862)),&E OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S USA STAFFING SYSTEM Report Number 4A-HR-00-18-013 May 10, 2018 EXECUTIVE SUMMARY Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management’s USA Staffing System Report No. 4A-HR-00-18-013 May 10, 2018 Why Did We Conduct the Audit? What Did We Find? The USA Staffing System is one of the Our audit of the IT security controls of the USA Staffing System determined that: U.S. Office of Personnel Management’s (OPM) major information technology (IT) x The USA Staffing System Security Assessment and Authorization systems. The Federal Information Security (Authorization) was updated in September 2017, and an Authorization to Modernization Act (FISMA) requires that Operate was granted for up to three years. the Office of the Inspector General (OIG) perform an audit of IT security controls of x The security categorization of the USA Staffing System is consistent with this system. Federal Information Processing Standards 199 and NIST Special Publication (SP) 800-60, and we agree with the categorization of “moderate.” What Did We Audit? x OPM completed a Privacy Impact Assessment for the USA Staffing System. The OIG completed a performance audit of the USA Staffing System to ensure that the x The System Security Plan for the USA Staffing System follows the OCIO system’s security controls meet the template, but the system inventory includes instances of unsupported standards established by FISMA, the software. National Institute of Standards and Technology (NIST), the Federal x An independent assessor conducted security controls testing and assessed Information System Controls Audit identified risks for the USA Staffing System. Manual, and OPM’s Office of the Chief Information Officer (OCIO). x The USA Staffing System has been subject to routine testing as part of OPM’s continuous monitoring program. x OPM developed and tested a contingency plan for the USA Staffing System that is generally in compliance with NIST SP 800-34, Revision 1, and the OCIO guidance. x The USA Staffing System Plan of Action and Milestones documentation from the most recent Authorization does not include all identified weaknesses. x We evaluated a subset of the system controls outlined in NIST SP 800-53, Revision 4. We determined most of the security controls tested appear to be in compliance, however we did note two areas for improvement. Michael R. Esser Assistant Inspector General for Audits i ABBREVIATIONS Authorization Security Assessment and Authorization FIPS Federal Information Processing Standards FISMA Federal Information Security Modernization Act HRS Human Resources Solutions IT Information Technology NIST National Institute of Standards and Technology OCIO Office of the Chief Information Officer OIG Office of the Inspector General OMB U.S. Office of Management and Budget OPM U.S. Office of Personnel Management POA&M Plan of Action and Milestones SP Special Publication ii TABLE OF CONTENTS Page EXECUTIVE SUMMARY..........................................................................................i ABBREVIATIONS ..................................................................................................... ii I. BACKGROUND ..........................................................................................................1 II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2 III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5 A. Security Assessment and Authorization ..................................................................5 B. FIPS 199 Analysis ...................................................................................................5 C. Privacy Impact Assessment .....................................................................................6 D. System Security Plan ...............................................................................................6 E. Security Assessment Plan and Report .....................................................................8 F. Continuous Monitoring............................................................................................8 G. Contingency Planning and Contingency Plan Testing.............................................9 H. Plan of Action and Milestones Process....................................................................9 I. NIST 800-53 Evaluation ........................................................................................10 APPENDIX: OPM’s March 20, 2018, response to the draft audit report, issued March 6, 2018. REPORT FRAUD, WASTE, AND MISMANAGEMENT I. BACKGROUND On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act. It requires (1) annual agency program reviews, (2) annual Inspector General evaluations, (3) agency reporting to the U.S. Office of Management and Budget (OMB) the results of Inspector General evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In 2014, Public Law 113-283, the Federal Information Security Modernization Act (FISMA) was established and reaffirmed the objectives of the prior Act. This was our first audit of the USA Staffing System. The USA Staffing System is a web-based application used by human resources personnel to create and manage position vacancy announcements, application assessments and job questionnaires. Job applicants use the system to apply for open jobs, and hiring managers use it to select their candidates. The USA Staffing System is in the process of being upgraded, and there are currently two active versions, legacy and upgrade. Both versions are included in the scope of this audit. The U.S. Office of Personnel Management (OPM)’s Office of the Chief Information Officer (OCIO) and OPM’s Human Resources Solutions (HRS), share responsibility for implementing and managing the information technology (IT) security controls of the USA Staffing System. We discussed the results of our audit with the OCIO and HRS representatives at an exit conference. 