U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Audit of the Information Technology
Security Controls of the
U.S. Office of Personnel Management's
Multi-State Plan Program Portal
Re p o rt Numbe r 4A-RI-00-15-01 3
May 11 ,201 5
--CAUTION -
This audit r epot·t has been distributed to Federal officials who are n sponsible for the administration of the audited program. T his audit report may
contain pt·opl'ietat·y data which is protected by Federal l aw (18 U.S.C. 1905). Therefot·e, while this audit report is available undet· the Freedom of
Information Act and made available to the public on t he OIG webpage (http:lhmmv.opm.govl our-iu spector-geuernl), caution needs t o be exer cised
before releasing the t·epot·t to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY
Audit ofthe Information Technology Security Controls ofthe US. Office of
Personnel ent 's Multi-State Plan Portal
Why Did W e Conduct the Audit? What Did We Find?
The Multi-State Plan Program (MSPP) Our audit of the IT security conu·ols of the MSPP Portal determined that:
Portal is one of the U.S. Office of • A Security Assessment and Authorization (SA&A) of the MSPP P01t al
Personnel Management's (OPM) critical was completed in October 2014. We reviewed the authorization
Inf01mation Technology (IT) systems. As package for all required elements of an SA&A, and determined that the
such, the Federal Information Security package contained all necessary doctunentation.
Management Act (FISMA) requires that • The security categorization of the MSPP Portal is consistent with
the Office of the Inspector General (OIG) Federal Inf01mation Processing Standards (FIPS) 199 and NIST Special
perform an audit of IT security conu·ols of Publication (SP) 800-60 requirements, and we agree with the
this system, as well as all of the agency's categorization of "Low ."
systems on a rotating basis. • The MSPP P01tal System Security Plan contains the critical elements
required by NIST SP 800-18 Revision 1.
What Did W e Audit? • A security conu·ol assessment plan and report were completed in Jtme
and September 2014, respectively, for the MSPP Portal.
The OIG has completed a performance • NHO has perf01med regular security conu·ol self-assessments in
audit of the MSPP P01tal to ensure that the accordance with OPM's continuous monitoring methodology.
system owner, National Healthcare • A contingency plan was developed for the MSPP P01tal that is in
compliance with NIST SP 800-34 Revision 1, and the plan is tested
Operations (NHO), has managed the
annually.
implementation of IT security policies and • A privacy threshold analysis was conducted for the MSPP Portal that
procedures in accordance with the indicated that a Privacy Impact Assessment (PIA) was not required.
standards established by FISMA, the • The MSPP P01tal Plan of Acton and Milestones (POA&M) follows the
National Institute of Standards and f01mat ofOPM's standard template and has been loaded into Tmsted
Technology (NIST), the Federal Agent, the OCIO 's POA&M tracking tool. However, several delayed
Inf01mation Security Controls Audit POA&M items were not updated with new scheduled completion dates
in accordance with OPM guidance.
Manual (FISCAM) and OPM's Office of
• We evaluated the degree to which a subset of the IT security conu·ols
the Chieflnf01mation Officer (OCIO).
outlined in NIST SP 800-53 Revision 4 were implemented for the MSPP
Portal. We detetmined that a majority of tested security controls appear
to be in compliance with NIST SP 800-53 Revision 4. However, we did
note several areas for improvement.
Michael R. Esser
Assistant Inspector General
for Audits
ABBREVIATIONS
FIPS Federal Information Processing Standards
FISCAM Federal Information System Controls Audit Manual
FISMA Federal Information Security Management Act
GAO Government Accountability Office
HRTT Human Resources Tools and Technology
IG Inspector General
IOC Internal Oversight and Compliance
IT Information Technology
ITSP Information Technology Security and Privacy Group
MSP Multi-State Plan
MSPP Multi-State Plan Program
NHO National Healthcare Operations
NIST National Institute of Standards and Technology
OCIO Office of the Chief Information Officer
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
PIA Privacy Impact Analysis
POA&M Plan of Action & Milestones
PTA Privacy Threshold Analysis
SA&A Security Assessment & Authorization
SAP Security Assessment Plan
SAR Security Assessment Report
SP Special Publication
SSP System Security Plan
ii
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ......................................................................................... i
ABBREVIATIONS ..................................................................................................... ii
I. BACK GROUND .......................................................................................................... 1
II. OBJECT IVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECO MMENDATIONS................................................ .4
A. Secm ity Assessment and Authorization ................................................................ .4
B. FIPS 199 Analysis ...................................................................................................4
