U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
Audit of the Information Systems General and Application
Controls at CACI International, Inc.
Report Number 6A-0A-00-16-004
July 21, 2016
-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY
Audit of the Information Systems General and Application Controls at CACI
International, Inc.
Report No. 6A-0A-00-16-004 July 21, 2016
Why Did We Conduct the Audit? What Did We Find?
CACI International, Inc. (CACI) is a Our audit of the IT security controls of CACI and IMSD determined that:
service contractor for the U.S. Office of CACI and IMSD have established a security management
Personnel Management’s (OPM) Federal program and have implemented a wide variety of security
Investigative Services (FIS). The controls to protect sensitive data.
Investigation and Managements Service IMSD has implemented controls to prevent unauthorized
Division (IMSD) within CACI supports physical access to its facilities, as well as logical controls to
OPM’s FIS, which is responsible for protect sensitive information. However, we noted that the
helping to ensure that the Federal controls related to removing logical access for terminated
Government has a workforce that is employees could be improved. In addition IMSD could benefit
worthy of the public trust by providing from adding additional controls related to routinely auditing user
both suitability and security clearance access privileges to ensure they remain appropriate.
determinations. The Federal Information IMSD could improve its network security program by routinely
Security Modernization Act (FISMA) performing firewall configuration reviews.
requires that the Office of the Inspector IMSD has implemented a configuration management process to
General (OIG) perform an audit of the control changes made to its IT systems, and leverages publically
information technology (IT) systems available configuration baseline standards as a guideline to
supporting OPM, including those operated securely configure its servers. However, IMSD has not formally
by a contractor such as CACI. documented deviations/exceptions to these public standards, and
does not perform routine configuration audits to ensure that
What Did We Audit? servers are actually in compliance with approved baseline
standards.
The OIG has completed a performance IMSD’s business continuity and disaster recovery plans contain the
audit of CACI to ensure that the CACI elements suggested by relevant guidance and publications. IMSD has
information systems supporting OPM’s identified and prioritized the systems and resources that are critical to
FIS are managed in compliance with business operations, and has developed detailed procedures to recover
security policies, procedures, and those systems and resources.
standards established by FISMA, the IMSD has implemented multiple controls surrounding the input,
National Institute of Standards and processing, and output of sensitive data related to the background
Technology, the Federal Information investigations it performs for OPM. However, when making changes
Security Controls Audit Manual and to applications, the person responsible for migrating changes into the
OPM’s Office of the Chief Information production environment also has access to the development and test
Officer. environments. This situation constitutes a segregation of duties
violation.
_______________________
Michael R. Esser
Assistant Inspector General
for Audits
i
ABBREVIATIONS
CACI CACI International, Inc.
FIPS Federal Information Processing Standards
FIS Federal Investigative Services
FISCAM Federal Information System Controls Audit Manual
FISMA Federal Information Security Management Act
IMSD Investigation and Managements Service Division
IT Information Technology
iTRAX Investigations, Tracking, Assigning and Expediting
NIST National Institute of Standards and Technology
OCIO Office of the Chief Information Officer
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
PII Personally Identifiable Information
POA&M Plan of Action and Milestones
SP Special Publication
ii
IV. MAJOR CONTRIBUTORS TO THIS REPORT
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ......................................................................................... i
ABBREVIATIONS ..................................................................................................... ii
I. BACKGROUND ..........................................................................................................1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5
A. Security Management .............................................................................................5
B. Access Controls .......................................................................................................5
C. Network Security .....................................................................................................7
D. Configuration Management .....................................................................................8
E. Contingency Planning............................................................................................11
F. Application Controls..............................................................................................11
IV. MAJOR CONTRIBUTORS TO THIS REPORT ..................................................13
V. APPENDIX: The U.S. Office of Personnel Management’s April 21, 2016
response to the draft audit report, issued February 12, 2016.
REPORT FRAUD, WASTE, AND MISMANAGEMENT
IV. MAJOR CONTRIBUTORS
I. BACKGROUND
TO THIS REPORT
On December 18, 2014, President Obama signed into law the Federal Information Security
Modernization Act of 2014 (P.L. 113.283), which amended the Federal Information Security
Management Act (FISMA) of 2002. FISMA and the Modernization Act require an annual
independent evaluation of each agency’s information security program and practices to
determine the effectiveness of such program and practices. For each agency with an Inspector
General appointed under the Inspector General Act of 1978, the annual evaluation shall be
performed by the Inspector General.
