U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Systems General and Application Controls at CACI International, Inc. Report Number 6A-0A-00-16-004 July 21, 2016 -- CAUTION -- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy. EXECUTIVE SUMMARY Audit of the Information Systems General and Application Controls at CACI International, Inc. Report No. 6A-0A-00-16-004 July 21, 2016 Why Did We Conduct the Audit? What Did We Find? CACI International, Inc. (CACI) is a Our audit of the IT security controls of CACI and IMSD determined that: service contractor for the U.S. Office of CACI and IMSD have established a security management Personnel Management’s (OPM) Federal program and have implemented a wide variety of security Investigative Services (FIS). The controls to protect sensitive data. Investigation and Managements Service IMSD has implemented controls to prevent unauthorized Division (IMSD) within CACI supports physical access to its facilities, as well as logical controls to OPM’s FIS, which is responsible for protect sensitive information. However, we noted that the helping to ensure that the Federal controls related to removing logical access for terminated Government has a workforce that is employees could be improved. In addition IMSD could benefit worthy of the public trust by providing from adding additional controls related to routinely auditing user both suitability and security clearance access privileges to ensure they remain appropriate. determinations. The Federal Information IMSD could improve its network security program by routinely Security Modernization Act (FISMA) performing firewall configuration reviews. requires that the Office of the Inspector IMSD has implemented a configuration management process to General (OIG) perform an audit of the control changes made to its IT systems, and leverages publically information technology (IT) systems available configuration baseline standards as a guideline to supporting OPM, including those operated securely configure its servers. However, IMSD has not formally by a contractor such as CACI. documented deviations/exceptions to these public standards, and does not perform routine configuration audits to ensure that What Did We Audit? servers are actually in compliance with approved baseline standards. The OIG has completed a performance IMSD’s business continuity and disaster recovery plans contain the audit of CACI to ensure that the CACI elements suggested by relevant guidance and publications. IMSD has information systems supporting OPM’s identified and prioritized the systems and resources that are critical to FIS are managed in compliance with business operations, and has developed detailed procedures to recover security policies, procedures, and those systems and resources. standards established by FISMA, the IMSD has implemented multiple controls surrounding the input, National Institute of Standards and processing, and output of sensitive data related to the background Technology, the Federal Information investigations it performs for OPM. However, when making changes Security Controls Audit Manual and to applications, the person responsible for migrating changes into the OPM’s Office of the Chief Information production environment also has access to the development and test Officer. environments. This situation constitutes a segregation of duties violation. _______________________ Michael R. Esser Assistant Inspector General for Audits i ABBREVIATIONS CACI CACI International, Inc. FIPS Federal Information Processing Standards FIS Federal Investigative Services FISCAM Federal Information System Controls Audit Manual FISMA Federal Information Security Management Act IMSD Investigation and Managements Service Division IT Information Technology iTRAX Investigations, Tracking, Assigning and Expediting NIST National Institute of Standards and Technology OCIO Office of the Chief Information Officer OIG Office of the Inspector General OMB U.S. Office of Management and Budget OPM U.S. Office of Personnel Management PII Personally Identifiable Information POA&M Plan of Action and Milestones SP Special Publication ii IV. MAJOR CONTRIBUTORS TO THIS REPORT TABLE OF CONTENTS Page EXECUTIVE SUMMARY ......................................................................................... i ABBREVIATIONS ..................................................................................................... ii I. BACKGROUND ..........................................................................................................1 II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2 III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5 A. Security Management .............................................................................................5 B. Access Controls .......................................................................................................5 C. Network Security .....................................................................................................7 D. Configuration Management .....................................................................................8 E. Contingency Planning............................................................................................11 F. Application Controls..............................................................................................11 IV. MAJOR CONTRIBUTORS TO THIS REPORT ..................................................13 V. APPENDIX: The