1 Report No. 4A-HR-00-18-013 II. OBJECTIVES, SCOPE, AND METHODOLOGY OBJECTIVES Our objective was to perform an audit of the security controls for the USA Staffing System to ensure that OCIO and HRS officials have implemented IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual, and OPM’s OCIO. We accomplished our audit objective by reviewing the degree to which a variety of security program elements were implemented for the USA Staffing System, including: x Security Assessment and Authorization (Authorization); x Federal Information Processing Standards (FIPS) 199 Analysis; x Privacy Impact Assessment; x System Security Plan; x Security Assessment Plan and Report; x Continuous Monitoring; x Contingency Planning and Contingency Plan Testing; x Plan of Action and Milestones Process (POA&M); and x NIST Special Publication (SP) 800-53, Revision 4, Security Controls. SCOPE AND METHODOLOGY We conducted this performance audit in accordance with the Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered security controls and 2 Report No. 4A-HR-00-18-013 FISMA compliance efforts of OPM officials responsible for the USA Staffing System, including the evaluation of IT security controls in place as of January 2018. We considered the USA Staffing System internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. To accomplish our objective, we interviewed representatives of OPM’s OCIO and HRS with security responsibilities for the USA Staffing System, reviewed documentation and system screenshots, viewed demonstrations of system capabilities, and conducted tests directly on the system. We also reviewed relevant OPM IT policies and procedures, Federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required. Details of the security controls protecting the confidentiality, integrity, and availability of the USA Staffing System are located in the “Audit Findings and Recommendations” section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the USA Staffing System internal controls taken as a whole. The criteria used in conducting this audit include: x OPM Information Security and Privacy Policy Handbook; x OMB Circular A-130, Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; x E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002; x P.L. 113-283, Federal Information Security Modernization Act of 2014; x The Federal Information System Controls Audit Manual; x NIST SP 800-12, Revision 1, An Introduction to Information Security; x NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems; x NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments; 3 Report No. 4A-HR-00-18-013 x NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems; x NIST SP 800-37, Revision 1, Guide for Applying Management Framework to Federal Information Systems; x NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; x NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories; x NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities; x FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and x Other criteria as appropriate. In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, we conducted the audit in accordance with the Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States. The OPM Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended, performed the audit. The OIG conducted the audit from November 2017 through January 2018 at OPM’s Washington, D.C. office. COMPLIANCE WITH LAWS AND REGULATIONS In conducting the audit, we performed tests to determine whether OPM’s management of the USA Staffing System is consistent with applicable standards. While generally compliant, with respect to the items tested, OPM was not in complete compliance with all standards, as described in section III of this report. 4 Report No. 4A-HR-00-18-013 III. AUDIT FINDINGS AND RECOMMENDATIONS A. SECURITY ASSESSMENT AND AUTHORIZATION A Security Assessment and Authorization (Authorization) includes 1) a The USA Staffing comprehensive assessment that attests that a system’s security controls System has a are meeting the security requirements of that system and 2) an official current and valid management decision to authorize operation of an information system Authorization. and accept its known risks. OMB’s Circular A-130, Appendix I, mandates that all Federal information systems have a valid Authorization. Although OMB previously required periodic Authorizations every three years, Federal agencies now have the option of continuously monitoring their systems to fulfill the Authorization requirement. However, OPM does not yet have a mature program in place to continuously monitor system security controls, therefore a current Authorization is required for every OPM system. In September 2017 OPM granted an Authorization to Operate that includes both the legacy and upgraded versions of the system. This Authorization to Operate is valid for up to three years and includes the requirement that the system owner monitor and remediate identified weaknesses on an ongoing basis. Nothing came to our attention to indicate that the USA Staffing System Authorization to Operate was inadequate. B. FIPS 199 ANALYSIS The E-Government Act of 2002 requires Federal agencies to categorize all Federal information and information systems. FIPS 199 provides guidance on how to assign appropriate categorization levels for information security according to a range of risk levels. NIST SP 800-60 Volume I, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199. The USA Staffing System security categorization documentation analyzes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. The USA Staffing System is assessed as having a “moderate” impact level for each area, resulting in an overall categorization of “moderate.” 