FISMA compliance is mandated for contractor organizations processing federal data on behalf of
a government agency. In accordance with FISMA, we audited the information technology (IT)
security controls related to the U.S. Office of Personnel Management (OPM) contractor CACI
International, Inc. (CACI).
CACI is a contractor that conducts business with a variety of government agencies. The
Investigation and Managements Service Division (IMSD) within CACI supports OPM’s Federal
Investigative Services (FIS), which is responsible for helping to ensure that the Federal
Government has a workforce that is worthy of the public trust by providing both suitability and
security clearance determinations. This final report details the findings, conclusions, and
recommendations resulting from the audit of general and application controls over CACI and
IMSD’s information systems used to process background investigations on behalf of OPM.
This was our first audit of IMSD’s organization-wide IT general and application controls. We
performed an audit of the IT security controls specific to one of IMSD’s applications in fiscal
year 2014 (Report number 4A-IS-00-14-017). All recommendations from that audit are closed.
We discussed the results of our audit with OPM and CACI representatives at an exit conference.
1 Report No. 6A-0A-00-16-004
II. OBJECTIVES, SCOPE, AND METHODOLOGY
Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of Federal data processed and maintained in CACI’s IT environment. We
accomplished these objectives by reviewing the following areas:
Security management;
Access controls;
Network Security;
Configuration management;
Segregation of duties;
Contingency planning; and
Application controls.
Scope and Methodology
The scope of this audit centered on the information systems used by CACI’s IMSD to process
and/or store OPM data. IMSD’s network environment is physically and logically segregated
from the CACI corporate network. However, the CACI corporate network provides an
additional layer of perimeter security and several additional IT security controls to the IMSD
environment. The business processes reviewed are primarily located in Chantilly, Virginia.
The on-site portion of this audit was performed from September through December, 2015. We
completed additional audit work before and after the on-site visit at our office in Washington,
D.C. The findings, recommendations, and conclusions outlined in this report are based on the
status of information system general and application controls in place at CACI as of December
2015.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
CACI. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps, but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of CACI and IMSD’s internal controls through interviews and
observations, as well as inspection of various documents, including information technology and
2 Report No. 6A-0A-00-16-004
other related organizational policies and procedures. This understanding of CACI and IMSD’s
internal controls was used in planning the audit by determining the extent of compliance testing
and other auditing procedures necessary to verify that the internal controls were properly
designed, placed in operation, and effective.
In conducting this review we:
Gathered documentation and conducted interviews;
Reviewed CACI and IMSD’s business structure and environment;
Performed a risk assessment of CACI’s information systems environment and applications,
and prepared an audit program based on the assessment and the Government Accountability
Office’s Federal Information System Controls Audit Manual (FISCAM); and
Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, we used judgmental sampling in
completing our compliance testing.
Various laws, regulations, and industry standards were used as a guide to evaluating CACI’s
control structure. These criteria include, but are not limited to, the following publications:
OPM Information Security and Privacy Policy Handbook;
U.S. Office of Management and Budget (OMB) Memorandum M-07-16, “Safeguarding
Against and Responding to the Breach of Personally Identifiable Information”;
OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
Management Act of 2002;
FISCAM;
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An
Introduction to Computer Security;
NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information
Systems;
NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to
Federal Information Systems;
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations;
NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories;
NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities;
3 Report No. 6A-0A-00-16-004
Federal Information Processing Standards (FIPS) Publication 199, Standards for Security
Categorization of Federal Information and Information Systems;
FIPS Publication 200, Minimum Security Requirements for Federal Information and
Information Systems; and
Other criteria as appropriate.
Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether CACI’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
CACI was not in complete compliance with all standards as described in the “Audit Findings and
Recommendations” section of this report.
4 Report No. 6A-0A-00-16-004
III. AUDIT FINDINGS AND RECOMMENDATIONS
A. Security Management
CACI and IMSD
The security management component of this audit involved the maintain a series
examination of the policies and procedures that are the foundation of of thorough IT
CACI’s overall IT security program. security policies
and procedures.
As mentioned above, the IMSD unit within CACI is the organization’s
primary user of OPM data. CACI has implemented a security management program and has
created IT security policies and procedures that apply specifically to IMSD. However, IMSD is
also contractually obligated to adhere to all OPM policies and federal regulations that deviate
from CACI’s corporate policies or procedures.