U.S. Office of Personnel Management’s April 21, 2016 response to the draft audit report, issued February 12, 2016. REPORT FRAUD, WASTE, AND MISMANAGEMENT IV. MAJOR CONTRIBUTORS I. BACKGROUND TO THIS REPORT On December 18, 2014, President Obama signed into law the Federal Information Security Modernization Act of 2014 (P.L. 113.283), which amended the Federal Information Security Management Act (FISMA) of 2002. FISMA and the Modernization Act require an annual independent evaluation of each agency’s information security program and practices to determine the effectiveness of such program and practices. For each agency with an Inspector General appointed under the Inspector General Act of 1978, the annual evaluation shall be performed by the Inspector General. FISMA compliance is mandated for contractor organizations processing federal data on behalf of a government agency. In accordance with FISMA, we audited the information technology (IT) security controls related to the U.S. Office of Personnel Management (OPM) contractor CACI International, Inc. (CACI). CACI is a contractor that conducts business with a variety of government agencies. The Investigation and Managements Service Division (IMSD) within CACI supports OPM’s Federal Investigative Services (FIS), which is responsible for helping to ensure that the Federal Government has a workforce that is worthy of the public trust by providing both suitability and security clearance determinations. This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over CACI and IMSD’s information systems used to process background investigations on behalf of OPM. This was our first audit of IMSD’s organization-wide IT general and application controls. We performed an audit of the IT security controls specific to one of IMSD’s applications in fiscal year 2014 (Report number 4A-IS-00-14-017). All recommendations from that audit are closed. We discussed the results of our audit with OPM and CACI representatives at an exit conference. 1 Report No. 6A-0A-00-16-004 II. OBJECTIVES, SCOPE, AND METHODOLOGY Objectives The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of Federal data processed and maintained in CACI’s IT environment. We accomplished these objectives by reviewing the following areas: Security management; Access controls; Network Security; Configuration management; Segregation of duties; Contingency planning; and Application controls. Scope and Methodology The scope of this audit centered on the information systems used by CACI’s IMSD to process and/or store OPM data. IMSD’s network environment is physically and logically segregated from the CACI corporate network. However, the CACI corporate network provides an additional layer of perimeter security and several additional IT security controls to the IMSD environment. The business processes reviewed are primarily located in Chantilly, Virginia. The on-site portion of this audit was performed from September through December, 2015. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at CACI as of December 2015. In conducting our audit, we relied to varying degrees on computer-generated data provided by CACI. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable. This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of CACI and IMSD’s internal controls through interviews and observations, as well as inspection of various documents, including information technology and 2 Report No. 6A-0A-00-16-004 other related organizational policies and procedures. This understanding of CACI and IMSD’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective. In conducting this review we: Gathered documentation and conducted interviews; Reviewed CACI and IMSD’s business structure and environment; Performed a risk assessment of CACI’s information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM); and Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, we used judgmental sampling in completing our compliance testing. Various laws, regulations, and industry standards were used as a guide to evaluating CACI’s control structure. These criteria include, but are not limited to, the following publications: OPM Information Security and Privacy Policy Handbook; U.S. Office of Management and Budget (OMB) Memorandum M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information”; OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources; E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002; FISCAM; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security; NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems; NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments; NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems; NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories; NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities; 3 Report No. 6A-0A-00-16-004 Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems; and Other criteria as appropriate. Compliance with Laws and Regulations In conducting the audit, we performed tests to determine whether CACI’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, CACI was not in complete compliance with all standards as described in the “Audit Findings and Recommendations” section of this report. 