U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Multi-State Plan Program Portal

Report Number 4A-RI-00-15-013
May 11, 2015

CAUTION: This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

EXECUTIVE SUMMARY
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Multi-State Plan Program Portal

Why Did We Conduct the Audit?

The Multi-State Plan Program (MSPP) Portal is one of the U.S. Office of Personnel Management's (OPM) critical Information Technology (IT) systems. As such, the Federal Information Security Management Act (FISMA) requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems on a rotating basis.

What Did We Audit?

The OIG has completed a performance audit of the MSPP Portal to ensure that the system owner, National Healthcare Operations (NHO), has managed the implementation of IT security policies and procedures in accordance with the standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM) and OPM's Office of the Chief Information Officer (OCIO).

What Did We Find?

Our audit of the IT security controls of the MSPP Portal determined that:

• A Security Assessment and Authorization (SA&A) of the MSPP Portal was completed in October 2014. We reviewed the authorization package for all required elements of an SA&A, and determined that the package contained all necessary documentation.
• The security categorization of the MSPP Portal is consistent with Federal Information Processing Standards (FIPS) 199 and NIST Special Publication (SP) 800-60 requirements, and we agree with the categorization of "Low."
• The MSPP Portal System Security Plan contains the critical elements required by NIST SP 800-18 Revision 1.
• A security control assessment plan and report were completed in June and September 2014, respectively, for the MSPP Portal.
• NHO has performed regular security control self-assessments in accordance with OPM's continuous monitoring methodology.
• A contingency plan was developed for the MSPP Portal that is in compliance with NIST SP 800-34 Revision 1, and the plan is tested annually.
• A privacy threshold analysis was conducted for the MSPP Portal that indicated that a Privacy Impact Assessment (PIA) was not required.
• The MSPP Portal Plan of Action and Milestones (POA&M) follows the format of OPM's standard template and has been loaded into Trusted Agent, the OCIO's POA&M tracking tool. However, several delayed POA&M items were not updated with new scheduled completion dates in accordance with OPM guidance.
• We evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800-53 Revision 4 were implemented for the MSPP Portal. We determined that a majority of tested security controls appear to be in compliance with NIST SP 800-53 Revision 4. However, we did note several areas for improvement.

Michael R. Esser
Assistant Inspector General for Audits

ABBREVIATIONS

FIPS  Federal Information Processing Standards
FISCAM  Federal Information System Controls Audit Manual
FISMA  Federal Information Security Management Act
GAO  Government Accountability Office
HRTT  Human Resources Tools and Technology
IG  Inspector General
IOC  Internal Oversight and Compliance
IT  Information Technology
ITSP  Information Technology Security and Privacy Group
MSP  Multi-State Plan
MSPP  Multi-State Plan Program
NHO  National Healthcare Operations
NIST  National Institute of Standards and Technology
OCIO  Office of the Chief Information Officer
OIG  Office of the Inspector General
OMB  U.S. Office of Management and Budget
OPM  U.S. Office of Personnel Management
PIA  Privacy Impact Analysis
POA&M  Plan of Action & Milestones
PTA  Privacy Threshold Analysis
SA&A  Security Assessment & Authorization
SAP  Security Assessment Plan
SAR  Security Assessment Report
SP  Special Publication
SSP  System Security Plan

TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS
I. BACKGROUND
II. OBJECTIVES, SCOPE, AND METHODOLOGY
III. AUDIT FINDINGS AND RECOMMENDATIONS
  A. Security Assessment and Authorization
  B. FIPS 199 Analysis
  C. System Security Plan
  D. Security Assessment Plan and Report
  E. Continuous Monitoring
  F. Contingency Planning and Contingency Plan Testing
  G. Privacy Impact Assessment
  H. Plan of Action and Milestones Process
  I. NIST 800-53 Evaluation
IV. MAJOR CONTRIBUTORS TO THIS REPORT
APPENDIX: National Healthcare Operations' response to the draft report
REPORT FRAUD, WASTE, AND MISMANAGEMENT

I. BACKGROUND

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the U.S. Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies.

In accordance with FISMA, we audited the information technology (IT) security controls related to the U.S. Office of Personnel Management's (OPM) Multi-State Plan Program (MSPP) Portal. The MSPP Portal is one of OPM's critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems on a rotating basis.
The MSPP Portal is a web-based application designed to assist National Healthcare Operations (NHO) in receiving, storing and evaluating information received from applicants who wish to become certified Multi-State Plan (MSP) Issuers in the MSPP. The system is currently hosted by AT&T.

We performed preliminary test work of the MSPP Portal in April 2013 when the system was first launched. However, this was our first full scope audit of the security controls surrounding the system. We discussed the results of our audit with NHO representatives at an exit conference.

At the end of the fieldwork phase of this audit, NHO informed us that the MSPP Portal will no longer be hosted by AT&T and will be moved to OPM's data center in Macon, Georgia. This move is expected to be completed in May 2015.

II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objective

Our objective was to perform an evaluation of the security controls for the MSPP Portal to ensure that NHO officials have managed the implementation of IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM) and OPM's Office of the Chief Information Officer (OCIO).

OPM's IT security policies require owners of all major information systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations.

The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for the MSPP Portal, including:

• Security Assessment and Authorization (SA&A);
• Federal Information Processing Standards (FIPS) 199 Analysis;
• System Security Plan (SSP);
• Security Assessment Plan and Report (SAP and SAR);
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment (PIA);
• Plan of Action and Milestones Process (POA&M); and
• NIST Special Publication (SP) 800-53 Revision 4 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of NHO officials responsible for the MSPP Portal, including IT security controls in place as of January 2015.

We considered the MSPP Portal internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's NHO program office with MSPP Portal security responsibilities, reviewed documentation and system screenshots, viewed demonstrations of system capabilities, and conducted tests directly on the system. We also reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of the MSPP Portal are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the MSPP Portal system of internal controls taken as a whole.

The criteria used in conducting this audit include:

• OPM's Information Security and Privacy Policy Handbook;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• The Federal Information System Controls Audit Manual;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems;
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations;
• NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
• FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability.
We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM OIG, as established by the Inspector General Act of 1978, as amended. The audit was conducted from October 2014 through January 2015 in OPM's Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether NHO management of the MSPP Portal is consistent with applicable standards. Nothing came to our attention during this review to indicate that NHO is in violation of relevant laws and regulations.

III. AUDIT FINDINGS AND RECOMMENDATIONS

A. Security Assessment and Authorization

The Security Assessment and Authorization (SA&A) of the MSPP Portal was completed in October 2013. OPM's Chief Information Security Officer reviewed the MSPP Portal SA&A package and signed the system's authorization letter on October 24, 2013. The system's authorizing official signed the letter and authorized the operational status of the system on October 25, 2013.

NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, provides guidance to federal agencies in meeting security accreditation requirements. The MSPP Portal SA&A appears to have been conducted in compliance with NIST requirements.

B. FIPS 199 Analysis

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels. NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The MSPP Portal FIPS Publication 199 Security Categorization analyzes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. The MSPP Portal is categorized with a low impact level for confidentiality, moderate for integrity, moderate for availability, and an overall categorization of "low."

The security categorization of the MSPP Portal appears to be consistent with FIPS Publication 199 and NIST SP 800-60 requirements, and we agree with the categorization of "low."

C. System Security Plan

Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a system security plan (SSP) for each system, and provides guidance for doing so.

The SSP for the MSPP Portal was created using the OCIO's template that utilizes NIST SP 800-18 Revision 1 as guidance. The template requires that the following elements be documented within the SSP:

• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Other Designated Contacts;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing;
• Laws, Regulations, and Policies Affecting the System;
• Security Control Selection;
• Minimum Security Controls; and
• Completion and Approval Dates.

We reviewed the MSPP Portal SSP and determined that it adequately addresses each of the elements required by NIST. Nothing came to our attention to indicate that the system security plan of the MSPP Portal has not been properly documented and approved.

D. Security Assessment Plan and Report

A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for the MSPP Portal in June 2013 and September 2013, respectively, as a part of the system's SA&A process. The SAP and SAR were completed by a contractor that was operating independently from NHO.

We reviewed the documents to verify that a risk assessment was conducted in accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. We also verified that appropriate management, operational, and technical controls were tested for a system with a "low" security categorization according to NIST SP 800-53 Revision 4, Recommended Security Controls for Federal Information Systems.

The SAR identified four control weaknesses; these weaknesses were appropriately added to the MSPP Portal POA&M. All weaknesses identified were classified with a low risk rating.

Nothing came to our attention to indicate that the security controls of the MSPP Portal have not been adequately tested by an independent source, or that weaknesses identified have not been properly documented.

E. Continuous Monitoring

OPM's Information Security and Privacy Policy Handbook states that continuous monitoring security reports must be provided to the OCIO's Information Technology Security and Privacy Group (ITSP) at least semiannually. The OCIO also creates continuous monitoring plans each fiscal year that clearly describe the type and frequency of NIST SP 800-53 Revision 4 security controls that must be tested throughout the year.

In FY 2014, NHO submitted adequate evidence of continuous monitoring security control testing for the MSPP Portal to the ITSP in a timely manner. Nothing came to our attention to indicate NHO's continuous monitoring activities were not in compliance with OPM guidelines.

F. Contingency Planning and Contingency Plan Testing

NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM's security policies require all major applications to have viable disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan

The MSPP Portal contingency plan documents the functions, operations, and resources necessary to restore and resume the MSPP Portal operations when unexpected events or disasters occur. The MSPP Portal contingency plan follows the format suggested by NIST SP 800-34 Revision 1 and contains the required elements.

Contingency Plan Test

NIST SP 800-34 Revision 1 provides guidance for testing contingency plans and documenting the results. Contingency plan testing is a critical element of a viable disaster recovery capability.

A contingency plan test of the MSPP Portal was conducted in August 2014. The test involved a discussion-based exercise of recovering the system at the backup data center and then returning operations to the regular data center. The testing documentation contained adequate analysis and review of the test results.

G. Privacy Impact Assessment

FISMA requires agencies to perform a screening of federal information systems to determine if a PIA is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified.

NHO completed an initial privacy screening or Privacy Threshold Analysis (PTA) of the MSPP and determined that a PIA was not required for this system. The PTA for the MSPP Portal appears consistent with FISMA and OPM requirements, and we agree a PTA was sufficient and a PIA is not required.

H. Plan of Action and Milestones Process

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

We evaluated the MSPP Portal POA&M and verified that it follows the format of OPM's standard template and has been loaded into Trusted Agent, the OCIO's POA&M tracking tool, for evaluation. We determined that the weaknesses discovered during the SA&A security assessment were included in the POA&M. However, we noted four items on the POA&M that were over 180 days overdue with a status of "delayed" that did not indicate a new scheduled completion date.

OPM POA&M Standard Operating Procedures state that "If the weakness is not addressed by the scheduled completion date, the new scheduled completion date must be addressed in the Milestone Changes column, along with the updated milestones and dates necessary to achieve the new scheduled completion date."

Failure to update a system's POA&M with material changes increases the likelihood of weaknesses not being addressed in a timely manner and therefore exposing the system to malicious attacks exploiting those unresolved vulnerabilities.

Recommendation 1

We recommend that NHO update the MSPP Portal POA&M with new scheduled completion dates for all delayed items.

HI Response:

"The POA&M has been updated for all delayed items. The estimated completion date for MA-4 is now 2015-06-30. All other weaknesses have been completed. Staff in OPM's Chief Information Officer/IT Security Policy office updated Trusted Agent (see attached)."

OIG Reply:

Evidence was provided in response to the draft audit report to indicate that new scheduled completion dates have been entered for the delayed items, or that the items have been remediated since the issuance of the draft report; no further action is required.

I. NIST SP 800-53 Evaluation

NIST SP 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations", provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we evaluated whether a subset of these controls had been implemented for the MSPP Portal. We tested approximately 50 security controls outlined in NIST SP 800-53 Revision 4 that were identified as being system specific or a hybrid control. Controls identified as common or inherited were omitted from testing because another system or program office is responsible for implementing the control. We tested one or more controls from each of the following control families:

• Access Control
• Audit and Accountability
• Security Assessment and Authorization
• Configuration Management
• Contingency Planning
• Identity and Authentication
• Incident Response
• Maintenance
• Media Protection
• Planning
• Risk Assessment
• System and Communications Protection
• System and Information Integrity

These controls were evaluated by interviewing individuals with the MSPP Portal security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system. We determined that the tested security controls appear to be in compliance with NIST SP 800-53 Revision 4 requirements with a few exceptions. The following recommendations are directed at the current version of the system hosted by AT&T.
However, if these issues are not remediated before the system is moved to OPM's internal data center, the recommendations should still be implemented on the new platform, as moving to the new platform does not inherently resolve these issues.

1. RA-5 Vulnerability Scanning

We independently performed automated vulnerability scans on a sample of servers, databases and web applications. The detailed results of the scans were provided to NHO, but for security purposes will not be described in this report. A high level summary of the results is below.

System Patching

The vulnerability scans performed during the audit indicate that critical patches and service packs are not always implemented in a timely manner for the operating platforms supporting the MSPP Portal.

FISCAM states that "Software should be scanned and updated frequently to guard against known vulnerabilities." NIST SP 800-53 Revision 4 states that the organization must identify, report, and correct information system flaws and install security-relevant software and firmware updates promptly.

Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive information could be stolen.

Recommendation 2

We recommend that NHO implement procedures and controls to ensure that servers and databases are installed with appropriate patches, service packs, and hotfixes on a timely basis.

HI Response:

"We concur. The MSP Application Portal migrated from AT&T's hosting environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015 rather than May 2015. OPM's Chief Information Officer/Operations Technology Management has the lead now for installing patches, service packs, hotfixes, as well as conducting vulnerability scans, on a timely basis."

OIG Reply:

The response to the draft report indicated that the MSPP has migrated to OPM's Macon, Georgia hosting environment and is now managed by OPM's OCIO. However, the transition alone is not sufficient evidence to close the recommendation. The intent of the recommendation was for the program office to establish a control methodology to ensure servers and databases are routinely updated with patches, service packs, and hotfixes. As part of the audit resolution process, we recommend that NHO provide OPM's Internal Oversight and Compliance (IOC) division with additional evidence to support that a methodology has been implemented to ensure that servers and databases are updated in a timely manner.

Noncurrent Software

The results of the vulnerability scans indicated that several servers supporting the MSPP Portal contained noncurrent software applications that were no longer supported by the vendors, and have known security vulnerabilities.

FISCAM states that "Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms."

Failure to promptly remove outdated software increases the risk of a successful malicious attack on the information system.

Recommendation 3

We recommend that NHO implement a methodology to ensure that only current and supported versions of system software are installed on the production servers.

HI Response:

"We concur. The MSP Application Portal migrated from AT&T's hosting environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015. OPM's Web Team verified that no outdated system software migrated with the MSP Application Portal to Macon, Georgia, and verified that there is no outdated software saved on the Macon, Georgia production server that hosts the MSP Application Portal."

OIG Reply:

The response to the draft report indicated that OPM's Web Team verified that no outdated system software was migrated along with the application portal to the OPM Macon, Georgia hosting environment. However, the intention of this recommendation was for the program office to establish a routine audit process to ensure that only current, supported versions of the system software are installed on production servers going forward. As part of the audit resolution process, we recommend that NHO provide OPM's IOC division with evidence that controls that address this issue are in place in the system's new environment.

Insecure Configurations

The results of the vulnerability scans also indicated that the web application for the MSPP Portal is insecurely configured in a manner that is susceptible to several malicious attack methods. These malicious activities include, but are not limited to:

Failure to remediate these vulnerabilities increases the risk of exposure not only of the web application and backend data to hackers, but of the organization as a whole, as a breach in a single access point could lead to the whole network environment being exposed.

Recommendation 4

We recommend that NHO immediately remediate vulnerabilities discovered as a result of the vulnerability scans conducted during this audit.

HI Response:

"We concur. The MSP Application Portal migrated from AT&T's hosting environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015. OPM's Chief Information Officer/Operations Technology Management has the lead now for conducting vulnerability scans on a regular basis. Since the MSP Application Portal is now hosted in Macon, Georgia, we would welcome the OIG to perform a vulnerability scan and we would commit to resolving any vulnerabilities detected."

OIG Reply:

Moving the application from one data center to another does not have an impact on the web application code or the vulnerabilities we identified; the original recommendation remains applicable.
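As an added illustration of the POA&M rule cited in finding H (OPM's requirement that a delayed item carry a new scheduled completion date in the Milestone Changes column), the following Python script is not part of the report; it runs over a constructed sample export whose column names are hypothetical, not Trusted Agent's real format, and flags delayed items more than 180 days past their scheduled completion date with no new date, as well as items whose new date has itself already passed.

```python
"""Flag POA&M items whose 'Delayed' status is not backed by a new scheduled
completion date, the condition the audit found on four MSPP Portal items."""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

OVERDUE_DAYS = 180  # threshold the report used for the four flagged items

# Constructed sample export. Column names are hypothetical (assumption), not the
# real Trusted Agent layout; weakness ids and dates are made up for the demo.
SAMPLE_POAM_CSV = """\
weakness_id,control,status,scheduled_completion,milestone_changes
W-1,MA-4,Delayed,2014-03-31,
W-2,AC-2,Delayed,2014-05-15,New scheduled completion date: 2015-06-30
W-3,CM-6,Ongoing,2015-03-01,
W-4,RA-5,Delayed,2014-06-01,Vendor patch pending
W-5,CP-4,Completed,2014-08-01,
W-6,SI-2,Delayed,2014-12-15,
W-7,AU-6,Delayed,2014-04-30,New scheduled completion date: 2014-11-30
"""


@dataclass
class Finding:
    weakness_id: str
    control: str
    days_overdue: int
    reason: str


def parse_date(text: str) -> date:
    """Parse an ISO calendar date (YYYY-MM-DD)."""
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def new_date_in(milestone_changes: str) -> Optional[date]:
    """Return the first ISO date found in the free-text Milestone Changes column,
    or None when the column carries no date at all."""
    for token in milestone_changes.replace(":", " ").split():
        try:
            return parse_date(token)
        except ValueError:
            continue
    return None


def audit_poam(csv_text: str, as_of: date,
               overdue_days: int = OVERDUE_DAYS) -> List[Finding]:
    """Apply the OPM SOP rule: a weakness not addressed by its scheduled
    completion date must carry a new scheduled completion date."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != "delayed":
            continue  # only 'Delayed' items are subject to the rule here
        days = (as_of - parse_date(row["scheduled_completion"])).days
        if days <= overdue_days:
            continue  # not yet past the reporting threshold
        new_date = new_date_in(row["milestone_changes"])
        if new_date is None:
            reason = "delayed with no new scheduled completion date"
        elif new_date < as_of:
            reason = "new scheduled completion date already passed"
        else:
            continue  # compliant: a future date has been recorded
        findings.append(Finding(row["weakness_id"], row["control"], days, reason))
    return findings


if __name__ == "__main__":
    # The audit's scope was controls in place as of January 2015.
    for f in audit_poam(SAMPLE_POAM_CSV, parse_date("2015-01-31")):
        print(f"{f.weakness_id} ({f.control}): {f.days_overdue} days overdue, {f.reason}")
```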
IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group
, Auditor-In-Charge
, Lead IT Auditor
, IT Auditor
, IT Auditor
, Group Chief

APPENDIX

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Healthcare and Insurance

March 10, 2015

MEMORANDUM FOR Chief, Information Systems Audit Group, Office of the Inspector General
FROM: Deputy Assistant Director, Healthcare and Insurance, National Healthcare Operations
SUBJECT: Reply to Draft Audit Report No. 4A-RI-00-15-013

Thank you for providing us the opportunity to respond to the U.S. Office of Personnel Management's Office of the Inspector General (OIG) draft report, Audit of the Information Technology Security Controls of the OPM's Multi-State Plan Program Portal (Report No. 4A-RI-00-15-013). We recognize that even the most well run programs benefit from external evaluations, and we appreciate your input as we continue to enhance our programs. Responses to your recommendations are provided below.

Recommendation 1: We recommend NHO update the MSPP Portal POA&M with new scheduled completion dates for all delayed items.

Management Response: We concur. The POA&M has been updated for all delayed items. The estimated completion date for MA-4 is now 2015-06-30. All other weaknesses have been completed. Staff in OPM's Chief Information Officer/IT Security Policy office updated Trusted Agent (see attached).

Recommendation 2: We recommend that NHO implement procedures and controls to ensure that servers and databases are installed with appropriate patches, service packs, and hotfixes on a timely basis.

Management Response: We concur. The MSP Application Portal migrated from AT&T's hosting environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015 rather than May 2015. OPM's Chief Information Officer/Operations Technology Management has the lead now for installing patches, service packs, hotfixes, as well as conducting vulnerability scans, on a timely basis.

Recommendation 3: We recommend that NHO implement a methodology to ensure that only current and supported versions of system software are installed on the production servers.

Management Response: We concur. The MSP Application Portal migrated from AT&T's hosting environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015. OPM's Web Team verified that no outdated system software migrated with the MSP Application Portal to Macon, Georgia, and verified that there is no outdated software saved on the Macon, Georgia production server that hosts the MSP Application Portal.

Recommendation 4: We recommend that NHO immediately remediate vulnerabilities discovered as a result of the vulnerability scans conducted during this audit.

Management Response: We concur. The MSP Application Portal migrated from AT&T's hosting environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on February 25, 2015. OPM's Chief Information Officer/Operations Technology Management has the lead now for conducting vulnerability scans on a regular basis. Since the MSP Application Portal is now hosted in Macon, Georgia, we would welcome the OIG to perform a vulnerability scan and we would commit to resolving any vulnerabilities detected.

If you have any questions regarding our response, please

cc:
CIO/Information Technology System Policy
CIO/Information Technology System Policy
MSAC/Internal Oversight and Compliance

REPORT FRAUD, WASTE, AND MISMANAGEMENT

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways:

By Internet: http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:
Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423

By Mail:
Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Multi-State Plan Program Portal
Published by the Office of Personnel Management, Office of Inspector General on 2015-05-11.