We also analyzed CACI’s enterprise and technical risk assessments as well as its security
training program. Furthermore, we examined human resources policies and procedures related to
hiring, training, transferring, and terminating employees.
Nothing came to our attention to indicate that CACI and IMSD do not have an adequate security
management program.
B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect
unauthorized physical or logical access to sensitive resources.
We examined the physical access controls of IMSD’s facilities and data center located in
Chantilly, Virginia. We also examined the logical access controls protecting data in IMSD’s
network environment and applications.
The access controls observed during this audit include, but are not limited to:
Procedures for appropriately granting physical access to facilities and data centers;
Procedures for appropriately granting and adjusting logical access;
Controls for monitoring user activity;
Procedures for routinely auditing user facility access; and
Adequate environmental controls over the data center.
The following sections document opportunities for improvement related to IMSD’s access
controls:
5 Report No. 6A-0A-00-16-004
1) Removal of System Access
IMSD has a system access review process to ensure that former employees do not retain
access after termination of their employment. To test the effectiveness of this process, we
compared a list of employees with active access to IMSD systems to a list of employees that
were terminated in the prior two years. We identified several terminated employees whose
accounts remained active in IMSD systems.
NIST SP 800-53, Revision 4, requires that organizations create, enable, modify, disable, and
remove information system accounts. NIST 800-53, Revision 4, also states that, “Conditions
for disabling or deactivating accounts include … when individuals are transferred or
terminated.”
Failure to remove logical access from terminated employees in a timely fashion increases the
risk that the information systems could be accessed by unauthorized users.
In response to our test work, IMSD created a new procedure document that outlines steps to
routinely review logical access accounts for the IMSD domain, the Investigations, Tracking,
Assigning and Expediting (iTRAX) system application, and non-system resources to ensure
proper account removal. While the new procedure document appears adequate, we would
like to see evidence that the process has been successfully implemented.
Recommendation 1
We recommend that FIS ensure that IMSD fully implements its new logical access review
procedure.
Office of the Chief Information Officer (OCIO)/FIS/IMSD Response:
“We concur. Following the OIG audit, CACI-IMSD has fully implemented auditing
policies for access control which include the new logical access review procedure. CACI-
IMSD has provided FIS with an audit report from January and February 2016 as evidence
to support closure of this finding. FIS will provide OPM Internal Oversight and
Compliance (IOC) a copy of the report to officially close the finding.”
2) Review of User Accounts
iTRAX is the primary application used to support the IMSD management team in monitoring
the status of background applications. The system contains multiple user groups each with
specific access to different types of information. However, IMSD does not have a process in
6 Report No. 6A-0A-00-16-004
place to routinely review each user’s system privileges to ensure they are appropriate for a
user’s job function.
NIST SP 800-53, Revision 4, states that, “Periodic review of assigned user privileges is
necessary to determine if the rationale for assigning such privileges remains valid. If the
need cannot be revalidated, organizations take appropriate corrective actions.” NIST SP 800-
53, Revision 4, also requires the organization to identify audit events as those events which
are significant and relevant to the security of information systems and the environments in
which those systems operate in order to meet specific and ongoing audit needs.
Failure to review the appropriateness of iTRAX user access privileges increases the risk that
a user could access sensitive or unnecessary information.
Recommendation 2
We recommend that FIS require IMSD implement a routine access review process to ensure
that iTRAX user access privileges are appropriate for the user’s job function.
OCIO/FIS/IMSD Response:
“We concur. CACI-IMSD has an existing process in place where proposed user access
privilege changes are reviewed and approved by a Functional Area Manager responsible
for employee oversight. CACI-IMSD is planning to further formalize this process in
coordination with both the iTRAX Development Team Lead and Functional Area
Managers. Planned implementation will be a Functional Role Change Committee which
will meet once per month to review all functional user access privilege changes proposed
during the previous month across the entire program.”
OIG Comment:
As part of the audit resolution process, we recommend that OCIO/FIS provide OPM’s IOC
division with evidence that CACI/IMSD has implemented this recommendation. This
statement applies to all subsequent recommendations in this audit report that OCIO/FIS
agrees to implement.
C. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.
7 Report No. 6A-0A-00-16-004
We evaluated IMSD’s network security program and reviewed the results of several automated
vulnerability scans performed during this audit. The network security controls observed during
this audit include, but are not limited to:
Network monitoring and incident response procedures;
Strong remote access controls; and
Endpoint device controls over investigator laptops.