C. System Security Plan ...............................................................................................4
D. Secm ity Assessment Plan and Rep01i ..... ................................................................ 5
E. Continuous Monitoring ............................................................................................6
F. Contingency Planning and Contingency Plan Testing.............................................6
G. Privacy Itnpact Assessment ..................... ................................................................ ?
H. Plan of Action and Milestones Process .................................................................... ?
I. NIST 800-53 Evaluation ..........................................................................................8
IV. MAJOR C ONTRIBUTORS TO TillS REPORT .................................................. 12
APPENDIX: National Healthcare Operations' response to the draft rep01i ............. 13
REPORT FRAUD, WAST E, AND MI SMANAGEMENT .................................... 15
I. BACKGROUND
On December 17, 2002, President Bush signed into law the E-Govemment Act (P.L. 107-347),
which includes Title III, the Federal Infonnation Secmity Management Act (FISMA) . It requires
(1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency
rep01iing to the U .S. Office of Management and Budget (OMB) th e results ofiG evaluations for
unclassified systems, and (4) an annual OMB report to Congress summarizing the material
received from agencies. In accordance with FISMA, we audited the inf01mation technology (IT)
secmity controls related to the U.S . Office of Personnel Management' s (OPM) Multi-State Plan
Program (MSPP) Portal.
The MSPP P01ial is one ofOPM ' s critical IT systems. As such, FISMA requires that the Office
of the Inspector General (OIG) perf01m an audit ofiT secmity controls of this system, as well as
all of the agency's systems on a rotating basis.
The MSPP P01ial is a web-based application designed to assist National Healthcar e Operations
(NHO) in receiving, storing and evaluating inf01mation received from applicants who wish to
become ce1iified Multi-State Plan (MSP) Issuers in the MSPP. The system is cunently hosted by
AT&T.
We perf01med preliminruy test work of the MSPP P01ial in April 2013 when the system was first
lalmched. However, this was om first full scope audit of the secmity controls sunmmding th e
system. We discussed the results of om audit with NHO representatives at an exit conference.
At the end of the fieldwork phase of this audit, NHO inf01med us that the MSPP P01ial will no
longer be hosted by AT&T and will be moved to OPM 's data center in Macon, Georgia. This
move is expected to be completed in May 2015 .
1 Rep01i No. 4A-RI-00-1 5-0 13
II. OBJECTIVES, SCOPE, AND METHODOLOGY
Objective
Our objective was to perform an evaluation of the security conu·ols for the MSPP Portal to
ensure that NHO officials have managed the implementation of IT security policies and
procedures in accordance with standards established by FISMA, the National Institute of
Standar ds and Technology (NIST), the Federal Infonnation System Conu·ols Audit Manual
(FISCAM) and OPM's Office of the Chief lnf01mation Officer (OCIO).
OPM's IT security policies require owners of all major infonnation systems to complete a series
of steps to (1) ce1tify that their system's inf01mation is adequately protected and (2) authorize the
system for operations. The audit objective was accomplished by reviewing the degree to which a
variety of security program elements have been implemented for the MSPP P01tal, including:
• Security Assessment and Authorization (SA&A);
• Federal Inf01mation Processing Standards (FIP S) 199 Analysis;
• System Security Plan (SSP);
• Security Assessment Plan and Rep01t (SAP) and (SAR);
• Security Conu·ol Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment (PIA);
• Plan of Action and Milestones Process (POA&M); and
• NIST Special Publication (SP) 800-53 Revision 4 Security Conu·ols.
Scope and Methodology
This perfonnance audit was conducted in accordance with Government Auditing Standards,
issued by the Compu·oller General of the United States. Accordingly, the audit included an
evaluation of related policies and procedures, compliance tests, and other auditing procedures
that we considered necessa1y. The audit covered FISMA compliance eff01ts ofNHO officials
responsible for the MSPP P01tal, including IT security conu·ols in place as of Janumy 2015.
We considered the MSPP Portal internal conu·ol sti11cture in planning our audit procedures.
These procedures were mainly substantive in nature, although we did gain an lmderstanding of
management procedures and conu·ols to the extent necessmy to achieve our audit objectives.