5 Report No. 4A-HR-00-18-013 Nothing came to our attention to indicate that the USA Staffing System security categorization was inadequate. C. PRIVACY IMPACT ASSESSMENT The E-Government Act of 2002 requires agencies to perform a Privacy Threshold Analysis of Federal information systems to determine if a Privacy Impact Assessment is required for that system. A Privacy Threshold Analysis was performed on the USA Staffing System in July 2017, and it was determined that a Privacy Impact Assessment was required for this system. OMB Memorandum M-03-22 outlines the necessary components of a Privacy Impact Assessment. The purpose of the assessment is to evaluate and document any personally identifiable information maintained by an information system. The Privacy Impact Assessment was complete and was formally approved and signed by the Chief Privacy Officer in July 2017. We did not detect any issues with the Privacy Impact Assessment performed for the USA Staffing System. D. SYSTEM SECURITY PLAN Federal agencies must implement, for each information system, the security controls outlined in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a System Security Plan for each system, and provides guidance for doing so. The USA Staffing System’s System Security Plan was developed using the OCIO’s System Security Plan template that utilizes NIST SP 800-18, Revision 1, as guidance. The template requires that the System Security Plan contain the following elements: x System Name and Identifier; x General Description/Purpose; x System Owner; x System Categorization; x Other Designated Contacts; x Authorizing Official; x System Operational Status; x Assignment of Security Responsibility; 6 Report No. 4A-HR-00-18-013 x Information System Type; x Completion and Approval Dates; x System Environment; x Minimum Security Controls; x Laws, Regulations, and Policies Affecting x System Interconnection/Information the System; Sharing; and x Security Control Selection. We reviewed the current USA Staffing System’s System Security Plan, signed in August 2017, and determined that it does include the necessary information, approvals, and supporting documentation. We did identify one issue with the USA Staffing System’s System Security Plan. 1) Unsupported Software Platform The system’s software inventory includes an operating platform that is no longer supported by the vendor. Unsupported software does not receive updates and security patches. OMB Circular A-130 requires that “Agencies shall: … Prohibit the The system use of unsupported information systems and system components, and inventory includes ensure that systems and components that cannot be appropriately software that is no protected or secured are given a high priority for upgrade or longer supported replacement;” and details that this “Includes hardware, software, or by the vendor. firmware components no longer supported by developers, vendors, or manufacturers through the availability of software patches, firmware updates, replacement parts, and maintenance contracts.” Failure to remove unsupported software increases the risk that system weaknesses could be exploited. Recommendation 1 We recommend that OPM upgrade the unsupported operating platform hosting the USA Staffing System. 7 Report No. 4A-HR-00-18-013 OPM Response: “We concur. The software in question is currently in use by the Legacy version of [the USA Staffing System]. The Legacy servers are scheduled for a phased decommission starting but we have started upgrades where possible while not impacting mission critical functions. The outdated software does not impact [the USA Staffing System’s] Upgrade version.” OIG Comment: As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal Oversight and Compliance office with evidence that this recommendation has been implemented. This statement applies to all subsequent recommendations in this audit report that HRS agrees to implement. E. SECURITY ASSESSMENT PLAN AND REPORT The USA Staffing System’s Security Assessment Plan and Security Assessment Report were completed by OPM in August and September of 2017, respectively, as a part of the system’s Authorization process. We reviewed the relevant documents to verify that a risk assessment was conducted in accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. We also verified that appropriate management, operational, and technical controls were tested for a system with a “moderate” security categorization. Nothing came to our attention to indicate that the USA Staffing System’s Security Assessment Plan and Report were inadequate. F. CONTINUOUS MONITORING OPM requires that the IT security controls of each application be The USA Staffing assessed on a continuous basis. OPM’s OCIO has developed an System security Information Security Continuous Monitoring Plan that includes a controls were subject template outlining the security controls that must be tested for all to routine testing as a information systems. All system owners are required to tailor the part of continuous Information Security Continuous Monitoring Plan template to each monitoring. individual system’s specific security control needs and then test the system’s security controls on an ongoing basis. The test results must be provided to the OCIO on a routine basis for centralized tracking. 