4 Report No. 6A-0A-00-16-004 III. AUDIT FINDINGS AND RECOMMENDATIONS A. Security Management CACI and IMSD The security management component of this audit involved the maintain a series examination of the policies and procedures that are the foundation of of thorough IT CACI’s overall IT security program. security policies and procedures. As mentioned above, the IMSD unit within CACI is the organization’s primary user of OPM data. CACI has implemented a security management program and has created IT security policies and procedures that apply specifically to IMSD. However, IMSD is also contractually obligated to adhere to all OPM policies and federal regulations that deviate from CACI’s corporate policies or procedures. We also analyzed CACI’s enterprise and technical risk assessments as well as its security training program. Furthermore, we examined human resources policies and procedures related to hiring, training, transferring, and terminating employees. Nothing came to our attention to indicate that CACI and IMSD do not have an adequate security management program. B. Access Controls Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls of IMSD’s facilities and data center located in Chantilly, Virginia. We also examined the logical access controls protecting data in IMSD’s network environment and applications. The access controls observed during this audit include, but are not limited to: Procedures for appropriately granting physical access to facilities and data centers; Procedures for appropriately granting and adjusting logical access; Controls for monitoring user activity; Procedures for routinely auditing user facility access; and Adequate environmental controls over the data center. The following sections document opportunities for improvement related to IMSD’s access controls: 5 Report No. 6A-0A-00-16-004 1) Removal of System Access IMSD has a system access review process to ensure that former employees do not retain access after termination of their employment. To test the effectiveness of this process, we compared a list of employees with active access to IMSD systems to a list of employees that were terminated in the prior two years. We identified several terminated employees whose accounts remained active in IMSD systems. NIST SP 800-53, Revision 4, requires that organizations create, enable, modify, disable, and remove information system accounts. NIST 800-53, Revision 4, also states that, “Conditions for disabling or deactivating accounts include … when individuals are transferred or terminated.” Failure to remove logical access from terminated employees in a timely fashion increases the risk that the information systems could be accessed by unauthorized users. In response to our test work, IMSD created a new procedure document that outlines steps to routinely review logical access accounts for the IMSD domain, the Investigations, Tracking, Assigning and Expediting (iTRAX) system application, and non-system resources to ensure proper account removal. While the new procedure document appears adequate, we would like to see evidence that the process has been successfully implemented. Recommendation 1 We recommend that FIS ensure that IMSD fully implements its new logical access review procedure. Office of the Chief Information Officer (OCIO)/FIS/IMSD Response: “We concur. Following the OIG audit, CACI-IMSD has fully implemented auditing policies for access control which include the new logical access review procedure. CACI- IMSD has provided FIS with an audit report from January and February 2016 as evidence to support closure of this finding. FIS will provide OPM Internal Oversight and Compliance (IOC) a copy of the report to officially close the finding.” 2) Review of User Accounts iTRAX is the primary application used to support the IMSD management team in monitoring the status of background applications. The system contains multiple user groups each with specific access to different types of information. However, IMSD does not have a process in 6 Report No. 6A-0A-00-16-004 place to routinely review each user’s system privileges to ensure they are appropriate for a user’s job function. NIST SP 800-53, Revision 4, states that, “Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.” NIST SP 800- 53, Revision 4, also requires the organization to identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Failure to review the appropriateness of iTRAX user access privileges increases the risk that a user could access sensitive or unnecessary information. Recommendation 2 We recommend that FIS require IMSD implement a routine access review process to ensure that iTRAX user access privileges are appropriate for the user’s job function. OCIO/FIS/IMSD Response: “We concur. CACI-IMSD has an existing process in place where proposed user access privilege changes are reviewed and approved by a Functional Area Manager responsible for employee oversight. CACI-IMSD is planning to further formalize this process in coordination with both the iTRAX Development Team Lead and Functional Area Managers. Planned implementation will be a Functional Role Change Committee which will meet once per month to review all functional user access privilege changes proposed during the previous month across the entire program.” OIG Comment: As part of the audit resolution process, we recommend that OCIO/FIS provide OPM’s IOC division with evidence that CACI/IMSD has implemented this recommendation. This statement applies to all subsequent recommendations in this audit report that OCIO/FIS agrees to implement. C. Network Security Network security includes the policies and controls used to prevent or monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. 