
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Multi-State Plan Program Portal

Published by the Office of Personnel Management, Office of Inspector General on 2015-05-11.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management's Multi-State Plan Program Portal

Report Number 4A-RI-00-15-013
May 11, 2015




-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY

Audit of the Information Technology Security Controls of the U.S. Office of
Personnel Management's Multi-State Plan Program Portal

Why Did We Conduct the Audit?

The Multi-State Plan Program (MSPP) Portal is one of the U.S. Office of Personnel
Management's (OPM) critical Information Technology (IT) systems. As such, the Federal
Information Security Management Act (FISMA) requires that the Office of the Inspector
General (OIG) perform an audit of IT security controls of this system, as well as all of the
agency's systems on a rotating basis.

What Did We Audit?

The OIG has completed a performance audit of the MSPP Portal to ensure that the system
owner, National Healthcare Operations (NHO), has managed the implementation of IT
security policies and procedures in accordance with the standards established by FISMA, the
National Institute of Standards and Technology (NIST), the Federal Information System
Controls Audit Manual (FISCAM) and OPM's Office of the Chief Information Officer (OCIO).

What Did We Find?

Our audit of the IT security controls of the MSPP Portal determined that:
• A Security Assessment and Authorization (SA&A) of the MSPP Portal was completed in
  October 2014. We reviewed the authorization package for all required elements of an
  SA&A, and determined that the package contained all necessary documentation.
• The security categorization of the MSPP Portal is consistent with Federal Information
  Processing Standards (FIPS) 199 and NIST Special Publication (SP) 800-60 requirements,
  and we agree with the categorization of "Low."
• The MSPP Portal System Security Plan contains the critical elements required by NIST SP
  800-18 Revision 1.
• A security control assessment plan and report were completed in June and September
  2014, respectively, for the MSPP Portal.
• NHO has performed regular security control self-assessments in accordance with OPM's
  continuous monitoring methodology.
• A contingency plan was developed for the MSPP Portal that is in compliance with NIST SP
  800-34 Revision 1, and the plan is tested annually.
• A privacy threshold analysis was conducted for the MSPP Portal that indicated that a
  Privacy Impact Assessment (PIA) was not required.
• The MSPP Portal Plan of Action and Milestones (POA&M) follows the format of OPM's
  standard template and has been loaded into Trusted Agent, the OCIO's POA&M tracking
  tool. However, several delayed POA&M items were not updated with new scheduled
  completion dates in accordance with OPM guidance.
• We evaluated the degree to which a subset of the IT security controls outlined in NIST SP
  800-53 Revision 4 were implemented for the MSPP Portal. We determined that a majority
  of tested security controls appear to be in compliance with NIST SP 800-53 Revision 4.
  However, we did note several areas for improvement.

Michael R. Esser
Assistant Inspector General
for Audits
                ABBREVIATIONS

FIPS     Federal Information Processing Standards
FISCAM   Federal Information System Controls Audit Manual
FISMA    Federal Information Security Management Act
GAO      Government Accountability Office
HRTT     Human Resources Tools and Technology
IG       Inspector General
IOC      Internal Oversight and Compliance
IT       Information Technology
ITSP     Information Technology Security and Privacy Group
MSP      Multi-State Plan
MSPP     Multi-State Plan Program
NHO      National Healthcare Operations
NIST     National Institute of Standards and Technology
OCIO     Office of the Chief Information Officer
OIG      Office of the Inspector General
OMB      U.S. Office of Management and Budget
OPM      U.S. Office of Personnel Management
PIA      Privacy Impact Analysis
POA&M    Plan of Action & Milestones
PTA      Privacy Threshold Analysis
SA&A     Security Assessment & Authorization
SAP      Security Assessment Plan
SAR      Security Assessment Report
SP       Special Publication
SSP      System Security Plan




TABLE OF CONTENTS

                                                                                    Page

       EXECUTIVE SUMMARY ................................................................... i

       ABBREVIATIONS ......................................................................... ii

I.     BACKGROUND ............................................................................ 1

II.    OBJECTIVES, SCOPE, AND METHODOLOGY ................................................. 2

III.   AUDIT FINDINGS AND RECOMMENDATIONS ................................................. 4

       A. Security Assessment and Authorization .......................................... 4
       B. FIPS 199 Analysis ............................................................... 4
       C. System Security Plan ............................................................ 4
       D. Security Assessment Plan and Report ............................................. 5
       E. Continuous Monitoring ........................................................... 6
       F. Contingency Planning and Contingency Plan Testing ............................... 6
       G. Privacy Impact Assessment ....................................................... 7
       H. Plan of Action and Milestones Process ........................................... 7
       I. NIST 800-53 Evaluation .......................................................... 8

IV.    MAJOR CONTRIBUTORS TO THIS REPORT ................................................. 12

       APPENDIX: National Healthcare Operations' response to the draft report ........... 13

       REPORT FRAUD, WASTE, AND MISMANAGEMENT ............................................ 15

I. BACKGROUND

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347),
which includes Title III, the Federal Information Security Management Act (FISMA). It requires
(1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency
reporting to the U.S. Office of Management and Budget (OMB) the results of IG evaluations for
unclassified systems, and (4) an annual OMB report to Congress summarizing the material
received from agencies. In accordance with FISMA, we audited the information technology (IT)
security controls related to the U.S. Office of Personnel Management's (OPM) Multi-State Plan
Program (MSPP) Portal.

The MSPP Portal is one of OPM's critical IT systems. As such, FISMA requires that the Office
of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as
all of the agency's systems on a rotating basis.

The MSPP Portal is a web-based application designed to assist National Healthcare Operations
(NHO) in receiving, storing and evaluating information received from applicants who wish to
become certified Multi-State Plan (MSP) Issuers in the MSPP. The system is currently hosted by
AT&T.

We performed preliminary test work of the MSPP Portal in April 2013 when the system was first
launched. However, this was our first full scope audit of the security controls surrounding the
system. We discussed the results of our audit with NHO representatives at an exit conference.
At the end of the fieldwork phase of this audit, NHO informed us that the MSPP Portal will no
longer be hosted by AT&T and will be moved to OPM's data center in Macon, Georgia. This
move is expected to be completed in May 2015.

                                                1                           Report No. 4A-RI-00-15-013
II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objective
Our objective was to perform an evaluation of the security controls for the MSPP Portal to
ensure that NHO officials have managed the implementation of IT security policies and
procedures in accordance with standards established by FISMA, the National Institute of
Standards and Technology (NIST), the Federal Information System Controls Audit Manual
(FISCAM) and OPM's Office of the Chief Information Officer (OCIO).

OPM's IT security policies require owners of all major information systems to complete a series
of steps to (1) certify that their system's information is adequately protected and (2) authorize the
system for operations. The audit objective was accomplished by reviewing the degree to which a
variety of security program elements have been implemented for the MSPP Portal, including:
• Security Assessment and Authorization (SA&A);
• Federal Information Processing Standards (FIPS) 199 Analysis;
• System Security Plan (SSP);
• Security Assessment Plan (SAP) and Security Assessment Report (SAR);
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment (PIA);
• Plan of Action and Milestones (POA&M) Process; and
• NIST Special Publication (SP) 800-53 Revision 4 Security Controls.

Scope and Methodology
This performance audit was conducted in accordance with Government Auditing Standards,
issued by the Comptroller General of the United States. Accordingly, the audit included an
evaluation of related policies and procedures, compliance tests, and other auditing procedures
that we considered necessary. The audit covered FISMA compliance efforts of NHO officials
responsible for the MSPP Portal, including IT security controls in place as of January 2015.

We considered the MSPP Portal internal control structure in planning our audit procedures.
These procedures were mainly substantive in nature, although we did gain an understanding of
management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's NHO program office
with MSPP Portal security responsibilities, reviewed documentation and system screenshots,
viewed demonstrations of system capabilities, and conducted tests directly on the system. We
also reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and
guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the
extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of the
MSPP Portal are located in the "Results" section of this report. Since our audit would not
necessarily disclose all significant matters in the internal control structure, we do not express an
opinion on the MSPP Portal's system of internal controls taken as a whole.


The criteria used in conducting this audit include: 


• OPM's Information Security and Privacy Policy Handbook;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
  Management Act of 2002;
• The Federal Information System Controls Audit Manual;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
  Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to
  Federal Information Systems;
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
  and Organizations;
• NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information
  Systems to Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
  Capabilities;
• FIPS Publication 199, Standards for Security Categorization of Federal Information and
  Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe that the data was
sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in
accordance with generally accepted government auditing standards issued by the Comptroller
General of the United States.

The audit was performed by the OPM OIG, as established by the Inspector General Act of 1978,
as amended. The audit was conducted from October 2014 through January 2015 in OPM’s
Washington, D.C. office.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether NHO management of the
MSPP Portal is consistent with applicable standards. Nothing came to our attention during this
review to indicate that NHO is in violation of relevant laws and regulations.




III. AUDIT FINDINGS AND RECOMMENDATIONS

A. Security Assessment and Authorization
  The Security Assessment and Authorization (SA&A) of the MSPP Portal was completed in
  October 2013. OPM’s Chief Information Security Officer reviewed the MSPP Portal SA&A
  package and signed the system’s authorization letter on October 24, 2013. The system’s
  authorizing official signed the letter and authorized the operational status of the system on
  October 25, 2013.

  NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal
  Information Systems, provides guidance to federal agencies in meeting security accreditation
  requirements. The MSPP Portal SA&A appears to have been conducted in compliance with
  NIST requirements.

B. FIPS 199 Analysis
  FIPS Publication 199, Standards for Security Categorization of Federal Information and
  Information Systems, requires federal agencies to categorize all federal information and
  information systems in order to provide appropriate levels of information security according to a
  range of risk levels.

  NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems
  to Security Categories, provides an overview of the security objectives and impact levels
  identified in FIPS Publication 199.

  The MSPP Portal FIPS Publication 199 Security Categorization analyzes information processed
  by the system and its corresponding potential impacts on confidentiality, integrity, and
  availability. The MSPP Portal is categorized with a low impact level for confidentiality,
  moderate for integrity, moderate for availability, and an overall categorization of “low.”

  The security categorization of the MSPP Portal appears to be consistent with FIPS Publication
  199 and NIST SP 800-60 requirements, and we agree with the categorization of “low.”

C. System Security Plan
  Federal agencies must implement on each information system the security controls outlined in
  NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information systems and
  Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal
  Information Systems, requires that these controls be documented in a system security plan (SSP)
  for each system, and provides guidance for doing so.



  The SSP for the MSPP Portal was created using the OCIO's template that utilizes NIST SP 800-
  18 Revision 1 as guidance. The template requires that the following elements be documented
  within the SSP:
  • System Name and Identifier;
  • System Categorization;
  • System Owner;
  • Authorizing Official;
  • Other Designated Contacts;
  • Assignment of Security Responsibility;
  • System Operational Status;
  • Information System Type;
  • General Description/Purpose;
  • System Environment;
  • System Interconnection/Information Sharing;
  • Laws, Regulations, and Policies Affecting the System;
  • Security Control Selection;
  • Minimum Security Controls; and
  • Completion and Approval Dates.

  We reviewed the MSPP Portal SSP and determined that it adequately addresses each of the
  elements required by NIST. Nothing came to our attention to indicate that the system security
  plan of the MSPP Portal has not been properly documented and approved.

D. Security Assessment Plan and Report
  A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for
  the MSPP Portal in June 2013 and September 2013, respectively, as a part of the system’s SA&A
  process. The SAP and SAR were completed by a contractor that was operating independently
  from NHO. We reviewed the documents to verify that a risk assessment was conducted in
  accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. We also
  verified that appropriate management, operational, and technical controls were tested for a
  system with a “low” security categorization according to NIST SP 800-53 Revision 4,
  Recommended Security Controls for Federal Information Systems.

  The SAR identified four control weaknesses; these weaknesses were appropriately added to the
  MSPP Portal POA&M. All weaknesses identified were classified with a low risk rating.




  Nothing came to our attention to indicate that the security controls of the MSPP Portal have not
  been adequately tested by an independent source, or that weaknesses identified have not been
  properly documented.

E. Continuous Monitoring
  OPM’s Information Security and Privacy Policy Handbook states that continuous monitoring
  security reports must be provided to the OCIO’s Information Technology Security and Privacy
  Group (ITSP) at least semiannually. The OCIO also creates continuous monitoring plans each
  fiscal year that clearly describe the type and frequency of NIST SP 800-53 Revision 4 security
  controls that must be tested throughout the year.

  In FY 2014, NHO submitted adequate evidence of continuous monitoring security control testing
  for the MSPP Portal to the ITSP in a timely manner.

  Nothing came to our attention to indicate NHO’s continuous monitoring activities were not in
  compliance with OPM guidelines.

F. Contingency Planning and Contingency Plan Testing
  NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems,
  states that effective contingency planning, execution, and testing are essential to mitigate the risk
  of system and service unavailability. OPM’s security policies require all major applications to
  have viable disaster recovery and contingency plans, and that these plans be annually reviewed,
  tested, and updated.

  Contingency Plan
  The MSPP Portal contingency plan documents the functions, operations, and resources necessary
  to restore and resume the MSPP Portal operations when unexpected events or disasters occur.
  The MSPP Portal contingency plan follows the format suggested by NIST SP 800-34 Revision 1
  and contains the required elements.

  Contingency Plan Test
  NIST SP 800-34 Revision 1 provides guidance for testing contingency plans and documenting
  the results. Contingency plan testing is a critical element of a viable disaster recovery capability.

  A contingency plan test of the MSPP Portal was conducted in August 2014. The test involved a
  discussion-based exercise of recovering the system at the backup data center and then returning
  operations to the regular data center. The testing documentation contained adequate analysis and
  review of the test results.




G. Privacy Impact Assessment
  FISMA requires agencies to perform a screening of federal information systems to determine if a
  PIA is required for that system. OMB Memorandum M-03-22 outlines the necessary
  components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy
  in information systems and to document any privacy issues that have been identified.

  NHO completed an initial privacy screening or Privacy Threshold Analysis (PTA) of the MSPP
  and determined that a PIA was not required for this system. The PTA for the MSPP Portal
  appears consistent with FISMA and OPM requirements, and we agree a PTA was sufficient and
  a PIA is not required.

H. Plan of Action and Milestones Process
  A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring
  the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-
  wide POA&M process to help track known IT security weaknesses associated with the agency’s
  information systems.

  We evaluated the MSPP Portal POA&M and verified that it follows the format of OPM’s
  standard template and has been loaded into Trusted Agent, the OCIO’s POA&M tracking tool,
  for evaluation. We determined that the weaknesses discovered during the SA&A security
  assessment were included in the POA&M.

  However, we noted four items on the POA&M that were over 180 days overdue with a status of
  “delayed” that did not indicate a new scheduled completion date. OPM POA&M Standard
  Operating Procedures state that “If the weakness is not addressed by the scheduled completion
  date, the new scheduled completion date must be addressed in the Milestone Changes column,
  along with the updated milestones and dates necessary to achieve the new scheduled completion
  date.”

  Failure to update a system's POA&M with material changes increases the likelihood of
  weaknesses not being addressed in a timely manner and therefore exposing the system to
  malicious attacks exploiting those unresolved vulnerabilities.


  Recommendation 1
  We recommend that NHO update the MSPP Portal POA&M with new scheduled completion
  dates for all delayed items.




  HI Response:
  "The POA&M has been updated for all delayed items. The estimated completion date for MA-
  4 is now 2015-06-30. All other weaknesses have been completed. Staff in OPM's Chief
  Information Officer/IT Security Policy office updated Trusted Agent (see attached)."


  OIG Reply:
  Evidence was provided in response to the draft audit report indicating that new scheduled
  completion dates have been entered for the delayed items, or that the items have been
  remediated since the issuance of the draft report; no further action is required.

I. NIST SP 800-53 Evaluation
  NIST SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems
  and Organizations”, provides guidance for implementing a variety of security controls for
  information systems supporting the federal government. As part of this audit, we evaluated
  whether a subset of these controls had been implemented for the MSPP Portal. We tested
  approximately 50 security controls outlined in NIST SP 800-53 Revision 4 that were identified
  as being system specific or a hybrid control. Controls identified as common or inherited were
  omitted from testing because another system or program office is responsible for implementing
  the control. We tested one or more controls from each of the following control families:
   Access Control                                     Maintenance
   Audit and Accountability                           Media Protection
   Security Assessment and Authorization              Planning
   Configuration Management                           Risk Assessment
   Contingency Planning                               System and Communications Protection
   Identity and Authentication                        System and Information Integrity
   Incident Response

  These controls were evaluated by interviewing individuals with the MSPP Portal security
  responsibilities, reviewing documentation and system screenshots, viewing demonstrations of
  system capabilities, and conducting tests directly on the system.

  We determined that the tested security controls appear to be in compliance with NIST SP 800-53
  Revision 4 requirements with a few exceptions. The following recommendations are directed at
  the current version of the system hosted by AT&T. However if these issues are not remediated
  before the system is moved to OPM’s internal data center, the recommendations should still be
  implemented on the new platform, as moving to the new platform does not inherently resolve
  these issues.




  1. RA-5 Vulnerability Scanning
     We independently performed automated vulnerability scans on a sample of servers, databases
     and web applications. The detailed results of the scans were provided to NHO, but for
     security purposes will not be described in this report. A high level summary of the results is
     below.

   System Patching
   The vulnerability scans performed during the audit indicate that critical patches and service
   packs are not always implemented in a timely manner for the operating platforms supporting
   the MSPP Portal.

   FISCAM states that “Software should be scanned and updated frequently to guard against
   known vulnerabilities.” NIST SP 800-53 Revision 4 states that the organization must
   identify, report, and correct information system flaws and install security-relevant software
   and firmware updates promptly.

   Failure to promptly install important updates increases the risk that vulnerabilities will not be
   remediated and sensitive information could be stolen.

   Recommendation 2
   We recommend that NHO implement procedures and controls to ensure that servers and
   databases are installed with appropriate patches, service packs, and hotfixes on a timely
   basis.

   HI Response:
   “We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
   Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015
   rather than May 2015. OPM’s Chief Information Officer/Operations Technology
   Management has the lead now for installing patches, service packs, hotfixes, as well as
   conducting vulnerability scans, on a timely basis.”

   OIG Reply:
   The response to the draft report indicated that the MSPP has migrated to OPM’s
   Macon, Georgia hosting environment and is now managed by OPM’s OCIO. However, the
   transition alone is not sufficient evidence to close the recommendation. The intent of the
   recommendation was for the program office to establish a control methodology to ensure
   servers and databases are routinely updated with patches, service packs, and hotfixes. As
   part of the audit resolution process, we recommend that NHO provide OPM’s Internal
   Oversight and Compliance (IOC) division with additional evidence to support that a
   methodology has been implemented to ensure that servers and databases are updated in a
   timely manner.


Noncurrent Software
The results of the vulnerability scans indicated that several servers supporting the MSPP
Portal contained noncurrent software applications that were no longer supported by the
vendors, and have known security vulnerabilities.

FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”

Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.

Recommendation 3
We recommend that NHO implement a methodology to ensure that only current and
supported versions of system software are installed on the production servers.

HI Response:
"We concur. The MSP Application Portal migrated from AT&T's hosting environment in
Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015.
OPM's Web Team verified that no outdated system software migrated with the MSP
Application Portal to Macon, Georgia, and verified that there is no outdated software
saved on the Macon, Georgia production server that hosts the MSP Application Portal."


OIG Reply:
The response to the draft report indicated that OPM’s Web Team verified that no outdated
system software was migrated along with the application portal to the OPM Macon, Georgia
hosting environment. However, the intention of this recommendation was for the program
office to establish a routine audit process to ensure that only current, supported versions of
the system software are installed on production servers going forward. As part of the audit
resolution process, we recommend that NHO provide OPM’s IOC division with evidence
that controls that address this issue are in place in the system’s new environment.
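The control the OIG asks for in Recommendations 2 and 3 (patches applied on a timely basis; only current, supported versions of system software on production servers) can be run as a routine check against an asset inventory rather than verified once at migration time. The following Python script is an added example, not part of the OIG report or of OPM's own tooling: the hosts, product names, support dates and the 30-day patch threshold are constructed assumptions, and a real deployment would feed the inventory from configuration-management or scan exports and the support table from the vendors' published support calendars.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Installed:
    """One software product found on one host (as an inventory export would list it)."""
    host: str
    product: str
    branch: str   # release line that is installed, e.g. "2.2"
    build: str    # exact build installed, e.g. "2.2.29"


@dataclass(frozen=True)
class SupportEntry:
    """The vendor's support status for one release line."""
    product: str
    branch: str
    end_of_support: Optional[date]  # None means the vendor still supports this line
    latest_build: str               # newest build the vendor has published for the line
    latest_released: date           # when that build was published


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    build: str
    issue: str             # UNSUPPORTED, NO_SUPPORT_RECORD or PATCH_OVERDUE
    days_overdue: int = 0  # for PATCH_OVERDUE: days since the newer build was published


# Constructed sample data: hypothetical hosts, product names and dates, not from the report.
SUPPORT_TABLE = [
    SupportEntry("webserver", "2.4", None, "2.4.12", date(2015, 1, 30)),
    SupportEntry("webserver", "2.2", date(2014, 12, 31), "2.2.29", date(2014, 9, 3)),
    SupportEntry("dbms", "5.6", None, "5.6.23", date(2015, 2, 2)),
]

INVENTORY = [
    Installed("web01.example", "webserver", "2.2", "2.2.29"),  # fully patched, but end-of-support line
    Installed("web02.example", "webserver", "2.4", "2.4.10"),  # supported line, behind on patches
    Installed("db01.example", "dbms", "5.6", "5.6.23"),        # current
    Installed("db01.example", "legacy-app", "1.0", "1.0"),     # nothing in the support table at all
]

AS_OF = date(2015, 3, 10)  # audit date used by the sample run (constructed)


def audit(inventory: List[Installed], support_table: List[SupportEntry],
          as_of: date, max_patch_age_days: int = 30) -> List[Finding]:
    """Return one Finding per inventory item that violates the control.

    Checks per item, in order: no vendor support record at all, release line past
    its end-of-support date, then behind the vendor's latest build for longer than
    max_patch_age_days.
    """
    index = {(s.product, s.branch): s for s in support_table}
    findings = []
    for item in inventory:
        entry = index.get((item.product, item.branch))
        if entry is None:
            # No support record: the software cannot be shown to be current, so flag it.
            findings.append(Finding(item.host, item.product, item.build, "NO_SUPPORT_RECORD"))
        elif entry.end_of_support is not None and entry.end_of_support <= as_of:
            findings.append(Finding(item.host, item.product, item.build, "UNSUPPORTED"))
        elif item.build != entry.latest_build:
            # Exact-string comparison: a build newer than the table would also be flagged,
            # so keep the table current (or parse versions) in a real deployment.
            age = (as_of - entry.latest_released).days
            if age > max_patch_age_days:
                findings.append(Finding(item.host, item.product, item.build, "PATCH_OVERDUE", age))
    return findings


def run_sample_audit(max_patch_age_days: int = 30) -> List[Finding]:
    """Run the audit over the constructed inventory as of AS_OF."""
    return audit(INVENTORY, SUPPORT_TABLE, AS_OF, max_patch_age_days)


if __name__ == "__main__":
    for f in run_sample_audit():
        extra = f" ({f.days_overdue} days since newer build)" if f.issue == "PATCH_OVERDUE" else ""
        print(f"{f.host}: {f.product} {f.build} -> {f.issue}{extra}")
```

Run on a schedule, the output is the evidence the OIG Reply asks for: a dated list of hosts whose software is unsupported or overdue for patching, with an empty list meaning the control held on that date. Note that the sample deliberately includes a fully patched build on an end-of-support line; being current within a branch is not the same as the branch still being supported.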

Insecure Configurations
The results of the vulnerability scans also indicated that the web application for the MSPP
Portal is insecurely configured in a manner that is susceptible to several malicious attack
methods.

These malicious activities include, but are not limited to:









Failure to remediate these vulnerabilities increases the risk not only to the web application
and its backend data, but to the organization as a whole, since a breach at a single access
point could lead to exposure of the entire network environment.

Recommendation 4
We recommend that NHO immediately remediate vulnerabilities discovered as a result of
the vulnerability scans conducted during this audit.

HI Response:

“We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015.
OPM’s Chief Information Officer/Operations Technology Management has the lead now
for conducting vulnerability scans on a regular basis.

Since the MSP Application Portal is now hosted in Macon, Georgia, we would welcome
the OIG to perform a vulnerability scan and we would commit to resolving any
vulnerabilities detected.”


OIG Reply:
Moving the application from one data center to another does not have an impact on the web
application code or the vulnerabilities we identified; the original recommendation remains
applicable.




 IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group

              , Auditor-In-Charge
            , Lead IT Auditor
            , IT Auditor
                , IT Auditor
______________________________________________________________________________

                , Group Chief




                                                Appendix
                         UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
                                        Washington, DC 20415




Healthcare and
  Insurance


                                               March 10, 2015

MEMORANDUM FOR 	
                              Chief, Information Systems Audit Group
                              Office of the Inspector General

FROM:
                              Deputy Assistant Director
                              Healthcare and Insurance
                              National Healthcare Operations
SUBJECT:	                     Reply to Draft Audit Report No. 4A-RI-00-15-013

Thank you for providing us the opportunity to respond to the U.S. Office of Personnel Management’s Office of the
Inspector General (OIG) draft report, Audit of the Information Technology Security Controls of the OPM's Multi-
State Plan Program Portal (Report No. 4A-RI-00-15-013).
We recognize that even the most well run programs benefit from external evaluations, and we appreciate your input
as we continue to enhance our programs. Responses to your recommendations are provided below.

    Recommendation 1: We recommend NHO update the MSPP Portal POA&M with new scheduled completion
    dates for all delayed items.

    Management Response: We concur. The POA&M has been updated for all delayed items. The estimated
    completion date for MA-4 is now 2015-06-30. All other weaknesses have been completed. Staff in OPM’s
    Chief Information Officer/IT Security Policy office updated Trusted Agent (see attached).


    Recommendation 2: We recommend that NHO implement procedures and controls to ensure that servers and
    databases are installed with appropriate patches, service packs, and hotfixes on a timely basis.

    Management Response: We concur. The MSP Application Portal migrated from AT&T’s hosting
    environment in Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015 rather
    than May 2015. OPM’s Chief Information Officer/Operations Technology Management has the lead now for
    installing patches, service packs, hotfixes, as well as conducting vulnerability scans, on a timely basis.




    Recommendation 3: We recommend that NHO implement a methodology to ensure that only current and supported
    versions of system software are installed on the production servers.

    Management Response: We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
    Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015. OPM’s Web Team verified
    that no outdated system software migrated with the MSP Application Portal to Macon, Georgia, and verified that
    there is no outdated software saved on the Macon, Georgia production server that hosts the MSP Application
    Portal.


    Recommendation 4: We recommend that NHO immediately remediate vulnerabilities discovered as a result of the
    vulnerability scans conducted during this audit.

    Management Response: We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
    Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015. OPM’s Chief Information
    Officer/Operations Technology Management has the lead now for conducting vulnerability scans on a regular basis.

    Since the MSP Application Portal is now hosted in Macon, Georgia, we would welcome the OIG to perform a
    vulnerability scan and we would commit to resolving any vulnerabilities detected.


    If you have any questions regarding our response, please




c.c.:                   CIO/Information Technology System Policy
                        CIO/Information Technology System Policy
                         , MSAC/Internal Oversight and Compliance




                                                                                 



Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency
employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and
mismanagement related to OPM programs and operations. You can report allegations to us in several ways:


     By Internet:        http://www.opm.gov/our-inspector-general/hotline-to-
                         report-fraud-waste-or-abuse


      By Phone:          Toll Free Number:                  (877) 499-7295
                         Washington Metro Area:             (202) 606-2423


        By Mail:         Office of the Inspector General
                         U.S. Office of Personnel Management
                         1900 E Street, NW
                         Room 6400
                         Washington, DC 20415-1100
  
                                                                                 
                                                                                 