To accomplish our objective, we interviewed representatives of OPM's NHO progratn office
with MSPP Portal security responsibilities, reviewed documentation and system screenshots,
viewed demonsu·ations of system capabilities, and conducted tests directly on the system. We
also reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and
guidance, and NIST guidance. As appropriate, we conducted compliance tests to dete1mine the
extent to which established conu·ols and procedures m·e ftmctioning as required.
Details of the security conu·ols protecting the confidentiality, integrity, and availability of the
MSPP P01tal are located in the "Results" section of this rep01t . Since our audit would not
2 Rep01t No. 4A-RI-00-15-013
necessarily disclose all significant matters in the internal control structure, we do not express an
opinion on the MSPP Portal of internal controls taken as a whole.
The criteria used in conducting this audit include:
OPM’s Information Security and Privacy Policy Handbook;
OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
Management Act of 2002;
The Federal Information System Controls Audit Manual;
NIST SP 800-12, An Introduction to Computer Security;
NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information
Systems;
NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to
Federal Information Systems;
NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations;
NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories;
NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities;
FIPS Publication 199, Standards for Security Categorization of Federal Information and
Information Systems; and
Other criteria as appropriate.
In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe that the data was
sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in
accordance with generally accepted government auditing standards issued by the Comptroller
General of the United States.
The audit was performed by the OPM OIG, as established by the Inspector General Act of 1978,
as amended. The audit was conducted from October 2014 through January 2015 in OPM’s
Washington, D.C. office.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether NHO management of the
MSPP Portal is consistent with applicable standards. Nothing came to our attention during this
review to indicate that NHO is in violation of relevant laws and regulations.
3 Report No. 4A-RI-00-15-013
II. AUDIT FINDINGS AND RECOMMENDATIONS
A. Security Assessment and Authorization
The Security Assessment and Authorization (SA&A) of the MSPP Portal was completed in
October 2013. OPM’s Chief Information Security Officer reviewed the MSPP Portal SA&A
package and signed the system’s authorization letter on October 24, 2013. The system’s
authorizing official signed the letter and authorized the operational status of the system on
October 25, 2013.
NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal
Information Systems, provides guidance to federal agencies in meeting security accreditation
requirements. The MSPP Portal SA&A appears to have been conducted in compliance with
NIST requirements.
B. FIPS 199 Analysis
FIPS Publication 199, Standards for Security Categorization of Federal Information and
Information Systems, requires federal agencies to categorize all federal information and
information systems in order to provide appropriate levels of information security according to a
range of risk levels.
NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems
to Security Categories, provides an overview of the security objectives and impact levels
identified in FIPS Publication 199.
The MSPP Portal FIPS Publication 199 Security Categorization analyzes information processed
by the system and its corresponding potential impacts on confidentiality, integrity, and
availability. The MSPP Portal is categorized with a low impact level for confidentiality,
moderate for integrity, moderate for availability, and an overall categorization of “low.”
The security categorization of the MSPP Portal appears to be consistent with FIPS Publication
199 and NIST SP 800-60 requirements, and we agree with the categorization of “low.”
C. System Security Plan
Federal agencies must implement on each information system the security controls outlined in
NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information systems and
Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal
Information Systems, requires that these controls be documented in a system security plan (SSP)
for each system, and provides guidance for doing so.
4 Report No. 4A-RI-00-15-013
The SSP for the MSPP Portal was created using the OCIO’s template that utilizes NIST SP 800-
18 Revision 1 as guidance. The template requires that the following elements be documented
within the SSP:
System Name and Identifier;
System Categorization;
System Owner;
Authorizing Official;
Other Designated Contacts;
Assignment of Security Responsibility;
System Operational Status;
Information System Type;
General Description/Purpose;
System Environment;
System Interconnection/Information Sharing;
Laws, Regulations, and Policies Affecting the System;
Security Control Selection;
Minimum Security Controls; and
Completion and Approval Dates.
We reviewed the MSPP Portal SSP and determined that it adequately addresses each of the
elements required by NIST. Nothing came to our attention to indicate that the system security
plan of the MSPP Portal has not been properly documented and approved.
D. Security Assessment Plan and Report
A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for
the MSPP Portal in June 2013 and September 2013, respectively, as a part of the system’s SA&A
process. The SAP and SAR were completed by a contractor that was operating independently
from NHO. We reviewed the documents to verify that a risk assessment was conducted in
accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. We also
verified that appropriate management, operational, and technical controls were tested for a
system with a “low” security categorization according to NIST SP 800-53 Revision 4,
Recommended Security Controls for Federal Information Systems.