7 Report No. 6A-0A-00-16-004 We evaluated IMSD’s network security program and reviewed the results of several automated vulnerability scans performed during this audit. The network security controls observed during this audit include, but are not limited to: Network monitoring and incident response procedures; Strong remote access controls; and Endpoint device controls over investigator laptops. However, we noted one opportunity for improvement related to IMSD’s network security controls. IMSD has documented the approved communication requirements between all internal and external systems, and these requirements are used to design the firewall rules that control traffic at the network border. IMSD monitors its firewall logs for suspicious activity, such as attempts to make unauthorized changes to the device. Although these are good controls, IMSD could further improve its management of firewalls by performing a periodic review of the actual/current firewall rulesets and comparing them to the previously approved requirements. NIST SP 800-53, Revision 4, states that an organization should monitor and control changes to configuration settings. NIST SP 800-41 states that policy rules “should also be reviewed periodically to ensure they remain in compliance with security policy.” Failure to review firewall security policy rules could allow an insecure configuration to go undetected, potentially exposing the network to unmanaged risk. Recommendation 3 We recommend that FIS ensure that IMSD conduct a periodic review of the configuration rulesets for all firewalls and verify that they are in compliance with the approved requirements. OCIO/FIS/IMSD Response: “We concur. CACI-IMSD has delivered to FIS an updated policy for Firewall auditing to support closure of this finding. This policy includes the periodic review of configuration rulesets for all firewalls and verification of compliance with approved requirements. FIS will provide OPM-IOC a copy of this policy to officially close the finding.” D. Configuration Management Configuration management consists of the policies and procedures used to ensure systems are configured according to approved, risk-based, configuration controls. 8 Report No. 6A-0A-00-16-004 IMSD’s server environment is composed of iTRAX and several other support applications that run on operating systems. These systems are running in an isolated virtual server environment within IMSD’s network. IMSD also utilizes laptop computers for field investigators accessing resources remotely. We reviewed IMSD’s configuration management program and observed the following controls in place: Use of standard configuration baselines for operating systems, and Thorough change management controls. However, we did identify the following opportunities for improvement: 1) Configuration Baselines IMSD uses the United States Government Configuration Baseline and Defense Information Systems Agency Security Technical Implementation Guide standards to create security configuration baselines for its operating systems. As is typical with many organizations, IMSD has business needs that require specific settings to deviate from these standards. However, IMSD has not formally documented these exceptions to the standards. NIST SP 800-53, Revision 4, states that organizations must identify, document, and approve any deviations from established configuration settings based on operational requirements. Failure to adequately document configuration settings could lead to inconsistently applied security configurations. Recommendation 4 We recommend that FIS ensure that IMSD document all approved exceptions to the published standards used for system configuration. OCIO/FIS/IMSD Response: “We concur. CACI-IMSD will add DISA STIG compliance monitoring to the CACI- IMSD group of server assets. Following the OIG audit, CACI-IMSD has obtained an SCAP tool suite and has completed an initial compliance assessment of their servers. CACI-IMSD is now in the process of configuring the servers to STIG standards and formally documenting any deviations that may be required. CACI-IMSD will complete this process by May 31, 2016 at which time they will deliver the list of any requested deviations to FIS for review and or approval.” 9 Report No. 6A-0A-00-16-004 2) Configuration Monitoring The servers in IMSD’s environment are monitored for IMSD does not routinely configuration changes through log and event management audit its servers to ensure software. However, the servers are not audited on a routine they are in compliance basis to ensure that they are in compliance with formally with approved baselines. approved baseline standards. NIST SP 800-53, Revision 4, states that an organization should monitor and control changes to configuration settings. NIST SP 800-128 states that security configuration monitoring may be supported by numerous means, including “Scanning to identify disparities between the approved baseline configuration and the actual configuration for an information system.” NIST SP 800-128 also states that “If an information system is inconsistent with approved configurations as defined by the organization’s baseline configurations … the organization may be unaware of potential vulnerabilities and not take actions that would otherwise limit those vulnerabilities and protect it from attacks.” Failure to identify unknown vulnerabilities could lead to system compromise and the loss of sensitive data. Recommendation 5 We recommend that FIS ensure that IMSD implements a process to audit systems for compliance with approved baseline configuration settings. OCIO/FIS/IMSD Response: “We concur. CACI-IMSD will add the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) compliance component to its existing United States Government Configuration Baseline (USGCB) compliance auditing policy, leveraging the Security content Automation Protocol (SCAP) tool suite they have recently acquired.” 