8 Report No. 4A-HR-00-18-013 We did not detect any issues with the USA Staffing System continuous monitoring submissions thus far in fiscal year 2018. G. CONTINGENCY PLANNING AND CONTINGENCY PLAN TESTING NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM’s security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated. 1) Contingency Plan The USA Staffing System contingency plan documents the functions, operations, and resources necessary to restore and resume the USA Staffing System when unexpected events or disasters occur. The contingency plan follows the format suggested by NIST SP 800-34, Revision 1, and OPM’s template for contingency plans. We did not detect any issues with the USA Staffing System contingency plan. 2) Contingency Plan Testing Contingency plan testing is a critical element of a viable disaster recovery capability. OPM requires that contingency plans for all systems be tested annually to evaluate the plan’s effectiveness and the organization’s readiness to execute the plan. NIST SP 800-34, Revision 1, provides guidance for testing contingency plans and documenting the results. The most recent contingency plan test for the USA Staffing System was conducted in April 2017. The functional test was considered successful although the recovery took slightly longer than anticipated. Nothing came to our attention to indicate that the USA Staffing System contingency plan testing process was inadequate. H. PLAN OF ACTION AND MILESTONES A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for known IT security weaknesses. OPM has implemented an 9 Report No. 4A-HR-00-18-013 agency-wide POA&M process to help track known IT security weaknesses associated with the agency’s information systems. 1) POA&M Review Three POA&Ms were not included The Security Assessment Report, completed as part of the USA in the most recent Staffing System Authorization, identified 17 control weaknesses, and Authorization. these were consolidated into 6 POA&M items that were appropriately included in the Authorization package. However, 3 additional POA&M items existed for the USA Staffing System prior to its most recent Authorization, and these 3 items were not included in the Authorization package for consideration. OPM’s policy states that “For systems going through a reauthorization, the POA&M also includes all other open and draft weaknesses that are on the existing POA&M as well.” Failure to properly include all POA&Ms in the Authorization package results in the authorizing official granting an Authorization to Operate without having access to all relevant risk information about the system. Recommendation 2 We recommend that OPM update the USA Staffing System Authorization package to include the missing POA&Ms and re-issue the Authorization to Operate. OPM Response: “We concur. The three existing POA&Ms, from prior to the FY2017 Authorization & Assessment, will be added to the [USA Staffing System] FY17 Authorization package and resubmitted to the [USA Staffing System] Authorizing Official for review and appropriate action.” I. NIST SP 800-53 EVALUATION NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, provides guidance for implementing a variety of security controls for information systems supporting the Federal government. As part of this audit, we evaluated whether a subset of these controls had been implemented for the USA Staffing System. We tested approximately 40 controls as outlined in NIST SP 800-53, Revision 4, including one or more controls from each of the following control families: 10 Report No. 4A-HR-00-18-013 x Access Control; x Audit and Accountability; x Configuration Management; x Contingency Planning; x Identity and Authentication; x Planning; x Risk Assessment; x Security Assessment and Authorization; x System and Communications Protection; and x System and Information Integrity. These controls were evaluated by interviewing individuals with system security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system. We determined that the tested security controls appear to be in compliance with NIST SP 800- 53, Revision 4, requirements, with the exceptions detailed below. Configuration deviations for the 1) Control CM-6 – Configuration Settings USA Staffing System have not The USA Staffing System security documentation states that the been documented approved server configuration settings for the system follow the and approved. Defense Information Systems Agency’s Security Technical Implementation Guide. Configuration settings are the system options that are adjusted to enforce or enhance protection of system components and data. We conducted configuration compliance scans on the servers supporting the USA Staffing System to verify that the established settings had been properly applied. However, our scans found over 200 configuration settings that were not in compliance with the Defense Information Systems Agency’s Security Technical Implementation Guide. These deviations have not been documented and approved. NIST SP 800-53, Revision 4, states that “Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers ... .” NIST requires that configuration settings be established and documented and any deviations be documented and approved. 