The SAR identified four control weaknesses; these weaknesses were appropriately added to the
MSPP Portal POA&M. All weaknesses identified were classified with a low risk rating.
5 Report No. 4A-RI-00-15-013
Nothing came to our attention to indicate that the security controls of the MSPP Portal have not
been adequately tested by an independent source, or that weaknesses identified have not been
properly documented.
E. Continuous Monitoring
OPM’s Information Security and Privacy Policy Handbook states that continuous monitoring
security reports must be provided to the OCIO’s Information Technology Security and Privacy
Group (ITSP) at least semiannually. The OCIO also creates continuous monitoring plans each
fiscal year that clearly describe the type and frequency of NIST SP 800-53 Revision 4 security
controls that must be tested throughout the year.
In FY 2014, NHO submitted adequate evidence of continuous monitoring security control testing
for the MSPP Portal to the ITSP in a timely manner.
Nothing came to our attention to indicate NHO’s continuous monitoring activities were not in
compliance with OPM guidelines.
F. Contingency Planning and Contingency Plan Testing
NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems,
states that effective contingency planning, execution, and testing are essential to mitigate the risk
of system and service unavailability. OPM’s security policies require all major applications to
have viable disaster recovery and contingency plans, and that these plans be annually reviewed,
tested, and updated.
Contingency Plan
The MSPP Portal contingency plan documents the functions, operations, and resources necessary
to restore and resume the MSPP Portal operations when unexpected events or disasters occur.
The MSPP Portal contingency plan follows the format suggested by NIST SP 800-34 Revision 1
and contains the required elements.
Contingency Plan Test
NIST SP 800-34 Revision 1 provides guidance for testing contingency plans and documenting
the results. Contingency plan testing is a critical element of a viable disaster recovery capability.
A contingency plan test of the MSPP Portal was conducted in August 2014. The test involved a
discussion-based exercise of recovering the system at the backup data center and then returning
operations to the regular data center. The testing documentation contained adequate analysis and
review of the test results.
6 Report No. 4A-RI-00-15-013
G. Privacy Impact Assessment
FISMA requires agencies to perform a screening of federal information systems to determine if a
PIA is required for that system. OMB Memorandum M-03-22 outlines the necessary
components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy
in information systems and to document any privacy issues that have been identified.
NHO completed an initial privacy screening or Privacy Threshold Analysis (PTA) of the MSPP
and determined that a PIA was not required for this system. The PTA for the MSPP Portal
appears consistent with FISMA and OPM requirements, and we agree a PTA was sufficient and
a PIA is not required.
H. Plan of Action and Milestones Process
A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring
the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-
wide POA&M process to help track known IT security weaknesses associated with the agency’s
information systems.
We evaluated the MSPP Portal POA&M and verified that it follows the format of OPM’s
standard template and has been loaded into Trusted Agent, the OCIO’s POA&M tracking tool,
for evaluation. We determined that the weaknesses discovered during the SA&A security
assessment were included in the POA&M.
However, we noted four items on the POA&M that were over 180 days overdue with a status of
“delayed” that did not indicate a new scheduled completion date. OPM POA&M Standard
Operating Procedures state that “If the weakness is not addressed by the scheduled completion
date, the new scheduled completion date must be addressed in the Milestone Changes column,
along with the updated milestones and dates necessary to achieve the new scheduled completion
date.”
Failure to update a system’s POA&M with material changes increases the likelihood of
weaknesses not being addressed in a timely manner and therefore exposing the system to
malicious attacks exploiting those unresolved vulnerabilities.
Recommendation 1
We recommend that NHO update the MSPP Portal POA&M with new scheduled completion
dates for all delayed items.
7 Report No. 4A-RI-00-15-013
HI Response:
“The POA&M has been updated for all delayed items. The estimated completion date for MA-
4 is now 2015-06-30. All other weaknesses have been completed. Staff in OPM’s Chief
Information Officer/IT Security Policy office updated Trusted Agent (see attached).”
OIG Reply:
Evidence was provided in response to the draft audit report to indicate that new scheduled
completed dates have been updated for delayed items or have been remediated since the issuance
of the draft report; no further action is required.