3) Patch Management We performed several automated vulnerability scans and configuration compliance audits as part of our test work. Our vulnerability scans identified several systems with out of date software. We provided scan results to IMSD and they informed us that they were already 10 Report No. 6A-0A-00-16-004 aware of the issue and are implementing a new tool to more effectively manage the patch management process for system and third-party software. We believe that IMSD’s solution will address the issues we identified in our scans, but we had initial concerns that there was not a formal Plan of Action and Milestones (POA&M) to track this weakness and the associated remediation efforts. At the conclusion of our field work, IMSD provided evidence that a POA&M has been created; no further action is required. E. Contingency Planning We reviewed the following elements of IMSD’s contingency planning IMSD has program to determine whether controls are in place to prevent or documented minimize interruptions to business operations when disastrous events contingency plans occur: that are tested Disaster recovery plan regularly. Business continuity plan Disaster recovery plan tests Emergency response procedures We determined that the contingency planning documentation contained the critical elements suggested by NIST SP 800-34, Revision 1. IMSD has identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources. Nothing came to our attention to indicate that IMSD has not implemented adequate controls related to contingency planning. F. Application Controls 1) Investigative Case Management Process We reviewed the applications and business processes supporting CACI’s efforts to perform background investigations on behalf of OPM. IMSD performs basic work assignment and scheduling tasks through the iTRAX system. IMSD has designed its entire investigative case management process in a manner that does not require it to extract or store personally identifiable information (PII) related to background investigations from OPM systems. We evaluated the input, processing, and output controls associated with IMSD’s case management process. We determined that IMSD has implemented policies and procedures to help ensure that: Case tracking data contains minimal PII and is handled securely; Sensitive case information is transmitted only through secure connections; and 11 Report No. 6A-0A-00-16-004 Case material is tracked and disposed of in a secure manner. Nothing came to our attention to indicate that IMSD has not implemented adequate controls over its case processing systems. 2) Application Change Control We evaluated the policies and procedures governing application development and change control of IMSD’s case processing systems. IMSD has documented system development life cycle procedures for software modifications. All changes require formal approval and undergo testing prior to migration to the production environment. However, the person responsible for migrating changes into the production environment also has access to the development and test environments. This situation constitutes a segregation of duties violation. NIST SP 800-53, Revision 4, states that the organization should document the separation of duties of individuals, and define information system access authorizations to support separation of duties. NIST SP 800-53, Revision 4, also states that “Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.” Failure to ensure proper separation of duties between development, test, and production environments increases the risk that unauthorized changes could be made to the system. Recommendation 6 We recommend that FIS ensure that IMSD implements proper segregation of duties within the application change control process. OCIO/FIS/IMSD Response: “We concur. CACI-IMSD is in the process of restructuring its system development team and creating a new ‘Release Manager’ position which will have no access to change any Development/Test system code, and will only have authorization to update production system code. As part of this transition, CACI-IMSD is creating a new policy which will document the user role control processes and how separation of duties will be achieved.” 12 Report No. 6A-0A-00-16-004 IV. MAJOR CONTRIBUTORS TO THIS REPORT Information Systems Audit Group , IT Auditor , IT Auditor , IT Auditor , Senior Team Leader , Group Chief 13 Report No. 6A-0A-00-16-004 V. APPENDIX April 21, 2016 MEMORANDUM FOR NORBERT E. VINT Acting Inspector General Office of the Inspector General THRU: Lead IT Auditor-in-Charge Office of the Inspector General FROM: LISA SCHLOSSER Acting Chief Information Officer Office of the Chief Information Officer MERTON W. MILLER Associate Director Federal Investigative Services SUBJECT: Draft Audit Report of Information Systems General Application Controls at CACI International, Inc. Report Number: 6A-0A-00-16-004 Thank you for providing us the opportunity to respond to the Office of the Inspector General (OIG) draft report, Audit of Information Systems General and Application Controls at