However, we noted one opportunity for improvement related to IMSD’s network security
controls.
IMSD has documented the approved communication requirements between all internal and
external systems, and these requirements are used to design the firewall rules that control traffic
at the network border. IMSD monitors its firewall logs for suspicious activity, such as attempts
to make unauthorized changes to the device. Although these are good controls, IMSD could
further improve its management of firewalls by performing a periodic review of the
actual/current firewall rulesets and comparing them to the previously approved requirements.
NIST SP 800-53, Revision 4, states that an organization should monitor and control changes to
configuration settings. NIST SP 800-41 states that policy rules “should also be reviewed
periodically to ensure they remain in compliance with security policy.”
Failure to review firewall security policy rules could allow an insecure configuration to go
undetected, potentially exposing the network to unmanaged risk.
Recommendation 3
We recommend that FIS ensure that IMSD conduct a periodic review of the configuration
rulesets for all firewalls and verify that they are in compliance with the approved requirements.
OCIO/FIS/IMSD Response:
“We concur. CACI-IMSD has delivered to FIS an updated policy for Firewall auditing to
support closure of this finding. This policy includes the periodic review of configuration
rulesets for all firewalls and verification of compliance with approved requirements. FIS will
provide OPM-IOC a copy of this policy to officially close the finding.”
D. Configuration Management
Configuration management consists of the policies and procedures used to ensure systems are
configured according to approved, risk-based, configuration controls.
8 Report No. 6A-0A-00-16-004
IMSD’s server environment is composed of iTRAX and several other support applications that
run on operating systems. These systems are running in an isolated virtual server
environment within IMSD’s network. IMSD also utilizes laptop computers for field
investigators accessing resources remotely.
We reviewed IMSD’s configuration management program and observed the following controls
in place:
Use of standard configuration baselines for operating systems, and
Thorough change management controls.
However, we did identify the following opportunities for improvement:
1) Configuration Baselines
IMSD uses the United States Government Configuration Baseline and Defense Information
Systems Agency Security Technical Implementation Guide standards to create security
configuration baselines for its operating systems. As is typical with many organizations,
IMSD has business needs that require specific settings to deviate from these standards.
However, IMSD has not formally documented these exceptions to the standards.
NIST SP 800-53, Revision 4, states that organizations must identify, document, and approve
any deviations from established configuration settings based on operational requirements.
Failure to adequately document configuration settings could lead to inconsistently applied
security configurations.
Recommendation 4
We recommend that FIS ensure that IMSD document all approved exceptions to the
published standards used for system configuration.
OCIO/FIS/IMSD Response:
“We concur. CACI-IMSD will add DISA STIG compliance monitoring to the CACI-
IMSD group of server assets. Following the OIG audit, CACI-IMSD has obtained an
SCAP tool suite and has completed an initial compliance assessment of their servers.
CACI-IMSD is now in the process of configuring the servers to STIG standards and
formally documenting any deviations that may be required. CACI-IMSD will complete
this process by May 31, 2016 at which time they will deliver the list of any requested
deviations to FIS for review and or approval.”
9 Report No. 6A-0A-00-16-004
2) Configuration Monitoring
The servers in IMSD’s environment are monitored for IMSD does not routinely
configuration changes through log and event management audit its servers to ensure
software. However, the servers are not audited on a routine they are in compliance
basis to ensure that they are in compliance with formally with approved baselines.
approved baseline standards.
NIST SP 800-53, Revision 4, states that an organization should monitor and control changes
to configuration settings.
NIST SP 800-128 states that security configuration monitoring may be supported by
numerous means, including “Scanning to identify disparities between the approved baseline
configuration and the actual configuration for an information system.” NIST SP 800-128
also states that “If an information system is inconsistent with approved configurations as
defined by the organization’s baseline configurations … the organization may be unaware of
potential vulnerabilities and not take actions that would otherwise limit those vulnerabilities
and protect it from attacks.”
Failure to identify unknown vulnerabilities could lead to system compromise and the loss of
sensitive data.
Recommendation 5
We recommend that FIS ensure that IMSD implements a process to audit systems for
compliance with approved baseline configuration settings.
OCIO/FIS/IMSD Response:
“We concur. CACI-IMSD will add the Defense Information Systems Agency (DISA)
Security Technical Implementation Guide (STIG) compliance component to its existing
United States Government Configuration Baseline (USGCB) compliance auditing policy,
leveraging the Security content Automation Protocol (SCAP) tool suite they have recently
acquired.”