11 Report No. 4A-HR-00-18-013 Failure to apply established configuration settings increases the risk that hackers could exploit system weaknesses. Recommendation 3 We recommend that OPM apply the approved security configuration settings for the USA Staffing System. OPM Response: “We concur. All impacted and servers along with [the USA Staffing System] Legacy servers are scheduled for a phased decommission starting . The remaining [USA Staffing System] Upgrade servers are scheduled for replacement with [Defense Information Systems Agency’s Security Technical Implementation Guide] hardened . A phased rollout of servers is scheduled to start in .” 2) Control SI-2 – Flaw Remediation We also conducted credentialed vulnerability scans on the servers Several of the USA supporting the USA Staffing System looking for security Staffing System weaknesses. The results of our scans indicate several servers servers were missing were missing critical patches that had been released more than 30 patches more than 30 days before the scans took place. The specific vulnerabilities days old. found by the scans were provided to OPM personnel, but will not be detailed in this report. NIST SP 800-53, Revision 4, requires that, “The organization: ... Identifies, reports, and corrects information systems flaws ... [and] Installs security-relevant software and firmware updates ... .” Failure to remediate vulnerabilities increases the risk that hackers could exploit system weaknesses. Recommendation 4 We recommend that OPM apply system patches in a timely manner and in accordance with policy. 12 Report No. 4A-HR-00-18-013 OPM Response: “We concur. We have mitigated 75% of the server scan related and web-based findings identified within the OIG Audit Inquiry 01. The remaining 25% of identified findings will be addressed in conjunction with the phased Legacy server and web-based interface decommissioning starting , the phased rollout of servers scheduled to start in , and the Upgrade software release scheduled for .” 13 Report No. 4A-HR-00-18-013 APPENDIX March 20, 2018 MEMORANDUM FOR: Chief, Information Systems Audit Group Office of the Inspector General FROM: ROBERT M. LEAHY Deputy Chief Information Officer DIANNA SAXMAN Deputy Associate Director, Federal Staffing Center Human Resources Solutions SUBJECT: Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management’s USA Staffing System Report No. 4A-MO-00-18-013 Thank you for providing OPM the opportunity to respond to the Office of the Inspector General (OIG) draft report, Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management’s USA Staffing System, 4A-MO-00-18-013. Responses to your recommendations including planned corrective actions, as appropriate, are provided below. Recommendation 1: We recommend that OPM upgrade the unsupported operating system hosting the USAS. Management Response: We concur. The software in question is currently in use by the Legacy version of USAS. The Legacy servers are scheduled for a phased decommission starting but we have started upgrades where possible while not impacting mission critical functions. The outdated software does not impact USAS’s Upgrade version. Recommendation 2: We recommend that OPM update the USAS Authorization package to include the missing POA&Ms and re-issue the ATO. Report No. 4A-HR-00-18-013 Management Response: We concur. The three existing POA&Ms, from prior to the FY2017 Authorization & Assessment, will be added to the USAS FY17 Authorization package and resubmitted to the USAS Authorizing Official for review and appropriate action. Recommendation 3: We recommend that OPM apply the approved security configuration settings for the USAS. Management Response: We concur. All impacted and servers along with USAS Legacy servers are scheduled for a phased decommission starting . The remaining USAS Upgrade servers are scheduled for replacement with DISA STIG hardened servers. A phased rollout of servers is scheduled to start in . Recommendation 4: We recommend that OPM apply system patches in a timely manner and in accordance with policy. Management Response: We concur. We have mitigated 75% of the server scan related and web-based findings identified within the OIG Audit Inquiry 01. The remaining 25% of identified findings will be addressed in conjunction with the phased Legacy server and web- based interface decommissioning starting , the phased rollout of servers scheduled to start in , and the Upgrade software release scheduled for . I appreciate the opportunity to respond to this draft report. If you have any questions regarding our response, please contact , , and @opm.gov. Report No. 4A-HR-00-18-013 Report Fraud, Waste, and Mismanagement Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways: By Internet: http://www.opm.gov/our-inspector-general/hotline-to- report-fraud-waste-or-abuse By Phone: Toll Free Number: (877) 499-7295 Washington Metro Area: (202) 606-2423 By Mail: Office of the Inspector General U.S. Office of Personnel Management 1900 E Street, NW Room 6400 Washington, DC 20415-1100
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's USA Staffing System
Published by the Office of Personnel Management, Office of Inspector General on 2018-05-10.
Below is a raw (and likely hideous) rendition of the original report. (PDF)