I. NIST SP 800-53 Evaluation
NIST SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems
and Organizations”, provides guidance for implementing a variety of security controls for
information systems supporting the federal government. As part of this audit, we evaluated
whether a subset of these controls had been implemented for the MSPP Portal. We tested
approximately 50 security controls outlined in NIST SP 800-53 Revision 4 that were identified
as being system specific or a hybrid control. Controls identified as common or inherited were
omitted from testing because another system or program office is responsible for implementing
the control. We tested one or more controls from each of the following control families:
Access Control Maintenance
Audit and Accountability Media Protection
Security Assessment and Authorization Planning
Configuration Management Risk Assessment
Contingency Planning System and Communications Protection
Identity and Authentication System and Information Integrity
Incident Response
These controls were evaluated by interviewing individuals with the MSPP Portal security
responsibilities, reviewing documentation and system screenshots, viewing demonstrations of
system capabilities, and conducting tests directly on the system.
We determined that the tested security controls appear to be in compliance with NIST SP 800-53
Revision 4 requirements with a few exceptions. The following recommendations are directed at
the current version of the system hosted by AT&T. However if these issues are not remediated
before the system is moved to OPM’s internal data center, the recommendations should still be
implemented on the new platform, as moving to the new platform does not inherently resolve
these issues.
8 Report No. 4A-RI-00-15-013
1. RA-5 Vulnerability Scanning
We independently performed automated vulnerability scans on a sample of servers, databases
and web applications. The detailed results of the scans were provided to NHO, but for
security purposes will not be described in this report. A high level summary of the results is
below.
System Patching
The vulnerability scans performed during the audit indicate that critical patches and service
packs are not always implemented in a timely manner for the operating platforms supporting
the MSPP Portal.
FISCAM states that “Software should be scanned and updated frequently to guard against
known vulnerabilities.” NIST SP 800-53 Revision 4 states that the organization must
identify, report, and correct information system flaws and install security-relevant software
and firmware updates promptly.
Failure to promptly install important updates increases the risk that vulnerabilities will not be
remediated and sensitive information could be stolen.
Recommendation 2
We recommend that NHO implement procedures and controls to ensure that servers and
databases are installed with appropriate patches, service packs, and hotfixes on a timely
basis.
HI Response:
“We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015
rather than May 2015. OPM’s Chief Information Officer/Operations Technology
Management has the lead now for installing patches, service packs, hotfixes, as well as
conducting vulnerability scans, on a timely basis.”
OIG Reply:
The response to the draft report indicated that the MSPP has migrated to OPM’s
Macon, Georgia hosting environment and is now managed by OPM’s OCIO. However, the
transition alone is not sufficient evidence to close the recommendation. The intent of the
recommendation was for the program office to establish a control methodology to ensure
servers and databases are routinely updated with patches, service packs, and hotfixes. As
part of the audit resolution process, we recommend that NHO provide OPM’s Internal
Oversight and Compliance (IOC) division with additional evidence to support that a
methodology has been implemented to ensure that servers and databases are updated in a
timely manner.
9 Report No. 4A-RI-00-15-013
Noncurrent Software
The results of the vulnerability scans indicated that several servers supporting the MSPP
Portal contained noncurrent software applications that were no longer supported by the
vendors, and have known security vulnerabilities.
FISCAM states that “Procedures should ensure that only current software releases are
installed in information systems. Noncurrent software may be vulnerable to malicious code
such as viruses and worms.”
Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.
Recommendation 3
We recommend that NHO implement a methodology to ensure that only current and
supported versions of system software are installed on the production servers.
HI Response:
“We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015.
OPM’s Web Team verified that no outdated system software migrated with the MSP
Application Portal to Macon, Georgia, and verified that there is no outdated software
saved on the Macon, Georgia production server that hosts the MSP Application Portal.”
OIG Reply:
The response to the draft report indicated that OPM’s Web Team verified that no outdated
system software was migrated along with the application portal to the OPM Macon, Georgia
hosting environment. However, the intention of this recommendation was for the program
office to establish a routine audit process to ensure that only current, supported versions of
the system software are installed on production servers going forward. As part of the audit
resolution process, we recommend that NHO provide OPM’s IOC division with evidence
that controls that address this issue are in place in the system’s new environment.
Insecure Configurations
The results of the vulnerability scans also indicated that the web application for the MSPP
Portal is insecurely configured in a manner that is susceptible to several malicious attack
methods.
These malicious activities include, but are not limited to:
10 Report No. 4A-RI-00-15-013
Failure to remediate these vulnerabilities increases the risk of not only the web application
and backend data to hackers, but the organization as a whole, as a breach in a single access
point could lead to the whole network environment being exposed.
