ELOUISE PEPION COBELL, et al., Plaintiffs,
v.
GALE NORTON, et al., Defendants.
No. 1:96CV01285 (Judge Lamberth)
FILED UNDER SEAL
Defendants hereby submit the 2005 Federal Information Security Management Act ("FISMA") reports from the Secretary of the Department of the Interior and the Department of the Interior's Office of the Inspector General ("OIG"), as well as the proposed redactions thereto. In addition, Defendants submit the OIG's report concerning the Department of the Interior's Plan of Actions and Milestones ("POA&M") process. Defendants submit the reports and proposed
-2-
CERTIFICATE OF SERVICE
and, without under seal attachments, on the following who is not registered for Electronic Case Filing, by facsimile:
WASHINGTON
OCT 14 2005
The Honorable Joshua B. Bolten
Director
Executive Office of the President
Office of Management and Budget
Washington, D.C. 20503
* OMB rated DOI's Enterprise Architecture (EA) the highest among the 25 EA programs reviewed. The DOI EA was noted as incorporating a security standards profile, and aligned to the Technical Reference Model.
* The Department entered into an agreement with USALearning.gov to deliver a standardized curriculum for individuals with significant IT security roles.
* The DOI CIO contracted an independent IT security assessment to evaluate DOI against the myriad of security policies and guidance. We are pleased to report a 3.63 maturity level out of 5 from this assessment.
IT security has been, and will continue to be, one of my highest priorities, as evidenced by the major improvements made throughout the DOI this past year. This progress builds on accomplishments of the past. In June 2004, the IG concluded "the DOI POA&M process is effective and satisfies the pertinent Federal guidance." The IG's FY 2004 report considered Interior's C&A process as being satisfactory. The percentage of IT systems certified and accredited increased from 83 percent for FY 2004 to over 98 percent in FY 2005. With better accountability and standardization, DOI, and ultimately the taxpayers, avoided $17 million in C&A costs. We are pleased with the return on the investment OMB and Congress authorized in our FY 2004 budget and sustained in FY 2005. In FY 2005, the IG appropriately raised the bar for evaluating the security program, based on DOI's increased maturity in the program. I support his efforts and his resources have increased to enable measurements against these higher standards. Our collaborative efforts in monitoring our systems through exhaustive penetration testing illustrate our commitment to maintaining a constantly improving C&A process.
I understand the IG's opinion that the IT security at DOI is not perfect, that risks and vulnerabilities still remain and improvements need to be made. From this he concludes DOI has significant weaknesses in complying with FISMA. From this perspective, the IG tempered the scores on his report by any weakness seen:
* where a C&A package did not contain all required elements clearly presented, it was not counted as a valid package;
* problems in the POA&M process were included in the IG report dated September 23, 2005, even though subsequently corrected, because the corrections had not been verified by the OIG; and
* any deviations from policy or procedures were reported as an inconsistent and ineffective policy overall.
The IG's perspective can be supported by the language of the OMB and NIST requirements. It is consistent with the IG's role of being DOI's watchdog, who clearly needs to warn of any potential risks, regardless of the weight or costs. The CIO believes the IG's responses to several of the questions in the FY 2005 reporting template exceed the basic requirements of FISMA and do not take into account improvements made during the year in response to the testing the IG conducted.
I have confidence in the CIO's opinion that, while IT security at DOI is not perfect, risks and vulnerabilities still remain, and improvements need to be made, nonetheless, the policies and processes to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA. From this perspective, when weaknesses are found, DOI corrects them and takes credit for having done so. Based on extensive reviews of the IT security program, the CIO believes these corrective actions have generally been completed, sufficient to meet the basic requirements of FISMA. As required by FISMA, remaining problems are being addressed through the POA&M process.
The CIO perspective is clearly supported by the language of the OMB and NIST requirements. It is also consistent with the CIO's role, which requires him to balance risks to DOI's information assets with the costs to address those risks. The CIO also appropriately relies on the determinations of competent accountable officials, including the IG. The CIO points out that Interior was successful in thwarting over 353 million potential incidents in contrast to only 33 incidents that could not be prevented, as reported during our last quarterly reporting period. None of the successful incidents have resulted in any known compromise of sensitive data.
Questions 1 and 2
1. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of information systems used or operated by your agency, and the number of information systems used or operated by a contractor of your agency or other organization on behalf of your agency.
[Table by bureau: FY 05 agency systems, FY 05 contractor systems, total number of systems, number and percentage of systems certified and accredited, and number and percentage of systems for which security controls were tested; the numeric entries are not legible in the scan.]
REDACTED
PUBLIC VERSION
Question 5
Type of Incident                 Reported internally   Reported to US-CERT   Reported to law enforcement
a. Unauthorized Access           23                    22                    2
b. Denial of Service (DoS)       2                     2                     0
c. Malicious Code                191                   171                   1
d. Improper Usage                34                    28                    4
e. Other                         36                    28                    3
Totals:                          286                   251                   10
Comments:
6. Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities? Yes or No.
a. b. c. d.
6.e. … built into the system and provides compliance tracking by bureaus and offices. Specialized training for those with "significant security responsibilities" includes certification courses, industry and vendor training classes, internal briefings and awareness seminars (for designated authorities, senior management, technical staff, and security representatives), DOI IT security team meeting training sessions, and online continuing education.
Comments: DOI has taken steps to enhance IT security training in FY 2005 by contracting with USALearning.gov to provide role-based training for bureaus and offices. The curriculum provides specialized training modules geared towards DAAs, system owners, ISSOs, and network, database, and system administrators. This will undoubtedly raise Interior's compliance levels with respect to training those "with significant IT security responsibilities." In FY 2005, the CIO and CISO provided C&A training to the Secretary and other senior management officials having DAA responsibilities. This role-based training included a review of the C&A process and the responsibilities of the DAAs, Certifying Officials, ISSOs and other individuals assigned C&A roles and responsibilities. The Bureau IT Security Managers (BITSMs) are constantly engaging in external training and certification. Over 80 IT staff, including BITSMs and some of their security staff, have achieved certifications as Certified Information Systems Security Professionals (CISSP). In addition, eight employees recently achieved certification as Certification and Accreditation Professionals (CAP). These eight individuals are among the first in the country to receive such certification.
It's important to note that the 84,159 reported in 6.a. includes ALL employees and contractors (per instructions). A percentage
Question 7
8a. Is there an agencywide security configuration policy? Yes or No.
Yes
Comments: Policy Directive issued by the Office of the Chief Information Officer
Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below. Yes or No.
Comments: The IG's FISMA report differs from the CIO's with respect to question 9.b based on their observation that in 8 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO believes that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.
b. Has the agency documented in its security policies special procedures for using emerging technologies (including but not limited to wireless and IPv6) and countering emerging threats (including but not limited to spyware, malware, etc.)? Yes or No.
Yes
Question 8
Page 9 of 37
Attachment A: 4.a. Incident Detection Capabilities.
Response:
Incident Detection
Network- and host-based event logs are routinely monitored for indication of significant security events and potential malicious activity. Security events include network intrusions, scans, denial of service attacks, worms, and unauthorized access to network integrated devices in the DOI wide-area-network infrastructure. Client initiated (egress) access is routinely reviewed to detect
Internal security events are reported to the bureau incident response team or DOI-CIRC for assignment of an event manager to track the event and log all action with the appropriate authorities. Viruses and malicious code are detected using anti-virus software technology deployed with individual workstations, mail servers, and SMTP e-mail gateway servers. Detection and quarantine/removal of malicious code is considered a security event and reported monthly to DOI. An infected message or other malicious payload inadvertently launched at the workstation is reported as a security incident.
DOI and its bureaus maintain Internet e-mail accounts for reporting possible security incidents originating from DOI computer systems. These reports are delivered to the BITSM and computer security incident response team (CSIRT). The e-mail address for reporting security incidents to DOI is incident@circ.doi.gov.
Introduction
Each year, the Chief Information Officer (CIO) and the Inspector General (IG) complete different sections of the annual Federal Information Security Management Act (FISMA) report. The sections represent the respective viewpoints of the Office of the Chief Information Officer (OCIO) and Office of the Inspector General (OIG) with regard to the degree to which Interior's Information Technology (IT) Security Program is compliant with FISMA.
The OCIO and OIG worked together to develop and implement a cooperative monitoring agreement on the DOI IT security program. This program, funded by the Department ($1.1 million in FY 2005) and independently conducted by the OIG, provided critical information needed to prioritize further improvements to the DOI operational IT security posture. From quarterly updates provided by the OIG as well as penetration test results, the OCIO was able to promptly take action to correct vulnerabilities. Although additional corrective actions remain from some IG evaluations, many actions were taken immediately, including temporary disconnection from Internet access when warranted. The OCIO appreciates the efforts of the OIG in pointing out weaknesses or vulnerabilities, and has utilized the results to make significant improvements.
General Comments
The OIG report portrays the DOI OCIO as being uncooperative, requiring the OIG to "modify various testing techniques" and that "information requested from the OCIO was very late in coming," incomplete, or not readable. This does not acknowledge the significant burden placed on already constrained OCIO resources. They were simultaneously engaged in producing over 4 1/2 million pages of documentation in response to the court, as well as meeting the new OIG requirements to produce voluminous material in the Cobell litigation (e.g., CDs and DVDs as well as other information) in support of the OIG FISMA evaluation.
The effort by the OIG to obtain, load, and inspect copies of bureau hardened and secured baseline operating system and database images represented a significant new workload.
The OIG report did not indicate that, for FY 2005, the OCIO provided funding to the OIG to participate with the Department in a collaborative but independent fashion to augment our compliance program. The report does not mention the significant progress in implementing corrective actions for weaknesses identified in the penetration tests performed by the OIG as part of the compliance program funded by the OCIO.
In summary, the executive summary of the OIG report does not track with the analysis and conclusions provided in the remaining sections of that document. The Department acknowledges areas that need improvement. However, the OCIO believes that the OIG's interpretation of several of the questions asked in the FY 2005 FISMA reporting template exceed the basic requirements of FISMA. For example, the report does not indicate:
The OCIO believes that, at a minimum, the quality of our C&A process is satisfactory as supported by the following analysis and recommendations. The following analysis represents the perceived differences between the OCIO's and OIG's interpretation of those requirements.
Analysis
The following gap analysis is limited to the areas where the report shows differences of opinion between the CIO and IG. The format used to contrast each area of difference will be identification of the relevant question in Section C used to document the results of the IG's evaluation, and the corresponding question in Section B used to document the results of the CIO's assessment. In responding to each question in the FISMA reporting
open the weakness for action. While we saw a 25% increase in the number of new findings for FY 2005 Q3 and FY 2005 Q4, this increase is explained by the audits and self-assessments that occurred during this time period. In short, a 100% audit of 1,389 FY 2005 closed POA&M weaknesses (through Q3) did not conclude the same level of discrepancy as the 133 item sample in the POA&M report. Further, the draft POA&M report cites the September and November 2004 POA&M submission for a majority of its findings. That data is more than a year old and may not sufficiently characterize the FY 2005 POA&M program.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.
requests that the OIG consider whether or not their response was based on the notion of incorporating "recommendations" vs. "findings", which might have contributed to a different perspective.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.
corrective action.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.
IG's Draft Question 7b
FISMA Section C Response
CIO's Draft Question 9b
FISMA Section B Response
Difference: Question 7b asks does "The agency follow documented policies and procedures for external reporting to law enforcement." The OIG selected the response choice of "No" based on their observation that in 8 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO feels that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.
Discussion: Circumstances about why the 8 incidents were purportedly not reported via the IG were not sufficiently articulated. It is unclear what factors contributed to the lapse in notification for these specific incidents but it is clear that notification policies and procedures are in place and have successfully been used in other instances.
The CIO acknowledges that Interior's policy requires notification of the OIG's Office of Investigations when IT security incidents are reported to external law enforcement. The CIO understands that the responsible OIG office was not well positioned for most of FY 2005 to receive, or respond to, such notifications. However, it should be recognized that Interior's bureaus and offices did engage other appropriate law enforcement officials to respond to incidents where appropriate.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA. The OCIO also believes that the IG report does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the CIO's FISMA report reflects.
IG's Draft Question 8
FISMA Section C Response
CIO's FISMA Question 6
Section B Response
Difference: Question 8 asks "Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities." The OIG selected the response choice of "Mostly, or approximately 81-95% of employees have sufficient training" which is inconsistent with the CIO's analysis.
[Table: Performance-Based Measures, number and percentage by bureau and FIPS 199 impact level (High, Moderate, Low, Not Categorized), with sub-totals and agency totals; the remaining headings and values are not legible in the scan.]
Page 29 of 37
DOI's FY 2005 FISMA Reports
[Section C response-choice scales for the preceding questions (approximately 0-50%, 51-70%, 71-80%, 81-95%, 96-100%) and the responses to 4.d. (Rarely, for example, approximately 0-50%) and 4.e. (Mostly, for example, approximately 81-95% of the time); the remainder of the page is not legible in the scan.]
Page 30 of 37
Section B: Inspector General. Question 6, 7, 8, and 9.
Agency Name:
Question 6
Yes
Response choices include:
. Rarely, or, on approximately 0-50% of the
Question 7
Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.
7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
Yes
Question 9
Can your agency demonstrate through documentation that the privacy official participates in all agency information privacy
i. compliance activities (i.e. privacy policy as well as IT information policy)? Yes or No.
Yes
Comments: Concerning Question #3: The DOI CIO has delegated the "Reviewing Official" function for signing PIAs to the CIO or equivalent of the bureaus/offices responsible for the system. The DOI PIA includes an … risks when new technology is considered.
Does your agency have a training program to ensure that all agency personnel and contractors with access to Federal data are generally familiar with information privacy laws, regulations and policies and understand the ramifications of inappropriate access and disclosure? Yes or No.
Yes
[Table rows by bureau (column headings not legible in the scan; entries are "Yes" or "N/A 2006"): Minerals Management Service; National Park Svc; Office of Inspector General; Office of the Secretary; U.S. Geological Svc.]
REDACTED PUBLIC VERSION
Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports
Subject to Protective Order Regarding IT Security Information (Dkt. No. 2937) (Filed April 22, 2005)
DOI's FY 2005 FISMA Report
Page 33 of 37
.. conducting a PIA?
(ii.) Yes/No
Yes
Page 34 of 37
Section D: Senior Agency Official for Privacy. W. Hord Tipton, Chief Information Officer, Department of the Interior
Agency Name: Department of the Interior
[Table: FY 05 Systems of Records Notices by bureau (a. Agency Systems, b. Contractor Systems, Total number of Systems) for (c.) the number of systems from which Federally-owned information is retrieved by name or unique identifier, and the number of systems for which one or more System of Records Notices have been published in the Federal Register. Bureaus listed: Bureau of Indian Affairs; Bureau of Land Management; Bureau of Reclamation; Fish and Wildlife Svc; Minerals Management Svc; National Parks Svc; Inspector General; Office of the Secy; Office of Surface Mining; Solicitor; USGS. The numeric entries are scattered in the scan and cannot be reliably assigned to rows.]
Question 6
OMB policy (Memorandum 03-22) prohibits agencies from using persistent tracking technology on web sites except in compelling circumstances as determined by the head of the agency (or designee reporting directly to the agency head).
6.d. Can your agency provide the notice language used or cite to the web privacy policy informing visitors about the tracking? Yes or No.
Yes
a. Does your agency use technologies that allow for continuous auditing of compliance with stated privacy policies and practices? Yes or No.
No (Note: DOI is exploring options for a … standard tracking system)
4. Does your agency coordinate with the agency Office of Inspector General on privacy program oversight by providing to OIG the following materials,
Does your agency submit an annual report to Congress (OMB) detailing your privacy activities, including activities under the Privacy Act and any violations that have occurred? Yes or No.
Yes
(i) If so, when was this report submitted to OMB for clearance?
12/6/2004
Page 37 of 37
United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, DC 20240
OCT … 2005
…
Inspector General
The attached report presents the results of our annual evaluation of the U.S. Department of the Interior's (DOI) Information Technology Security Program, required by the Federal Information Security Management Act (FISMA) … improve the security over its information systems. The report highlights a number of … including the Department's improvements to the Security Training and Awareness program, and a significant effort to implement the Enterprise Services Network to bolster security efforts.
Based on the findings of our evaluation in 2005, however, we believe that DOI is not in compliance with the requirements of FISMA. … Our review of the DOI POA&M process shows DOI cannot be assured that the POA&M, in its current state, can be used as the authoritative tool to manage IT security weaknesses. We have recommended that the Department report the POA&M process as a material weakness in its … under the Federal Managers' Financial Integrity Act. We have rated the Department's C&A program as poor based on a number of factors, including failure to apply Federal Information Processing Standard 199, the previously mentioned problems with POA&Ms, and completion of Security Test and Evaluation … subsequent to C&A for some systems.
This report is exempt from disclosure to the public under the Freedom of Information Act, under Exemption 2 of the Act, 5 U.S.C. § 552(b)(2). For this reason, recipients of this report must not show or release its contents for purposes other than official review and comment under any circumstances.
REDACTED PUBLIC VERSION
Annual Evaluation of the Information Security Program of DOI
Subject to Protective Order Regarding Sensitive IT Security Information
Page 3 of 45
Background
Congress enacted FISMA to provide a comprehensive framework to secure the federal government's information and IT resources. FISMA requires federal agencies to implement security programs that protect information systems and data from unauthorized access, use, disclosure, disruption, modification, or destruction. Specifically, FISMA requires, overall, that security programs equip federal agencies with mechanisms to accomplish the following:
Page 4 of 45
While our comprehensive FISMA evaluation points out significant weaknesses, we note that DOI has taken several positive steps to improve its overall security, including the following:
5. Security assessments.
6. Security configurations.
Page 7 of 45
Evaluation Results
System Inventory
We found that DOI does have an inventory system in place but still relies on manual efforts to reconcile various system counts, and uses a separate inventory system for its security program. After detailed discussions with DOI, we generally agree with DOI on the number of systems contained in the inventory. While we did not observe any major information systems missing from DEAR, we do not feel that DOI has an efficient process in place and are concerned by the various different inventories used to report system counts. We will be carrying out a more thorough review next year.
The policies and procedures for populating the system inventory are widely accessible via the project's Web site, hap:/A.nvwdoigov/ociolarchitetzureiinda.htmi. Guidelines are in place to eliminate duplication of records and define what constitutes a system that should be tracked in the database.
6 OMB Question C3a.
DOI Memorandum "Information Technology Security Requirements for Acquisition," August 18, 2004.
Page 9 of 45
We found that the bureaus, acting on their own, have ensured that oversight activities are carried out and that the systems have gone through Certification and Accreditation. However, each organization handles contract oversight differently and with differing levels of rigor. We felt that BIA's oversight process was very effective, even though it was not aware of DOI's policy and had not formalized it within the contract. MMS, however, was not allowed to fully inspect a subcontractor's production environment or to test it technically due to contractual issues, making the overall value of its oversight process questionable. Our testing efforts of the same MMS subcontractor were also hindered by the lack of appropriate language in the contract. Thus, we were prevented from physically inspecting the servers hosting the MMS data or carrying out any technical testing. Ironically, at essentially the same time period as our inspection attempts, hackers compromised this subcontractor-operated system. The vulnerability leading to the compromise could very well have been discovered if MMS or the OIG had been allowed to carry out testing. We later learned that this same application had been hacked up to four times previously.
* Not all known weaknesses were included in DOI's Plan of Actions and Milestones.
* Bureaus used differing, and sometimes arbitrary, definitions to determine what would be included and excluded from the Plan of Actions and Milestones.
* Descriptions of weaknesses and the required actions to correct them were not adequate.
In this year's FISMA reporting guidance, OMB has asked the OIG to provide a "qualitative assessment" of the agency's Certification and Accreditation process. The assessment required us to determine adherence to existing policy, guidance, and standards to determine if DOI is using NIST Special Publication 800-37 and other relevant NIST publications for Certification and Accreditation work initiated after May 2004. This includes use of Federal Information Processing Standards (FIPS) 199 to designate impact levels to the confidentiality, integrity, and availability of a system.
In our FY 2004 FISMA report, the OIG gave DOI a satisfactory rating on its assessment of the DOI Certification and Accreditation program in part because DOI had initiated a quality assurance process to carry out detailed evaluations of the relevant
documents. Since DOI's implementation of the Certification and Accreditation quality assurance process in FY 2004, the OIG has had a chance to review the process as well.
* Some systems' Security Test and Evaluation reports were dated after the systems were signed off for full Accreditation.
16 A large number of DOI's systems have been Certified and Accredited and deemed by DOI to have effective controls in place to provide adequate security. In the OIG annual FY04 FISMA report, the OIG gave DOI a satisfactory rating on its assessment of the DOI C&A program in part because DOI had initialized a Quality Assurance process to carry out detailed evaluations of the relevant C&A documents. The OIG was not able to review the process in the FY 2004 reporting period as DOI had just undertaken this effort.
FIPS 199 Findings
Overall, FIPS 199 forms the basis for an effective risk assessment and management program. Failure to implement or achieve compliance with FIPS 199 makes it difficult for DOI to select and test the most effective security controls. Furthermore, not being in compliance with FIPS 199 will make it impossible to be in compliance with the upcoming federal standard for selecting minimum security controls, known as FIPS
Memorandum M-05-15, FY 2005 "Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," June 13, 2005, page 6, item II.
15 DOI uses an Asset Valuation process to assign risk levels for Confidentiality, Integrity, and Availability that was developed prior to the introduction of FIPS 199. The systems we reviewed did have designations based on the DOI Asset Valuation process. While this process was acceptable prior to FIPS 199, it is not consistent with the current standard for categorizing federal data and information systems.
200. We anticipate that NIST and OMB will make FIPS 200 a federal standard and mandatory requirement for Certification and Accreditation early in calendar year 2006.
* The Fish and Wildlife Service (FWS) Wide Area Network Contingency Plan notes that it "provides the entirety of network connectivity for every mission critical IT system in the Service." DOI's Asset Valuation Guide notes that Wide Area Networks, such as the FWS's, trust, and financial systems are supposed to be categorized as high risk. However, the DOI Certification and Accreditation listing states the security category of FWS Wide Area Network is low while the FWS Wide Area Network Plan of Actions & Milestones for the third quarter of FY 2005 states the system is a high. We noted that FIPS 199 is not specifically cited in any of the relevant FWS Wide Area Network security documents. Interviews with FWS staff revealed that FWS is looking to DOI for guidance.
* BOR's Wide Area Network FIPS categorization is not stated and its attempts to classify risk are inconsistent:
* The NBC's Federal Personnel and Payroll System (FPPS) NIST Special Publication 800-26 security self-assessment states that FPPS does not have any interconnections and thus interconnection agreements are not necessary. However, the FPPS system security plan lists numerous interconnections and states that the agreements are currently under development.
* The NBC's Reston LAN NIST Special Publication 800-26 security self-assessment states that management has authorized and integrated all interconnection agreements. However, we note that the lack of a signed interconnection agreement is identified as a current issue on the Reston LAN Plan of Actions and Milestones.
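The FIPS 199 rule these findings turn on, worked as an added example (not code from the report or from DOI): a system's category is the high water mark of its confidentiality, integrity and availability impact levels, and the checks flag a system whose documents disagree, whose category is not stated, or whose stated category sits below what the valuation guide requires. All system names and levels are constructed sample data.

```python
"""FIPS 199 categorization cross-check (added example; not code from the OIG
report or from DOI).

FIPS 199 rates a system's confidentiality, integrity and availability impact as
LOW, MODERATE or HIGH; the system's security category is the highest of the
three (the "high water mark"). The report found one system categorized
differently in different documents, a WAN with no stated category, and stated
categories below what the departmental valuation guide requires. The checks
below cover those three cases; all system names and levels are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# FIPS 199 impact levels, least to most severe.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {level: n for n, level in enumerate(IMPACT_LEVELS)}


def normalize_level(value: str) -> str:
    """Map a document entry such as 'high' or 'Moderate' to a FIPS 199 level.

    Anything else (blank, 'N/A', a legacy risk score) raises ValueError, which
    is itself a finding: the category is effectively not stated.
    """
    level = value.strip().upper()
    if level == "MEDIUM":  # assumed legacy synonym; not a FIPS 199 term
        level = "MODERATE"
    if level not in _RANK:
        raise ValueError(f"not a FIPS 199 impact level: {value!r}")
    return level


def security_category(confidentiality: str, integrity: str, availability: str) -> str:
    """Overall system category per FIPS 199: the highest of the three levels."""
    levels = [normalize_level(v) for v in (confidentiality, integrity, availability)]
    return max(levels, key=_RANK.__getitem__)


@dataclass(frozen=True)
class Finding:
    system: str
    kind: str  # "not_stated", "inconsistent", "mismatch" or "below_required"
    detail: str


def review_system(system: str, cia: Optional[Tuple[str, str, str]],
                  recorded: Dict[str, str], minimum: Optional[str] = None) -> List[Finding]:
    """Cross-check one system's category across its documents.

    cia      -- (C, I, A) levels from a FIPS 199 analysis, or None if none exists.
    recorded -- category as stated in each document, keyed by document name.
    minimum  -- floor the departmental guide sets for this kind of system, or None.
    """
    findings: List[Finding] = []
    stated: Dict[str, str] = {}
    for doc, value in recorded.items():
        try:
            stated[doc] = normalize_level(value)
        except ValueError:
            findings.append(Finding(system, "not_stated",
                                    f"{doc}: {value!r} is not a FIPS 199 category"))
    # The same system must not carry different categories in different documents.
    if len(set(stated.values())) > 1:
        detail = ", ".join(f"{doc}={lvl}" for doc, lvl in sorted(stated.items()))
        findings.append(Finding(system, "inconsistent", detail))
    # Every stated category must equal the FIPS 199 high water mark, when known.
    if cia is not None:
        expected = security_category(*cia)
        for doc, lvl in stated.items():
            if lvl != expected:
                findings.append(Finding(system, "mismatch",
                                        f"{doc} states {lvl}; C/I/A {cia} gives {expected}"))
    # A stated category below the guide's floor for this system type is a finding.
    if minimum is not None:
        floor = normalize_level(minimum)
        for doc, lvl in stated.items():
            if _RANK[lvl] < _RANK[floor]:
                findings.append(Finding(system, "below_required",
                                        f"{doc} states {lvl}; guide requires at least {floor}"))
    return findings


# Constructed sample modelled on the report's findings (not the report's data).
SAMPLE_SYSTEMS = {
    "FWS Wide Area Network": dict(
        cia=None, recorded={"C&A listing": "low", "POA&M Q3 FY2005": "high"}, minimum="HIGH"),
    "BOR Wide Area Network": dict(
        cia=None, recorded={"C&A listing": ""}, minimum="HIGH"),
    "Example payroll system": dict(
        cia=("MODERATE", "HIGH", "MODERATE"),
        recorded={"SSP": "moderate", "C&A listing": "moderate"}, minimum=None),
}


def review_all(systems=SAMPLE_SYSTEMS) -> Dict[str, List[Finding]]:
    """Run the checks over every system; findings are keyed by system name."""
    return {name: review_system(name, spec["cia"], spec["recorded"], spec["minimum"])
            for name, spec in systems.items()}
```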
System Security Plan Findings
* Page ii, section 2.3.31 of the FWS Wide Area Network system security plan states that all major applications and general support systems that are interconnected with the Wide Area Network system will sign the interconnections service agreement. These agreements have not been completed.
* Section 1.7 of the NBC FFS system security plan references the Denver Data Center Enclave plan for a listing of all interconnections. The FFS system security plan also notes that the interconnections are not signed to date.
* Section 1.8 of the NBC CFS system security plan states that the only true interconnection with Hyperion is to the Internet. The system security plan also states that CFS clients sign a security services agreement with the NBC. However, these agreements are not signed with all clients.
* Section 1.8 of the NBC IDEAS system security plan includes a listing of interconnected agencies and specifies the logistics of the interconnections. However, the plan does not indicate if interconnection agreements are signed.
We did note that the system security plans for the NBC that we reviewed appear to be updated periodically, but we did observe some out-of-date contact information. Specifically, we determined the following contact information has not been updated:
* The NBC Denver LAN contingency plan has not been updated since June 2004, even though NBC has migrated from Novell to Active Directory and performed two connectivity tests.
We also found that most of the NBC system contingency plans had outdated or incorrect contact information for critical individuals. In order to verify the accuracy of the team contact information provided in the contingency plan, we performed a comparison to the current NBC directory. Upon comparison, we found the following discrepancies:
Security Configurations
carried out manually. In an environment with limited configuration management practices, this can pose additional risks to DOI's assets.
Network Security
However, our penetration testing has revealed other problems with DOI's Computer Security Incident Response capability. DOI's bureaus, for the most part, have been successful in detecting large scale network reconnaissance activities and have taken actions to detect and block these. In most cases, there was a noticeable time lag between detection and reporting. Unfortunately, by this time we were able to penetrate through other undetected networks. In the instances where we gained unauthorized access inside a bureau, we were not detected and had unfettered access for as long as we needed it. This indicates that there is inadequate attention being paid to suspicious network activity
Recommendations
System Inventory
Contractor Oversight
5) DOI should improve its Certification and Accreditation quality assurance process by doing the following:
Security Configurations
Network Security
10) Follow standard DOI procedures to report incidents with potential law enforcement implications to the OIG's Office of Investigations.
OMB OIG FISMA MATRIX
Question 5
Agency Name:
Question 6
Linux: Yes; Yes; Rarely, or, on approximately 0-50% of the systems running this software
Cisco Router IOS: Yes; Yes; Rarely, or, on approximately 0-50% of the systems running this software
Oracle: Yes; Yes; Rarely, or, on approximately 0-50% of the systems running this software
Other (Specify): Yes; Yes; Rarely, or, on approximately 0-50% of the systems running this software
Comments: Other: AD(, Apache Web Servers, Remote Access Servers
Question 7
Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.
7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes (Yes or No)
7.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. No (Yes or No)
7.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov. Yes (Yes or No)
Comments: 7.b. We identified eight (8) instances of non-compliance from November 2004 through August 2005. Training was provided.
Question 8
Appendix 1 FY 2005 FISMA System Sub Set Evaluation Findings
Awareness
1 BIA (Contractor) Trust Asset and Accounting Management System X X X X X
2 X X X X X
When an X is observed, this signifies issues in our annual evaluation that have a negative impact to the overall assessment area.
Awareness
12 OS/NBC Federal Personnel and Payroll System X X X X X
13 OS/NBC Interior Department Electronic Acquisition System X X X X X X
14 OS/NBC Denver Data Center Local Area Network X X X X X
15 OS/NBC Consolidated Financial Statement System (HYPERION) X X X X X X
16 OS/NBC Alaska Regional Telecommunication Network X
17 OST Wide Area Network X X X
References
Laws
* Public Law 107-347, Title III, Federal Information Security Management Act (FISMA) of 2002, December 17, 2002.
OIG Reports
* NSM-EV-BLM-0020-2005 "Penetration Testing: External Penetration Testing of Bureau of Land Management," April 6, 2005.
* NSM-EV-OSS-0025-2005 "NBC Penetration Testing: External Penetration Testing of NBC," July 13, 2005.
* NSM-EV-MOI-0003-2005 "Information Security Assessment: Central Valley Operations, Sacramento, California, National Critical Infrastructure Information Systems, Bureau of Reclamation," September 7, 2005.
* NSM-EV-MOI-0003-2005 "Information Security Assessment: Hoover Dam, National Critical Infrastructure Information Systems, Bureau of Reclamation," September 7, 2005.
* NSM-EV-MOI-0003-2005 "Information Security Assessment: Grand Coulee Dam, National Critical Infrastructure Information Systems, Bureau of Reclamation," September 7, 2005.
* NSM-EV-FWS-0022-2005 "Penetration Testing: External Penetration Testing of Fish and Wildlife Service," September 7, 2005.
* NSM-EV-MMS-0021-2005 "Penetration Testing: External Penetration Testing of Minerals Management Service," August 5, 2005.
* NSM-EV-NPS-0023-2005 "Penetration Testing: External Penetration Testing of National Park Service," September 7, 2005.
* NSM-EV-OSM-0017-2005 "Penetration Testing: External Penetration Testing of Office of Surface Mining," September 7, 2005.
* BLM IT Security Penetration Testing: Notice of Potential Findings and Recommendations, April 6, 2005.
* NBC IT Security Penetration Testing: Notice of Potential Findings and Recommendations, April 19, 2005.
* NSM-EV-MOI-0012-2005 "Fiscal Year 2005 First Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," January 24, 2005.
* NSM-EV-MOI-0012-2005 "Fiscal Year 2005 Second Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," May 10, 2005.
* NSM-EV-MOI-0012-2005 "Fiscal Year 2005 Third Quarter Information Technology Security Update in Support of the Federal Information Security Management Act," July 29, 2005.
* A-EV-MOA-0001-2005 "Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses," August 2005.
* Securing DOI's Network and Computer Infrastructure. Memorandum issued by DOI's Chief Information Officer on July 22, 2002.
* OCIO Directive 2004-005, Reporting of Medium and Low Priority Computer Security Incidents, December 19, 2003.
* Plan of Actions and Milestones (POA&M) Process Verification. IRM Bulletin 2005-07, issued on May 3, 2005.
* Revised POA&M Reporting Instructions. IRM Bulletin 2004-04, issued on November 24, 2003.
* Reporting of Medium and Low Priority Computer Security Incidents. IRM Bulletin 2004-05, issued on December 19, 2003.
* Standardized System Security Configuration. IRM Bulletin 2004-07, issued on March 5, 2003.
* Revised POA&M Reporting Instructions. IRM Bulletin 2004-09, issued on February 2, 2004.
* Prohibition on Use of Wireless Network Technology. IRM Bulletin 2004-18, issued on April 4, 2004.
* System Audit Logs. IRM Bulletin 2004-20, issued on July 17, 2004.
* E-Authentication Agency Ramp-up Plans. IRM Bulletin 2004-21, issued on July 6, 2004.
* Interim Guidance for Certification and Accreditation on Information Technology Systems. IRM Bulletin 2003-03, issued on April 11, 2003.
* Computer Incident Response Capability. IRM Bulletin 2003-13, issued on August 4, 2003.
* Interior Computer Security Incident Response Handbook (v1), issued on August 4, 2003.
* DOI CIO Memorandum on Peer-to-Peer file sharing restriction, issued on July 28, 2003.
* OCIO Bulletin 2002-007, Interim Guidance for Basic End-User Information Technology Security Training and Awareness, May 13, 2002.
* OCIO Directive 2005-007, FY 2005 Plan of Actions and Milestones (POA&M) Process Verification, May 3, 2005.
* OCIO Memorandum "Implementing OCIO Directive 2005-007 for 4th Quarter Plan of Actions and Milestones (POA&M) and 4th Quarter Federal Information Security Act (FISMA) Performance Measures," August 18, 2005.
* Part 375 Departmental Manual, Chapter 19, Information Technology Security Program, April 15, 2002.
* Interior Information Technology Security Plan, Version 2, April 15, 2002.
* Interior System Security GSS Planning Guide and Template, April 30, 2002.
* Interior System Security MA Planning Guide and Template, April 30, 2002.
* Interior Risk Assessment Guide, April 30, 2002.
* Interior IT System Contingency Planning Guide, April 30, 2002.
* DOI IT Asset Valuation Guideline, March 4, 2003.
Other References
Abbreviations:
BIA Bureau of Indian Affairs
BLM Bureau of Land Management
BOR Bureau of Reclamation
C&A Certification & Accreditation
CSIRC Computer Security Incident Response Capability
DM Departmental Manual
DOI Department of the Interior
FIPS Federal Information Processing Standard
FISMA Federal Information Security Management Act
FMFIA Federal Managers Financial Integrity Act
FWS Fish & Wildlife Service
GAO Government Accountability Office
MMS Minerals Management Service
NBC National Business Center
NIST National Institute of Standards and Technology
NPS National Park Service
OIG Office of Inspector General, Department of the Interior
OMB Office of Management and Budget
OST Office of the Special Trustee
OSM Office of Surface Mining
SP Special Publication
SSP System Security Plan
ST&E Security Test and Evaluation
USGS United States Geological Survey
U.S.C. United States Code
FPPS Federal Personnel and Payroll System
IDEAS Interior Department Electronic Acquisition System
DTS
PARKNET
OST OSTNet
OST LAN/WAN
Evaluation Report
SEPTEMBER 2005
Office of Inspector General
Washington, D.C. 20240
Memorandum
In the September 14, 2005 response to the draft report, the Department's Chief Information Officer did not specifically concur or non-concur with our findings and recommendations. The response indicated that the Department had fully implemented three of the five recommendations and that no further action was needed to implement the remaining two recommendations. Although we acknowledge recent steps taken by the Department to improve the POA&M process, the actions taken have not fully addressed our recommendations. Accordingly, we consider all five recommendations unresolved.
Attachment
RESULTS IN BRIEF
To improve
recommend
reported and
INTRODUCTION ... 1
Background ...
Prior Reviews ... 1
Objective and Scope ... 2
RESULTS OF EVALUATION ... 3
Department's POA&M Was Not Reliable ... 3
Management Oversight Was Not Effective ... 4
The Department Lacks Assurance Its IT Systems Are Secure ... 8
APPENDICES
1. Office of Inspector General Prior Reports with Findings Related to the Department of the Interior's Plan of Action and Milestones ... 16
2. Scope, Methodology, and Criteria ... 18
3. Summary Results of Weaknesses Tested from Bureaus' Plans of Actions and Milestones, September 15, 2004 and December 15, 2004 ... 21
4. POA&M Practices and Automated System Capabilities From Department of the Interior Bureaus and the Environmental Protection Agency ... 22
5. Department Response ... 25
6. Status of Evaluation Recommendations ... 32
DoI-OIG Annual IT Security Program Evaluation
Page 6 of 38
Defendants' Notice of Filing of DoI's FY 2005 FISMA Reports
INTRODUCTION
OMB Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plans of Action and Milestones," issued October 17, 2001. This guidance was updated by OMB Memorandum M-03-19, "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting."
whether the process was properly implemented. In that same report, we concluded that all weaknesses were not recorded in the POA&M, priorities were not assigned to correct all weaknesses, and costs for actions to remedy weaknesses were not always identified.
OBJECTIVE AND SCOPE
The objective of our evaluation was to determine whether the Department's POA&M process to manage IT security weaknesses was adequate. To accomplish our objective, we interviewed personnel involved with the process, analyzed the Department's POA&Ms of September 15 and December 15, 2004, and conducted tests of weaknesses reported as corrected. In performing our tests, we judgmentally selected 133 weaknesses in 20 IT systems and 1 security program. These systems and program were owned by the Office of the Secretary (OS), the Assistant Secretary of Indian Affairs (IA), the Bureau of Land Management (BLM), the Bureau of Reclamation (BOR), the Geological Survey (GS), the Minerals Management Service (MMS), and the National Park Service (NPS). (See Appendix 2 for more details on scope, methodology, and the criteria used in this evaluation.)
> Five corrective actions required a new IT system be implemented, but the system had not been implemented.
MANAGEMENT OVERSIGHT WAS NOT EFFECTIVE
The Department's Office of the CIO had issued some policies and procedures regarding the POA&M process. However, the Office did not oversee the process to ensure that the Department's POA&M could be used to effectively manage IT security weakness remediation and was accurate, timely, and resulted in safeguarding IT resources. Specifically, the Office of the CIO did not institute adequate quality assurance and verification methodologies and did not require that responsible officials, such as bureau heads, be accountable for the accuracy of reported information and for correcting IT security weaknesses. The Department's CIO also had not instituted an effective process to ensure that weaknesses were prioritized based on the risk to the Department. In addition, the Department's Office of the CIO had not ensured that the automated system used for the POA&M could be used as an effective management tool.
No Quality Assurance Process
The Office of the CIO had not established an effective quality assurance process to review information submitted in the bureaus' quarterly POA&Ms to ensure accurate and complete information was included in the Department's POA&M. Although the Office of the CIO performed a limited review of the count of weaknesses reported by the bureaus, this review was not comprehensive and did not ensure that (1) all systems in the Department's IT system inventory were included; (2) IT security weaknesses were clearly described so that weaknesses were understood; and (3) reported planned corrective actions would correct the weaknesses. For example, the Department's September 15, 2004 POA&M:
Without a quality assurance process, the Department's CIO is not able to improve the quality and reliability of the Department's POA&M and the Department cannot ensure that its POA&M process is effective.
No Verification Process
Without a verification process, the Department has little assurance that its IT security weakness remediation process is effective. Appendix 4 describes good bureau practices that we believe could also be used by the Department as part of a verification process.
Automated POA&M Information System Not Effective
Bureau staff indicated that the Department's automated POA&M system was difficult to use and that usable information could not be produced.
The Department's automated POA&M system could not be used to monitor, prioritize, and report on IT security weaknesses. For example, the Department's automated system, as it was implemented, does not:
> contain standardized descriptions of weaknesses and related corrective actions so that the Department could accurately prioritize all the weaknesses;
THE DEPARTMENT LACKS ASSURANCE THAT ITS IT SYSTEMS ARE SECURE
The Department's CIO has stated that the POA&M is the Department's tool to manage IT security weaknesses. As such, the Department is relying on information that we found to be inaccurate, incomplete, and untimely. Without reliable information in the POA&M, the Department cannot identify systemic problems and monitor corrective actions. Also, management may make inappropriate decisions regarding the Department's information security program. Therefore, the Department cannot ensure that the most significant weaknesses are corrected first and that its systems and data are adequately safeguarded.
RECOMMENDATIONS, DEPARTMENT OF THE INTERIOR'S CHIEF INFORMATION OFFICER RESPONSE, AND OFFICE OF INSPECTOR GENERAL REPLY
OIG Reply
The Department has taken recent steps to improve the POA&M process including the issuance of more detailed guidance. However, we believe that further steps are needed to implement an effective quality assurance process. While the recent guidance communicates the requirement to include all weaknesses in the POA&M, it does not describe a Department-level quality assurance process to ensure that all weaknesses are actually reported. The working draft Plan of Actions and Milestones Process Standard does state that the Department Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) will be required to review the POA&Ms to ensure compliance with policies and procedures. The CISO will also be responsible for instituting a quality assurance process to ensure all systems are accounted for, weaknesses are adequately described, and corrective action plans appropriately address the weakness. However, these Standards will not be implemented until fiscal year 2006.
OIG Reply
The Department has taken some steps to improve the verification process including the requirement that the bureaus conduct verifications that the weaknesses reported as corrected were in fact corrected. However, the continued reliance on self-reporting by the bureaus makes compliance verification virtually impossible from a Department-wide management standpoint. In its response, the Department indicated that the Plan of Actions and Milestones Process Standard would provide for an additional quality assurance to be performed by the OCIO which will include an "inspection and review of a sample set of completed POA&M corrective actions each fiscal year." However, the current draft does not include this additional process. The Department will not have an effective POA&M process until these verification reviews are established and implemented. Additionally, we included the cost benefit analysis in our report as a promising practice that could be used by the Department in its POA&M process.
DOI Response
The Department responded that the quality assurance and verification process initiated by the OCIO Directive 2005-007 and further clarified in a memorandum dated August 18, 2005 requires senior management officials to ensure and verify information in the bureau's POA&M is accurate. The Department believes the implementation of the verification process fully implements this recommendation.
DOI Response
The Department did not agree with this recommendation. The Department stated that the IT budget is under the authority of multiple appropriations and with specific restrictions on the movement of appropriated funds. Thus, prioritization across bureaus is not a relevant issue. Additionally, the Department makes the following points:
NIST SP 800-37 requires the Designated Approving Authority (DAA) to make the final decision and be held accountable for accepting risks to their systems. Having higher levels of management make changes to the DAA's determination would undermine the DAA's authority and accountability.
DOI Response
The Department recognizes the benefits of using POA&M automation tools and plans to evaluate tools for prospective use in the Department. They may not be able to immediately implement the recommendation or find it cost effective to do so. The Department believes that the current POA&M reporting format, while not optimal, meets basic requirements. A new automated POA&M system could not be funded until fiscal year 2008. The Department stated that the implementation of a single-purpose system for POA&Ms would not be beneficial because the functional requirements, such as automation of forms and workflow, are common to other Departmental and OCIO processes. Those requirements should be met with common software service components.
Appendix 1
ANNUAL EVALUATION OF THE SECURITY PROGRAM AND PRACTICES OVER NON-NATIONAL SECURITY SYSTEMS, U.S. DEPARTMENT OF THE INTERIOR (Report No. 2002-I-0049)
ANNUAL EVALUATION OF THE INFORMATION SECURITY PROGRAM OF THE DEPARTMENT OF THE INTERIOR (Report No. 2003-I-0066)
REPORTS
strategic plan should encompass the corrective actions in the POA&Ms and should be approved by the CIO.
Appendix 2
> reviewed the Department's and the bureaus' policies and procedures related to reporting IT security weaknesses and remediation activities on the POA&Ms;
> analyzed bureaus' IT systems and program quarterly POA&Ms that were submitted to the Department and the Department's quarterly POA&Ms that were submitted to the Office of Management and Budget (OMB) dated September 15 and December 15, 2004;
> We chose weaknesses that were related to access controls because of the significance of these controls in safeguarding IT resources and data and because these controls are included in most types of IT systems.
Management, the Bureau of Reclamation, the Geological Survey, the Minerals Management Service, and the National Park Service. (See Appendix 3 for the specific systems tested.)
EVALUATION CRITERIA
* The agency head should direct the Chief Information Officer to monitor agency compliance with the policies, procedures, and guidance in this Circular. The Chief Information Officer should develop internal information policies and procedures and oversee, evaluate, and otherwise periodically review agency information resources management activities for conformity with the policies set forth in this Circular.
Appendix 3
Columns: Number of Corrected Weaknesses Reported | Number of Corrected Weaknesses Tested | Number of Corrected Weaknesses Determined Not Corrected
(counts whose row labels did not survive the scan: 104, 15, 12, 26, 16, 8, 30, 20)
Bureau of Reclamation
  Denver Office General Support System (DOGSS)
  Columbia Basin Supervisory Control and Data Acquisition (CBP SCADA)
  Hydrological and Meteorological Information System (HMIS)
  Mid-Pacific Regional General Support System (MPGSS)
  Safety and Security Information System (SSIS)
(counts: 48, 17)
Geological Survey
  National Map
(counts: 81, 40, 21, 23, 16, 32, 4)
Total | 344 | 133 | 64
Appendix 4
AREA: Keeping system owners updated on the status of security weaknesses.
PRACTICE: The National Business Center's IT Security Manager sends a monthly POA&M report to system owners. The report shows the status of the corrective actions for IT security weaknesses that are ongoing and on target for completion and of each weakness that is ongoing but not on target for completion.
CAPABILITY: Classify IT systems as either a major application or a general support system.
DESCRIPTION: The POA&M system asks questions that, when answered by the user, help the user to classify the IT system as either a major application or a general support system. A major application requires a different set of controls than a general support system to safeguard information.
CAPABILITY: Track requirements for an IT system to be certified and accredited as adequately protecting data.
DESCRIPTION: The POA&M system tracks whether a system meets the requirements for it to be certified and accredited as adequately safeguarding data. These requirements include: the system must have undergone a risk assessment, the system must have undergone a self-assessment, the system must have a security plan describing all the controls that protect the system, and the system must have a contingency plan to recover in the event of a system failure or disaster.
CAPABILITY: Allows queries of weakness data.
DESCRIPTION: The POA&M system allows queries to obtain data regarding IT security weaknesses including the progress of corrective actions. In addition, the system can generate POA&M reports in OMB's required format.
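The capabilities above, together with the quality assurance checks the report found missing (every inventoried system present, weaknesses described, a corrective action recorded, corrected items verified), restated as an added Python example. This is not the Department's system or any code from the report: the data model, the sample entries and the "at least three words" description test are constructed assumptions; the 180-day limit for high-priority weaknesses is the figure the Department cites in its own response, and the system names are taken from Appendix 3.

```python
"""Minimal POA&M tracker: quality assurance, prioritization and status reporting.

Added example, not the Department's automated system. Data model, sample data and
the description-length threshold are constructed assumptions; the 180-day limit for
high-priority weaknesses is the figure stated in the Department's response.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

HIGH_PRIORITY_DEADLINE = timedelta(days=180)   # Department's stated limit
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Weakness:
    weakness_id: str
    system: str              # IT system name; must appear in the inventory
    description: str         # what the weakness is (should be standardized)
    corrective_action: str   # the planned fix
    priority: str            # "High", "Medium" or "Low"
    identified: date         # date the weakness was found
    milestone: date          # scheduled completion date
    status: str              # "Ongoing" or "Completed"
    verified: bool = False   # independent check that a "Completed" fix is real


def quality_assurance(poam: List[Weakness], inventory: Set[str]) -> List[str]:
    """Department-level QA review of a quarterly POA&M; an empty list means it passes."""
    findings: List[str] = []
    reported = {w.system for w in poam}
    # (1) every system in the IT system inventory must be represented
    for system in sorted(inventory - reported):
        findings.append(f"system {system} is in the inventory but absent from the POA&M")
    for system in sorted(reported - inventory):
        findings.append(f"system {system} is in the POA&M but not in the inventory")
    for w in poam:
        # (2) the weakness must be described clearly enough to be understood
        if len(w.description.split()) < 3:
            findings.append(f"{w.weakness_id}: weakness description is not understandable")
        # (3) a corrective action that addresses the weakness must be recorded
        if not w.corrective_action.strip():
            findings.append(f"{w.weakness_id}: no corrective action recorded")
        if w.priority not in PRIORITY_RANK:
            findings.append(f"{w.weakness_id}: priority {w.priority!r} is not High/Medium/Low")
        # high-priority weaknesses must be scheduled within the 180-day limit
        elif w.priority == "High" and w.milestone - w.identified > HIGH_PRIORITY_DEADLINE:
            findings.append(f"{w.weakness_id}: high-priority milestone exceeds 180 days")
        # a weakness reported as corrected must have been independently verified
        if w.status == "Completed" and not w.verified:
            findings.append(f"{w.weakness_id}: reported corrected but not verified")
    return findings


def prioritized(poam: List[Weakness]) -> List[str]:
    """Open weaknesses ordered so the most significant are corrected first."""
    open_items = [w for w in poam if w.status == "Ongoing"]
    open_items.sort(key=lambda w: (PRIORITY_RANK.get(w.priority, 99), w.milestone))
    return [w.weakness_id for w in open_items]


def status_report(poam: List[Weakness], as_of: date) -> Dict[str, Dict[str, List[str]]]:
    """Per-system monthly report: ongoing items on target vs. past their milestone."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for w in poam:
        if w.status != "Ongoing":
            continue
        bucket = "on_target" if w.milestone >= as_of else "not_on_target"
        report.setdefault(w.system, {"on_target": [], "not_on_target": []})[bucket].append(w.weakness_id)
    return report


# Constructed sample inventory and POA&M entries (system names from Appendix 3).
INVENTORY = {"DOGSS", "CBP SCADA", "SSIS", "National Map"}
SAMPLE_POAM = [
    Weakness("W-1", "DOGSS", "Password complexity not enforced on administrative accounts",
             "Enable the complexity rule in the domain password policy",
             "High", date(2004, 6, 1), date(2004, 9, 1), "Ongoing"),
    Weakness("W-2", "DOGSS", "Audit logs are not reviewed",
             "Assign weekly log review to the system administrator",
             "Medium", date(2004, 6, 1), date(2005, 3, 1), "Ongoing"),
    Weakness("W-3", "SSIS", "Fix issue", "",
             "High", date(2004, 1, 1), date(2004, 12, 1), "Completed"),
    Weakness("W-4", "National Map", "Contingency plan has not been tested",
             "Conduct an annual contingency plan test",
             "Low", date(2004, 5, 1), date(2005, 5, 1), "Ongoing"),
]
AS_OF = date(2004, 12, 15)

if __name__ == "__main__":
    for finding in quality_assurance(SAMPLE_POAM, INVENTORY):
        print("QA:", finding)
    print("work order:", prioritized(SAMPLE_POAM))
    for system, buckets in status_report(SAMPLE_POAM, AS_OF).items():
        print(system, buckets)
```

Run against the constructed sample, the QA pass flags the system missing from the POA&M and every defect in W-3 (vague description, no corrective action, a high-priority milestone beyond 180 days, and a "Completed" status nobody verified), which is the class of entry the OIG's tests of corrected weaknesses found unreliable. The work order puts the open high-priority item first, and the status report separates ongoing items that are past their milestone from those still on target, which is the monthly report the National Business Center practice sends to system owners.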
Appendix 5
Thank you for the opportunity to respond to the "Draft Evaluation Report on the Department of the Interior's Process to Manage Information Technology Security Weaknesses (Assignment No. [illegible in scan])." The Plan of Action and Milestones (POA&M) process is a vital component of the Department's Information Technology (IT) security program. As you know, Interior made significant progress in establishing and implementing its department-wide POA&M process, to the point where the Office of Inspector General concluded in 2004, "Based on our examination of the Department's instructions for the development and implementation of POA&Ms, we concluded that as designed, the POA&M process is effective and satisfies the pertinent Federal guidance presented in Attachment C of Office of Management and Budget Memorandum 03-19 Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting issued August 6, 2003."
We note that, as our program has matured, OIG evaluations have become more rigorous as well. We appreciate that this increased level of evaluation will allow us to continue to mature and improve our processes, and thus our IT security, beyond minimum requirements. Please note that improvement of IT security beyond documented OMB or NIST requirements may not be our highest priority for available critical IT security funding. However, as we evaluate our overall IT security funding needs and available resources, we will consider recommendations in light of priorities in the program.
We appreciated meeting with OIG staff and management early in this evaluation process. These meetings provided us an opportunity to begin immediate implementation of proposed recommendations. Our immediate action significantly improved our processes during this fiscal year. We also appreciate that BOR, MMS, NBC, and BLM were specifically noted for effective implementation of POA&M practices. These and other practices served as the basis for improved guidance Department-wide.
Recommendation 1:
b) Weaknesses are completely described and the respective corrective actions would adequately correct the weaknesses. This could be partially addressed through establishing standardized descriptions of common weaknesses and related corrective actions.
Response:
OMB guidance may not have kept pace with incident management requirements and vulnerability monitoring tools or capabilities often employed by Federal agencies. Incident management procedures at many Federal agencies require officials to employ immediate action to safeguard systems and data from outside threats or vulnerabilities. The management of such rapidly handled changes may be better addressed through other processes. Furthermore, it may not be prudent to disclose such vulnerability details in POA&Ms. The use of vulnerability monitoring tools should also be considered as an acceptable adjunct to the POA&M. Since these tools often provide misleading results or false-positives and other errors, the information needs to be screened before putting information in POA&Ms and should still be summarized.
OMB M-04-25 states that "sensitive descriptions of the specific weakness are not necessary" (p. 15) and endorses the use of general or brief descriptions. A template attached to the OMB memorandum also provided examples on the type of descriptive information required on IT security weaknesses. The example illustrates that high-level descriptions of IT security weaknesses are acceptable. Separate source documents and reports detail more fully each finding described in the POA&M, and provide adequate traceability.
Reconinjendatico 2:
Response:
However, we also intend to issue a new OCIO Directive and POA&M Process Standard for implementation in FY 2006 to further enhance the POA&M process. This additional guidance has been developed by a team of specialists from throughout the Department and will provide much of the recommended standardization. The POA&M Process Standard will provide for an additional quality assurance process, to be performed by the OCIO, which will include inspection and review of a sample set of completed POA&M corrective actions each fiscal year.
The use of cost benefit analyses is recommended along with other factors to be considered when making such decisions. However, it is not cost effective for agencies to complete cost-benefit analyses for every security weakness that falls into the risk acceptance category.
Recommendation 3:
Require senior bureau management to certify that information in the bureau's POA&M is accurate and true.
Response:
The quality assurance and verification process initiated by OCIO Directive 2005-007, May 3, 2005, and further clarified by memorandum of August 18, 2005, requires senior management officials to ensure and verify information in the bureau's POA&M is accurate.
Recommendation 4:
Response:
Interior agrees with the spirit of this recommendation, but not the recommended corrective action, for the following reasons:
2. NIST SP 800-37 requires the DAA to make the final decision, and be held accountable, for accepting risks to their systems. If officials at other levels in the Department make changes to the DAA's determination, it would undermine both the DAA's authority and accountability. The DAAs and other senior management officials rely on a variety of factors in establishing scheduled commitments to correct weaknesses
5. Interior meets the OMB requirements, as risk levels and severity of weaknesses are identified in Risk Assessment reports and other source documentation. As described in DOI IRM Directive 2004-009 Appendix A, each bureau and office is required to establish a priority process for addressing IT system security weaknesses based on the significance of the vulnerability (See page C-4). Each system security weakness is assigned a priority level of High, Medium, or Low. The Department also established a requirement to address all high priority IT security weaknesses within 180 days. The Department's priority setting process, therefore, is adequate and fully complies with OMB guidance.
Recommendation 5:
Improve the Department's current POA&M system. To determine the best automated system for the Department, consult with bureaus' IT operations staff, system owners, program managers, and others that are involved with IT security weakness remediation. Also consult other Federal agencies that have implemented automated systems to manage POA&Ms.
Response:
1. The current POA&M reporting format, while not optimal, meets basic program requirements. At this point, investing in a different POA&M tool may not be the highest priority for limited resources.
funded until FY 2008. We are investigating opportunities for workflow improvement within approved IT security operations and maintenance funding. We believe we are compliant with OMB-specified POA&M reporting using the existing spreadsheet format, and therefore meet the requirements of this recommendation.
presented here, such that they can now be considered fully implemented. I believe the POA&M process, following OMB directions, provides a sound program for managing the remediation of IT security weaknesses. I look forward to a continued positive relationship with your office as we further mature our IT security programs.
Attachments
Appendix 6