3) Patch Management
We performed several automated vulnerability scans and configuration compliance audits as
part of our test work. Our vulnerability scans identified several systems with out of date
software. We provided scan results to IMSD and they informed us that they were already
10 Report No. 6A-0A-00-16-004
aware of the issue and are implementing a new tool to more effectively manage the patch
management process for system and third-party software. We believe that IMSD’s solution
will address the issues we identified in our scans, but we had initial concerns that there was
not a formal Plan of Action and Milestones (POA&M) to track this weakness and the
associated remediation efforts. At the conclusion of our field work, IMSD provided evidence
that a POA&M has been created; no further action is required.
E. Contingency Planning
We reviewed the following elements of IMSD’s contingency planning IMSD has
program to determine whether controls are in place to prevent or documented
minimize interruptions to business operations when disastrous events contingency plans
occur: that are tested
Disaster recovery plan regularly.
Business continuity plan
Disaster recovery plan tests
Emergency response procedures
We determined that the contingency planning documentation contained the critical elements
suggested by NIST SP 800-34, Revision 1. IMSD has identified and prioritized the systems and
resources that are critical to business operations, and has developed detailed procedures to
recover those systems and resources.
Nothing came to our attention to indicate that IMSD has not implemented adequate controls
related to contingency planning.
F. Application Controls
1) Investigative Case Management Process
We reviewed the applications and business processes supporting CACI’s efforts to perform
background investigations on behalf of OPM. IMSD performs basic work assignment and
scheduling tasks through the iTRAX system. IMSD has designed its entire investigative case
management process in a manner that does not require it to extract or store personally
identifiable information (PII) related to background investigations from OPM systems.
We evaluated the input, processing, and output controls associated with IMSD’s case
management process. We determined that IMSD has implemented policies and procedures
to help ensure that:
Case tracking data contains minimal PII and is handled securely;
Sensitive case information is transmitted only through secure connections; and
11 Report No. 6A-0A-00-16-004
Case material is tracked and disposed of in a secure manner.
Nothing came to our attention to indicate that IMSD has not implemented adequate controls
over its case processing systems.
2) Application Change Control
We evaluated the policies and procedures governing application development and change
control of IMSD’s case processing systems.
IMSD has documented system development life cycle procedures for software modifications.
All changes require formal approval and undergo testing prior to migration to the production
environment. However, the person responsible for migrating changes into the production
environment also has access to the development and test environments. This situation
constitutes a segregation of duties violation.
NIST SP 800-53, Revision 4, states that the organization should document the separation of
duties of individuals, and define information system access authorizations to support
separation of duties. NIST SP 800-53, Revision 4, also states that “Separation of duties
addresses the potential for abuse of authorized privileges and helps to reduce the risk of
malevolent activity without collusion.”
Failure to ensure proper separation of duties between development, test, and production
environments increases the risk that unauthorized changes could be made to the system.
Recommendation 6
We recommend that FIS ensure that IMSD implements proper segregation of duties within
the application change control process.
OCIO/FIS/IMSD Response:
“We concur. CACI-IMSD is in the process of restructuring its system development team
and creating a new ‘Release Manager’ position which will have no access to change any
Development/Test system code, and will only have authorization to update production
system code. As part of this transition, CACI-IMSD is creating a new policy which will
document the user role control processes and how separation of duties will be achieved.”
12 Report No. 6A-0A-00-16-004
IV. MAJOR CONTRIBUTORS TO THIS REPORT
Information Systems Audit Group
, IT Auditor
, IT Auditor
, IT Auditor
, Senior Team Leader
, Group Chief
13 Report No. 6A-0A-00-16-004
V. APPENDIX
April 21, 2016
MEMORANDUM FOR NORBERT E. VINT
Acting Inspector General
Office of the Inspector General
THRU:
Lead IT Auditor-in-Charge
Office of the Inspector General
FROM: LISA SCHLOSSER
Acting Chief Information Officer
Office of the Chief Information Officer
MERTON W. MILLER
Associate Director
Federal Investigative Services
SUBJECT: Draft Audit Report of Information Systems General Application
Controls at CACI International, Inc. Report Number: 6A-0A-00-16-004
Thank you for providing us the opportunity to respond to the Office of the Inspector General
(OIG) draft report, Audit of Information Systems General and Application Controls at CACI
International, Inc. 6A-0A-00-16-004.
