption that individuals who regularly handle PII will always
require specialized formal annual training. In many instances the annual awareness training,
followed by tailored discussions with various offices, can be just as effective. To date, the
Chief Privacy Officer has provided presentations on privacy and engaged in group
discussions with various offices in an effort to further provide appropriate privacy awareness
and compliance.

Recommendation 44

We recommend that OPM develop and conduct an assessment of its workforce's knowledge,
skills and abilities in order to identify any skill gaps and specialized training needs.

Management Response: We concur with this recommendation. OPM completed the
assessment of its workforce's knowledge, skills, and abilities in accordance with the
instructions given for the Federal Cybersecurity Workforce Assessment Act of 2015. This
assessment was completed in August 2018, after the OIG audit testing period, and can be
provided upon request.

Recommendation 45

We recommend that OPM develop and document a security awareness and training strategy
tailored to its mission and risk environment.

Management Response: We do not concur with this recommendation. The Security
Awareness and Training Strategy was completed in May 2018 and was delivered to the OIG
in June 2018. OPM's view is that the strategy is appropriately tailored to the agency mission
and risk environment.

Recommendation 46

We recommend that OPM conduct an analysis to identify any resource gaps within its current
ISCM program. OPM should use the results of this gap analysis to ensure stakeholders have
adequate resources to effectively implement ISCM activities based on OPM's policies and
procedures.

Management Response: We partially concur with this recommendation. OPM agrees that
challenges in resources have affected the ISCM program. OPM has identified needs and has
responded by recruiting and making plans to bring onboard additional personnel.

Recommendation 47

We recommend that OPM ensure that an annual test of security controls has been completed
for all systems.

Management Response: We concur with this recommendation. OPM agrees that challenges in
resources have affected annual control testing. Additional resources joining the OCIO in the
near future will help to ensure thorough annual security control testing for all systems.

Recommendation 48

We recommend that OPM evaluate qualitative and quantitative performance measures on the
performance of its ISCM program once it can consistently acquire security assessment results,
as referenced in recommendation 47.

Management Response: We do not concur with this recommendation. Performance measures
for the ISCM program have been established and the OCIO is conducting an evaluation of the
management of POA&Ms and inventory management. The use of a centralized tool is
expected to provide a significantly expanded capability for evaluation.

Recommendation 49

We recommend that OPM perform a gap-analysis to determine the contingency planning
requirements (people, processes, and technology) necessary to effectively implement the
agency's contingency planning policy.

Management Response: We do not concur with the recommendation. The OCIO is aware of
the technology and resource gaps related to enterprise disaster recovery testing that can result
in an ability to further plan development and conduct exercises and is taking steps,
supported by agency leadership, to eliminate those gaps. The OIG cites ISSO staffing issues
as reason for contingency plan development and testing weaknesses but does not explain how
it has reached this conclusion.

Recommendation 50

We recommend that the OCIO conduct an agency-wide BIA and incorporate the results into
the system-level contingency plans.

Management Response: We do not concur with the recommendation. OPM completed an
agency-wide BIA and developed a new template with instructions for incorporating the
results into system-level contingency plans in May 2018. The document can be provided upon
request.

Recommendation 51

We recommend that the OCIO ensure that all of OPM's major systems have contingency
plans in place and that they are reviewed and updated annually.

Management Response: We concur with the recommendation. The OCIO will coordinate
with each system's Program Management Office (PMO) including the System Owners and
Authorizing officials to help ensure contingency plans are in place and that the annual
review and update of the plans occurs in accordance with policy.

Recommendation 52

We recommend that OPM test the contingency plans for each system on an annual basis.

Management Response: We concur with the recommendation. The OCIO will coordinate
with each system's Program Management Office (PMO) including the System Owners and
Authorizing officials to help ensure annual testing of the contingency plans in accordance
with policy.

Technical Comments on General Federal Information Security Modernization Act
Audit — FY 2018 (Report No. 4A-CI-00-18-038), dated September 17, 2018

- Scope and Methodology, page 4, outlines that the criteria used in conducting the audit
   included OMB Memorandum M-07-16, Safeguarding Against and Responding to the
   Breach of Personally Identifiable Information. OMB M-07-16 was rescinded on January
   3, 2017, by OMB M-17-12, Preparing for and Responding to a Breach of Personally
   Identifiable Information.

- Section G. Data Protection and Privacy, page 33, states that OPM's privacy program is
   supported, in part, by intermittent supporting contract staff. That is not accurate. The
   Chief Privacy Officer does not have any contract staff support and is currently supported
   by two detailees from the OCIO's Information Management Office.

Again, thank you for the opportunity to provide comment. Please contact Mr. David Garcia or
me if you have questions or need additional information.

cc:

Michael D. Dovilla
Chief of Staff

Stephen Billy
Deputy Chief of Staff

David A. Garcia
Chief Information Officer

Kathleen M. McGettigan
Chief Management Officer

Dennis D. Coleman
Chief Financial Officer

Mark W. Lambert
Associate Director, Merit System Accountability and Compliance

Janet L. Barnes
Director, Internal Oversight and Compliance

Jeffrey P. Wagner
Associate Chief Information Officer for Infrastructure

Kathie A. Whipple
Acting General Counsel

Robert M. Leahy
Deputy CIO

Kellie Cosgrove Riley
Chief Privacy Officer

Norbert Vint
Acting Inspector General

Michael R. Esser
Assistant Inspector General for Audits


Auditor-in-Charge, Office of the Inspector General

Anthony C. Marucci
Director, Office of Communications

Jonathan J. Blyth
Director, Congressional, Legislative & Intergovernmental Affairs

Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the
Inspector General staff, agency employees, and the general public. We actively solicit
allegations of any inefficient and wasteful practices, fraud, and mismanagement related
to OPM programs and operations. You can report allegations to us in several ways:

By Internet: http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:    Toll Free Number:        (877) 499-7295
             Washington Metro Area:   (202) 606-2423

By Mail:     Office of the Inspector General
             U.S. Office of Personnel Management
             1900 E Street, NW
             Room 6400
             Washington, DC 20415-1100