CACI International, Inc. 6A-0A-00-16-004. We recognize that even the most well run programs benefit from external evaluations and we appreciate your input as we continue to enhance our programs. The Federal Investigative Services (FIS), Office of the Chief Information Officer (OCIO) and the CACI Investigations and Management Service Division (IMSD) collective responses to your recommendations follow. Report No. 6A-0A-00-16-004 OIG Recommendation #1: “We recommend that FIS ensure that IMSD fully implements its new logical access review procedure.” FIS/OCIO/IMSD Response: We concur. Following the OIG audit, CACI-IMSD has fully implemented auditing policies for access control which include the new logical access review procedure. CACI-IMSD has provided FIS with an audit report from January and February 2016 as evidence to support closure of this finding. FIS will provide OPM Internal Oversight and Compliance (IOC) a copy of the report to officially close the finding. OIG Recommendation #2: “We recommend that FIS ensure that IMSD implement a routine access review process to ensure that iTRAX user access privileges are appropriate for the user's job function.” FIS/OCIO/IMSD Response: We concur. CACI-IMSD has an existing process in place where proposed user access privilege changes are reviewed and approved by a Functional Area Manager responsible for employee oversight. CACI-IMSD is planning to further formalize this process in coordination with both the iTRAX Development Team Lead and Functional Area Managers. Planned implementation will be a Functional Role Change Committee which will meet once per month to review all functional user access privilege changes proposed during the previous month across the entire program. OIG Recommendation #3: “We recommend that FIS ensure that IMSD conduct a periodic review of the configuration rulesets for all firewalls and verify that they are in compliance with the approved requirements.” FIS/OCIO/IMSD Response: We concur. CACI-IMSD has delivered to FIS an updated policy for Firewall auditing to support closure of this finding. This policy includes the periodic review of configuration rulesets for all firewalls and verification of compliance with approved requirements. FIS will provide OPM-IOC a copy of this policy to officially close the finding. OIG Recommendation #4: “We recommend that FIS ensure that IMSD document all approved exceptions to the published standards used for system configuration.” Report No. 6A-0A-00-16-004 FIS/OCIO/IMSD Response: We concur. CACI-IMSD will add DISA STIG compliance monitoring to the CACI-IMSD group of server assets. Following the OIG audit, CACI-IMSD has obtained an SCAP tool suite and has completed an initial compliance assessment of their servers. CACI-IMSD is now in the process of configuring the servers to STIG standards and formally documenting any deviations that may be required. CACI-IMSD will complete this process by May 31, 2016 at which time they will deliver the list of any requested deviations to FIS for review and or approval. OIG Recommendation #5: “We recommend that FIS ensure that IMSD implements a process to audit systems for compliance with approved baseline configuration settings.” FIS/OCIO/ISMD Response: We concur. CACI-IMSD will add the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) compliance component to its existing United States Government Configuration Baseline (USGCB) compliance auditing policy, leveraging the Security content Automation Protocol (SCAP) tool suite they have recently acquired. Recommendation #6: “We recommend that FIS ensure that IMSD implements proper segregation of duties within the application change control process.” FIS/OCIO/ISMD Response: We concur. CACI-IMSD is in the process of restructuring its system development team and creating a new "Release Manager" position which will have no access to change any Development/Test system code, and will only have authorization to update production system code. As part of this transition, CACI-IMSD is creating a new policy which will document the user role control processes and how separation of duties will be achieved. We appreciate the opportunity to respond to this draft report. We believe all recommendations to be requirements within scope of the existing contract between OPM and CACI-IMSD. We will solicit support from the OPM Office of Procurement Operations (OPO) as necessary. If you have any questions regarding our response, please contact , , @opm.gov OR , , @opm.gov. Report No. 6A-0A-00-16-004 cc: Kathy McGettigan Chief Management Officer Chief Information Security Officer Janet Barnes Director, Internal Oversight and Compliance Nina Ferraro Senior Procurement Executive Report No. 6A-0A-00-16-004 Report Fraud, Waste, and Mismanagement Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations. You can report allegations to us in several ways: By Internet: http://www.opm.gov/our-inspector-general/hotline-to- report-fraud-waste-or-abuse By Phone: Toll Free Number: (877) 499-7295 Washington Metro Area: (202) 606-2423 By Mail: Office of the Inspector General U.S. Office of Personnel Management 1900 E Street, NW Room 6400 Washington, DC 20415-1100 -- CAUTION -- This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Audit of the Information Systems General and Application Controls at CACI International, Inc.
Published by the Office of Personnel Management, Office of Inspector General on 2016-07-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)