We recognize that even the most well run programs benefit from external evaluations and we
appreciate your input as we continue to enhance our programs. The Federal Investigative
Services (FIS), Office of the Chief Information Officer (OCIO) and the CACI Investigations and
Management Service Division (IMSD) collective responses to your recommendations follow.
Report No. 6A-0A-00-16-004
OIG Recommendation #1: “We recommend that FIS ensure that IMSD fully implements its
new logical access review procedure.”
FIS/OCIO/IMSD Response:
We concur. Following the OIG audit, CACI-IMSD has fully implemented auditing policies for
access control which include the new logical access review procedure. CACI-IMSD has
provided FIS with an audit report from January and February 2016 as evidence to support
closure of this finding. FIS will provide OPM Internal Oversight and Compliance (IOC) a copy
of the report to officially close the finding.
OIG Recommendation #2: “We recommend that FIS ensure that IMSD implement a routine
access review process to ensure that iTRAX user access privileges are appropriate for the user's
job function.”
FIS/OCIO/IMSD Response:
We concur. CACI-IMSD has an existing process in place where proposed user access privilege
changes are reviewed and approved by a Functional Area Manager responsible for employee
oversight. CACI-IMSD is planning to further formalize this process in coordination with both
the iTRAX Development Team Lead and Functional Area Managers. Planned implementation
will be a Functional Role Change Committee which will meet once per month to review all
functional user access privilege changes proposed during the previous month across the entire
program.
OIG Recommendation #3: “We recommend that FIS ensure that IMSD conduct a periodic
review of the configuration rulesets for all firewalls and verify that they are in compliance with
the approved requirements.”
FIS/OCIO/IMSD Response:
We concur. CACI-IMSD has delivered to FIS an updated policy for Firewall auditing to
support closure of this finding. This policy includes the periodic review of configuration rulesets
for all firewalls and verification of compliance with approved requirements. FIS will provide
OPM-IOC a copy of this policy to officially close the finding.
OIG Recommendation #4: “We recommend that FIS ensure that IMSD document all approved
exceptions to the published standards used for system configuration.”
Report No. 6A-0A-00-16-004
FIS/OCIO/IMSD Response:
We concur. CACI-IMSD will add DISA STIG compliance monitoring to the CACI-IMSD
group of server assets. Following the OIG audit, CACI-IMSD has obtained an SCAP tool suite
and has completed an initial compliance assessment of their servers. CACI-IMSD is now in the
process of configuring the servers to STIG standards and formally documenting any deviations
that may be required. CACI-IMSD will complete this process by May 31, 2016 at which time
they will deliver the list of any requested deviations to FIS for review and or approval.
OIG Recommendation #5: “We recommend that FIS ensure that IMSD implements a process
to audit systems for compliance with approved baseline configuration settings.”
FIS/OCIO/ISMD Response:
We concur. CACI-IMSD will add the Defense Information Systems Agency (DISA) Security
Technical Implementation Guide (STIG) compliance component to its existing United States
Government Configuration Baseline (USGCB) compliance auditing policy, leveraging the
Security content Automation Protocol (SCAP) tool suite they have recently acquired.
Recommendation #6: “We recommend that FIS ensure that IMSD implements proper
segregation of duties within the application change control process.”
FIS/OCIO/ISMD Response:
We concur. CACI-IMSD is in the process of restructuring its system development team and
creating a new "Release Manager" position which will have no access to change any
Development/Test system code, and will only have authorization to update production system
code. As part of this transition, CACI-IMSD is creating a new policy which will document the
user role control processes and how separation of duties will be achieved.
We appreciate the opportunity to respond to this draft report. We believe all recommendations to
be requirements within scope of the existing contract between OPM and CACI-IMSD. We will
solicit support from the OPM Office of Procurement Operations (OPO) as necessary. If you
have any questions regarding our response, please contact , ,
@opm.gov OR , , @opm.gov.
Report No. 6A-0A-00-16-004
cc: Kathy McGettigan
Chief Management Officer
Chief Information Security Officer
Janet Barnes
Director, Internal Oversight and Compliance
Nina Ferraro
Senior Procurement Executive
Report No. 6A-0A-00-16-004
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
Audit of the Information Systems General and Application Controls at CACI International, Inc.
Published by the Office of Personnel Management, Office of Inspector General on 2016-07-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)