IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

ELOUISE PEPION COBELL, et al., Plaintiffs,
v.
GALE NORTON, et al., Defendants.

No. 1:96CV01285 (Judge Lamberth)
FILED UNDER SEAL

DEFENDANTS' NOTICE OF FILING OF THE DEPARTMENT OF THE INTERIOR'S FISCAL YEAR 2005 FISMA REPORTS AND IG REPORT ON THE POA&M PROCESS

Defendants hereby submit the 2005 Federal Information Security Management Act ("FISMA") reports from the Secretary of the Department of the Interior and the Department of the Interior's Office of the Inspector General ("OIG"), as well as the proposed redactions thereto. In addition, Defendants submit the OIG's report concerning the Department of the Interior's Plan of Actions and Milestones ("POA&M") process. Defendants submit the reports and proposed redactions pursuant to the Court's April 22, 2005 Protective Order.

Dated: November 17, 2005

Respectfully submitted,
ROBERT McCALLUM, JR., Associate Attorney General
PETER D. KEISLER, Assistant Attorney General
STUART E. SCHIFFER, Deputy Assistant Attorney General
J. CHRISTOPHER KOHN, Director
/s/ Robert E. Kirschman, Jr.
ROBERT E. KIRSCHMAN, JR. (D.C. Bar No. 406635), Assistant Director
GLENN D. GILLETT, Trial Attorney
Commercial Litigation Branch, Civil Division
P.O. Box 875, Ben Franklin Station, Washington, D.C. 20044-0875
Telephone: (202) 307-0494
Facsimile: (202) 514-7162

CERTIFICATE OF SERVICE

I hereby certify that, on November 17, 2005 a copy of the foregoing Defendants' Notice of Filing of the Department of the Interior's Fiscal Year 2005 FISMA Reports and IG Report on the POA&M Process in PDF Format on CD was served upon:
Dennis M. Gingold, Esq.
Mark K. Brown, Esq.
Elliot Levitas, Esq.
607 - 14th Street, NW, 9th Flr.
Washington, DC 20005

and, without under seal attachments, on the following who is not registered for Electronic Case Filing, by facsimile:
Earl Old Person (Pro se)
Blackfeet Tribe
P.O.
Box 850, Browning, MT 59417
Fax (406) 338-7530
/s/ Kevin P. Kingston
Kevin P. Kingston

THE SECRETARY OF THE INTERIOR
WASHINGTON

OCT 14 2005

The Honorable Joshua B. Bolten
Director
Executive Office of the President
Office of Management and Budget
Washington, D.C. 20503

Dear Mr. Bolten:

The Department of the Interior (DOI) provides the enclosed information technology (IT) compliance report, prepared using the guidance contained in the Office of Management and Budget (OMB) memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act, June 15, 2005. The annual report includes both the views of the agency Chief Information Officer (CIO) and the Inspector General (IG), a discussion on the differences between those perspectives, and the new privacy requirements.

Interior made significant progress in improving its overall security posture in FY 2005, in spite of the extraordinary burden placed on Interior by the ongoing Cobell v. Norton litigation. In the Cobell case, we produced over 4 1/2 million pages of documentation, and testified throughout a 59-day evidentiary hearing. The significant demands on us to respond to the court impacted the annual FISMA evaluation, causing delays and limitations for both the CIO's staff and the IG's staff. I would like to highlight the following progress made in FY 2005:

* DOI made progress toward consolidating 13 networks into a single Departmental Enterprise Services Network (ESN). Three remaining bureau networks are targeted for consolidation this month.
* The ESN architecture includes robust network perimeter security controls and enables Interior to manage perimeter controls more consistently, effectively, and cost-efficiently.
* The Department is maintaining a continuous monitoring program as part of the Certification and Accreditation (C&A) processes. This includes:
  o independent third-party review of C&A packages,
  o routine automated vulnerability scanning and remediation of identified weaknesses,
  o internal and external penetration testing of networks and major applications, and
  o an improved Plan of Actions and Milestones (POA&M) system implementing the changes recommended by the IG.
* Interior initiated state-of-the-art penetration testing, independently conducted by the Office of IG, for DOI's bureaus and offices. The enhanced monitoring program provided critical information needed to prioritize further improvements to our operational security posture.

REDACTED PUBLIC VERSION - Subject to Protective Order Regarding I-T Security Information (Dkt. No. 2937) (Filed April 22, 2005) - Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports - DOI's FY 2005 FISMA Report, Page 1 of 37

* OMB rated DOI's Enterprise Architecture (EA) the highest among the 25 EA programs reviewed. The DOI EA was noted as incorporating a security standards profile, and aligned to the Technical Reference Model.
* The Department entered into an agreement with USALearning.gov to deliver a standardized curriculum for individuals with significant IT security roles.
* The DOI CIO contracted an independent IT security assessment to evaluate DOI against the myriad of security policies and guidance. We are pleased to report 3.63 maturity level out of 5 from this assessment.

IT security has been, and will continue to be, one of my highest priorities, as evidenced by the major improvements made throughout the DOI this past year. This progress builds on accomplishments of the past. In June 2004, the IG concluded "the DOI POA&M process is effective and satisfies the pertinent Federal guidance." The IG's FY 2004 report considered Interior's C&A process as being satisfactory. The percentage of IT systems certified and accredited increased from 83 percent for FY 2004 to over 98 percent in FY 2005.
With better accountability and standardization, DOI, and ultimately the taxpayers, avoided $17 million in C&A costs. We are pleased with the return on the investment OMB and Congress authorized in our FY 2004 budget and sustained in FY 2005.

In FY 2005, the IG appropriately raised the bar for evaluating the security program, based on DOI's increased maturity in the program. I support his efforts and his resources have increased to enable measurements against these higher standards. Our collaborative efforts in monitoring our systems through exhaustive penetration testing illustrate our commitment to maintaining a constantly improving C&A process. We recognize that the C&A process is not perfect, particularly in light of the many new or revised standards published by the National Institute of Standards and Technology (NIST) within the past year, some of which are still in draft. We recognize that C&A is primarily a process of risk management, requiring application of considerable subjective judgment. Without clear criteria for reporting, the ambiguity leads to subjectivity based on individual perspectives.

In preparing this year's report, I am struck by how strongly this subjectivity is impacted by the role of two key executives at DOI: the IG and the CIO. Your guidance for the FY 2005 report asks that I include an analysis of the differences between the CIO's report and the IG's. I hope you will find this useful in reducing the ambiguity of future reporting, and to more fully understand the perspectives presented. Through consistent reporting standards, we can arrive at a fair comparison of government security progress and deficiencies, and achieve or exceed the benchmark leading to adequate security.

I understand the IG's opinion that the IT security at DOI is not perfect, that risks and vulnerabilities still remain and improvements need to be made. From this he concludes DOI has significant weaknesses in complying with FISMA.
From this perspective, the IG tempered the scores on his report by any weakness seen:

* where a C&A package did not contain all required elements clearly presented, it was not counted as a valid package;
* problems in the POA&M process were included in the IG report dated September 23, 2005, even though subsequently corrected, because the corrections had not been verified by the OIG; and
* any deviations from policy or procedures were reported as an inconsistent and ineffective policy overall.

The IG's perspective can be supported by the language of the OMB and NIST requirements. It is consistent with the IG's role of being DOI's watch dog - who clearly needs to warn of any potential risks, regardless of the weight or costs.

The CIO believes the IG's responses to several of the questions in the FY 2005 reporting template exceed the basic requirements of FISMA and do not take into account improvements made during the year in response to the testing the IG conducted. I have confidence in the CIO's opinion that, while IT security at DOI is not perfect, risks and vulnerabilities still remain, and improvements need to be made, nonetheless, the policies and processes to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA. From this perspective, when weaknesses are found, DOI corrects them and takes credit for having done so. Based on extensive reviews of the IT security program, the CIO believes these corrective actions have generally been completed, sufficient to meet the basic requirements of FISMA. As required by FISMA, remaining problems are being addressed through the POA&M process.
The CIO perspective is clearly supported by the language of the OMB and NIST requirements. It is also consistent with the CIO's role, which requires him to balance risks to DOI's information assets with the costs to address those risks. The CIO also appropriately relies on the determinations of competent accountable officials, including the IG. The CIO points out that Interior was successful in thwarting over 353 million potential incidents in contrast to only 33 incidents that could not be prevented, as reported during our last quarterly reporting period. None of the successful incidents have resulted in any known compromise of sensitive data.

I ask for your assistance in determining where, between these two perspectives, your intent in measuring FISMA compliance lies. This determination has significant funding and operational implications to DOI, in addition to arriving at a credible determination of "adequate" security. I am obviously concerned about the cost implications of eliminating every defect when risks are not significant to security or operations. We have clearly demonstrated a commitment to maintaining an effective IT security program at funding levels commensurate with the value of Interior's IT assets. I remain committed to continued improvements in DOI's IT security posture, including improvements to the C&A and POA&M processes. As you are aware, continued funding

Section B: Chief Information Officer. Questions 1, 2, 3,
and 4. Agency Name: U.S. Department of the Interior

Questions 1 and 2

1. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of information systems used or operated by your agency, and the number of information systems used or operated by a contractor of your agency or other organization on behalf of your agency. Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems. To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can 1) continue to use NIST Special Publication 800-26, or, 2) conduct a self-assessment against the controls found in NIST Special Publication 800-53. Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance. FIPS 199, Federal Information Processing Standard, was published in February 2004. If there are systems which have not yet been categorized, or the risk impact level is determined through another method, please explain below in item (d).

a. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau in the format provided below. From the Total Number of Systems, identify the number of systems which have: a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year. Contingency planning is a requirement for certification and accreditation, with annual contingency plan testing required thereafter. If the number of systems with full certification and accreditation is higher than the number of systems with a tested contingency plan, please explain.

[Table for Questions 1 and 2: rows by bureau and FIPS 199 risk impact level; columns a. FY05 Agency Systems (Number), b. FY05 Contractor Systems (Number), c. FY05 Total Number of Systems, d. Number of systems certified and accredited (Total Number, Percentage), e. Number of systems for which security controls have been tested and evaluated in the last year (Total Number Reviewed, Percentage), f. Number of systems for which contingency plans have been tested in accordance with policy and guidance (Total Number, Percentage). The per-bureau figures are not legible in the scanned copy.]
Section B: Chief Information Officer. Question 5. Agency Name: U.S. Department of the Interior

Question 5

Information gathered in this question will be forwarded to the Department of Homeland Security for validation. For each category of incident listed: identify the total number of successful incidents in FY05, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category e. "Other". If appropriate or necessary, include comments in the area provided below.

5. Number of Incidents, by category:

Type of Incident | Number of Incidents Reported internally | Number of Incidents Reported to US-CERT | Number of Incidents Reported to law enforcement
a. Unauthorized Access | 23 | 22 | 2
b. Denial of Service (DoS) | 2 | 2 | 0
c. Malicious Code | 191 | 171 | 1
d. Improper Usage | 34 | 28 | 4
e. Other | 36 | 28 | 3
Totals | 286 | 251 | 10

Comments:

Section B: Questions 6 and 7

Question 6

6. Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities? Yes or No.
a. Total number of employees in FY05 | b. Number of employees that received IT security awareness training in FY 05, as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (October 2003) (Number, Percentage) | c. Total number of employees with significant IT security responsibilities | d. Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (April 1998) (Number, Percentage) | e. Total costs for providing IT security training in FY05 (in $'s)
84,159 | 82,848 (98.44%) | 2611 | 1736 (66.49%) | $1,340,487

Briefly describe the training provided in b. and d.

Employees are trained by using a comprehensive DOI University online system. The training covers a broad range of IT security subjects including: access controls, passwords, malicious code (viruses), DOI Policy and Federal Regulations. Central reporting is built into the system and provides compliance tracking by bureaus and offices. Specialized training for those with "significant security responsibilities" includes certification courses, industry and vendor training classes, internal briefings and awareness seminars (for designated authorities, senior management, technical staff, and security representatives), DOI IT security team meeting training sessions, and online continuing education.

Comments: DOI has taken steps to enhance IT security training in FY 2005 by contracting with USALearning.gov to provide role based training for bureaus and offices. The curriculum provides specialized training modules geared towards DAAs, system owners, ISSOs, and network, database,
and system administrators. This will undoubtedly raise Interior's compliance levels with respect to training those "with significant IT security responsibilities". In FY 2005, the CIO and CISO provided C&A training to the Secretary and other senior management officials having DAA responsibilities. This role-based training included a review of the C&A process and the responsibilities of the DAAs, Certifying Officials, ISSOs and other individuals assigned C&A roles and responsibilities. The Bureau IT Security Managers (BITSMs) are constantly engaging in external training and certification. Over 80 IT staff, including BITSMs and some of their security staff, have achieved certifications as Certified Information Systems Security Professionals (CISSP). In addition, eight employees recently achieved certification as Certification and Accreditation Professionals (CAP). These eight individuals are among the first in the country to receive such certification.

It's important to note that the 84,159 reported in 6a. includes ALL employees and contractors (per instructions). A percentage

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? Yes or No. Yes

Question 7

8a. Is there an agencywide security configuration policy? Yes or No. Yes
Comments: Policy Directive Issued by the Office of the Chief Information Officer. Configuration guides are available for the products listed below.

8b. Identify which software is addressed in the agencywide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.
Approximate the extent of implementation of the security configuration policy on the systems running the software. Response choices include:
- Rarely, or, on approximately 0-50% of the systems running this software
- Sometimes, or on approximately 51-70% of the systems running this software
- Frequently, or on approximately 71-80% of the systems running this software
- Mostly, or on approximately 81-95% of the systems running this software
- Almost Always, or on approximately 96-100% of the systems running this software

Product | Addressed in agencywide policy? (Yes, No, or N/A) | Do any agency systems run this software? (Yes or No) | Extent of implementation
Windows | Yes | Yes | Frequently, or on approximately 71-80% of the systems running this software
Windows | Yes | Yes | Rarely, or, on approximately 0-50% of the systems running this software
Windows | Yes | Yes | Mostly, or on approximately 81-95% of the systems running this software
Windows | Yes | Yes | Sometimes, or on approximately 51-70% of the systems running this software
Windows | Yes | Yes | Mostly, or on approximately 81-95% of the systems running this software
Solaris | Yes | Yes | Mostly, or on approximately 81-95% of the systems running this software
HP-UX | Yes | Yes | Mostly, or on approximately 81-95% of the systems running this software
Linux | Yes | Yes | Rarely, or, on approximately 0-50% of the systems running this software
Cisco Router IOS | Yes | Yes | Rarely, or, on approximately 0-50% of the systems running this software
Oracle | Yes | Yes | Sometimes, or on approximately 51-70% of the systems running this software
Other. Specify: IIS, SQL Svr, Other Windows, HP MPE, MAC, Novell, AIX | Yes | Yes | Mostly, or on approximately 81-95% of the systems running this software

Comments: Interior has established approved security configuration standards in the form of Security Technical Implementation Guides (STIGs). Interior's policy allows for bureaus to define, document, approve, and implement their own STIGs, which many have done, or implement Departmental STIGs.
The CIO and IG differ in their perspectives with respect to the level of policy compliance and STIG implementation by Interior's bureaus and offices due to a misunderstanding between our respective interpretations of what the FISMA questions are asking and the IG's understanding of Interior's policy. The OIG appears to be of the opinion that bureaus must implement the Departmental STIGs and does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the CIO's FISMA report. The OIG has

Question 9

Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No. Yes
9.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No. Yes
9.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov Yes or No. Yes

Comments: The IG's FISMA report differs from the CIO's with respect to question 9.b based on their observation that in 5 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO believes that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.

10.a. Has the agency documented in its security policies special procedures for using emerging technologies (including but not limited to wireless
and IPv6) and countering emerging threats (including but not limited to spyware, malware, etc.)? Yes or No. Yes

10.b. If the answer to 10.a. is "Yes", briefly describe the documented procedures. These special procedures could include more frequent control tests & evaluations, specific configuration requirements, additional monitoring, or specialized training.

Response: Interior develops, maintains, and updates IT security policies and Security Technical Implementation Guides (STIGs) to respond to emerging threats and technologies. As part of DOI's Certification and Accreditation (C&A) continuous monitoring process, systems are routinely assessed to identify and correct weaknesses resulting from newly discovered vulnerabilities. Depending on the nature of the emerging threat or technology, more frequent control testing, specialized training for network or system administrators, additional monitoring, or application of STIGs to ensure specific configuration requirements are met may be required for systems. Such requirements are typically specified through Departmental or bureau policy or standards, and Designated Approving Authorities have the discretion to identify additional system specific security control requirements depending on agency, risk, threat, and technological factors.

Comments:

Attachment A: §4.a. Incident Detection Capabilities.

Response:

Incident Response Tools and Technology

The Department of the Interior Computer Incident Response Capability (DOI-CIRC) uses a variety of tools to classify, track, and report IT security incidents.
E-mail, telephone, and collaborative communication are the predominant methods used to alert, track and manage incidents. In a network-wide alert, e-mail is used to notify all employees, IT staff, IT security professionals, or other well-defined groups of an ongoing security incident and the appropriate action to be followed. The incident response teams use e-mail and other collaborative communication tools to exchange information on an incident through the seven stages of remediation: detection, classification, containment, reporting, investigation, recovery, and closing. Web technology is used to inform employees of the action to be followed in reporting an incident, as well as to maintain a permanent record of the incident in a response database. A variety of specialized commercial and freeware tools, scripts, manual and automated procedures are used to collect, review, and correlate IT security system and host logs in the identification and investigation of an IT security incident. For virus and malicious code detection, DOI maintains an Enterprise Anti-Virus/virus protection software contract and uses a variety of commercial host- and network-based intrusion detection capabilities to identify, log, and alert malicious network activities.

Incident Detection

IT security incidents are reported from internal and external sources including: DOI employees, bureau IT security professionals, other federal agencies, and worldwide IT security organizations. As appropriate, DOI-CIRC alerts bureaus of security threats to the Department's network infrastructure and tracks the security alert from alert and classification through remediation and closing. In the initial phases of an alert, a security incident handler is assigned to track, record, and communicate information about the incident. Incidents classified high or medium are reported to the Bureau IT Security Manager (BITSM) and DOI-CIRC within two hours or two days, respectively.
Incidents classified as low are reported to DOI-CIRC monthly.

Perimeter and Wide-Area Network Incident Detection

Logging is enabled on all security devices, including routers, network- and host-based firewalls, intrusion detection/prevention and other security systems. These security devices are configured to log access from, and egress to, the public Internet. In some environments, wide-area-network routers are similarly configured to log events between internal network segments. Network- and host-based event logs are routinely monitored for indication of significant security events and potential malicious activity. Security events include network intrusions, scans, denial of service attacks, worms, and unauthorized access to network integrated devices in the DOI wide-area-network infrastructure. Client initiated (egress) access is routinely reviewed to detect security incidents, including attempted propagation of malicious code from an infected or otherwise compromised host, inappropriate use of Internet services, or events including misconfigured internal hosts.

Internal Incident Detection and Alerting

As part of the IT Security Program, each bureau operates a computer security incident team to work closely with the BITSM and DOI-CIRC in the classification, containment, reporting, and remediation of identified security incidents. Any event classified as a security incident is reported to DOI-CIRC and is addressed using the standard methodology presented in the Department of the Interior Computer Security Incident Response Handbook. Internal security events are reported to the bureau incident response team or DOI-CIRC for assignment of an event manager to track the event and log all action with the appropriate authorities.
Viruses and malicious code are detected using anti-virus software technology deployed with individual workstations, mail servers, and SMTP e-mail gateway servers. Detection and quarantine/removal of malicious code is considered a security event and reported monthly to DOI. An infected message or other malicious payload inadvertently launched at the workstation is reported as a security incident.

External Reporting of Security Incidents

DOI and its bureaus maintain Internet e-mail accounts for reporting possible security incidents originating from DOI computer systems. These reports are delivered to the BITSM and computer security incident response team (CSIRT). The e-mail address for reporting security incidents to DOI is incident@circ.doi.gov.

Discussion of Differences between CIO and IG Sections

Introduction

Each year, the Chief Information Officer (CIO) and the Inspector General (IG) complete different sections of the annual Federal Information Security Management Act (FISMA) report. The sections represent the respective viewpoints of the Office of the Chief Information Officer (OCIO) and Office of the Inspector General (OIG) with regard to the degree to which Interior's Information Technology (IT) Security Program is compliant with FISMA. This document provides a gap analysis between the OIG's characterization of Interior's FISMA compliance, as documented in their responses to Section C of the FY 2005 annual report and their Annual Evaluation of the Department of the Interior Information Security Program (Report No. NSM-EV-MOT-0013-2005), and the OCIO's characterization, as documented in their draft responses to Section B of the FY 2005 annual report.
The OCIO and OIG worked together to develop and implement a cooperative monitoring agreement on the DOI IT security program. This program, funded by the Department ($1.1 million in FY 2005) and independently conducted by the OIG, provided critical information needed to prioritize further improvements to the DOI operational IT security posture. From quarterly updates provided by the OIG as well as penetration test results, the OCIO was able to promptly take action to correct vulnerabilities. Although additional corrective actions remain from some IG evaluations, many actions were taken immediately, including temporary disconnection from Internet access when warranted. The OCIO appreciates the efforts of the OIG in pointing out weaknesses or vulnerabilities, and has utilized the results to make significant improvements. The primary difference in the perspectives is a result of the ambiguity in FISMA, and more particularly, differences in the interpretation of the term "adequate security." The CIO believes that the criteria the OIG used exceed the basic requirements of FISMA.

General Comments

The OIG report portrays the DOI OCIO as being uncooperative, requiring the OIG to "modify various testing techniques" and that "information requested from the OCIO was very late in coming," incomplete, or not readable. This does not acknowledge the significant burden placed on already constrained OCIO resources. They were simultaneously engaged in producing over 4 1/2 million pages of documentation in response to the court, as well as meeting the new OIG requirements to produce voluminous material in the Cobell litigation (e.g., CDs and DVDs as well as other information) in support of the OIG FISMA evaluation. The effort by the OIG to obtain, load, and inspect copies of bureau hardened and secured baseline operating system and database images represented a significant new workload.
The varying results (e.g., copies of default manufacturer provided images as opposed to hardened and secure baseline images) in obtaining these copies were partially attributed to insufficient advance notice for the new requirement and insufficient time to clearly communicate what was expected. The OIG report did not indicate that, for FY 2005, the OCIO provided funding to the OIG to participate with the Department in a collaborative but independent fashion to augment our compliance program. The report does not mention the significant progress in implementing corrective actions for weaknesses identified in the penetration tests performed by the OIG as part of the compliance program funded by the OCIO. In summary, the executive summary of the OIG report does not track with the analysis and conclusions provided in the remaining sections of that document. The Department acknowledges areas that need improvement. However, the OCIO believes that the OIG's interpretation of several of the questions asked in the FY 2005 FISMA reporting template exceeds the basic requirements of FISMA. For example, the report does not indicate:

* Interior's Certification and Accreditation (C&A) policy, standards, guidelines, processes, and independent compliance reviews are substantially compliant with FISMA and NIST requirements;
* Risk impact level (e.g., Low, Moderate, and High) determinations for confidentiality, integrity, and availability documented in System Security Plans meet or exceed NIST SP 800-60 and FIPS Pub 199 criteria;
* Interior's authoritative Departmental Enterprise Architecture Repository (DEAR) has an accurate inventory of all major information systems;
* Interior's POA&Ms and POA&M process are substantially compliant with OMB requirements;
* Bureaus implemented approved bureau-level STIGs (e.g., security configuration standards) in conformance with Departmental policy; and,
* Substantial C&A training was provided to Department and bureau senior management officials (e.g., Designated Approving Authorities (DAAs) via the MIT forum).

The OCIO believes that, at a minimum, the quality of our C&A process is satisfactory as supported by the following analysis and recommendations. The following analysis represents the perceived differences between the OCIO's and OIG's interpretation of those requirements.

Analysis

The following gap analysis is limited to the areas where the report shows differences of opinion between the CIO and IG. The format used to contrast each area of difference will be identification of the relevant question in Section C used to document the results of the IG's evaluation, and the corresponding question in Section B used to document the results of the CIO's assessment. In responding to each question in the FISMA reporting template, we believe the objective should be to consider whether Interior's IT security program is adequate when measured against the requirements of FISMA.
The level of adequacy would include the degree to which Interior has substantially demonstrated compliance with Federal laws, regulations, and standards such as Memoranda and Circulars issued by the Office of Management and Budget (OMB) and Federal Information Processing Standard Publications (FIPS Pubs) and Special Publications (SPs) issued by the National Institute of Standards and Technology (NIST). Adequacy should be characterized by the degree to which:

* Interior has adequate IT security policies,
* Processes and procedures are in place to implement those policies, and
* Programs and systems have been sufficiently tested to ensure that agreed upon security controls, as approved by senior management officials (e.g., Designated Approving Authorities (DAAs)) and as documented in security plans, are functioning as intended.

IG's FISMA Section C Response: Questions 1a thru 1c and 2a thru 2c
CIO's FISMA Section B Response: Questions 1a thru 1c and 2a thru 2c

Difference

For each question, actual performance in FY 2005 by risk impact level and bureau are expected to be identified. The FISMA template provides a heading for the second column for these questions that reads "FIPS 199 Risk Impact Level." Potential risk impact ratings (e.g., High, Moderate, or Low) for Confidentiality, Integrity, and Availability (CIA) and the resulting overall security categorization of IT systems (e.g., the high-water mark of the impact ratings for CIA) for each system are documented in their respective System Security Plans (SSPs). The CIO responses to these FISMA questions are identified by the documented FIPS 199 Risk Impact Levels as required. The OIG does not recognize these documented risk impact levels as they have asserted that the method prescribed by the Department's Asset Valuation Guide (AVG) is not compliant with NIST FIPS Pub 199.
However, the OIG also indicated the existing method used by Interior typically meets or exceeds the provisional impact ratings that would be obtained by using the NIST SP 800-60 and FIPS Pub 199 ratings.

Discussion

The NIST standards provide for flexibility for agencies to define their own common data and information types. The standards also provide guidance for determining risk impact levels using those types, considering other factors unique to each agency, as long as the resulting sensitivity ratings equal or exceed the minimum thresholds and specifications prescribed by NIST. As long as agencies:

* identify, select, implement, and test minimum mandatory management, operational, and technical security controls based on the security categorization of each system;
* risk impact levels equal or exceed minimum expected sensitivity ratings as identified by the provisional ratings contained for similar data and information types specified in NIST SP 800-60; and
* security controls are tailored to individual ratings for CIA, as specified by the draft NIST FIPS Pub 200 and the related NIST SP 800-53;

then the agency has demonstrated a consistent and adequate methodology used to determine risk impact ratings for IT systems. Agencies aren't expected to have implemented NIST FIPS Pub 200 and SP 800-53 until one year following the final release of FIPS Pub 200, currently still in draft. In an earlier meeting with the OIG, the OCIO was informed that the sensitivity ratings and security categorizations were not documented in any of the C&A packages (e.g., in the SSP or the Risk Assessment report). The OCIO reviewed the C&A packages in question and found the information documented in the SSPs. In a follow-up conversation with the OIG,
the OCIO was informed that the real issue was related to inconsistencies between what was documented in the AVGs compared to the SSPs. Although the AVG serves a useful purpose as a tool for the System Owner to develop a recommendation for the ratings to be considered by the DAA, it does not serve as the documentation for the final determination. The final sensitivity ratings for CIA, the overall security categorization and the agreed upon security controls are documented in the DAA-approved final SSP. The OIG report reflects a more narrow interpretation of the NIST standards which we believe is inconsistent with their recognition that Interior's existing process results in sensitivity and impact determinations which equal or exceed the provisional impact ratings identified in NIST SP 800-60, which inherently considers the NIST FIPS Pub 199 minimum impact rating determinations. This interpretation does not recognize the agency's discretion in identifying additional criteria and requirements which may result in higher impact levels being assigned to systems. The OCIO recognizes the need to reevaluate the existing process to ensure that systems are not overly categorized in terms of data and information sensitivity and impact ratings. This is particularly important as there is an associated burden and cost implication to implement the operational and technical security controls appropriate to these ratings. The OIG appeared to base their conclusion on interviews with individuals as to whether they had followed NIST FIPS Pub 199 in determining these ratings. The individuals were not familiar with that NIST publication and had indicated that they had used the AVG process. The OIG did not provide recognition in their report that the sensitivity determinations had been based on consistent application of the AVG methodology. They also did not indicate that the AVG process resulted in sensitivity determinations lower than what they would expect from the FIPS Pub 199 process alone. There is no requirement that individuals be familiar with the specific NIST FIPS Pub 199 reference (e.g., recognize the name or title of a reference) if they are following an agency-prescribed process that incorporates those requirements. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with these questions exceed the essential requirements of FISMA.

IG's FISMA Section C Response: Question 3b
CIO's FISMA Section B Response: No corresponding question(s)

Difference

Question 3b asks the IG to evaluate the degree to which "The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including identification of the interfaces between each such system and all other systems or networks including those not operated by or under the control of the agency." The IG's response characterizes Interior's inventory of "major information systems" as "approximately 81-95% complete" while the CIO remains confident that the Department Enterprise Architecture Repository (DEAR), the authoritative repository for IT system inventory, contains an accurate inventory of the Department's major information systems.

Discussion

The OIG's evaluation does not identify any specific discrepancies with respect to the Department's inventory of major information systems necessary to substantiate their response characterizing Interior's inventory at anything less than 100%. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's FISMA Section C Response: Question 4a
CIO's FISMA Section B Response: No corresponding question(s)

Difference

Question 4a asks the IG to select from one of several response categories with respect to the degree to which "The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency." The OIG selected the response category of "Sometimes, for example, approximately 51-70% of the time" and in their comments on the FISMA response indicated that they "did not determine the amount of unreported IT security weaknesses that were not included in the POA&Ms". The OCIO has no basis to suggest that weaknesses captured on POA&Ms are anything less than the highest response category option of "Almost Always, for example, approximately 96-100% of the time."

Discussion

In FY 2005, the DOI POA&M process tracked 2,895 weaknesses. The OIG acknowledges that DOI captures up to 95% of OIG identified weaknesses. The Department has very formal procedures in place, particularly for the financial audit, to ensure 100% of weaknesses are recorded in system POA&Ms.
The OCIO is at a loss to determine where another 1,000+ weaknesses (this number would be based on the OIG's current response indicating that the Department incorporates known weaknesses only "Sometimes, for example, approximately 51-70% of the time") should be derived. It appears that there is substantial agreement on the nature and number of weaknesses and the POA&M report takes exception to methods of resolution. The remaining findings are based upon the OIG report for the DOI POA&M process that questions the methods by which POA&M items are closed and the nature of prioritization. In response to OIG concerns, the DOI CIO directed (OCIO Directive 2005-007) a complete audit to verify that FY 2005 POA&M items were appropriately closed. Every program official was required to certify in writing that closed items met appropriate criteria for closure or re-open the weakness for action. While we saw a 25% increase in the number of new findings for FY 2005 Q3 and FY 2005 Q4, this increase is explained by the audits and self-assessments that occurred during this time period. In short, a 100% audit of 1,389 FY 2005 closed POA&M weaknesses (through Q3) did not conclude the same level of discrepancy as the 133 item sample in the POA&M report. Further, the draft POA&M report cites the September and November 2004 POA&M submissions for a majority of its findings. That data is more than a year old and may not sufficiently characterize the FY 2005 POA&M program. Lastly, every POA&M weakness is prioritized within the system to which it is attributed, a point acknowledged by the OIG team. OCIO staff has discussed this point and commented to the report that a Departmental prioritization scheme is not required and administratively inappropriate. Each system is required to pursue appropriated funds through the relevant investment portfolio. Bureau managers may not reallocate those resources outside the portfolio based on Departmental priorities. Therefore, the most meaningful and effective prioritization is within each system. Additionally, this meets FISMA requirements and should be acknowledged as such.

IG's FISMA Section C Response: Question 4b
CIO's FISMA Section B Response: No corresponding question(s)

Difference

Question 4b asks the IG to select from one of several response categories with respect to the degree to which "When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Although DOI's POA&M process for IT security weaknesses includes the development, implementation, and management of POA&M for systems, DOI does not adequately manage the weaknesses adequately through its POA&M process." The OCIO has no basis in fact to suggest that program officials do not develop, implement, and manage POA&Ms for their systems when IT security weaknesses are identified. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question.

Discussion

The FISMA question specifically asks the question as to whether or not program officials (including CIOs) develop, implement, and manage POA&Ms for their systems when weaknesses are identified.
The Department has demonstrated that there are POA&Ms for every system that is reported quarterly. Ideally, there would be a specific FISMA question, or questions, that inquire about specific quality characteristics of the POA&Ms and POA&M process. This particular FISMA question does not inquire about the quality or adequacy of either, and simply asks if program officials are managing weaknesses via their program or system POA&Ms. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA. With respect to any questions regarding quality, raised in the comment section of the IG's FISMA report, the OIG relied on FY 2004 POA&Ms as the basis for their conclusions. The OIG's analysis did not take into consideration the substantial improvements to the FY 2005 POA&M process resulting from issuance of several OCIO Directives. In FY 2005, bureau CIOs were required to verify and validate completed actions on their POA&Ms and submit a signed certification statement attesting that they have done so with the submission of each of their quarterly POA&Ms. The OIG's report does not consider any FY 2005 progress and actually represents the state of the FY 2004 POA&M process. The characterization of Interior's POA&M process on the FISMA report should more appropriately reflect the effectiveness of the FY 2005 process. The OMB Memorandum 04-25 states the following with respect to the level of detail used to describe weaknesses in a POA&M: "Detailed descriptions of specific weaknesses are not necessary, but sufficient data is necessary to permit oversight and tracking. For example, to the maximum extent practicable agencies should use the types of descriptions commonly found in reports of the GAO and IG such as "inadequate password controls," "insufficient or inconsistent data integrity controls," "inadequate firewall configuration reviews," "background investigations not been performed prior to system access," "physical access controls are insufficient," etc." Furthermore, OMB M-04-25 states that: "IGs are again asked to assess against minimum requirements whether the agency has developed, implemented, and is managing an agency-wide POA&M process (see Section C of the reporting template)." The IG's report should distinguish between when recommendations exceed the essential requirements of FISMA and OMB and be consistent in interpreting the adequacy or inadequacy of POA&M processes with respect to those "minimum requirements."

IG's Draft FISMA Section C Response: Question 4c
CIO's Draft FISMA Section B Response: No corresponding question(s)

Difference

Question 4c asks the IG to select from one of several response categories with respect to the degree to which "Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress." The OIG selected the response category of "Sometimes, for example, approximately 51-70% of the time" and in their comments on the FISMA response indicated that "Although DOI program officials report to the CIO on a quarterly basis, we did not find any indications that contractors were reporting security weaknesses to program officials or bureau CIOs and that these security weaknesses were being reported by the program officials on the." This sentence was prematurely terminated but the CIO assumes that it was to conclude with the word POA&M. The OCIO has no basis to suggest that program officials, including contractors, do not report to the CIO on a regular basis (at least quarterly) on their remediation progress. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question. If the OIG's evaluation provides evidence to support their conclusion with respect to contractor reporting, then the OCIO believes that the response category of "Mostly, for example, approximately 81-95% of the time" would be appropriate. However, the OCIO is not aware of any specific details with respect to the absence of POA&Ms for contractor systems or any instances of non-reporting of POA&Ms to the CIO for such systems. The OCIO has provided copies of system POA&Ms and signed certification statements from relevant CIOs associated with the contractor systems to the OIG.

Discussion

We believe the OIG's comments need to be appropriately verified and validated, quantified in terms of the number of contractor systems for which such circumstances might be true, and compared to the total number of systems (government and contractor) in order to determine a reasonable approximation to use as the basis of the compliance estimation. For example, as the CIO is reporting that there are 10 contractor systems and 157 agency (government) systems, even assuming that the requirement was not met for any of the contractor systems but it was being met for all agency (government) systems, a more accurate characterization would be 157/167 or 94% compliance towards meeting this requirement.

IG's Draft FISMA Section C Response: Question 4d
CIO's Draft FISMA Section B Response: No corresponding question(s)

Difference

Question 4d asks the IG to select from one of several response categories with respect to the degree to which the "CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Although the CIO tracks and maintains POA&M activities on a quarterly basis we found little evidence that the POA&Ms are reviewed from the standpoint that weaknesses and related corrective actions were described and could be sufficiently acted upon and that reportedly corrected weaknesses were in fact corrected. There was also little indication that the DOI CIO sufficiently reviewed POA&M activities to ensure that all known IT security weaknesses were reported on the POA&M. This is demonstrated by the acceptance of risk that can be accomplished by DOI personnel that were not the appropriate officials for accepting such risks." The OCIO has no basis in fact to suggest that POA&M activities are not centrally tracked, maintained, or reviewed by CIOs on at least a quarterly basis. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question. This level of compliance has been repeatedly demonstrated through Interior's quarterly POA&M reporting, tracking, and remediation progress and through the additional evidence provided to the OIG with respect to the signed POA&M certification statements by each CIO as part of the last quarterly POA&M submission and reporting cycle.
Discussion

Assuming that an unauthorized individual was addressing the issue of risk acceptance on their own, without the concurrence of the Designated Approving Authority (DAA), the number of such occurrences is not quantified sufficiently to suggest noncompliance. Compared to the thousands of weaknesses that are being tracked, managed, and reviewed, it is difficult to see how the OIG could conclude at this point that the number of any such instances could contribute to between 50% and 100% non-compliance with respect to this requirement. To the extent that the IG is aware of a number of such isolated incidents and has not identified such systemic issues on a larger and quantifiable scale, it does not appear reasonable for these occurrences to be used to extrapolate a conclusion about noncompliance. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft FISMA Section C Response: Question 4e
CIO's Draft FISMA Section B Response: No corresponding question(s)

Difference

Question 4e asks the IG to select from one of several response categories with respect to the degree to which the "OIG findings are incorporated into the POA&M process." The OIG selected the response category of "Mostly, for example, approximately 81-95% of the time." The OCIO has no basis in fact to suggest that OIG findings are not being incorporated into POA&Ms. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question as there have been no known instances where OIG findings were not incorporated into the POA&M process.

Discussion

OIG "findings" are required to be always incorporated into the program- and system-level POA&Ms along with weaknesses identified from other sources.
The CIO feels that the distinction would be that OIG "recommendations" are not always incorporated into the POA&M process as senior management does not always concur with such "recommendations" and has the discretion to consider whether or not such "recommendations" are required to be acted on. For the purpose of the FISMA report, the CIO requests that the OIG consider whether or not their response was based on the notion of incorporating "recommendations" vs. "findings", which might have contributed to a different perspective. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft FISMA Section C Response: Question 4f
CIO's Draft FISMA Section B Response: No corresponding question(s)

Difference

Question 4f asks the IG to select from one of several response categories with respect to the degree to which the "POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Currently bureaus prioritize weaknesses within system POA&Ms. However, we found little evidence that DOI overall prioritizes IT security weaknesses to ensure funding for this project." The OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question. The Department's POA&M process prioritizes IT security weaknesses consistent with OMB's requirements and within the constraints imposed by budgetary and capital planning and investment control (CPIC) processes.

Discussion

Interior's IT security program- and system-level POA&Ms include the appropriate level of detail and information required by the Office of Management and Budget (OMB) Memorandum 04-25. Prioritization of corrective actions is the responsibility of each Designated Approving Authority (DAA). Each DAA ensures that weaknesses are addressed in a timely manner and receive appropriate resources through their review and approval of their respective POA&Ms, which identify:

* description of each weakness;
* risk-level associated with each weakness;
* specific corrective action milestones;
* scheduled commitments to accomplish each milestone; and
* resources (budgetary and staff) required to implement each corrective action.

The DAA has the responsibility of making determinations regarding risk acceptance and the duration and conditions under which they will accept any residual risks. Lastly, every POA&M weakness is prioritized within the system to which it is attributed, a point acknowledged by the OIG team. OCIO staff has discussed this point and commented to the report that a Departmental prioritization scheme is not required and administratively inappropriate. Each system is required to pursue appropriated funds through the relevant investment portfolio. Bureau managers may not reallocate those resources outside the portfolio based on Departmental priorities. Therefore, the most meaningful and effective prioritization is within each system. Additionally, this meets FISMA requirements and should be acknowledged as such.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft FISMA Section C Response: Question 5
CIO's Draft FISMA Section B Response: No corresponding question(s)

Difference

Question 5 asks the IG to "assess the overall quality of the Department's certification and accreditation process." The OIG selected the response category of "Poor" without qualifying comments within the FISMA reporting template. The OCIO finds that the response category option of at least "Satisfactory" is a more appropriate characterization of compliance with respect to this question based on our analysis of the current state of the C&A process.

Discussion

In the OIG's Annual Evaluation report, the IG points to several factors contributing to their characterization of the Department's C&A process being rated as poor. The CIO maintains that the Department's Asset Valuation Guide (AVG) process to determine risk impact levels and security categorizations of systems for confidentiality, integrity, and availability equals or exceeds any ratings based on the NIST FIPS Pub 199 and NIST SP 800-60 alone. The levels of concern expressed in appendix F of the Department's AVG guide used in determining potential impact ratings (e.g., Low, Moderate, or High) for Confidentiality, Integrity, and Availability (CIA) are consistent with FIPS Pub 199. The AVG guide also identifies 15 sensitive information categories for Interior and the minimum expected impact ratings to be used for Interior's IT systems.
The Department's C&A, System Security Plan, Risk Assessment report, Security Test and Evaluation, and Contingency Planning guides substantially address the requirements of applicable NIST standards and guidelines. The OCIO performed independent reviews of the quality of C&A packages and issued compliance reports back to each bureau identifying areas needing improvement. This process has resulted in many C&A packages being revised, resulting in significant improvement in the quality of those packages, and 98% of Interior's systems are certified and accredited. The OIG's report indicates that 8 of 17 systems reviewed had ST&E reports that were dated after they were accredited, while the OCIO's records in Command Center indicate that approximately 31 of 171 C&A systems of record have ST&E reports dated after the date of the accreditation letter. This represents a potential concern with less than 20% of the C&A packages, as opposed to the OIG's information indicating potential concerns with approximately 47% of the packages. These perspectives also don't identify whether or not the ST&Es were actually concluded prior to the DAA's decision to accredit their respective systems, and whether or not those decisions were based on vulnerabilities and weaknesses identified in the ST&E. Consideration should be given to the actual dates within which the ST&Es were performed and the DAAs having had the benefit of those results, as opposed to the date of the ST&E report documentation, which may have subsequently been revised based on feedback from independent reviews performed by the OCIO on the quality of those reports. The IG's report does not contest the merits on which the DAA based their accreditation decision, which suggests that the certifications and accreditations are valid and based on each DAA's understanding and acceptance of any remaining residual risk to their systems. With respect to the OIG's characterization of the POA&M process,
the OIG relied on FY04 POA&Ms and did not benefit from a more recent study of the FY05 POA&Ms and associated process. The OCIO responded to these findings and recommendations in a separate response indicating that Interior's FY05 process has substantially improved and that we had proactively taken measures to improve the process which already had addressed the IG's recommendations. The OCIO recognizes the need to make some additional updates to C&A guidance in light of the significant number of new or revised standards and guidelines issued by NIST, which should be implemented in FY06 to implement FIPS Pub 200 and related SP 800-53 and 800-53A. Nonetheless, the CIO maintains that for FY05 the C&A process within Interior remains satisfactory. Beginning one year after the issuance of FIPS Pub 200 by NIST, the CIO recognizes that existing System Security Plans and ST&E processes will be in jeopardy if these new requirements are not effectively implemented. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft: Question 6, FISMA Section C Response
CIO's Draft: Question 8, FISMA Section B Response
Difference: Question 6a asks "Is there an agency wide security configuration policy?" The OIG selected the response of "Yes" and identified the relevant OCIO Directive. This question (both 6a and 6b) relates to agency policy and implementation of approved Security Technical Implementation Guides (STIGs). Each STIG provides specific security hardening and configuration instructions and parameters for various types of network resources and devices (e.g., operating systems, databases, routers, etc.). Question 6b asks the IG to "Approximate the extent of implementation of the security configuration policy on the systems running the software." The FISMA reporting template identifies 11 products for which the CIO and IG must select a response choice to indicate the degree to which systems have implemented approved STIGs. The CIO and IG differ in their response choices as there is a difference between our respective interpretations of what the FISMA questions are asking and the IG's understanding of Interior's policy.
Discussion: The OIG appears to be of the opinion that bureaus must implement the STIGs specified in Command Center (the Department's current IT security information dissemination portal) but acknowledges that bureaus frequently have their own STIGs which they implement. The CIO disagrees with the IG's interpretation as Interior's policy allows for bureaus to define, document, approve, and implement their own STIGs, which many have done. Bureaus are only required to implement the Department's STIGs available through Command Center whenever the bureau does not have their own approved STIG. The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA. The OCIO also believes that the IG report does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the DOI's FISMA report reflects.

IG's Draft: Question 7b, FISMA Section C Response
CIO's Draft: Question 9b, FISMA Section B Response
Difference: Question 7b asks "Does the agency follow documented policies and procedures for external reporting to law enforcement?" The OIG selected the response choice of "No" based on their observation that in 8 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO feels that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.
Discussion: Circumstances about why the 8 incidents were purportedly not reported via the IG were not sufficiently articulated. It is unclear what factors contributed to the lapse in notification for these specific incidents, but it is clear that notification policies and procedures are in place and have successfully been used in other instances. The CIO acknowledges that Interior's policy requires notification of the OIG's Office of Investigations when IT security incidents are reported to external law enforcement. The CIO understands that the responsible OIG office was not well positioned for most of FY 2005 to receive, or respond to, such notifications. However, it should be recognized that Interior's bureaus and offices did engage other appropriate law enforcement officials to respond to incidents where appropriate.
IG's Draft: Question 8, FISMA Section C Response
CIO's Draft: Question 6, FISMA Section B Response
Difference: Question 8 asks "Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?" The OIG selected the response choice of "Mostly, or approximately 81-95% of employees have sufficient training," which is inconsistent with the CIO's analysis.
Discussion: The OCIO's performance metrics with respect to annual awareness training and role-based training identify the following relevant metrics in question 6 of the CIO's response:
* Total number of employees in FY05: 84,159
* Number of employees that received IT security awareness training in FY05, as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (October 2003): 82,818 (98.44%)
* Total number of employees with significant IT security responsibilities: 2,611
* Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model: 1,736 (66.49%)

The CIO is advocating that the progress in the areas of awareness and role-based training be equally weighted, which would result in the selection of "Almost Always, or approximately 96-100% of employees have sufficient training" based on the resulting weighted average of 97.48%. Additional credit should include recognition of the C&A training provided to the Secretary and Designated Approving Authorities (DAAs) by the CIO and CISO regarding the C&A process and each of their respective roles and responsibilities.
Interior also has over 80 individuals who have achieved and are maintaining certification as a Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Certification Consortium, Inc., or (ISC)2.
Inspector General
Subject: Annual Evaluation of the Information Security Program of the Department of the Interior (Report No. [illegible])

The attached report presents the results of our annual evaluation of the U.S. Department of the Interior's (DOI) Information Security Program, as required by the Federal Information Security Management Act (FISMA). This year, we concluded that the Department continues to make progress to improve the security over its information systems. The report highlights a number of successes, including the Department's improvements to the Security Training and Awareness program, and a significant effort to implement the Enterprise Services Network to bolster security efforts. Based on the findings of our evaluation in 2005, however, we believe that DOI is not in compliance with the requirements of FISMA. Our testing and evaluation of DOI's IT security program for Fiscal Year 2005 indicates that DOI has weaknesses in three critical areas: network security, Plan of Actions and Milestones (POA&M), and Certification and Accreditation (C&A). Our penetration testing program found network infrastructure that was vulnerable to unauthorized access and allowed us to compromise some of DOI's most sensitive information. Our review of the DOI POA&M process shows DOI cannot be assured that the POA&M, in its current state, can be used as the authoritative tool to manage IT security weaknesses. We have recommended that the Department report the POA&M process as a material weakness under the Federal Managers' Financial Integrity Act. We have rated the Department's C&A program as poor based on a number of factors, including failure to apply Federal Information Processing Standard 199, the previously mentioned problems with POA&Ms, and completion of Security Test and Evaluation subsequent to C&A for some systems.

REDACTED PUBLIC VERSION. Subject to Protective Order Regarding Sensitive IT Security Information (Dkt. No. 2937) (Filed April 22, 2005). Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports. Annual Evaluation of the Information Security Program of DOI, Page 1 of 45.

Table of Contents
Executive Summary ... 3
Background ... 4
Evaluation Results ... 8
  System Inventory ... 8
  Contractor Operations and Oversight ... 9
  Plan of Actions and Milestones Program ... 10
  Certification and Accreditation Program ... 12
    Risk Assessment Findings ... 15
    Security Self-Assessment Findings ... 16
    System Security Plan Findings ... 18
    Security Test and Evaluation Findings ... 19
    System Contingency Plan Findings ... 19
    Plan of Actions and Milestones Findings ... 20
    DOI Certification and Accreditation Quality Assurance Findings ... 21
  Security Configurations ... 22
  Computer Security Incident Response Capability ... 25
  Training and Awareness ... 26
Recommendations ... 28
  System Inventory ... 28
  Contractor Oversight ... 28
  Plan of Actions and Milestones ... 28
  Certification and Accreditation ... 28
  Security Configurations ... 29
  Network Security ... 29
  Computer Security Incident Response Capability ... 29
  Training and Awareness ... 29
OMB OIG FISMA Matrix ... 30
Appendix I: FY 2005 FISMA System Sub Set Evaluation Findings ... 35
Appendix II: NIST Framework for Certification and Accreditation ... 38
Appendix III: Penetration Testing Scorecard ... 39
References ... 40
  Laws ... 40
  Office of Management and Budget Publications ... 40
  Government Accountability Office Reports and Documents ... 40
  OIG Reports ... 40
  DOI Policies, Procedures, and Other Documents ... 41
  NIST Special Publications and Federal Information Processing Standards ... 43
  Other References ... 43
Acronyms List ... 44

This report is exempt from disclosure to the public under the Freedom of Information Act, under Exemption 2 of the Act, 5 U.S.C. § 552(b)(2). For this reason, recipients of this report must not show or release its contents for purposes other than official review and comment under any circumstances.

Executive Summary
This report presents the results of our evaluation of the U.S. Department of the Interior's (DOI) information security program for Fiscal Year (FY) 2005. The objective of our evaluation was to (1) determine whether DOI's information security program satisfied the requirements of the Federal Information Security Management Act of 2002 (FISMA)[1] and (2) obtain information necessary to respond to Office of Management and Budget (OMB) questions[2] about DOI's security program. We have determined that there are significant weaknesses in DOI's compliance with FISMA as well as its IT security program as a whole. Our audits, evaluations, and technical testing of DOI's systems and IT security program show that bureaus are not implementing DOI policies and are not complying with OMB requirements for Certification and Accreditation. Additionally, problems in DOI's overall Plan of Actions and Milestones program, which is designed to manage and prioritize remediation activities, indicate that DOI management cannot be assured that IT security risk is properly identified, understood, prioritized, and mitigated.
As such, DOI should report its Plan of Actions and Milestones program as a material weakness under the Federal Managers' Financial Integrity Act of 1982 in the 2005 Performance and Accountability Report. Our penetration testing program revealed poor network and application security, inadequate network segmentation, and poor security configurations. These weak security controls make DOI vulnerable to unauthorized access from internal and external threats. Perhaps most troubling has been the lack of an effective agency-wide strategy to implement and oversee the various DOI-issued policies and procedures. Fieldwork continues to demonstrate that bureaus do not adhere to DOI policy - and in many cases are unaware of its existence - and self-report IT security metrics with little validation. While DOI has taken a number of positive steps to address the various deficiencies that we have uncovered in the past, unfortunately, our fieldwork and evaluation activities reveal significant problems continue to exist with the overall DOI IT security program.

[1] 44 U.S.C. Chapter 35.
[2] Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, June 13, 2005.

Background
Congress enacted FISMA to provide a comprehensive framework to secure the federal government's information and IT resources.
FISMA requires federal agencies to implement security programs that protect information systems and data from unauthorized access, use, disclosure, disruption, modification, or destruction. Specifically, FISMA requires, overall, that security programs equip federal agencies with mechanisms to accomplish the following:
* Assess risks and implement policies and procedures to reduce risks.
* Test and evaluate security controls.
* Plan for continuity of operations.
* Maintain subordinate plans for providing information security.
* Plan for security throughout the life cycle of systems.
* Plan corrective actions.
* Train employees and contractors.
* Detect, report, and respond to security incidents.

Prior to the enactment of FISMA, DOI lacked a formal IT Security program. There was inadequate funding, little management focus, and certainly no accountability. The lack of agency-wide policy and procedures only compounded the confusion within the bureaus and offices, making implementation problematic. The IT management within the bureaus was nonresponsive to various efforts made by DOI's Office of the Chief Information Officer (OCIO) to improve DOI's overall IT Security program. Over time, the OCIO has created a large assemblage of policies and procedures for IT operations and security that complement the government standards established by OMB and the National Institute of Standards and Technology (NIST). Prior to FISMA, our work found such a lack of policies and guidance that we simply pointed to inadequate IT security as our major finding. Since the enactment of FISMA, DOI's IT Security program has seen increased management awareness, involvement, focus, and funding.
IT security staffing has also increased and adequate training has been made available to the general workforce. During FY 2004 and 2005, DOI essentially established a body of policy and guidance and invested in various security technologies - at an estimated cost of $100 million - needed to create a control environment that allows testing of the networks, systems, and programs comprising DOI's IT assets. This has allowed our evaluation efforts to evolve from an essentially general controls-based auditing approach to one where technical experts conduct valid and real-world tests on the security of DOI's networks and computer infrastructure.

While our comprehensive FISMA evaluation points out significant weaknesses, we note that DOI has taken several positive steps to improve its overall security, including the following:
* Implementation of the DOI-wide Enterprise Services Network to provide a more secure computing and networking environment.
* Enhancing the DOI vulnerability scanning program beyond just the SANS Top 20[3] list of vulnerabilities.
* Implementation of Active Directory and the use of group policy for enforcing Microsoft-based security configurations.
* Significant improvements in content and usability of the DOI End User IT Security Training and Awareness Program.
* Completing its E-Authentication risk assessments.
[3] See http://www.sans.org/top20/ for the latest expert consensus on the top twenty security vulnerabilities facing Windows and UNIX based systems.

Evaluation Methodology
We performed our evaluation, as applicable, in accordance with Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency. We focused on validating the implementation of various DOI policies and procedures within the bureaus and answering OMB's questions for Inspectors General for the FY 2005 FISMA report. Unfortunately, in implementing this approach, we experienced a number of difficulties carrying out our FISMA evaluations this year. Coordinating our testing activities with DOI was hindered by the OCIO's lack of initial cooperation. This required us to modify various testing techniques, particularly those related to our technical evaluations. In one instance, our team was not allowed to connect to the Minerals Management Service (MMS) network based on instructions MMS received from the OCIO. Additionally, OCIO provided information late, and the information was often incomplete and unreadable. These delays caused us to exclude two bureaus - Office of Surface Mining and the U.S. Geological Survey - from our annual evaluation in order to meet OMB's reporting deadline.
To accomplish our evaluation we did the following:
* Conducted FISMA-specific evaluations on 17 systems, including three systems operated by contractors (see Appendix I), according to instructions from OMB.
* Conducted penetration testing on all of DOI's major networks to identify, document, and attempt exploitation of vulnerabilities that could be used to gain access to DOI systems, as well as evaluated DOI's incident response capabilities.
* Conducted fieldwork to assess the effectiveness of management, operational, and technical controls in use at DOI's National Critical Infrastructure Information Systems.
* Integrated our FISMA evaluation activities with the ongoing financial audit.
* Reviewed and evaluated DOI's Plan of Actions and Milestones Program.
* Reviewed and evaluated relevant IT security documentation related to DOI's Certification and Accreditation program.

We did not evaluate security controls on DOI's national security information systems because they are subject to review by the Central Intelligence Agency.

Specifically, we conducted our technical compliance testing throughout the year to test the effectiveness of deployed controls across networks, applications, servers, and workstations. We also carried out field inspections and general control reviews in the following seven FISMA compliance areas:
1. System inventory, including contractor-operated systems.
2. Certification and Accreditation, including system security planning, interconnections, and contingency planning.
3. Plan of Actions and Milestones.
4. Computer security incident response.
5. Security assessments.
6. Security configurations.
7. Security training and awareness.

This year we also established a quarterly FISMA update reporting process. We initiated this process to provide DOI's management with an integrated view of our findings through various investigations, audits, and IT-related evaluations regarding the state of IT security on a quarterly basis.

Evaluation Results

System Inventory[4]
FISMA requires that agencies have an inventory of their major IT systems, whether operated by the agency or third parties, such as contractors, who are working on behalf of the agency. The inventory must be maintained and updated at least annually, and system interfaces must be identified. DOI's official inventory system is the Departmental Enterprise Architecture Repository (DEAR). DOI's bureaus use a localized version known as the Bureau Enterprise Architecture Repository (BEAR) to manage their system inventories. We found that DOI does have an inventory system in place but still relies on manual efforts to reconcile various system counts, and uses a separate inventory system for its security program. After detailed discussions with DOI, we generally agree with DOI on the number of systems contained in the inventory.
While we did not observe any major information systems missing from DEAR, we do not feel that DOI has an efficient process in place and are concerned by the various different inventories used to report system counts. We will be carrying out a more thorough review next year. Our findings are noted below:
* National Security Systems are neither identified in DEAR nor are there placeholders for shell records.
* Bureaus had significantly more information available on their system components than what was reported in DEAR.
* Individuals with significant security responsibilities were not aware of DEAR or BEAR.
* For IT Security reporting purposes, DOI maintains a separate inventory system that is not integrated with DEAR, raising additional concerns for all subsystems being fully identified and their interfaces documented.
* Using multiple inventories for reporting makes it difficult to maintain an accurate system count.

DOI is working on linking lesser systems to their respective "parent" system, known as an enclave. The OCIO is currently in the process of matching Certification and Accreditation systems, which are maintained in a separate inventory, to the member DEAR system. Also, enclave to subsystem reconciliation is not yet complete and relies on manual processes.

[4] OMB Questions C1a, b, c and 3b, c, d, e.
As these manual reconciliation efforts go on, discrepancies in the inventory should be reduced, but for the time being DOI cannot be assured of a completely accurate system inventory. Additionally, we inspected the security plans to verify that systems and General Support Systems/Enclave subsystems were properly included. Upon inspection, we noted the following discrepancies:

* The National Business Center (NBC) Denver Data Center mainframe is detailed separately in the Denver Data Center Enclave System Security Plan documentation. However, it is not listed in the system inventory, as are the other member systems documented in the system security plan and the system inventory.
* The NBC Reston Local Area Network (LAN) lists the Travel Management System, Consolidated Financial System (CFS), and Interior Department Electronic Acquisition System (IDEAS) as member systems in the system inventory. However, they are not detailed separately in the Reston LAN system security plan documentation.

We also note that differing definitions are sometimes used to determine what exactly constitutes a system, a subsystem, or an enclave. While there is guidance from DOI to define and track systems, DOI should enforce a consistent definition and methodology [5].

Contractor Operations and Oversight [6]

FISMA, OMB, and DOI policy require contractor-operated systems to meet the same minimum security requirements as systems operated by the federal government. On August 18, 2004, DOI issued a policy document concerning IT security for its acquisitions and contracts [7]. This policy establishes very clear requirements and guidelines to assist business managers in ensuring that adequate IT security requirements are part of the contracting process. None of the personnel involved with the three contractor-operated systems we reviewed (the Bureau of Indian Affairs, the NBC/the Office of the Secretary, and the MMS) were aware of this policy.
DOI staff, including contracting officers, contracting officer's technical representatives, security liaisons, and the contractors' staff, had never seen the policy.

[5] The policies and procedures for populating the system inventory are widely accessible via the project's Web site, http://www.doi.gov/ocio/architecture/index.html. Guidelines are in place to eliminate duplication of records and define what constitutes a system that should be tracked in the database.
[6] OMB Question C3a.
[7] DOI Memorandum "Information Technology Security Requirements for Acquisition," August 18, 2004.

Of the three contracts we reviewed, none included DOI's requirements or were reviewed for compliance with DOI's guidance. Additionally, none of the bureaus had reported back to DOI on their contracts' compliance with DOI's guidance, as prescribed in the policy document. We found that the bureaus, acting on their own, have ensured that oversight activities are carried out and that the systems have gone through Certification and Accreditation. However, each organization handles contract oversight differently and with differing levels of rigor. We felt that BIA's oversight process was very effective, even though it was not aware of DOI's policy and had not formalized it within the contract.
MMS, however, was not allowed to fully inspect a subcontractor's production environment or to test it technically due to contractual issues, making the overall value of its oversight process questionable. Our testing efforts of the same MMS subcontractor were also hindered by the lack of appropriate language in the contract. Thus, we were prevented from physically inspecting the servers hosting the MMS data or carrying out any technical testing. Ironically, at essentially the same time as our inspection attempts, hackers compromised this subcontractor-operated system. The vulnerability leading to the compromise could very well have been discovered if MMS or the OIG had been allowed to carry out testing. We later learned that this same application had been hacked up to four times previously. While oversight is occurring at the bureau level, DOI's management cannot be assured of its effectiveness or of compliance with DOI's own policy for IT Security in acquisitions. Even when a bureau concurs with an audit recommendation pertaining to contracting, DOI cannot be assured that it has been carried out. For example, in a follow-up to an IT security audit in FY 2004, we notified DOI on August 29, 2005 [8], that one of its bureaus had failed to modify all IT contracts to require position sensitivity designation and the appropriate background investigation. These were actions that the bureau director had advised would be corrected by September 30, 2004.

Plan of Actions and Milestones Program [9]

FISMA requires federal executive branch agencies to develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in information security policies, procedures, and practices. OMB designed the Plan of Actions and Milestones to meet this requirement [10]. The guidance requires that Plans of Actions and Milestones (1) include all security weaknesses found during any review done by, for, or on behalf of the organization; (2) prioritize remediation activities; (3) be tied to the organization's budget submission through the unique project identifier of a system; and (4) be used as the authoritative project management tool for tracking and correcting security weaknesses. DOI's bureaus are required to prepare Plans of Actions and Milestones for each of their systems and programs where security weaknesses have been identified. The OCIO, using the bureaus' data, prepares a DOI-wide Plan of Actions and Milestones that is submitted to OMB. It is also used to report progress on remediation efforts to correct security weaknesses to OMB and the Congress. OCIO has stated that the Plan of Actions and Milestones is DOI's authoritative tool for managing IT security weaknesses.

[8] OIG Memorandum "Status Report on One Recommendation From the Audit Report Titled 'Improvements Needed in Managing Information Technology System Security, National Park Service' (Assignment No. A-ST-NPS-0005-2005)," August 29, 2005.
[9] OMB Question C4.
[10] OMB Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plan of Actions and Milestones," issued October 17, 2001. This guidance was updated by OMB Memorandum M-03-19, "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting," issued on August 6, 2003.

We have been assessing DOI's Plan of Actions and Milestones process since 2002 and have noted that although DOI implemented a process, challenges remain in ensuring its effectiveness and accuracy. Weaknesses with the process indicate that the Plan of Actions and Milestones Program, in its present state, cannot be viewed as an agency process that (1) incorporates all known IT security weaknesses, (2) has program officials who are held accountable for managing their processes, (3) prioritizes weaknesses, and (4) has an OCIO that exercises adequate oversight and review of the process. Our work in FY 2005 was our most comprehensive effort to date. We examined a sample of 344 items and tested 133 for compliance, which revealed systemic problems with the Plan of Actions and Milestones process [11]. Given our findings, DOI should report its Plan of Actions and Milestones program as a material weakness under the Federal Managers' Financial Integrity Act of 1982 in the 2005 Performance and Accountability Report. Summaries of our major findings from the evaluation are noted below:

* Sixty-four items out of 133, or roughly 48 percent, that had been reported as corrected were in fact not corrected.
* Not all known weaknesses were included in DOI's Plan of Actions and Milestones.
* Bureaus used differing, and sometimes arbitrary, definitions to determine what would be included in and excluded from the Plan of Actions and Milestones.
* Descriptions of weaknesses and the required actions to correct them were not adequate.
* The OCIO has not instituted adequate quality assurance and verification measures to ensure the accuracy of its Plan of Actions and Milestones.
* Responsible officials are not held accountable for the accuracy of the information and for correcting the weaknesses.
* There is no effective DOI-wide process to ensure that weaknesses are prioritized based on the risk to DOI.
* There is insufficient documentation or justification for accepting risk as a means to close out a Plan of Actions and Milestones item.

[11] Report A-EV-MOA-0001-2005, "Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses," September 2005.

We note that the OCIO has issued policy and instructions to significantly improve DOI's Plan of Actions and Milestones process and address the OIG's findings [12]. We observed fast responsiveness in the field to carry out DOI's new guidance. We will validate the implementation, accuracy, and completeness of these new guidelines in FY 2006.

Certification and Accreditation Program [13]

In this year's FISMA reporting guidance, OMB has asked the OIG to provide a "qualitative assessment" of the agency's Certification and Accreditation process. The assessment required us to determine adherence to existing policy, guidance, and standards, and to determine whether DOI is using NIST Special Publication 800-37 [14] and other relevant NIST publications for Certification and Accreditation work initiated after May 2004. This includes use of Federal Information Processing Standards (FIPS) 199 [15] to designate impact levels for the confidentiality, integrity, and availability of a system.
In our FY 2004 FISMA report, the OIG gave DOI a satisfactory rating on its assessment of the DOI Certification and Accreditation program, in part because DOI had initiated a quality assurance process to carry out detailed evaluations of the relevant documents. Since DOI's implementation of the Certification and Accreditation quality assurance process in FY 2004, the OIG has had a chance to review the process as well [16]. Overall, based on this year's evaluation work, we have rated the Department's Certification and Accreditation program as POOR. To carry out this assessment, we reviewed Certification and Accreditation documentation for the 17 systems that made up our FISMA subset analysis, four National Critical Infrastructure Information Systems, selected systems reviewed by the OCIO in its quality assurance reviews, and relevant DOI Certification and Accreditation documents. Overall, we found that DOI has a large body of procedures and documentation in place to assist system owners in accomplishing their Certification and Accreditation activities. While these procedures helped DOI initially achieve Certification and Accreditation on their systems, the overall process is poor because of the following:

* Very little or no work has been done on meeting FIPS 199 requirements.
* DOI's Certification and Accreditation process is inconsistent with the NIST framework.
* DOI documentation has not been updated sufficiently.
* DOI "how-to" guides are out of date.
* Weaknesses in the Plan of Actions and Milestones process directly impact the DOI Certification and Accreditation program.
* Some systems' Security Test and Evaluation reports were dated after the systems were signed off for full Accreditation.
* Employees, especially approving officials, were not trained adequately.

We observed that bureaus, such as the Bureau of Land Management, that had strong, dedicated project managers assigned to oversee the various complexities of the processes had much better control over maintaining their systems' Certification and Accreditation.

[12] OCIO Directive 2005-007, "FY 2005 Plan of Actions and Milestones Process Verification," May 3, 2005, and OCIO Memorandum "Implementing OCIO Directive 2005-007 for 4th Quarter Plan of Actions and Milestones (POA&M) and 4th Quarter Federal Information Security Act Performance Measures," August 18, 2005.
[13] OMB Questions C2 and C5.
[14] Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
[15] Standards for Security Categorization of Federal Information and Information Systems, February 2004.
[16] A large number of DOI's systems have been Certified and Accredited and deemed by DOI to have effective controls in place to provide adequate security. In the OIG annual FY04 FISMA report, the OIG gave DOI a satisfactory rating on its assessment of the DOI C&A program in part because DOI had initialized a Quality Assurance process to carry out detailed evaluations of the relevant C&A documents. The OIG was not able to review the process in the FY 2004 reporting period as DOI had just undertaken this effort.

FIPS 199 Findings

For FY 2005, OMB asked agency chief information officers and Inspectors General to determine the extent to which agencies are in compliance with FIPS 199. As OMB explains in this year's reporting instructions:

"FISMA tasked NIST to develop a standard to categorize all information and information systems based upon the need to provide appropriate levels of information security according to a range of risk levels. FIPS Publication 199, 'Federal Information Processing Standard 199: Standards for Security Categorization of Federal Information and Information Systems' (February 2004) defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These impact levels are: low, moderate, and high. All agencies must categorize their information and information systems using one of these three categories in order to determine which security controls in NIST Special Publication 800-53 should be implemented." [17]

By understanding, evaluating, and assigning the appropriate impact levels to a given system and its information, DOI can assign the appropriate security safeguards. In our fieldwork, we discovered that 15 of the 17 systems lacked a FIPS 199 impact designation [18], even though this has been a federal standard and requirement since February 2004. Most of these systems were accredited after May 2004.
Through our reviews of Certification and Accreditation documentation and interviews with security staff, we determined that very little or no work has been carried out to meet FIPS 199 standards and that bureaus are looking for guidance from DOI. For example, the BOR Wide Area Network and the NBC/Office of the Secretary Drug Testing system had been recertified and accredited, respectively, in FY 2005, but still lacked FIPS 199 categorizations. Overall, FIPS 199 forms the basis for an effective risk assessment and management program. Failure to implement or achieve compliance with FIPS 199 makes it difficult for DOI to select and test the most effective security controls. Furthermore, not being in compliance with FIPS 199 will make it impossible to be in compliance with the upcoming federal standard for selecting minimum security controls, known as FIPS 200 [19].

[17] OMB Memorandum M-05-15, FY 2005 "Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," June 13, 2005, page 6, item II.
[18] DOI uses an Asset Valuation process to assign risk levels for Confidentiality, Integrity, and Availability that was developed prior to the introduction of FIPS 199. The systems we reviewed did have designations based on the DOI Asset Valuation process. While this process was acceptable prior to FIPS 199, it is not consistent with the current standard for categorizing federal data and information systems.
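The FIPS 199 rule the OMB quotation above summarizes, and the kind of cross-document disagreement the report later describes (a system rated low in the C&A listing, high in its POA&M, and not rated at all in its security plan), are both mechanical enough to check in code. The following is an added example, not code from the report, from DOI or from NIST. It assigns each information type an impact level for confidentiality, integrity and availability, takes the highest level per objective as the system's level (FIPS 199), and takes the highest of the three as the overall level (the high-water mark FIPS 200 uses to select the SP 800-53 baseline); the document names, the information types and the stated values are constructed. "Not applicable" is honoured only where FIPS 199 allows it, for the confidentiality of an information type, and a system level is never below low.

```python
"""FIPS 199 security categorization and a cross-document consistency check.

Added example, not from the OIG report, DOI or NIST. Rules applied:
  - each information type gets low/moderate/high for confidentiality,
    integrity and availability ("not applicable" allowed for confidentiality only);
  - the system's level per objective is the highest among its information
    types, floored at low;
  - the overall system level is the highest of the three objectives
    (the FIPS 200 high-water mark).
Document names and stated values below are constructed.
"""
from typing import Dict, Iterable, Optional, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Spellings that turn up in real paperwork; FIPS 199 itself uses only low/moderate/high.
ALIASES = {"medium": "moderate", "med": "moderate", "mod": "moderate",
           "l": "low", "m": "moderate", "h": "high"}
NOT_APPLICABLE = {"n/a", "na", "not applicable"}


def normalize(level: Optional[str]) -> Optional[str]:
    """Map a stated level to FIPS 199 vocabulary; None means no designation was given."""
    if level is None or not level.strip():
        return None
    value = level.strip().lower()
    if value in NOT_APPLICABLE:
        return "n/a"
    value = ALIASES.get(value, value)
    if value not in RANK:
        raise ValueError(f"not a FIPS 199 impact level: {level!r}")
    return value


def categorize_system(information_types: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Derive a system's FIPS 199 category from the impact levels of its information types."""
    types = list(information_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = []
        for info_type in types:
            level = normalize(info_type.get(objective))
            if level is None:
                raise ValueError(f"{objective} impact missing for {info_type!r}")
            if level == "n/a":
                if objective != "confidentiality":
                    raise ValueError("'not applicable' is only permitted for confidentiality")
                continue  # contributes nothing to the system-level maximum
            levels.append(level)
        # Highest level among information types; a system is never below low.
        category[objective] = max(levels, key=RANK.__getitem__) if levels else "low"
    category["overall"] = max((category[o] for o in OBJECTIVES), key=RANK.__getitem__)
    return category


def check_consistency(declared: Dict[str, Optional[str]]) -> Tuple[str, Dict[str, str]]:
    """Compare the overall category a system is given in several documents.

    Returns ("not categorized", {}) when no document states a level,
    ("inconsistent", stated) when the documents disagree, else ("consistent", stated).
    """
    stated = {doc: normalize(value) for doc, value in declared.items()}
    present = {doc: value for doc, value in stated.items() if value not in (None, "n/a")}
    if not present:
        return "not categorized", {}
    if len(set(present.values())) > 1:
        return "inconsistent", present
    return "consistent", present


# Constructed: a wide area network carrying financial data plus routing data whose
# confidentiality is not applicable, documented in three places that should agree.
WAN_INFORMATION_TYPES = [
    {"confidentiality": "moderate", "integrity": "high", "availability": "high"},
    {"confidentiality": "n/a", "integrity": "moderate", "availability": "moderate"},
]
WAN_DOCUMENTS = {
    "system security plan": None,  # makes no mention of FIPS 199
    "C&A listing": "Low",
    "POA&M Q3": "High",
}

if __name__ == "__main__":
    print("derived category:", categorize_system(WAN_INFORMATION_TYPES))
    print("documents:", check_consistency(WAN_DOCUMENTS))
```

The derived category is the value the documents ought to agree on; when `check_consistency` reports "inconsistent" or "not categorized", the control baseline that follows from FIPS 199 cannot have been selected reliably, which is the practical consequence the report draws.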
We anticipate that NIST and OMB will make FIPS 200 a federal standard and mandatory requirement for Certification and Accreditation early in calendar year 2006. To effectively address these federal standards and OMB requirements, DOI will have to revamp its Certification and Accreditation process to ensure that it is compliant with NIST's Certification and Accreditation framework (see Appendix II) and OMB guidance. Additional areas for improvement and updating are discussed in the following sections.

Risk Assessment Findings

The risk assessment process is used to help managers and operators understand vulnerabilities and threats to their systems, consider the probability and impact of occurrence, and identify appropriate safeguards. DOI has documentation and "how-to" guides available for carrying out risk assessments; however, the majority of them are in need of updates to reflect changes in OMB guidance and NIST's Certification and Accreditation framework. DOI issued its Risk Assessment Guide [20] on April 30, 2002, which has been used for the majority of DOI's Certification and Accreditation. While the guide was published prior to NIST finalizing its Risk Management Guide [21], DOI needs to formalize the requirement to use NIST's Risk Management Guide for IT Systems (800-30) for its own risk assessments. We found that the Bureau of Reclamation (BOR) had re-certified a system in February 2004 using a risk assessment that was nearly 2 years old. Systems that undergo recertification should also undergo a new risk assessment.
We also found that the following risk assessments for NBC systems did not meet the requirements of NIST 800-30 because the risk assessments did not include a control analysis and control recommendation section:

* Consolidated Financial System (CFS/Hyperion)
* Denver Data Center (DDC) General Support System
* Interior Department Electronic Acquisition System (IDEAS)
* Reston LAN General Support System
* ARTNET General Support System [22]

Additionally, the Federal Financial System (FFS) risk assessment did not meet the requirements of NIST 800-30 because it did not include a control analysis, likelihood determination, impact analysis, risk recommendation, or control recommendations. An important part of DOI's risk assessment process is its asset valuation process.

[19] Federal Information Processing Standard 200 (draft), "Minimum Security Requirements for Federal Information and Information Systems," July 2005.
[20] Interior Risk Assessment Guide, April 30, 2002.
[21] NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems."
[22] According to a memorandum from the NBC Bureau IT Security Manager to the OCIO on August 10, 2005, ARTNET was transitioned to the Enterprise Service Network effective August 10, 2005.
DOI uses an Asset Valuation Guide [23] to help those involved in the Certification and Accreditation process determine a system's value, data sensitivity, and information categories, and capture other relevant information. The Asset Valuation Guide is not consistent with FIPS 199 and NIST guidance for determining security categorization levels for various types of federal data (SP 800-60 [24]). We noted discrepancies in risk designation between various security documents, including the following:

* The Fish and Wildlife Service (FWS) Wide Area Network Contingency Plan notes that it "provides the entirety of network connectivity for every mission critical IT system in the Service." DOI's Asset Valuation Guide notes that Wide Area Networks, such as the FWS's, trust systems, and financial systems are supposed to be categorized as high risk. However, the DOI Certification and Accreditation listing states that the security category of the FWS Wide Area Network is low, while the FWS Wide Area Network Plan of Actions & Milestones for the third quarter of FY 2005 states that the system is a high. We noted that FIPS 199 is not specifically cited in any of the relevant FWS Wide Area Network security documents. Interviews with FWS staff revealed that FWS is looking to DOI for guidance.
* BOR's Wide Area Network FIPS categorization is not stated, and its attempts to classify risk are inconsistent:
  o The June 24, 2005 System Security Plan makes no mention of FIPS 199.
  o The third quarter Plan of Actions & Milestones for FY 2005 states that BOR's Wide Area Network is a medium category system.
  o The Certification and Accreditation listing states that BOR's Wide Area Network is mission critical and yet does not determine the security category for the system.

Security Self-Assessment Findings

Annual security self-assessments are required by FISMA and DOI policy. DOI carries out NIST 800-26 [25] security self-assessments and other forms of security testing, such as scanning.
We found a number of inconsistencies in this area, including the following:

* The MMS Wide Area Network's NIST Special Publication 800-26 security self-assessment was incomplete, with many areas not addressed.
* The NBC's Federal Personnel and Payroll System (FPPS) NIST Special Publication 800-26 security self-assessment states that FPPS does not have any interconnections and thus interconnection agreements are not necessary. However, the FPPS system security plan lists numerous interconnections and states that the agreements are currently under development.
* The NBC's FPPS NIST Special Publication 800-26 security self-assessment states that system administrators periodically review user privileges to ensure they remain in line with duties. However, the Financial Statement Audit revealed that not all user accounts are reviewed. A Notice of Finding and Recommendation (NFR) has been issued by KPMG on this subject in this year's financial audit.
* The NBC's FFS NIST Special Publication 800-26 security self-assessment states that policy and procedures dictate that system administrators perform periodic reviews of user account privileges. However, the Financial Statement Audit revealed that Office of the Secretary user accounts are not reviewed. An NFR has been issued by KPMG on this subject in this year's financial audit.
* The NBC's FFS NIST Special Publication 800-26 security self-assessment states that FFS auditing has been integrated. However, the Financial Statement Audit revealed that audit capabilities were not turned on at the Office of the Secretary application. As such, Office of the Secretary system administrators were not reviewing FFS audit trails. An NFR has been issued by KPMG on this subject in this year's financial audit.
* The NBC's IDEAS NIST Special Publication 800-26 security self-assessment states that various account management policies, procedures, and controls are integrated. However, the FY 2005 Financial Statement Audit revealed that formal account management practices were not implemented. An NFR has been issued by KPMG on this subject in this year's financial audit. This finding is repeated from FY 2004.
* The NBC's Reston LAN NIST Special Publication 800-26 security self-assessment states that management has authorized and integrated all interconnection agreements. However, we note that the lack of a signed interconnection agreement is identified as a current issue on the Reston LAN Plan of Actions and Milestones.

[23] "DOI IT Asset Valuation Guideline," March 4, 2003.
[24] NIST Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categorization Levels."
[25] NIST Special Publication 800-26, "Security Self-Assessment Guide for IT Systems."

System Security Plan Findings

System security plans are an important part of the Certification and Accreditation process. They provide an overview of a system's security requirements and document the controls used to secure the system. We found a number of issues with the system security plans we reviewed. Several of them had not been updated to reflect current changes to the system's infrastructure. No plan we reviewed was well positioned to address NIST control requirements [26] or to be in compliance with the upcoming security control standard [27]. NIST Special Publication 800-53 helps agency system owners select the security controls for their system based on the system's FIPS 199 categorization, while FIPS 200, when finalized by the end of this calendar year, will make NIST Special Publication 800-53 a federal standard for selecting controls. System interconnection issues also continue to be weaknesses in DOI's system security plans, including the following:

* Page 11, section 2.3.31 of the FWS Wide Area Network system security plan states that all major applications and general support systems that are interconnected with the Wide Area Network system will sign the interconnection service agreement. These agreements have not been completed.
* Section 1.1.1 of the NBC FPPS system security plan includes information on the various interconnections of FPPS. The system security plan also includes information on the status of interconnection agreements. The plan notes that many of the agreements have not been developed and/or signed to date.
* Section 1.7 of the NBC FFS system security plan references the Denver Data Center Enclave plan for a listing of all interconnections. The FFS system security plan also notes that the interconnections are not signed to date.
* Section 1.8 of the NBC CFS system security plan states that the only true interconnection with Hyperion is to the Internet.
The system security plan also states that CFS clients sign a security services agreement with the NBC. However, these agreements are not signed with all clients.
* Section 1.8 of the NBC IDEAS system security plan includes a listing of interconnected agencies and specifies the logistics of the interconnections. However, the plan does not indicate whether interconnection agreements are signed.
* Section 1.6 of the mainframe portion of the NBC Denver Data Center Enclave system security plan includes a listing of all connected agencies. However, the plan does not indicate the status of interconnection agreements.
* Appendix A of the NBC Reston LAN system security plan includes a listing of the interconnected systems. However, the plan does not indicate the status of interconnection agreements.

[26] NIST Special Publication 800-53.
[27] Federal Information Processing Standard 200.

We did note that the system security plans for the NBC that we reviewed appear to be updated periodically, but we did observe some out-of-date contact information. Specifically, we determined that the following contact information has not been updated:

* An NBC employee listed as the program manager, system manager, and security manager for FFS retired from the NBC earlier in FY 2005. The same employee is listed as the program manager for IDEAS and, in the Denver Data Center Enclave, is listed as the system manager and security manager for the Albuquerque LAN.
* Another NBC employee is listed as the point of contact for the Reston LAN in section 4.1.1 regarding resets of passwords; however, this employee retired in FY 2004.

Security Test and Evaluation Findings

The security test and evaluation report provides validation of the effectiveness of deployed controls and is an essential component of understanding system risk. We noted that eight of the 17 systems we reviewed had security test and evaluation reports that were dated after they were accredited. NIST and DOI policy require that these reports be completed before a system is given a full accreditation. This raises questions regarding the completeness and accuracy of the information provided to approving officials during the Certification and Accreditation process. The OIG Office of Investigations is continuing to investigate this issue as a separate matter.

System Contingency Plan Findings

IT system contingency plans are an essential component of the Certification and Accreditation process. They provide system operators with the guidance and procedures needed to recover from an emergency or system level outage. Accuracy, timeliness, testing, and consistent documentation are critical for an effective contingency plan. We observed that only 4 out of the 15 systems that need to have their contingency plans tested this year actually have updated contingency plans, making it difficult to determine what was done or the effectiveness of the test:
* The NBC Denver LAN contingency plan has not been updated since June 2004, even though NBC has migrated from Novell to Active Directory and performed two connectivity tests.
* The MMS Wide Area Network contingency plan has a number of errors, including use of "sample" data and incomplete contact information.
* The Bureau of Reclamation Wide Area Network contingency plan test was conducted on May 17, 2005. The report that was provided documenting the test does not provide any results. The report does state that the revised contingency plan will be available June 30, 2005. However, the revision history in the plan dated June 24, 2005 does not reflect any changes to the plan, and the results of the test are not noted in the test plan report or the contingency plan.

We also found that most of the NBC system contingency plans had outdated or incorrect contact information for critical individuals. In order to verify the accuracy of the team contact information provided in the contingency plan, we performed a comparison to the current NBC directory. Upon comparison, we found the following discrepancies:
* The person listed as the team leader of the emergency management team is no longer employed. The alternate point of contact remains accurate.
* Another employee listed as a member of the emergency management team and the team leader of the operations team is no longer employed. The alternate point of contact remains accurate.
* The person listed as the FPPS contact has transferred to the financial division. Additionally, this person's contact information is incorrect.
* The employee listed as the IDEAS contact resigned in FY 2004.

Plan of Actions and Milestones Findings

The Plan of Actions and Milestones is an essential component of the Certification and Accreditation process.
Weaknesses within the DOI Plan of Actions and Milestones process directly affect the overall integrity and validity of DOI's Certification and Accreditation program. Our findings over the past 3 years indicate significant issues for DOI's Certification and Accreditation process, including the following:
* Clear and consistent understanding of the remaining risks, their levels and their priority for remediation efforts are needed to maintain a system's accreditation.
* Accurate and well-managed schedules for correction, resource requirements, and budgetary allocation to ensure adequate security throughout the life cycle of the system are all needed to maintain a system's accreditation.
* Overall accountability for managing the process and correcting the weakness is not well defined, is not standardized, is not well understood, and is not fully integrated into the continuous monitoring phase of the system accreditation.

DOI Certification and Accreditation Quality Assurance Findings

Also, as part of our evaluation of the Certification and Accreditation program, we reviewed the quality assurance process that evaluated the Certification and Accreditation process for the OCIO in FY 2005. While DOI has implemented a quality assurance process and should be commended for these reviews,
we identified several issues that need to be addressed to improve the process and ensure Certification and Accreditation stakeholders are fully aware of the quality of DOI's efforts:
* The DOI Quality Assurance program reviewed three principal Certification and Accreditation documents: the system security plan, the risk assessment, and the security test and evaluation report.[28] It did not, however, review in detail the Plan of Actions and Milestones, the system contingency plan, and DOI's asset valuation guide for each system. These documents are essential for a full understanding of the system's overall security posture.
* A critical component of any accrediting decision is understanding the risk acceptance of vulnerabilities made by the accrediting official, particularly high-risk items. The present quality assurance process lacks an independent analysis of risk acceptance.
* The quality assurance work we reviewed lacked recommendations for updating the critical Certification and Accreditation documents to reflect FIPS 199 requirements.
* When problems are discovered that require a change in the accreditation status, timely notification to appropriate officials within DOI and outside DOI, such as the Department of Justice, OMB, and the Government Accountability Office, must be made prior to reporting official Certification and Accreditation metrics.

[28] We found the methodology and questions used to review these three documents to be quite good, including the overall summaries. We did note, however, that some contractors provided more substantial comments and recommendations than others.
We noted that DOI provided Certification and Accreditation-specific training in FY 2004 in the form of national workshops, but we could not determine if any training was provided in FY 2005, especially to DOI's designated approving authorities or approving officials. Given changes to OMB's Certification and Accreditation guidance and NIST's development of a robust set of Certification and Accreditation guides and standards, DOI needs to provide updated training to staff.

Security Configurations[29]

FISMA requires that each agency "develop minimally acceptable system configuration" requirements for technologies such as Windows, UNIX, and Oracle. In this year's report, OMB has asked OIGs to determine if agency-wide security configuration policies have been developed. DOI developed guidance to assist its bureaus in implementing standard security configurations for major software deployments[30] in 2004. Our FISMA review indicates that bureaus are using various security configurations but none appear to be the ones prescribed by DOI policy. As such, we cannot provide a definitive answer to the specific OMB question due to a lack of consistency across the Department with a DOI-wide perspective on the use of security configurations, their effectiveness, or the percentage deployed for any of the agency-wide security configurations. We requested information from OCIO on this question and only received responses from 4 out of 10 bureaus. Even from those responses, we are not clear on what process is used to ensure that the bureaus' security configurations are actually deployed, are working effectively, or are integrated with the DOI-wide configuration management process.
We do have a higher level of confidence, however, for those bureaus who have fully implemented Microsoft's Active Directory[31] technology to distribute security configurations through its group policy feature. Group policy "pushes" down the security configurations for various Microsoft technologies, which are the main operating systems for workstations and servers in DOI, and allows us to audit it rather than individual servers or workstations. However, Microsoft's Active Directory is of limited or no value for non-Microsoft technologies, such as Oracle, Linux, Solaris, or Cisco IOS. Bureaus that are not using Microsoft's Active Directory, or have limited deployments, should be of particular concern to DOI, since much or all of the security configuration must be carried out manually.

[29] OMB Question C6.
[30] OCIO Directive 2004-007, "Standardized System Security Configurations," March 5, 2004.
[31] "Active Directory is a central component of the Windows environment that provides the means to manage the identities and relationships that make up network environments, allowing applications to find, use, and manage directory resources, such as user names, network printers, servers, etc." http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx and http://www.2eneous-software.co.uk/glossary.htm
In an environment with limited configuration management practices, this can pose additional risks to DOI's assets.

DOI's e-mail infrastructure proved to be particularly vulnerable to exploitation. In addition to inadequate encryption for Lotus Notes Internet-based passwords[32], unclear trust relationships exist amongst bureaus' Lotus Notes implementations. These trust relationships allowed us to bypass Lotus Notes access control features when using user IDs from one bureau on another bureau's e-mail infrastructure, giving us unauthorized user rights to various databases, address books, and other Lotus resources.

We also discovered Oracle configuration weaknesses during our penetration testing and in the annual Financial Statement Audit. These vulnerabilities allowed for unauthorized access to some of DOI's most sensitive systems and information. During our penetration testing, we did not observe any Oracle security configurations in use.

Network Security

In November 2004, we began penetration testing[33] of DOI's publicly accessible networks and systems. With the exception of three tests, we have been able to compromise the tested bureaus' IT infrastructure. Penetration testing carried out this fiscal year revealed significant DOI-wide configuration issues with DOI's Web applications and servers. The majority of our successful penetrations were due to vulnerabilities in the Structured Query Language[34]. These Structured Query Language vulnerabilities resulted in successful exploitation of the applications, the hosting server, and internal networks. Also, some Web servers were configured with default vendor's settings, indicating that adequate security configurations were not being used. Most troubling, we were able to access some of DOI's most sensitive information such as financial and privacy-related data. Our network security testing work is summarized in the penetration testing scorecard included as Appendix III.
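The query construction weakness behind that finding, shown as an added example that is not from the report: a lookup that splices the request value into the SQL text, beside the parameterized form that removes the weakness. The table, its rows, the allow-list and the sqlite3 backend are constructed for the example (the audited systems ran Oracle, which offers the same bound-parameter style of query).

```python
import sqlite3

# Constructed stand-in for a bureau Web application's backing table; the
# audited systems were Oracle, but sqlite3 keeps the example self-contained.
SAMPLE_ROWS = [
    ("r-100", "Employee address book extract", "privacy"),
    ("r-200", "FY 2005 obligations ledger", "financial"),
    ("r-300", "Park visitor counts", "public"),
]


def make_db():
    """Build the in-memory sample database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id TEXT, title TEXT, category TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, category):
    """The weakness the report describes: the request value is spliced into
    the SQL text, so a value containing quotes rewrites the WHERE clause and
    the application returns rows its caller was never meant to see."""
    sql = f"SELECT id, title FROM records WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, category):
    """Hardened form: the SQL text is a constant and the value is bound as a
    parameter, so whatever it contains is compared against the column as data."""
    sql = "SELECT id, title FROM records WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def lookup_hardened(conn, category, allowed=("public",)):
    """Parameterization plus an allow-list of the categories a public-facing
    page may request at all (defence in depth; the allow-list is constructed)."""
    if category not in allowed:
        raise ValueError(f"category not permitted for this interface: {category!r}")
    return lookup_parameterized(conn, category)


def compare(conn, value):
    """Run one request value through both forms and report the row counts,
    so the effect of the query construction can be checked side by side."""
    try:
        vulnerable = len(lookup_vulnerable(conn, value))
    except sqlite3.Error:
        vulnerable = "error"
    return {"vulnerable": vulnerable,
            "parameterized": len(lookup_parameterized(conn, value))}


if __name__ == "__main__":
    db = make_db()
    # An ordinary request returns one row either way.
    print("public     ", compare(db, "public"))
    # A value that closes the quote and appends a tautology turns the spliced
    # query into "... WHERE category = 'public' OR '1'='1'" and returns the
    # privacy and financial rows too; the bound form matches nothing.
    print("tautology  ", compare(db, "public' OR '1'='1"))
    # A legitimate value with an apostrophe breaks the spliced query outright,
    # which is often the first symptom a reviewer sees in application logs.
    print("apostrophe ", compare(db, "o'neil"))
```

A quick way to find the vulnerable pattern in a code base is to grep for string formatting or concatenation feeding an execute call; every such site should become a bound parameter.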
Major findings for our penetration testing are outlined below:
* The majority of DOI's Web applications that were tested were vulnerable to Structured Query Language injection attacks. This vulnerability is a systemic and material weakness throughout DOI.
* DOI's bureaus do not have adequate demilitarized zones[35].
  o We were able to compromise systems intended for public access to gain unauthorized access to a bureau's internal networks and Intranet during our testing.
* Weak passwords, including several on system administrator level accounts, continue to plague DOI and were exploited frequently in our technical testing.
  o We were able to obtain usernames and passwords on bureau public resources.

[32] OIG Memorandum to DOI, "Vulnerabilities in Lotus Notes R4 Password Encryption in Address Books," December 23, 2004.
[33] A form of testing conducted by skilled security engineers with little or no knowledge of DOI that attempts to identify, exploit, and document vulnerabilities that can be used to gain unauthorized access to DOI systems. This type of test tries to replicate the actions that a hacker would undertake to compromise systems and information so that DOI can take the proper corrective steps to prevent unauthorized access.
[34] Structured Query Language is "A database sublanguage used in querying, updating, and managing relational databases; it is the de facto standard for database products." www.oneii.com/cfm/glossary.cfm
* Oracle databases host some of DOI's most sensitive information, such as privacy and financial data.
  o We discovered and exploited significant configuration weaknesses in DOI's Oracle implementations.
* There was no separation between the various local area networks that comprise the bureaus' overall network.
  o In each successful penetration, we gained access to internal networks. This allowed us to carry out our testing undisturbed, undeterred, with unfettered access to bureaus' systems, networks, and information.
* DOI's e-mail infrastructure, once compromised, proved to be particularly vulnerable to further exploitation, indicating that additional controls and a DOI-wide e-mail security configuration are needed.
* DOI's bureaus were successful in discovering our initial attacks and, for the most part, initiated the appropriate computer security incident response. However, with the exception of the USGS, none of our secondary attacks, which were the most damaging to the bureaus, were detected. In most cases, there was a time lag of several days to a week or more from detection to reporting to DOI.
* DOI has been slow to respond and implement recommendations.
  o Configuration issues identified in April were still present in July at NBC.

[35] A network with security devices, such as firewalls and intrusion detection systems, used to protect internal networks and systems from public networks, such as the Internet.
  o Weaknesses with Lotus Notes identified in December 2004 were not conveyed agency-wide until some time in April 2005.

Computer Security Incident Response Capability[36]

FISMA requires agencies to have a formal process in place to detect, report, and respond to security incidents, notifying and coordinating with the Federal Incident Response Center. Additionally, agencies must notify and consult with law enforcement agencies and the respective agency OIG when they suspect criminal activity. DOI has established formal procedures for reporting security incidents and for sharing information regarding common vulnerabilities. The procedures require that bureaus report incidents to the DOI Computer Incident Response Center, which provides agency-wide computer and network systems incident response and coordination capability. In turn, the Response Center provides incident information to the Department of Homeland Security's U.S. Computer Emergency Readiness Team, which is responsible for coordinating an incident response for federal agencies.

In reviews conducted earlier this year[37], we advised DOI that bureaus were not submitting all required reports on IT security incidents, including event reporting, to the Response Center per OCIO Directive 2004-005[38]. Only two bureaus, the National Park Service and the USGS, had reported consistently; two bureaus, the Office of Surface Mining and the BLM, had not reported at all; and the remaining six bureaus and offices fell somewhere in between. Earlier this year we advised DOI that its senior officials lacked incident information on a department-wide basis and that DOI had underreported incidents to the U.S. Computer Emergency Readiness Team. Since then, DOI has taken appropriate action to address this and we have seen improvements in the bureaus' reporting procedures.
However, our penetration testing has revealed other problems with DOI's Computer Security Incident Response capability. DOI's bureaus, for the most part, have been successful in detecting large scale network reconnaissance activities and have taken actions to detect and block these. In most cases, there was a noticeable time lag between detection and reporting. Unfortunately, by this time we were able to penetrate through other undetected networks. In the instances where we gained unauthorized access inside a bureau, we were not detected and had unfettered access for as long as we needed it. This indicates that there is inadequate attention being paid to suspicious network activity within internal networks. We did not observe the use of intrusion detection devices[39] within internal networks, and we did not see any kind of real-time correlation being done between various network and security devices that would alert incident responders. As such, internal networks and assets are not only at risk from unauthorized users but also would fall under the radar of DOI's Computer Incident Response Center.

[36] OMB Question C7.
[37] NSM-EV-MOI-0012-2005, "Fiscal Year 2005 Second Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," May 10, 2005.
[38] OCIO Directive 2004-005, "Reporting of Medium and Low Priority Computer Security Incidents," December 19, 2003.
Another area for management concern is the failure to consistently notify the OIG Office of Investigations of incidents reported to law enforcement. DOI's Computer Security Incident Response Handbook and policy instruct bureau personnel to contact the OIG should a potential issue requiring law enforcement arise. To date, we are not seeing consistent adherence to this requirement as bureaus are reporting directly to local or federal law enforcement, without any notification to the OIG.

Training and Awareness[40]

DOI policy[41] requires all users of IT systems, including contractors, to receive annual security awareness training. The Departmental Manual for the IT Security program[42] also requires training for all levels of personnel involved with IT systems, including system managers, system owners, operators, IT security staff, and executives. We found that DOI provided adequate annual security awareness training to its personnel and began a new process to provide specialized training to staff with significant information security responsibilities. However, DOI still lacks a standard way to identify all contractors with access to DOI systems and relies on contractors to self-report their annual security awareness training. Specifically we found the following:

Through completion of fieldwork for the Federal Information System Controls Audit Manual portion of our FY 2005 financial statement audit, we determined that NBC does not have a process to monitor whether employees and contractors complete specialized IT training related to job functionality. During our FISMA review, we found that the NBC/Office of the Secretary contractor for the Drug Testing System had not yet taken DOI's IT security training, and the contractor had not been advised that they needed to take the course by a given date.

[39] An intrusion detection system inspects
all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. http://www.webopedia.com/TERM/I/intrusion_detection_system.html
[40] OMB Questions C8 and C9.
[41] OCIO Bulletin 2002-007, "Interim Guidance for Basic End-User Information Technology Security Training and Awareness," May 13, 2002.
[42] Part 375 Departmental Manual, Chapter 19, "Information Technology Security Program," April 15, 2002.

Likewise, DOI still does not have an accurate record for all individuals with significant information security responsibilities and does not maintain a system to keep track of their training. Although some key NBC IT personnel have attended specialized training in the past year, training plans do not exist for all employees. As such, NBC cannot ensure all key IT personnel have attended appropriate training. Our audit team notes that a Notice of Finding and Recommendation was re-issued in FY 2005 regarding this issue.

In response to an FY 2004 Financial Statement Audit Notice of Finding and Recommendation, DOI has established a department-wide learning management system. This system is to provide full functionality to assign certain courses or curricula to DOI employees based on position titles. These courses would be automatically placed in individual development plans and training plans.
Completion of training would be tracked, whether the training is internal or external to DOI training programs. The vendor has been chosen and migration and testing has begun. When fully implemented, this should assist DOI in managing specific, role-based training requirements.

Recommendations

System Inventory
1) DOI needs to fully reconcile, consolidate, and integrate its IT security system inventory with the Departmental Enterprise Architecture Repository to ensure consistency and to accurately and fully meet FISMA's system inventory requirements.

Contractor Oversight
2) DOI needs to ensure that existing IT and telecommunications contracts have been reviewed for compliance and updated as necessary to incorporate the required practices prescribed in DOI's memorandum titled "Information Technology Security Requirements for Acquisition," issued on August 18, 2004.

Plan of Actions and Milestones
3) DOI needs to carry out the recommendations prescribed to improve DOI's Plan of Action and Milestones process in the OIG report titled "Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses," issued in September 2005.

Certification and Accreditation
4) DOI needs to update its Certification and Accreditation guides and process to comply with the NIST Certification and Accreditation framework and the latest OMB guidance to include the following:
a.
Use FIPS 199 to categorize systems and understand potential impacts to DOI information and information systems.
b. Use NIST Special Publication 800-60 for mapping information types to appropriate security categorization levels.
c. Standardize on NIST Special Publication 800-30 for risk assessments and management.
d. Standardize on NIST Special Publication 800-53 for selecting system security controls.
e. Standardize on NIST Special Publication SP 800-53A for testing security controls.

5) DOI should improve its Certification and Accreditation quality assurance process by doing the following:
a) Conducting the reviews prior to a system being authorized to operate.
b) Including a thorough review of the system Plan of Actions and Milestones.
c) Incorporating a review and analysis of the IT system contingency plan.
d) Validating FIPS 199 compliance and ensuring that NIST Special Publication 800-53 is being used for selecting controls.

6) OCIO should provide standard, DOI-wide training to staff with Certification and Accreditation responsibilities.

7) DOI's approving officials should receive enhanced training on the Certification and Accreditation process, be well briefed prior to making an authorized to operate decision, and fully understand any risk they choose to accept.
Security Configurations
8) Implement and adhere to DOI's standard security configurations and test systems against these baseline standards for compliance.

Network Security
9) Implement the various strategic and tactical recommendations made in the OIG's penetration testing reports and associated Notices of Potential Findings and Recommendations.

Computer Security Incident Response Capability
10) Follow standard DOI procedures to report incidents with potential law enforcement implications to the OIG's Office of Investigations.

Training and Awareness
11) Establish a reliable method for identifying contractors, and DOI employees with significant security responsibilities, needing IT security training.

OMB OIG FISMA MATRIX

[The matrix pages (Page 30 of 45 onward) are not legible in this scan; the legible portion resumes at Section B, Question 6.]
-, its, - a aØe*!d ! - ty! !* !t y !w. fl 5! 11 14?-! s' II .-a -an- * et p!n!- ! e!ø! U *! ! ! p!*ta!t-,fl 1 00 ©tIfld! !. re a!*, P0MM Idtl ! t PlOWIm srtMs. pcasco oca!4t ! OjO on. mM. bs . - .!I,.E 1 F!I - ! !a w,!Sy 51-10% S ! - - !!4-v 040% CIt! fl 010 jQI ! .t ? PCASU pvtc*a - - - - ! ! Defendants' Notice of Filing of Dols FY 2005 FISMA Reports I I Queslio9 S REDACTED PUBLIC VERSION Subject to Protective Order Regarding Sensitive l-T Security Information (DId. No. 2937) (Filed April 22, 2005) Annual Evaluation of the Information Security Program of Dol Page 33 of 45 Section 8: Inspector General. Quesllori 6, 7. 8, and 9. Agency Name: QuesLico 6 I I I I 6 a Is there an agency wide se!inty configurabon pdicyl Yes * Yes or Na Comments: OClO DirecI!ve 2004-007. Mardi 05. 2!4, Standardized SpsIem Seasily Configura6on Configuration giides are available for the produds listea below. IdenlifywNdi sofiwaje Is Eddrs5sed in the agency !de security configuradon PO!CY. Sb. Indicate whether a. not any agency syslems nm the so!wate. in additon. appro!mate the extent oflmplementation of the securit!configumUOo pd!cy On the systems running the software. Approxirnale the extent or implementation of the acurity configuration policy on the systems running the soft*am. Response choice, Include: - Rarely, or. on approzIm!teiy 0.50% of the systems running this software Product - Sorn!IImes, oron approximately 81.70% of the systems running this software . Frequontiy, or on approxialataly 71-80% of Addressed in agencywide the systems running this software pohey? Do any agency systems . Mostly, or on approximatoly 81-96% of the run this softwaro? systems running this software - Almost Always, or cr1 approxinateiy 86-100% ci the Yos, No, systems runnIng this software orN/A. YesorNo. ! Rar* or on approximately 0-50% of the systems Windbw5 , - Yes - Yes mnnng tNs ! Windows - Rar&y.occnappoxknamty O-5G% of the systems Yes Y!. ..!o!!!ssolware Windows - Rar4. 
or on appioximateiy O-5C% of the systems . - yes - Yes - ifirHiria Ints software Windows - Rarely, or. on approximately D-5!% ofthe systems Ye5 Yes rurving this software Windows - Rareiy, or. 01 appioxlmateiy 0-50% of The systems - - Yes nir!it!y INs sofr!re Solaris . Rar&y, or. on approximate!G-5O% of the systems ! Yes Yes mrmh,Q INs software HP-UX . . Rarely, Or, o4! apptoximate! 0-50% or Vie systems Yos Yes FUJUlPflQ us SOUWaJB Unux . . Rarely, ct, on approximate! 0-50% of the syslerns ! Yos Yes runninq th! wftware Cis! Router lOS Rarely, o, on approxirnate!O-5O% of U,e systems ! Yes , Yes iPJnhingth!scftwere Oracle . Rarely, or, on approximata! 0-50% oF thB syStaln5 Yos Yes j runnpnq Oils software Oilier Specify: - Rarery,or.onapproxrn!ate!o-5o%otthosystems Yes Yes rwlnirul (lips software Comments: Other: AD(. Apache Web Servers, Remote Access Servers Question I indicate whether or not the following policies and procedures are in place at yo&# agency If appropriate or necessary, Include comments in the am pø4ded beiow. The agency foliows documented policies end procedures for identifying and reporting l.a. inodents intemal!/ Yes Yes or No, The agency fo'lows documented pohcies &!aocedures for external reporling to law lb. enforcement authoriI!es. No Yes or No, The agency bRows defined procedures for reporting to the United States Computer ic. Emergency Readiness Team (US-CER1).!http:/tMvw.us-ceagov Yes Yes or No Comrnenis: 7.b. We identified Eight (8) instances of non-ctrnpiianoe from November 2034 through August 2005. Training was provided. Defendants Notice of Filing of Dols FY 2005 FISMA Reports Has the ngen! ensur! s!uri! !ain!ng and a!mness of all employees induding I !ntractors and those employees with significant IT seajnty respaflibillties? 
Response Choices ndude - Rarely, or, appqoximat&Y 0-50% of employees have sufficient training 8 - Sometimes or approximately 51-70% of employees have suffloent t,ainlng Mostly, orapprOXdllateIY SI g5% of emp!oyOes have - Frequenily, ocappcoxlmaLeIY 71.80% of employees have suffloent training suffloentifaruflu - Mostly or approximatelY 81-95% of employees have sufficient umnng - Almost Always or appoximatelY 96-100% ci employees have sufficient trarning Qutst!fl S Does the agency e!a.fl pohcies regarding peer-to-Peer file sbarmg ri IT security Yes 9 awareness training ethics training, or any other agency !de trBIr!n9? Yes or No REDACTED PUBLIC VERSION Annual Evaluation of the Information Security Program of Dol Subject to Protective Order Regarding Page 34 of 45 Sensitive l-T Security Information Defendants' Notice of Filing of (Dkt. No. 2937) (Filed April 22, 2005) Dols FY 2005 FISMA Reports APPENDIXES I This report is exempt from disclosure to the public under the Freedom of Information Act, under Exemption 2 of the Act, 5 U.S.C. § 552(b) (2). For this reason, recipients of this report must not show or release its contents for purposes other than official review and comment under any REDft!h!J!L%WERSIO N Annual E!uation of the Information Se!O'hty Program of Dol Subject to Protective Order Regarding Page 35 of 45 Sensitive l-T Security Information Defendants' Notice of Filing of (Dkt. No. 2937) (Filed April 22, 2005) Dols FY 2005 FISMA Reports Appendix 1 FY 2005 FISMA System Sub Set Evaluation Findings43 p Subject to Protective Order Regarding Sensitive I-T Security Information (DId. No. 2937) (Filed April 22, 2005) circumstances REDACTED PUBLIC VERSION Annual E!Ibëtion of the Information Security Program of Dol Page 36 of45 Bureau System Name FIN 199 C&A POA&M Incident Security Security Sccuri!' 
Conflguration Reporting Assessments Training and Awareness I BIA TrustAssetand X X X X X (Contractor) Accounting Management System 2 X X X X X BLM National Irficragency Fire Center Net 3 BLM BLM Enclave X X X X X 4 130k Wide Area Network X X X X X X S rws SWAN-ScrykeWftje X X X X X X X Area Network 6 MMS Minerals Revenue X X X X X X (Contractor) Management Support System 7 MMS Wide Area Network X X X X X X X 8 NPS NPS WAN X X X X X X X 9 05 / NBC Drug Testing System X X X X X (Coniractor) 10 X X X X X X OS / NBC Reston Local Area Network I 1 05 / NRC Federal Financial X X X X X X ± System When an Is observed, this signifies issues in our annual evaluation HiM have a negative impact to thc overall assessment area. This report is exempt from disclosure to the public under the Freedom of Information Act, under Exemption 2 of the Act, 5 U.S.C. § 552(b) (2). For this reason, recipients of this report must not show or release its conlents Ihr purposes other than official review and comment tinder any Defendants' Notice of Filing of Dols FY 2005 FISMA Reports - Rurcau System Name FIPS 199 C&A POA&M Inddcnt Security Secuilty Security Configuration Reporting Assessments Training and Awareness 12 05 / NBC Federal Personnel and X X X X X Payroll_System 13 os/NBC InteriorDepartmcnt X X X X X X Electronic Acquisition System 14 OS/NBC DenverflataCenter X X X X X Local Area Network 15 OS/NBC Consolidated Financial X X X X X X Statement System ! (IJYPERION) 16 OS/NBC Alaska I!gionaI X TelecommunicatIon Network 17 OST Wide Area Nctwork X X X 'p -I This report is exempt from disclosure to the public under thc Freedom of Information Act, under Exemption 2 oithe Act. 5 u.S.C. § 552(b) (2). 
For this reason, recipients of this report must not show or release its contents for purposes oilier than official review and comment under any circumstances REDACTED PJiflIJC VERSION Annual Evaluation of the Information Security Program of Dol Subject to Protective Order Regarding Page 37 of 45 Sensitive l-T Security Information Defendants' Notice of Filing of (DId. No. 2937) (Filed April 22, 2005) Dols FY 2005 FISMA Reports C * - I- Ca Sc C * - * n U E - S E -J I- -F. = U L-. I- t. -F In d -c r'1 It C F" tk I! U rF. U Defendants' Notice of Filing of Dols F't' 2005 FISMA Reports Subject to Protective Order Regarding Sensitive l-T Security Information (DId. No. 2937) (Filed April 22, 2005) REDACTED PUBLIC VERSION Annual Evaluation of the Information Security Program of Dol Page 38 of 45 Subject to Protective Order Regarding Sensitive l-T Security Information (DId. No. 2937) (Filed April 22, 2005) REDACTED PUBLIC VERSION Annual Evaluation of the Information Security Program of Dol Page 39 of 45 Defendants' Notice of Filing of Dols F't' 2005 FISMA Reports oII!o p 0 I 01 0 Ct a - C It. - (%1T - - - - z LI - I,. - -! - (1 6! = - 0 -, - I a Q! Q:II!Ij a V > ci =1 E *n .2 C Sn! ii -r - !-, I - ! L:!I! ZZ References Laws 1' Public Law 107-347. Title III, Federal Information Security Management Act (FISMA) of 2002, December 17, 2002. Office of Management and Budget Publications + 0MB Circular No. A-130. Management of Federal Information Resources. November 28, 2000. Government Accountability Office Reports and Documents + GAO-04-376 Information Security - Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation, June 2004. 4. GAO-05-552 Information Security - Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements, July 2005. c* Federal Information System Controls Audit Manual, January 1999. ! 
+ GAO-04-354 Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, March 2004.
+ GAO-04-140T Critical Infrastructure Protection: Challenges in Securing Control Systems, October 1, 2003. Testimony of Robert F. Dacey.

OIG Reports
+ NSM-EV-BIA-0014-2005 - Testing Bureau of Indian Affairs and Office of the Special Trustee Networks from the Internet, December 10, 2004.
+ NSM-EV-BIA-0016-2005 - Testing Bureau of Indian Affairs Offline Internet Gateway, December 23, 2004.
+ NSM-EV-GSV-0015 and 0017-2005 External Penetration Testing of the United States Geological Service, January 3, 2005.
+ "Vulnerabilities in Lotus Notes R4 Password Encryption Address Books", issued on December 23, 2004.
+ Evaluation Report: Department of the Interior's Use of Wireless Technologies, Report No. A-IN-MOA-0004-2004, December 2004.
+ NSM-EV-BOR-0019-2005-Penetration Testing, External Penetration Testing of Bureau of Reclamation, March 4, 2005.
+ NSM-EV-BLM-0020-2005-Penetration Testing, External Penetration Testing of Bureau of Land Management, April 6, 2005.
+ NSM-EV-OSS-0025-2005 NBC Penetration Testing, External Penetration Testing of NBC, July 13, 2005.
+ NSM-EV-MOI-0003-2005-Information Security Assessment: Central Valley Operations, Sacramento, California, National Critical Infrastructure Information Systems, Bureau of Reclamation, September 7, 2005.
+ NSM-EV-MOI-0003-2005-Information Security Assessment: Hoover Dam, National Critical Infrastructure Information Systems, Bureau of Reclamation, September 7, 2005.
+ NSM-EV-MOI-0003-2005-Information Security Assessment: Grand Coulee Dam, National Critical Infrastructure Information Systems, Bureau of Reclamation, September 7, 2005.
+ NSM-EV-FWS-0022-2005-Penetration Testing, External Penetration Testing of Fish and Wildlife Service, September 7, 2005.
+ NSM-EV-MMS-0021-2005-Penetration Testing, External Penetration Testing of Minerals Management Service, August 5, 2005.
+ NSM-EV-NPS-0023-2005-Penetration Testing, External Penetration Testing of National Park Service, September 7, 2005.
+ NSM-EV-OSM-0017-2005-Penetration Testing, External Penetration Testing of Office of Surface Mining, September 7, 2005.
+ BLM IT Security Penetration Testing - Notice of Potential Findings and Recommendations, April 6, 2005.
+ NBC IT Security Penetration Testing - Notice of Potential Findings and Recommendations, April 19, 2005.
+ NSM-EV-MOI-0012-2005 "Fiscal Year 2005 First Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," January 24, 2005.
+ NSM-EV-MOI-0012-2005 "Fiscal Year 2005 Second Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," May 10, 2005.
+ NSM-EV-MOI-0012-2005 "Fiscal Year 2005 Third Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," July 29, 2005.
+ A-EV-MOA-0001-2005 "Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses," August 2005.

DOI Policies, Procedures, and Other Documents
+ Notification of Potential Findings and Recommendations: Confidentiality, Integrity, and Availability of Sensitive Financial and Privacy Data Managed by the NBC Is at Risk, May 05, 2005.
+ Memorandum from Assistant Secretary for Policy, Management and Budget, "Penetration Testing Results at the NBC," June 15, 2005.
+ Securing DOI's Network and Computer Infrastructure, Memorandum issued by DOI's Chief Information Officer on July 22, 2002.
+ OCIO Directive 2004-005 Reporting of Medium and Low Priority Computer Security Incidents, December 19, 2003.
+ Plan of Actions and Milestones (POA&M) Process Verification, IRM Bulletin 2005-07, issued on May 3, 2005.
+ Revised POA&M Reporting Instructions, IRM Bulletin 2004-04, issued on November 24, 2003.
+ Reporting of Medium and Low Priority Computer Security Incidents, IRM Bulletin 2004-05, issued on December 19, 2003.
+ Standardized System Security Configuration, IRM Bulletin 2004-07, issued on March 5, 2003.
+ Revised POA&M Reporting Instructions, IRM Bulletin 2004-09, issued on February 2, 2004.
+ Prohibition on Use of Wireless Network Technology, IRM Bulletin 2004-18, issued on April 4, 2004.
+ System Audit Logs, IRM Bulletin 2004-20, issued on July 17, 2004.
+ E-Authentication Agency Ramp-up Plans, IRM Bulletin 2004-21, issued on July 6, 2004.
+ Interim Guidance for Certification and Accreditation on Information Technology Systems, IRM Bulletin 2003-03, issued on April 11, 2003.
+ Computer Incident Response Capability, IRM Bulletin 2003-13, issued on August 4, 2003.
+ Interior Computer Security Incident Response Handbook (v1), issued on August 4, 2003.
+ DOI CIO Memorandum on Peer-to-Peer file sharing restriction, issued on July 28, 2003.
+ OCIO Bulletin 2002-007 Interim Guidance for Basic End-User Information Technology Security Training and Awareness, May 13, 2002.
+ OCIO Directive 2005-007, FY 2005 Plan of Actions and Milestones (POA&M) Process Verification, May 3, 2005.
+ OCIO Memorandum "Implementing OCIO Directive 2005-007 for 4th Quarter Plan of Actions and Milestones (POA&M) and 4th Quarter Federal Information Security Act (FISMA) Performance Measures," August 18, 2005.
+ Part 375 Departmental Manual, Chapter 19, Information Technology Security Program, April 15, 2002.
+ Interior Information Technology Security Plan, Version 2, April 15, 2002.
+ Interior System Security GSS Planning Guide and Template, April 30, 2002.
+ Interior System Security MA Planning Guide and Template, April 30, 2002.
+ Interior Risk Assessment Guide, April 30, 2002.
+ Interior IT System Contingency Planning Guide, April 30, 2002.
+ DOI IT Asset Valuation Guideline, March 4, 2003.

NIST Special Publications and Federal Information Processing Standards
+ NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook.
+ NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
+ NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
+ NIST Special Publication 800-26, Security Self-Assessment Guide for IT Systems.
+ NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.
+ NIST Special Publication 800-34, Contingency Planning Guide for IT Systems.
+ NIST Special Publication 800-40, Procedures for Handling Security Patches, Draft, April 1, 2002.
+ NIST Special Publication 800-42, Guideline on Network Security Testing.
+ NIST Special Publication 800-47, Security Guide for Interconnecting IT Systems.
+ NIST SP 800-53, Recommended Security Controls for Federal Information Systems.
+ NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categorization Levels.
+ NIST SP 800-65, Integrating Security into the Capital Planning and Investment Control Process.
+ FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
+ FIPS 200 (draft), Minimum Security Requirements for Federal Information and Information Systems, July 2005.

Other References
+ "21 Steps to Improve Cyber Security of SCADA Networks," Joint Publication of the President's Critical Infrastructure Protection Board and the Department of Energy, September 2002.
+ Practices for Securing Critical Information Assets, Critical Infrastructure Assurance Office.

Acronyms List

Abbreviations:
BIA    Bureau of Indian Affairs
BLM    Bureau of Land Management
BOR    Bureau of Reclamation
C&A    Certification & Accreditation
CSIRC  Computer Security Incident Response Capability
DM     Departmental Manual
DOI    Department of the Interior
FIPS   Federal Information Processing Standard
FISMA  Federal Information Security Management Act
FMFIA  Federal Managers Financial Integrity Act
FWS    Fish & Wildlife Service
GAO    Government Accountability Office
MMS    Minerals Management Service
NBC    National Business Center
NIST   National Institute of Standards and Technology
NPS    National Park Service
OIG    Office of Inspector General, Department of the Interior
OMB    Office of Management and Budget
OST    Office of the Special Trustee
OSM    Office of Surface Mining
SP     Special Publication
SSP    System Security Plan
ST&E   Security Test and Evaluation
USGS   United States Geological Survey
U.S.C. United States Code

System Abbreviation Names:
BIA  TAAMS            Trust Asset and Accounting Management System
BLM  BLM Enclave GSS  Bureau of Land Management Enclave
BLM  NIFC             National Interagency Fire Center
BOR  RecNet           Reclamation Perimeter and Backbone Wide Area Network
FWS  SWAN             Service Wide Area Network
MMS  MRMSS            Minerals Revenue Management Support System
MMS  MMSNet           MMS Network (excludes the WAN backbone)
NBC  CFS/Hyperion     Consolidated Financial System
NBC  DDC              Denver Data Center Local Area Network
NBC  RESTON-LAN       Reston Local Area Network
NBC  DC-LAN           Washington DC Local Area Network
NBC  FFS              Federal Financial System
NBC  FPPS             Federal Personnel and Payroll System
NBC  IDEAS            Interior Department Electronic Acquisition System
NBC  DTS              Drug Testing System
NPS  PARKNET          www.nps.gov - ParkNet; PIMS - Park Information Management System
OST  OSTNet           OST LAN/WAN

U.S. Department of the Interior
Office of Inspector General

Evaluation Report

THE DEPARTMENT OF THE INTERIOR'S PROCESS TO MANAGE INFORMATION TECHNOLOGY SECURITY WEAKNESSES

Report No. A-EV-MOA-0001-2005
September 2005

DOI-OIG Annual IT Security Program Evaluation Page 1 of 38
Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports

United States Department of the Interior
Office of Inspector General
Washington, D.C. 20240

Memorandum

To: Assistant Secretary for Policy, Management and Budget
From: Earl E. Devaney, Inspector General
Subject: Department of the Interior's Process to Manage Information Security Weaknesses (Report No. A-EV-MOA-0001-2005)

The attached report presents the results of our evaluation of the Department's process to manage information technology security weaknesses.
We conciLided that the Department had not implemented an effective plan of actions and milestones (POA&M) process and as a result, the process should be reported as a material weakness under the Fcderal Managers' Financial Integrity Act oil 982 in the 2005 Performance and Accountability ReporL Our report presents recommendations that are designed to assist the Department in improving its POA&M process. In the Sepwrnher 14. 2005 response to the draft report, the Department's Chief Information Officer did not specifically concur or non-concur with our findings and recommendations. The response indicaled that the Department had fully implemented three of the five recommendations and that no further action was needed to implement the remaining two recommendations. Although we acknowledge reccnL steps taken by the Department to improve the POA&M process, the actions taken have not fully addressed our recommendations. Accordingly, we consider all five reconiniendations unresolved. To resolve the report, we would appreciate your spccffic comments on actions taken or planned. including target dates and titles of responsible officials, to implement the recommendations Therefore, as required by Departrne]ltaI Manual (360 DM). picase provide us with your written response to the report by October 23. 2005. The legislation, as amended, creating the Office of Inspector General requires that we report to Congress semiannually on a!] audit reports issued, actions taken to implement our reconiniendations, and recommendations that have not been implemented. We appreciate the cooperation provided by the Department and agency staff during our evaluation. If you have any questions regarding this report, please call meat (202) 208-5745. Attachment Dol-OIG Annual l-T Security Program Evaluation Page 2 of 38 Defendants Notice of Filing of Dols FY 2005 FISMA Reports EXECUTIVE SUMMARY RESULTS EN BRIEF We found that the Department had not impknicnted an effective POA&M process. 
Specifically, our evaluation determined that the Departrnents POA&M: * did not contain all known weaknesses * included weaknesses reported as corrected which in thct were not corrected; and * insufficiently described weaknesses and planned corrective actions. These problems occurred because the Department's Office of the ('10 had not instituted effective quality assurance and verification processes to ensure that bureaus and offices reported complete, accurate, and reliable information. The process, as inipierncnted, did not hold responsible officials accountable for reporting accurate and reliable information in the POA&M. Further, the process did not require weaknesses be prioritized on a Departmenta! basis. Additionally, the automated system used for the Departmental POA&M did no! contain standardized information or provide for easy information queries or reporting. which limited its usefulness as a management tool. As a result, the Department jacks assurance that the most critical security weaknesses are being corrected first and that its systems and data are adequateiy safeguarded furthermore, the Department is reporting inaccurate and misleading information to 0MB and Congress. In our opinion, the POA&M process should be reported as a material weakness under the Federal Managers' Financial Integrity Act of 1982 in the Departniencs 2005 Performance arid Accountability Report. DoI-OIG Annual l-T Security Program Evaluation Page 3 of 38 Win' WE DID THIS EVALUATION The 0111cc oF Ma nagcmcn I and l3udaet (0M13)rcqwrcs kciera! agencies to mainlain a p1 ml ac Uon an ci iii C '!toti Cs I'OA& NI) to as!isl in identifting. assessing. prioritig_ arid nion itoring pmi!ress to corrcc! information iechnoIo!z' !ecu H t\ !\ !ah flCS'!c!S k)L!Ild in 'y! slern ! rid prow'ams. I he ['OA& N'! il !o used h report progress on i'emed iat ion e !Thrts to Correct seeurit! \veaknesses to OMH and Congress. 
1 he Deparinieni of the Interiors (Department) Chief ii tonnat ion Officer (C [0) has stated that the P( )r\ & M i lie [)epa fine ft - s am br i rat j ye too I or ma nau !l1! Iii ft'rn I alt on tee Iwo logy (II) wc un weaknesses. [he objective of ()UV evaluation %\aS to dekrnhjrie whether the Duparuiien(s I'OA&M process \\a!, adequate. To improve recommend reported and the Department's POA&M process, we that all identified IT security weaknesses he prioritized: the status of corrective actions be Defendants' Notice of Filing of Dols FY 2005 FISMA Reports monitored and verified: and responsible officials be held accountable for the accuracy of their data in the POA&M. Additionally, we are recommending that the Department upgrade its automated system to be a useful management tool. Dol-OIG Annual l-T Security Program Evaluation Page 4 of 38 Defendants' Notice of Filing of Dols FY 2005 FISMA Reports TABLE OF CONTENTS INTRODEJCTJON . i Background........................................................ Prior Reviews.....................................................i Objective and Scope...............................................2 RESULTS OF EVALUATION..................................................3 Department's POA&M Was Not Reliable...............................3 Management Oversight Was Not Effective............................4 The Department Lacks Assitranec Its IT Systems Arc Secure.........8 RECOMMENDATIONS, DEPARTMENT OF THE INTERIOR'S CHIEF INFORMATION OFFICER REPLY, AND OFFICE OF INSPECTOR GENERAL REPLY........................................................in APPENHCES 1. Office of Inspector General Prior Reports with Findings Related to the Department of the Interior's Plan of Action and Milestones................................................16 2. Scope. Methodology, and Criteria.............................18 3. Summary Results of Weaknesscs 'lested from Bureaus' Plans of Actions and Milestones, Sepleniher 15. 2004 and December 15. 
2004.........................................21 4. POA&M Practices and Automatcd System Capabilities From Department of the Il1tcrior Burcaus and the Environmental Protection Agency.............................................22 5. Department Response..........................................25 6. Status of Evaluation Recommendations.........................32 III Dol-OIG Annual l-T Security Program Evaluation Page 5 of 38 Defendants Notice of Filing of Dols FY 2005 FISMA Reports ACRONYMS AND TERMS fiLM Bureau of Land Management BOR Bureau of Reclamation bureau Department ofthc Interior's bureaus and offices CLO Chief Information Officer Department E)epartnient of the Interior FISMA Federal Information Security Management Act of 2002 GS Geological Survey IA Indian Affairs if Information technology MMS Minerals Management Service NPS National Park Service 010 Office of Inspector General 0MB Office of' Management and Budget OS Office olihe Secrc!ary POA&M Plan of aclion and miiestones iv Dol-OIG Annual l-T Security Program Evaluation Pa e 6 of 38 Defendants' Notice of Filing of Dols FY 2005 FISMA Reports INTRODUCTION BACKGROUND The Federal Information Security Management Act of 2002 (FISMA) requires federal executive branch agencies to dcvclop a process for planning, impLementing, evaluating, and A plan of ac/ion aid documenting remedial actions to address any deficiencies in nn/eswne,s is used to information security policies, procedures, and practices of the identifi! !Lcsess, prioritize, agency. The Office of Management and Budget (0MB) and monitor the progress of designed' tile plan of action and milestones (POA&M) to meet GO) TecH ye efthrts regard/i zg this requirement. inforniation tec/ino/o!' !edurjfl' weaknesse,c u1entiJw!J in a si's/c/fl or 0MB policy requires a POA&M be prepared for each system and program where information technology (IT) secLlrity Jn?!grun1. weaknesses have been found .!A POA&M should identi!' 
each weakness, including the related corrective actions, the scheduled completion date for correcting each weakness, and the status for correcting each weakness. The Department of the Interior's (Department) bureaus and offices (bureaus) should prepare POA&Ms for each of their systems and programs where security weaknesses have been identified. The Department's Office of the Chief Information Officer (CIO), using the bureaus' data, prepares a POA&M for the Department that is submitted to OMB.

In the Department's September 15, 2004 POA&M, the Department reported that it had 157 IT systems and 13 programs, that there were 2,243 IT security weaknesses, and that 883 of these 2,243 weaknesses had been corrected. The Department also reported that it would cost approximately $125 million to correct the total 2,243 weaknesses (including the funds already spent to correct the 883 weaknesses).

PRIOR REVIEWS

The Government Accountability Office has not issued any reports related to the specific objective of this evaluation. The Office of Inspector General (OIG) has issued three reports on the Department's information security program that included findings related to the Department's POA&M process. (See Appendix 1 for summaries of these findings.) In the most recent report, Annual Evaluation of the Information Security Program of the Department of the Interior (Report No. A-EV-MOA-0006-2004), we noted that the Department had established a POA&M process consistent with OMB guidance. However, the evaluation was limited and did not include tests to determine whether the process was properly implemented. In that same report, we concluded that all weaknesses were not recorded in the POA&M, priorities were not assigned to correct all weaknesses, and costs for actions to remedy weaknesses were not always identified.

¹ OMB Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plans of Action and Milestones," issued October 17, 2001. This guidance was updated by OMB Memorandum M-03-19, "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting."

OBJECTIVE AND SCOPE

The objective of our evaluation was to determine whether the Department's POA&M process to manage IT security weaknesses was adequate. To accomplish our objective, we interviewed personnel involved with the process, analyzed the Department's POA&Ms of September 15 and December 15, 2004, and conducted tests of weaknesses reported as corrected. In performing our tests, we judgmentally selected 133 weaknesses in 20 IT systems and 1 security program. These systems and program were owned by the Office of the Secretary (OS), the Assistant Secretary of Indian Affairs (IA), the Bureau of Land Management (BLM), the Bureau of Reclamation (BOR), the Geological Survey (GS), the Minerals Management Service (MMS), and the National Park Service (NPS). (See Appendix 2 for more details on scope, methodology, and the criteria used in this evaluation.)

RESULTS OF EVALUATION

DEPARTMENT'S POA&M WAS NOT RELIABLE

We concluded that the Department's POA&M could not be used to effectively manage the Department's IT security weakness remediation process. The POA&M was incomplete, inaccurate, and misleading.

Known Weaknesses Were Not Reported

We found that not all known weaknesses were included in the Department's POA&M. For example, bureau staff indicated that:

* unless a weakness was determined to be "material" it would not be reported (GS and NPS).
* weaknesses were not reported (1) when identified through day-to-day operations,
(2) which could be corrected within short time frames, or (3) when the security risks were determined to be low and accepted by levels of management at or below bureau IT system owners (OS, IA, BOR, GS, and NPS).

In addition, we found that the Department did not have POA&Ms in place for IT systems that were not yet certified and accredited. Lack of certification and accreditation is a known weakness that must be addressed and should be documented in a POA&M.

Weaknesses Reported as Corrected Were Not Corrected

About half (64 of 133) of the weaknesses reported as corrected which we tested were not corrected. (See Appendix 3 for a summary of the results of the IT security weaknesses we tested.) Specifically, we determined that corrective actions were either not performed or were not sufficient to correct weaknesses. For example:

* Three corrective actions required the purchase of computer equipment, but the equipment had not been ordered.
* Nine corrective actions required that contingency plans be developed, tested, and updated, but the plans were nonexistent, were still in draft, or had not been updated.
* Five corrective actions required a new IT system be implemented, but the system had not been implemented.
* Seven corrective actions required the issuance of policies, but the policies issued did not adequately address the weaknesses.
* Fourteen corrective actions required that management accept the security risks associated with the weaknesses. However, the documentation supporting management's acceptance of risk was nonexistent, did not adequately justify
risk acceptance, or was not created until after our request for the documentation.

Descriptions of Weaknesses and Actions to Correct Weaknesses Were Not Adequate

In our analysis of the information reported in the Department's POA&M, we also found that weaknesses and actions to correct weaknesses were not always adequately described. Weakness descriptions such as "data integrity," "user passwords cracked," and "insufficient auditing capability" were used. For example, in a weakness described as "insufficient auditing capability," the planned corrective action was to "implement controls for sufficient auditing capability." We believe that these descriptions did not clearly convey the significance of the weakness being reported or what specific actions were planned to correct the weakness.

MANAGEMENT OVERSIGHT WAS NOT EFFECTIVE

The Department's Office of the CIO had issued some policies and procedures regarding the POA&M process. However, the Office did not oversee the process to ensure that the Department's POA&M could be used to effectively manage IT security weakness remediation and was accurate, timely, and resulted in safeguarding IT resources. Specifically, the Office of the CIO did not institute adequate quality assurance and verification methodologies and did not require that responsible officials, such as bureau heads, be accountable for the accuracy of reported information and for correcting IT security weaknesses. The Department's CIO also had not instituted an effective process to ensure that weaknesses were prioritized based on the risk to the Department. In addition, the Department's Office of the CIO had not ensured that the automated system used for the POA&M could be used as an effective management tool.
No Quality Assurance Process

The Office of the CIO had not established an effective quality assurance process to review information submitted in the bureaus' quarterly POA&Ms to ensure accurate and complete information was included in the Department's POA&M. Although the Office of the CIO performed a limited review of the count of weaknesses reported by the bureaus, this review was not comprehensive and did not ensure that (1) all systems in the Department's IT system inventory were included; (2) IT security weaknesses were clearly described so that weaknesses were understood; and (3) reported planned corrective actions would correct the weaknesses. For example, the Department's September 15, 2004 POA&M:

* Did not include an Office of Surface Mining Reclamation and Enforcement (OSM) system. This happened because OSM did not include the system in its quarterly submission to the Department and the Department did not compare OSM's submission to the Department's IT system inventory to ensure completeness.
* Included more than 300 vague or incomplete IT security weakness descriptions. These vague descriptions included nine U.S. Fish and Wildlife Service (FWS) weaknesses of "contingency plans," four BOR weaknesses of "insufficient auditing," and an MMS and an NPS weakness of "auditing." The Department did not request clarification from the bureaus for vague descriptions.
* Included approximately 700 IT security weaknesses that did not have sufficient planned actions that would correct the respective weaknesses. For these weaknesses, all of the bureaus reported that only one corrective action was planned, such as to implement a policy, but did not include information describing how the policy would be implemented. For example, a BLM IT security weakness was described as the lack of separation of duties among security and administration personnel.
The planned corrective action did not identify what would be done to separate the duties. Rather, the only planned corrective action was to report the weakness to a CIO Council. The Department did not require bureaus to clarify planned corrective actions.

Without a quality assurance process, the Department's CIO is not able to improve the quality and reliability of the Department's POA&M and the Department cannot ensure that its POA&M process is effective.

No Verification Process

We found that the CIO relied on bureaus to develop and maintain the documentation supporting corrected weaknesses and did not have a process to verify that actions were taken as reported. When we reviewed bureau procedures, we found that bureau IT security weaknesses were often considered corrected based on individuals stating they had corrected the weaknesses. The bureaus did not verify that weaknesses were corrected or that documentation, such as a cost-benefit analysis, had been prepared to support acceptance of risk. Therefore, the Department's September 15, 2004 POA&M inaccurately reported that weaknesses were corrected. Further, this process did not prevent IT security risks from being accepted inappropriately. For example:

* MMS had reported that 15 security weaknesses for one of its systems had been corrected; however, in our tests of the 15 reportedly corrected weaknesses, no supporting documentation existed to demonstrate that the corrective actions were implemented and tested. Further, we determined that 8 of these weaknesses had not been corrected.
* BOR reported that a security weakness for one of its IT systems was "insufficient user access controls." BOR reported that the weakness would not be corrected because "management accepted risk."
BOR planned to accept the risk because (1) there were limited controls available in the system and (2) BOR would limit the number of users with direct access to the system through Rules of Behavior and oversight. BOR's documentation was not sufficient to support the acceptance of the risk because it did not include information such as a cost-benefit analysis or an adequate description of the planned mitigating controls such as oversight. The documentation also did not identify the position and title of the individual deciding to accept the risk.

Without a verification process, the Department has little assurance that its IT security weakness remediation process is effective. Appendix 4 describes good bureau practices that we believe could also be used by the Department as part of a verification process.

Inappropriate Accountability for Accurate Information in POA&Ms

Bureau heads and bureau IT system owners were not accountable for true and accurate security weakness information. Instead, the Department CIO had established inappropriate accountability for reporting accurate and reliable information in the bureaus' POA&Ms. The responsibility was placed on organizations that originally identified the weakness, which could include the OIG or contractors. For example, we were told by IA's Deputy for IT Security and Privacy that its contractors were responsible for accurate IT security weakness descriptions in IA's POA&Ms. Neither the OIG nor contractors should be responsible for the accuracy of the Department's and bureaus' POA&M data.
We believe that accountability should be established through a certification process where appropriate bureau officials, such as bureau heads, certify that POA&M information is accurate.

Weaknesses Were Not Prioritized Departmentwide

The Department's POA&M process required that weaknesses be prioritized only at the bureau level rather than Departmentwide. That is, the Department CIO did not always intervene in the prioritization of IT security weaknesses to ensure that the most critical weaknesses to the Department's mission and goals were corrected first. Consequently, we found that medium priority weaknesses for less critical systems were being corrected before high priority weaknesses for more critical systems. For example, two medium priority security weaknesses in an Office of the Secretary business essential IT system were corrected before two high priority security weaknesses of an MMS mission critical IT system.

Automated POA&M Information System Not Effective

    Bureau staff indicated that the Department's automated POA&M system was difficult to use and that usable information could not be produced.

The Department's automated POA&M system could not be used to monitor, prioritize, and report on IT security weaknesses. For example, the Department's automated system, as it was implemented, does not:

* contain standardized descriptions of weaknesses and related corrective actions so that the Department could accurately prioritize all the weaknesses;
* allow for monitoring the status of specific weaknesses without extensive searching through the system;
* allow for querying information for management purposes; or
* produce a report that could be submitted to OMB without extensive editing.
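As an added example (not from the OIG report or any DOI system), the following Python models the three quality-assurance checks the report says the OCIO did not perform, the verification gaps it describes for completed and risk-accepted items, and Department-wide prioritization by system criticality and weakness priority. The inventory, system identifiers and weakness records are constructed sample data, and the vague-term list and "hollow action" phrases are assumptions drawn from the examples the report cites.

```python
"""POA&M quality-assurance, verification and prioritization checks.

Added example, not from the OIG report or any DOI system: it models the QA
checks the report says the OCIO did not perform, the verification gaps it
describes, and Department-wide prioritization. All records are constructed.
"""
from dataclasses import dataclass

# Criticality and priority scales taken from the report's wording.
CRITICALITY_RANK = {"mission critical": 2, "business essential": 1, "other": 0}
PRIORITY_RANK = {"high": 2, "medium": 1, "low": 0}

# Assumed vague descriptions and hollow single actions, drawn from the
# examples the report cites ("auditing", "contingency plans", "implement a policy").
VAGUE_TERMS = {"auditing", "insufficient auditing", "contingency plans", "data integrity"}
HOLLOW_ACTIONS = ("implement a policy", "issue policy", "report the weakness")


@dataclass
class Weakness:
    system_id: str
    description: str
    priority: str          # high / medium / low
    actions: list          # planned corrective actions
    status: str            # open / completed / risk accepted
    evidence: str = ""     # reference to test results supporting completion
    cba: bool = False      # cost-benefit analysis on file for accepted risk
    approver: str = ""     # position and title of the official accepting risk


def check_inventory(inventory, weaknesses):
    """QA check 1: every system in the IT inventory appears in the submission."""
    reported = {w.system_id for w in weaknesses}
    return sorted(set(inventory) - reported)


def check_descriptions(weaknesses):
    """QA check 2: flag descriptions that are a known vague term, too short,
    or merely restated as the corrective action."""
    flagged = []
    for w in weaknesses:
        desc = w.description.lower().strip()
        core = desc.replace("insufficient ", "")
        restated = any(core in a.lower() for a in w.actions)
        if desc in VAGUE_TERMS or len(desc.split()) < 3 or restated:
            flagged.append(w.description)
    return flagged


def check_actions(weaknesses):
    """QA check 3: a lone action that only promises a policy or a report does not say how the weakness will be corrected."""
    return [w.description for w in weaknesses
            if len(w.actions) == 1 and w.actions[0].lower().startswith(HOLLOW_ACTIONS)]


def check_verification(weaknesses):
    """Verification: completed items need evidence; accepted risk needs a
    cost-benefit analysis and a named approver."""
    problems = []
    for w in weaknesses:
        if w.status == "completed" and not w.evidence:
            problems.append((w.description, "completed without evidence"))
        if w.status == "risk accepted" and not (w.cba and w.approver):
            problems.append((w.description, "risk accepted without CBA/approver"))
    return problems


def prioritize(inventory, weaknesses):
    """Department-wide work order: system criticality first, then weakness priority,
    so a high weakness on a mission critical system precedes a medium one elsewhere."""
    open_items = [w for w in weaknesses if w.status == "open"]
    return sorted(open_items, key=lambda w: (-CRITICALITY_RANK[inventory[w.system_id][1]],
                                              -PRIORITY_RANK[w.priority]))


# Constructed inventory: placeholder system id -> (bureau, criticality).
INVENTORY = {
    "OS-01": ("OS", "business essential"),
    "MMS-02": ("MMS", "mission critical"),
    "BOR-03": ("BOR", "other"),
    "OSM-04": ("OSM", "business essential"),   # absent from the submission below
}

# Constructed bureau quarterly submission.
SUBMISSION = [
    Weakness("OS-01", "Expired user accounts not removed within 30 days", "medium",
             ["Disable accounts via quarterly HR reconciliation"], "open"),
    Weakness("MMS-02", "Insufficient auditing capability", "high",
             ["Implement controls for sufficient auditing capability"], "open"),
    Weakness("BOR-03", "Insufficient user access controls", "medium",
             ["Limit direct users through Rules of Behavior"], "risk accepted"),
    Weakness("MMS-02", "Contingency plan not tested in FY 2004", "high",
             ["Test plan; record results"], "completed"),
    Weakness("OS-01", "Lack of separation of duties among security and admin staff",
             "medium", ["Report the weakness to the CIO Council"], "open"),
]


def run_qa(inventory=INVENTORY, submission=SUBMISSION):
    return {
        "missing_systems": check_inventory(inventory, submission),
        "vague_descriptions": check_descriptions(submission),
        "hollow_actions": check_actions(submission),
        "verification": check_verification(submission),
        "work_order": [w.description for w in prioritize(inventory, submission)],
    }
```

Calling `run_qa()` reports the omitted OSM system, the restated "auditing" description, the single report-to-council action, the two unverifiable items, and a work order that puts the MMS mission critical weakness ahead of both OS business essential ones.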
Because of deficiencies in the current automated POA&M system, one bureau implemented its own system and other bureaus manually prepare their POA&M information. Generally, bureau system personnel gather and organize the information for weaknesses related to their IT systems based on bureau practices. The system personnel then submit the information to the bureau POA&M coordinator who compiles the POA&M information for all of the bureau's systems. Each bureau then submits its POA&M information to the Department. The Department must manually compile this information on approximately 2,200 weaknesses with about 2,900 corrective actions from at least 170 IT systems and programs. This compilation process begins almost 2 months before the information is sent to OMB and is repeated by the bureaus and the Department on a quarterly basis. This is not cost effective for the Department and needs to be addressed before each bureau implements its own automated system. In Appendix 4, we describe capabilities we found in reviewing POA&M automated tools at IA and the Environmental Protection Agency that the Department could use to improve its POA&M system.

THE DEPARTMENT LACKS ASSURANCE ITS IT SYSTEMS ARE SECURE

The Department's CIO has stated that the POA&M is the Department's tool to manage IT security weaknesses. As such, the Department is relying on information that we found to be inaccurate, incomplete, and untimely. Without reliable information in the POA&M, the Department cannot identify systemic problems and monitor corrective actions. Also, management may make inappropriate decisions regarding the Department's information security program. Therefore, the Department cannot ensure that the most significant weaknesses are corrected first and that its systems and data are adequately safeguarded.
If the Department does not correct its process, it will continue to provide inaccurate and incomplete information to OMB and Congress. The Department should report this condition as a material weakness under the Federal Managers' Financial Integrity Act of 1982 in the Department's 2005 Performance and Accountability Report.

RECOMMENDATIONS, DEPARTMENT OF THE INTERIOR'S CHIEF INFORMATION OFFICER RESPONSE, AND OFFICE OF INSPECTOR GENERAL REPLY

In the September 14, 2005 response, the Department's Chief Information Officer (CIO) did not specifically concur or non-concur with our findings and recommendations. The response indicated that the Department had fully implemented recommendations 1, 2, and 3, and that no further action was needed to implement recommendations 4 and 5. Overall, the CIO stated that it had addressed all recommendations, eliminating any need to elevate concerns to the level of material weakness for this fiscal year. Although we acknowledge recent steps taken by the Office of the Chief Information Officer (OCIO) to improve the POA&M process, we continue to believe that the current process needs to be improved and that the POA&M process should still be reported as a material weakness. Based on the CIO response, we consider all five recommendations unresolved.

We recommend that the Department Chief Information Officer, considering the bureau and the Environmental Protection Agency promising practices in Appendix 4:

Recommendation 1

Institute a quality assurance process to ensure:
a. all weaknesses are reported.
b. weaknesses are completely described and the respective corrective actions would adequately correct the weaknesses. This could be partially addressed through establishing standardized descriptions of common weaknesses and related corrective actions.

DOI Response

The Department described additional quality assurance processes in place as a result of our evaluation that it believes fully implements this recommendation. Specifically:

* The Department issued guidance requiring "Each IT security weakness identified in any review of a program or system must be entered on the authoritative POA&M."
* The Department initiated a quality assurance process through OCIO Directive 2005-007 dated May 3, 2005, in which the Department stated that all bureaus complied. The Department refined and clarified its procedures in an August 18, 2005 memorandum. Additional guidance in a new OCIO Directive and POA&M Process Standard for implementation in FY 2006 will further enhance the POA&M processes.
* The Department also noted that OMB 04-25 does not require sensitive weakness descriptions, but endorses the use of general or brief descriptions. Separate source documents and reports should detail more fully information provided in the POA&M.

OIG Reply

The Department has taken recent steps to improve the POA&M process including the issuance of more detailed guidance. However, we believe that further steps are needed to implement an effective quality assurance process. While the recent guidance communicates the requirement to include all weaknesses in the POA&M, it does not describe a Department level quality assurance process to ensure that all weaknesses are actually reported. The working draft Plan of Actions and Milestones Process Standard does state that the Department Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) will be required to review the POA&Ms to ensure compliance with policies and procedures. The CISO will also be responsible for instituting a quality assurance process to ensure all systems are accounted for,
weaknesses are adequately described, and corrective action plans appropriately address the weakness. However, these Standards will not be implemented until fiscal year 2006. We agree that OMB M-04-25 endorses the use of brief descriptions and found that the OMB examples provided enough detail to understand the weakness. However, in our evaluation we identified weakness descriptions that did not meet OMB requirements. A quality assurance process would ensure weakness descriptions are adequate. We consider this recommendation unresolved. We are requesting that the Department reconsider the recommendation and provide the information requested in Appendix 6.

Recommendation 2

Institute a verification process to ensure that weaknesses reported as corrected are, in fact, corrected, that supporting documentation is maintained, and that management's acceptance of risk is appropriately justified and documented.

DOI Response

The Department described an additional quality assurance process and verification process that it has put in place as a result of our evaluation that it believes fully implements this recommendation. The Department specifically cites OCIO Directive 2005-007 with which it states that all bureaus complied. The bureaus and offices provided verifications that weaknesses that were reported as corrected were in fact corrected. The Department plans to issue an additional Directive and POA&M Process Standard for implementation in 2006 to provide further process guidance. The POA&M Process Standard will provide for an additional quality assurance process, to be performed by the OCIO, which will include inspection and review of a sample set of completed POA&M corrective actions each fiscal year.
The Department also stated that it is not cost effective to complete a cost-benefit analysis for every security weakness in which the risk is accepted.

OIG Reply

The Department has taken some steps to improve the verification process including the requirement that the bureaus conduct verifications that the weaknesses reported as corrected were in fact corrected. However, the continued reliance on self reporting by the bureaus makes compliance verification virtually impossible from a Department-wide management standpoint. In its response, the Department indicated that the Plan of Actions and Milestones Process Standard would provide for an additional quality assurance to be performed by the OCIO which will include an "inspection and review of a sample set of completed POA&M corrective actions each fiscal year." However, the current draft does not include this additional process. The Department will not have an effective POA&M process until these verification reviews are established and implemented. Additionally, we included the cost-benefit analysis in our report as a promising practice that could be used by the Department in its POA&M process. We consider this recommendation unresolved. We are requesting that the Department reconsider the recommendation and provide the information requested in Appendix 6.

Recommendation 3

Require senior bureau management to certify that information in the bureaus' POA&Ms is accurate and true. In the certification, bureau management should acknowledge that each POA&M includes all known weaknesses, that weaknesses are adequately described, that corrective actions would adequately correct the weaknesses, and that completed actions are in fact completed.
DOI Response

The Department responded that the quality assurance and verification process initiated by the OCIO Directive 2005-007 and further clarified in a memorandum dated August 18, 2005 requires senior management officials to ensure and verify information in the bureau's POA&M is accurate. The Department believes the implementation of the verification process fully implements this recommendation.

OIG Reply

The Department requires that remediation actions be certified by the applicable system owner and documented. We received certification statements for some of the bureaus' system POA&Ms. The certification statements only certified the completion of corrective actions to correct weaknesses; they do not certify that all known weaknesses are reported and that all required milestone tasks are included. Our recommendation was intended to require bureau officials to certify the entire POA&M and not just those weaknesses that were completed. We revised our recommendation accordingly. Based on the Department response, we conclude that this recommendation is unresolved. We are requesting that the Department reconsider the recommendation and provide the information requested in Appendix 6.

Recommendation 4

Institute a practice to review all Department IT system and program weaknesses to ensure the most critical weaknesses for the most critical systems of the Department are being addressed first.

DOI Response

The Department did not agree with this recommendation. The Department stated that the IT budget is under the authority of multiple appropriations and with specific restrictions on the movement of appropriated funds. Thus, prioritization across bureaus is not a relevant issue. Additionally, the Department makes the following points:

* NIST SP 800-57 requires the Designated Approving Authority (DAA) to make the final decision and be held accountable for accepting risks to their systems.
Having higher levels of management make changes to the DAA's determination would undermine the DAA's authority and accountability.
* Interior prioritizes corrective actions as indicated by the "Scheduled Completion Date" column.
* Sequential prioritization based on risk level alone does not make sense in an operational and budgetary context where some weaknesses are more easily and quickly corrected than others. Adhering to a strictly sequential work-off plan could leave a larger number of weaknesses unresolved, which could increase the overall risks to individual systems, potentially raising the system risk to unacceptable levels.

OIG Reply

We recognize that there are budgetary restrictions prohibiting movement of funds between bureaus in most cases. However, we were made aware that the Department has available funds to address certification and accreditation of bureau and office systems. The Department can use the POA&M as a management tool in setting priorities for allocating these funds Department-wide and ensuring the most critical weaknesses for the most critical systems are being addressed first. Based on the Department response, we conclude that this recommendation is unresolved. We are requesting that the Department reconsider the recommendation and provide the information requested in Appendix 6.

Recommendation 5

Implement an effective automated POA&M system. This can be accomplished by either improving the current system or implementing a new system. In establishing an effective system, the Department should define the requirements based on consultation with bureaus' IT operational staff, system owners, program managers, and others that are involved with the IT security weakness remediation process and canvass other federal agencies for best practices.
DOI Response

The Department recognizes the benefits of using POA&M automation tools and plans to evaluate tools for prospective use in the Department. They may not be able to immediately implement the recommendation or find it cost effective to do so. The Department believes that the current POA&M reporting format, while not optimal, meets basic requirements. A new automated POA&M system could not be funded until fiscal year 2008. The Department stated that the implementation of a single-purpose system for POA&Ms would not be beneficial because the functional requirements, such as automation of forms and workflow, are common to other Departmental and OCIO processes. Those requirements should be met with common software service components.

OIG Reply

The Department already has an automated POA&M system. Our review identified numerous deficiencies which resulted in one bureau purchasing and implementing its own system and other bureaus manually preparing their POA&M information. This is not cost effective for the Department. Our recommendation was intended to encourage the Department to improve its automated system to prevent the need for bureaus to manually prepare the information and allow for a unified Departmental process. This can be accomplished through either improving the current system or the implementation of a replacement system. In making its decision, the Department should take into consideration best practices used within the bureaus and by other federal agencies. We revised our recommendation to focus on the Department's need to identify the requirements of an effective POA&M system. Based on the Department response, we conclude that this recommendation is unresolved. We are requesting that the Department reconsider the recommendation and provide the information requested in Appendix 6.
Appendix 1

OFFICE OF INSPECTOR GENERAL PRIOR REPORTS WITH FINDINGS RELATED TO THE DEPARTMENT OF THE INTERIOR'S PLAN OF ACTION AND MILESTONES

REPORT: ANNUAL EVALUATION OF THE SECURITY PROGRAM AND PRACTICES OVER NON-NATIONAL SECURITY SYSTEMS, U.S. DEPARTMENT OF THE INTERIOR (Report No. 2002-I-0049)

FINDINGS: We noted the following deficiencies in the Department of the Interior's (Department) and the bureaus' and offices' (bureaus) July 31, 2002 plans of action and milestones (POA&Ms) to correct information technology (IT) security weaknesses:
* Specific weaknesses were grouped together as overall general weaknesses. System weaknesses were rolled into one weakness and incremental steps to address the specific system weaknesses were not included.
* Only a final completion date was given for corrective actions that involved multiple years. Incremental milestone dates had not been established to effectively measure progress.
* Milestone dates or resources required to accomplish corrective actions were not always presented.

SUGGESTED IMPROVEMENTS AND RECOMMENDATIONS:
* Hold program officials accountable for carrying out their information security responsibilities.
* Hold subordinates of bureau heads accountable for fulfilling their information security responsibilities.
* Establish a process to validate that all bureaus have effectively implemented federal and Department security policies and procedures, standards, and guidelines for all systems.
* Include in the POA&Ms all necessary steps and specific completion dates.

REPORT: ANNUAL EVALUATION OF THE INFORMATION SECURITY PROGRAM OF THE DEPARTMENT OF THE INTERIOR (Report No. 2003-I-0066)

FINDINGS: Overall, POA&Ms developed by bureaus were not complete or used effectively. Specifically, the POA&Ms did not:
* Include all IT systems owned and operated by the Department that had weaknesses.
* Include all weaknesses whether identified through the organization's internal reviews or by organizations such as the Office of Inspector General.
* Include incremental steps for correcting the weaknesses, especially when milestone dates were in excess of 6 months.
* Always include costs for correcting weaknesses.
* Prioritize weaknesses in order of significance.
Also, costs identified in the POA&Ms to correct security weaknesses were not always included in bureau capital investment plans.

SUGGESTED IMPROVEMENTS AND RECOMMENDATIONS:
* Include tests to validate that information reported by bureaus is adequate and that controls are operating as planned or intended in the Chief Information Officer's (CIO) information security program reviews of bureaus.
* Require that POA&Ms contain detailed steps for correcting reported weaknesses when the milestone dates exceed 6 months.
* Ensure that POA&Ms include all costs necessary to correct reported weaknesses, establish priorities, and integrate costs into the IT investment plans.
* Require each bureau to present to the CIO a strategic plan with incremental steps to achieve an institutionalized information security program that meets the requirements of the Federal Information Security Management Act (FISMA). The strategic plan should encompass the corrective actions in the POA&Ms and should be approved by the CIO.

REPORT: ANNUAL EVALUATION OF THE INFORMATION SECURITY PROGRAM OF THE DEPARTMENT OF THE INTERIOR (Report No. A-EV-MOA-0006-2004)

FINDINGS: The Department established a POA&M process consistent with Office of Management and Budget (OMB) guidance. We found that bureaus recorded known weaknesses in their POA&Ms most of the time. However, we also found a need to ensure that all weaknesses are reported, priorities are assigned to correct all weaknesses, and costs of actions needed to remedy weaknesses are always identified. Specifically, we found:
* Agreed-upon weaknesses identified during the Office of Inspector General (OIG) audits of bureau financial statements were not always included in the POA&Ms.
* Bureaus did not incorporate all weaknesses identified through risk assessments and security tests and evaluations into their POA&Ms.
* Remediation activities were not prioritized in the POA&Ms.
* Resources were not always allocated based on prioritization of the weaknesses.
* Resources required to complete remedial actions were not tied to budget documents.
* POA&Ms did not include all of the weaknesses in a system.

SUGGESTED IMPROVEMENTS AND RECOMMENDATIONS: The Department CIO should institute an oversight process to ensure bureaus effectively implement the Department's security program requirements. Specifically, the CIO must ensure that:
* POA&Ms not only reflect prioritization of weaknesses but also identify the resources necessary to address the higher prioritized weaknesses so that corrections of high priority weaknesses are performed first;
* budget documentation and POA&Ms can be directly correlated through OMB project/system identifiers to ensure funding addresses security weaknesses; and
* weaknesses identified during OIG and other internal or external reviews are included in the applicable POA&Ms at the time the weaknesses are identified and agreed to by the bureau.

Appendix 2

SCOPE, METHODOLOGY, AND CRITERIA

We conducted our evaluation in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency. Our review was conducted from November 2004 through April 2005.
To accomplish our objective, we:
> interviewed Department of the Interior (Department) and bureau and office (bureau) personnel involved in the plan of action and milestones (POA&M) process, including Chief Information Officers (CIO), information technology (IT) security managers, POA&M coordinators, and IT staff;
> reviewed the Department's and the bureaus' policies and procedures related to reporting IT security weaknesses and remediation activities on the POA&Ms;
> analyzed the bureaus' IT system and program quarterly POA&Ms that were submitted to the Department, and the Department's quarterly POA&Ms that were submitted to the Office of Management and Budget (OMB), dated September 15 and December 15, 2004;
> identified practices within the Department and at other federal agencies to determine if methodologies are available to the Department for improving its POA&M reporting and remediation processes.

We also conducted tests of corrective actions for weaknesses reported as corrected in the POA&Ms. The Department's September 15, 2004 POA&M reported 57 IT systems and 13 programs with a total of 883 corrected weaknesses. The bureaus had reported to the Department for the same period 173 systems and 13 programs with 923 corrected weaknesses. We chose to select our sample from the bureaus' POA&Ms because these contained more detail. From the universe of 923 reportedly corrected weaknesses, we judgmentally selected weaknesses to test using the following methodology:
> We excluded financial and financial-related applications because the respective weaknesses are subject to review during the annual financial statement audits.
> We chose weaknesses that were related to access controls because of the significance of these controls in safeguarding IT resources and data and because these controls are included in most types of IT systems.
Based on this methodology, we identified an initial universe of 139 reportedly corrected IT security weaknesses for 39 IT systems and 1 program. Next we judgmentally selected 39 weaknesses in 18 systems and 1 program to test. We expanded our testing to include other weaknesses reported as corrected in the bureaus' POA&Ms of September 15 and December 15, 2004, for 6 of the 18 systems selected. We also included two additional IT systems with corrected weaknesses owned by the Office of the Secretary to ensure our review adequately covered the Departmental level process. In total, we tested 133 reportedly corrected weaknesses of 20 IT systems and 1 program. These systems and program were owned by the Office of the Secretary, the Assistant Secretary of Indian Affairs, the Bureau of Land Management, the Bureau of Reclamation, the Geological Survey, the Minerals Management Service, and the National Park Service. (See Appendix 3 for the specific systems tested.)

EVALUATION CRITERIA

Public Law 107-347, Federal Information Security Management Act of 2002 (FISMA). This Act requires federal executive branch agencies to develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in information security policies, procedures, and practices.

Office of Management and Budget Circular and Memoranda related to IT

Circular A-130, "Management of Federal Information Resources." This Circular, among other issues, states that:
* Application of up-to-date information technology presents opportunities to promote fundamental changes in agency structures and work processes that improve the effectiveness and efficiency of federal agencies. Planning for information systems should include intended uses of the system, budgeting, and acquisition.
* Government information should be protected commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information.
* Sufficient information should be recorded, preserved, and made accessible to ensure the management and accountability of agency programs.
* Improvements to existing information systems and the development of planned information systems should not unnecessarily duplicate IT capabilities within the same agency, from other agencies, or from the private sector.
* A selected system or process should maximize the usefulness of information and preserve the appropriate integrity, usability, availability, and confidentiality of information throughout the life cycle of the information.
* IT needs should be met through cost-effective intra-agency and interagency sharing before acquiring new IT resources.
* The agency head should appoint a Chief Information Officer who must report directly to the agency head to carry out the responsibilities of the agency. The Chief Information Officer must be an active participant throughout the annual agency budget process in establishing investment priorities for agency information resources.
* The agency head should direct the Chief Information Officer to monitor agency compliance with the policies, procedures, and guidance in this Circular. The Chief Information Officer should develop internal information policies and procedures and oversee, evaluate, and otherwise periodically review agency information resources management activities for conformity with the policies set forth in this Circular.

Memorandum M-03-19, "Reporting Instructions for the Federal Information Security Management Act [FISMA] and Updated Guidance on Quarterly IT Security Reporting."
This Memorandum describes the requirements for quarterly IT security reporting through OMB's POA&M. This guidance is applicable to POA&M reporting during fiscal year 2004.

Memorandum M-04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act" (FISMA). This Memorandum describes the requirements for quarterly IT security reporting through OMB's POA&M. This guidance is applicable to POA&M reporting during fiscal year 2005.

Department of the Interior Policy and Guidance

Departmental Manual (375 DM 19), "Information Technology Security Program." This Manual chapter establishes policies, assigns organizational and management roles and responsibilities, and establishes minimum requirements for the development, implementation, maintenance, and oversight of an IT security program for protecting the Department's information and IT systems that store, process, or transmit unclassified information.

IRM [Information Resources Management] Directive 2004-009, "Revised Reporting Instructions for DOI's POA&M." This directive includes the Department's timelines for fiscal year 2004 POA&M reporting. In addition, the directive includes attachments that describe the Department's POA&M process and reporting guidance.

Instructions for POA&M Reporting. The Department provided an Excel spreadsheet with instructions for each data field to the bureaus for POA&M reporting.

Appendix 3

Summary Results of Weaknesses Tested from Bureaus' Plans of Action and Milestones, September 15, 2004 and December 15, 2004

For each bureau, the three figures are: number of corrected weaknesses reported in the POA&Ms; number of corrected weaknesses tested; number of corrected weaknesses determined not corrected.

Office of the Secretary: Security Program; Aircraft Management Local Area Network General Support System (AM LAN); Alaskan Regional Telecommunications Network (ARTN VII); Denver Data Center General Support System Enclave (DDCGSS); Interagency Aircraft Services Local Area Network General Support System (IAS LAN); Quarters Management Information System (QMIS); Reston Local Area Network General Support System (Reston LAN); Safety Office Local Area Network (SO-LAN)
  Reported: 104; Tested: 15; Not corrected: 12

Assistant Secretary of Indian Affairs: Asset Management System (AMS); Educational Native American Network 2 (ENAN-2); Fee to Trust (FTT)
  Reported: 26; Tested: 16; Not corrected: 8

Bureau of Land Management: BLM Enclave General Support System
  Reported: 30; Tested: 20; Not corrected: 5

Bureau of Reclamation: Denver Office General Support System (DOGSS); Columbia Basin Supervisory Control and Data Acquisition (CBP SCADA); Hydrological and Meteorological Information System (HMIS); Mid-Pacific Regional General Support System (MPGSS); Safety and Security Information System (SSIS)
  Reported: 48; Tested: 17; Not corrected: 6

Geological Survey: National Map
  Reported: 81; Tested: 40; Not corrected: 21

Minerals Management Service: Technical Information Management System (TIMS); MMS Network (MMSNet)
  Reported: 23; Tested: 16; Not corrected: 8

National Park Service: NPS One General Support System
  Reported: 32; Tested: 9; Not corrected: 4

Total
  Reported: 344; Tested: 133; Not corrected: 64

Appendix 4

POA&M PRACTICES AND AUTOMATED SYSTEM CAPABILITIES FROM DEPARTMENT OF THE INTERIOR BUREAUS AND THE ENVIRONMENTAL PROTECTION AGENCY

During our evaluation we identified promising practices that we believe could be used by the Department of the Interior (Department) to improve its plan of action and milestones (POA&M) process. We also identified capabilities from two automated systems that would improve the Department's automated POA&M system.

AREA: Documenting management-accepted risks of security weaknesses.
PRACTICE: The Bureau of Reclamation's (BOR) "System Security Risk Acceptance Form" provides a standard template for senior management to document acceptance of low risk weaknesses. Low risk weaknesses are those that do not impact the certification and accreditation that the system adequately safeguards data or that do not adversely impact operations. BOR's guidance, as it relates to the Form, requires that the information technology (IT) system owner, regional IT security manager, and BOR's Chief Information Officer review accepted security weaknesses no less than annually. The Minerals Management Service includes a cost/benefit analysis as part of its justification for acceptance of risk.

AREA: Keeping system owners updated on the status of security weaknesses.
PRACTICE: The National Business Center's IT Security Manager sends a monthly POA&M report to system owners. The report shows the status of the corrective actions for IT security weaknesses that are ongoing and on target for completion, and of each weakness that is ongoing but not on target for completion.

AREA: Using POA&Ms as a management tool at all levels in a bureau.
PRACTICE: For one of the Bureau of Land Management's (BLM) IT systems, "working POA&Ms" are maintained for subsets of the system; in this case there is a subset for each of BLM's 13 state offices. Each "working POA&M" has a description of each weakness in that subset's part of the system as well as a description of the respective corrective actions. Each state office uses the "working POA&M" to manage the IT security weaknesses in its state. Because the subset weaknesses have common identifiers, BLM uses the "working POA&Ms" to prepare BLM's quarterly POA&M, which is submitted to the Department.

As part of our evaluation, we interviewed personnel from the Assistant Secretary for Indian Affairs and the Environmental Protection Agency who demonstrated effective capabilities in their automated POA&M systems that the Department could use to improve its automated POA&M system.
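The practices above (management acceptance of low risk weaknesses reviewed at least annually, monthly on-target / not-on-target status reports to system owners, and working POA&Ms rolled up through common identifiers), together with the content requirements from the Appendix 1 findings (incremental milestones when completion is more than 6 months out, a priority, a cost estimate, and an OMB project/system identifier for every weakness), can be applied mechanically to a POA&M register. The following is an added example written for this page; it is not the Department's, a bureau's or EPA's POA&M system. The field names, the 183-day approximation of "6 months", the identifiers and all sample entries are assumptions made for illustration.

```python
# Added example for this page, not the Department's, a bureau's or EPA's POA&M
# system: a small register applying the content checks from the OIG findings
# and the bureau practices above. Field names, the 183-day approximation of
# "6 months" and all sample entries are assumptions made for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

REPORT_DATE = date(2004, 12, 15)     # assumed reporting date for the sample
SIX_MONTHS = timedelta(days=183)     # approximation of the report's "6 months"
ONE_YEAR = timedelta(days=365)       # accepted risks are reviewed at least annually


@dataclass
class Milestone:
    description: str
    due: date
    completed: Optional[date] = None


@dataclass
class Weakness:
    weakness_id: str                      # common identifier across working POA&Ms
    system: str
    office: str                           # unit that keeps a "working POA&M"
    description: str
    identified: date
    priority: Optional[int] = None        # 1 = highest; None means not prioritized
    cost_usd: Optional[int] = None        # None means no cost estimate
    omb_project_id: Optional[str] = None  # ties the weakness to budget documents
    milestones: List[Milestone] = field(default_factory=list)
    accepted_risk: bool = False           # management accepted a low-risk weakness
    risk_last_reviewed: Optional[date] = None


def validate(w: Weakness, today: date) -> List[str]:
    """Return the reporting deficiencies the findings describe, if any."""
    problems: List[str] = []
    if not w.milestones:
        problems.append("no milestone dates")
    elif (max(m.due for m in w.milestones) - w.identified > SIX_MONTHS
          and len(w.milestones) < 2):
        problems.append("completion more than 6 months out but no incremental milestones")
    if w.priority is None:
        problems.append("no priority assigned")
    if w.cost_usd is None:
        problems.append("no cost estimate")
    if not w.omb_project_id:
        problems.append("no OMB project/system identifier")
    if w.accepted_risk and (w.risk_last_reviewed is None
                            or today - w.risk_last_reviewed > ONE_YEAR):
        problems.append("accepted risk not reviewed within the last year")
    return problems


def status(w: Weakness, today: date) -> str:
    """Monthly status for system owners: corrected, on target, or not on target."""
    if w.milestones and all(m.completed is not None for m in w.milestones):
        return "corrected"
    if any(m.completed is None and m.due < today for m in w.milestones):
        return "not on target"
    return "on target"


_SEVERITY = {"corrected": 0, "on target": 1, "not on target": 2}


def roll_up(working: List[Weakness], today: date) -> Dict[str, dict]:
    """Bureau view keyed by common identifier; status is the worst any office reports."""
    bureau: Dict[str, dict] = {}
    for w in working:
        entry = bureau.setdefault(w.weakness_id, {
            "system": w.system, "offices": [], "status": "corrected", "problems": []})
        entry["offices"].append(w.office)
        current = status(w, today)
        if _SEVERITY[current] > _SEVERITY[entry["status"]]:
            entry["status"] = current
        entry["problems"].extend(f"{w.office}: {p}" for p in validate(w, today))
    return bureau


def sample_register() -> List[Weakness]:
    """Constructed sample entries (not data from the report)."""
    return [
        Weakness("GSS-017", "Example GSS", "Montana", "Shared administrator account",
                 date(2004, 3, 1), priority=None, cost_usd=25000, omb_project_id="EX-GSS-01",
                 milestones=[Milestone("Issue individual admin accounts", date(2005, 6, 30))]),
        Weakness("GSS-017", "Example GSS", "Nevada", "Shared administrator account",
                 date(2004, 6, 1), priority=1, cost_usd=5000, omb_project_id="EX-GSS-01",
                 milestones=[Milestone("Inventory admin accounts", date(2004, 9, 30), date(2004, 9, 15)),
                             Milestone("Remove shared account", date(2004, 11, 30))]),
        Weakness("APP-004", "Example Application", "HQ", "Password history not enforced",
                 date(2004, 2, 1), priority=3, cost_usd=0, omb_project_id="EX-APP-04",
                 milestones=[Milestone("Document compensating control", date(2004, 8, 1), date(2004, 7, 20))],
                 accepted_risk=True, risk_last_reviewed=date(2003, 10, 1)),
    ]


def monthly_report(today: date = REPORT_DATE) -> Dict[str, dict]:
    return roll_up(sample_register(), today)


if __name__ == "__main__":
    for wid, entry in monthly_report().items():
        print(wid, entry["status"], ", ".join(entry["offices"]))
        print("  " + ("; ".join(entry["problems"]) or "no reporting deficiencies"))
```

Run as a script, it prints the bureau view for the assumed reporting date. The roll-up deliberately takes the worst status any office reports for a common identifier, so a weakness still open in one state office stays open for the system at bureau level, and the deficiencies found by validate() travel up with it instead of being lost in the quarterly roll-up.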
CAPABILITY: Classify IT systems as either a major application or a general support system.
DESCRIPTION: The POA&M system asks questions that, when answered by the user, help the user to classify the IT system as either a major application or a general support system. A major application requires a different set of controls than a general support system to safeguard information.

CAPABILITY: Identify weaknesses and update the POA&M.
DESCRIPTION: The POA&M system contains the National Institute of Standards and Technology's Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, self-assessment questionnaire. As the user completes the questionnaire, the system automatically identifies weaknesses and updates the POA&M.

CAPABILITY: Track requirements for an IT system to be certified and accredited as adequately protecting data.
DESCRIPTION: The POA&M system tracks whether a system meets the requirements for it to be certified and accredited as adequately safeguarding data. These requirements include: the system must have undergone a risk assessment, the system must have undergone a self-assessment, the system must have a security plan describing all the controls that protect the system, and the system must have a contingency plan to recover in the event of a system failure or disaster.

CAPABILITY: Associate controls to applications supported by a general support system.
DESCRIPTION: The POA&M system associates the controls in a general support system to the major applications supported by that general support system.

CAPABILITY: Contains standardized data on security weaknesses.
DESCRIPTION: The POA&M system contains standardized descriptions of weaknesses and related corrective actions. When necessary, unique weaknesses can also be added to the system.

CAPABILITY: Tracks the completion of corrective actions.
DESCRIPTION: The POA&M system tracks the completion of corrective actions for standardized weaknesses. The system ensures that the scheduled corrective actions are in an appropriate order and does not allow weaknesses to be reported as corrected before all information supporting the completion of the corrective actions has been input into the system.

CAPABILITY: Allows queries of weakness data.
DESCRIPTION: The POA&M system allows queries to obtain data regarding IT security weaknesses, including the progress of corrective actions. In addition, the system can generate POA&M reports in OMB's required format.

CAPABILITY: Maintain history of weaknesses.
DESCRIPTION: Maintains records of weaknesses that were corrected and allows corrected weaknesses to be re-opened if necessary.

Appendix 5

United States Department of the Interior, Office of the Secretary, Washington
TAKE PRIDE IN AMERICA

SEP 14 2005

To: Assistant Inspector General for Audits, Office of Inspector General
From: W. Hord Tipton, Chief Information Officer
Subject: Response to "Draft Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses (Assignment No. A-EV-MOA-0001-2005)"

Thank you for the opportunity to respond to the "Draft Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses (Assignment No. A-EV-MOA-0001-2005)." The Plan of Action and Milestones (POA&M) process is a vital component of the Department's Information Technology (IT) security program. As you know, Interior made significant progress in establishing and implementing a department-wide POA&M process, to the point where the Office of Inspector General concluded in 2004,
"Based on our examination of the Department's instructions for the development and implementation of POA&Ms, we concluded that, as designed, the POA&M process is effective and satisfies the pertinent Federal guidance presented in Attachment C of Office of Management and Budget Memorandum 03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, issued August 6, 2003."

We note that, as our program has matured, OIG evaluations have become more rigorous as well. We appreciate that this increased level of evaluation will allow us to continue to mature and improve our processes, and thus our IT security, beyond minimum requirements. Please note that improvement of IT security beyond documented OMB or NIST requirements may not be our highest priority for available critical IT security funding. However, as we evaluate our overall IT security funding needs and available resources, we will consider recommendations in light of priorities in the program.

We appreciated meeting with OIG staff and management early in this evaluation process. These meetings provided us an opportunity to begin immediate implementation of proposed recommendations. Our immediate action significantly improved our processes during this fiscal year. We also appreciate that BOR, MMS, NBC, and BLM were specifically noted for effective implementation of POA&M practices. These and other practices served as the basis for improved guidance Department-wide.

Our responses to the recommendations are outlined below.

Recommendation 1: Institute a quality assurance process to ensure:
a) All weaknesses are reported.
b) Weaknesses are completely described and the respective corrective actions would adequately correct the weaknesses. This could be partially addressed through establishing standardized descriptions of common weaknesses and related corrective actions.

Response:
a) Quality assurance programs are an important part of a maturing process. Based on OIG recommendation, the Department issued guidance requiring, "Each IT security weakness identified in any review of a program or system must be entered on the authoritative POA&M