Recommendation 4
We recommend that NHO immediately remediate vulnerabilities discovered as a result of
the vulnerability scans conducted during this audit.
HI Response:
“We concur. The MSP Application Portal migrated from AT&T’s hosting environment in
Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015.
OPM’s Chief Information Officer/Operations Technology Management has the lead now
for conducting vulnerability scans on a regular basis.
Since the MSP Application Portal is now hosted in Macon, Georgia, we would welcome
the OIG to perform a vulnerability scan and we would commit to resolving any
vulnerabilities detected.”
OIG Reply:
Moving the application from one data center to another does not have an impact on the web
application code or the vulnerabilities we identified; the original recommendation remains
applicable.
11 Report No. 4A-RI-00-15-013
IV. MAJOR CONTRIBUTORS TO THIS REPORT
Information Systems Audit Group
, Auditor-In-Charge
, Lead IT Auditor
, IT Auditor
, IT Auditor
______________________________________________________________________________
, Group Chief
12 Report No. 4A-RI-00-15-013
Appendix
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Healthcare and
Insurance
March 10, 2015
MEMORANDUM FOR
Chief, Information Systems Audit Group
Office of the Inspector General
FROM:
Deputy Assistant Director
Healthcare and Insurance
National Healthcare Operations
SUBJECT: Reply to Draft Audit Report No. 4A-RI-00-15-013
Thank you for providing us the opportunity to respond to the U.S. Office of Personnel Management’s Office of the
Inspector General (OIG) draft report, Audit of the Information Technology Security Controls of the OPM's Multi-
State Plan Program Portal (Report No. 4A-RI-00-15-013).
We recognize that even the most well run programs benefit from external evaluations, and we appreciate your input
as we continue to enhance our programs. Responses to your recommendations are provided below.
Recommendation 1: We recommend NHO update the MSPP Portal POA&M with new scheduled completion
dates for all delayed items.
Management Response: We concur. The POA&M has been updated for all delayed items. The estimated
completion date for MA-4 is now 2015-06-30. All other weaknesses have been completed. Staff in OPM’s
Chief Information Officer/IT Security Policy office updated Trusted Agent (see attached).
Recommendation 2: We recommend that NHO implement procedures and controls to ensure that servers and
databases are installed with appropriate patches, service packs, and hotfixes on a timely basis.
Management Response: We concur. The MSP Application Portal migrated from AT&T’s hosting
environment in Ashburn, Virginia to OPM’s Macon, Georgia hosting environment on February 25, 2015 rather
than May 2015. OPM’s Chief Information Officer/Operations Technology Management has the lead now for
installing patches, service packs, hotfixes, as well as conducting vulnerability scans, on a timely basis.
13 Report No. 4A-RI-00-15-013
Recommendation 3
We recommend that NHO implement a methodology to ensme that only cm1·ent and suppmt ed versions of
system softv.•are are installed on the production servers.
Managem ent R espons e: We concm. The MSP Application Portal migrated from AT&T' s hosting
environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on Febmaty 25, 2015.
OPM 's Web Team verified that no outdated system softv.•are migrated with the M SP Application Pmta.l to
Macon, Georgia, and verified that there is no outdated software saved on the Macon, Georgia. production server
that hosts the M SP Application Portal.
Recommendation 4
We recommend that NHO immediat ely remedia.te vulnerabilities discovered as a result ofthe vulnerability
scans conducted dming this audit.
Managem ent R esp ons e: We concm. The MSP Application Portal migrat ed from AT&T' s hosting
environment in Ashburn, Virginia to OPM's Macon, Georgia hosting environment on Febmaty 25, 2015.
OPM 's Chieflnfonnation Officer/Operations Technology Management has the lead now for conducting
vulnerability scans on a regular basis.
Since the MSP Application Pmtal is now hosted in Macon, Georgia, we w ould w elcome the OIG to perform a
vulnerability scan and we would commit to resolving any vulnerabilities detected.
Ifyou have any questions regarding om response, please
c.c.: CIO!Infonnation Technology System Policy
Cl<J/llllionu:ah c•n T eclmology System Polic.y
, MSAC!Intemal Oversight and Compliance
14 Rep01i No. 4A-RI-00-15-013
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
15 Report No. 1C-54-00-14-061
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Multi-State Plan Program Portal
Published by the Office of Personnel Management, Office of Inspector General on 2015-05-11.
Below is a raw (and likely hideous) rendition of the original report. (PDF)