Board Report: 2014-IT-B-021 December 18, 2014
Overall, we found that the Chief Information Officer (CIO) maintains a FISMA-compliant information security program that is consistent with requirements for certification and accreditation established by NIST and OMB; however, we identified some systems that lacked documentation for authorizations to operate (ATOs), some system security plans (SSPs) that lacked recommended elements of NIST, and some information systems that did not receive a security assessment. Additionally, we identified that the IT Security Compliance Unit (ISCU) uses multiple repositories to manage security documentation. Inconsistent documentation of ATOs, SSPs, and security assessments indicates the potential for noncompliance with federal regulations and poses information security risks.
We found that 4 of the 53 systems selected for review did not have a documented ATO either in hard copy or in electronic form in the automated workflow support tool. Additionally, we found that 4 systems with a documented ATO in the automated workflow tool were approved by someone other than the documented authorizing official.
NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53), requires that organizations assign a senior-level executive or manager as the authorizing official for the information system and ensure that the authorizing official authorizes the information system for operation before the system is implemented. By authorizing an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs.
We believe that the varied use of hard copy and electronic form, as well as the use of multiple repositories to house the ATO documentation as discussed below, contributed to these inconsistencies. The Information Security Officer (ISO) stated that until the next version of the workflow tool becomes available, the Board will have to continue to maintain both hard copy and electronic ATOs. A single view of the ATOs will help the ISO monitor the authorization state of all systems.
We found that 10 of the 53 systems we reviewed had SSPs that lacked documentation on the authorization boundaries, and 11 of the 53 systems lacked system environments documentation. Furthermore, we found that the SSP template in the automated workflow tool did not include SP 800-53 requirements for the inclusion of system interconnections.
SP 800-53 requires that organizations develop a security plan for the information system that explicitly defines the authorization boundary for the system, describes the operational context of the information system in terms of missions and business processes, and describes the operational environment for the information system and relationships with or connections to other information systems. Further, the BISP states that SSPs are developed for all information systems in order to fully describe the security environment of the information system.
ISCU staff stated that the exclusion of critical information in some SSPs is a result of lack of understanding by system owners and managers of the requirements of certain fields within the automated workflow tool. Without fully documenting the system interconnections, authorization boundaries, and system environment, the authorizing official may be accepting undocumented risks.
We found that 4 of the 53 systems we reviewed did not undergo annual security testing. SP 800‑53 requires organizations to develop a security assessment plan, assess the security controls in the information system and its environment of operation, and produce a security assessment report that documents the results of the assessment. ISCU staff stated that the security assessments were not completed due to other priority reviews.
Currently, ATOs and SSPs are maintained electronically in one of two repositories or in hard copy. The ISCU uses an automated workflow tool to manage the security documentation for Board information systems, and the Division of Banking Supervision and Regulation developed a separate internal compliance management tool that manages the security documentation for its systems and its Technology Portfolio Management function. The information security–related purpose of Technology Portfolio Management is to secure supervision and regulation information by coordinating, on a national basis, all BISP and other policy compliance requirements for the Division of Banking Supervision and Regulation’s systems.
According to OMB Memorandum M-14-03, Enhancing the Security of Federal Information Systems, in order to fully implement information security continuous monitoring (ISCM) across the federal government, OMB recommends that agencies standardize the requirement to establish ISCM as an agency-wide solution by deploying enterprise ISCM products and services. Further, SP 800-137 recommends that organizations look for automated solutions to lower costs, enhance efficiency, and improve the reliability of monitoring security-related information.
During our audit, the Division of Banking Supervision and Regulation was exploring tools to replace its internally built compliance management tool, which is being phased out due to technical support issues. Additionally, during this audit the ISCU had upgraded its version of the automated workflow tool.
We recommend that the CIO
The Director of the Division of Information Technology stated that the Information Security Compliance Program is currently in the process of enhancing the automated compliance tool and plans to incorporate the areas for improvement defined in our report. Once the automated compliance tool is fully upgraded, the Board plans to use the system as the sole FISMA information system inventory and report generating tool.
In our opinion, the actions described by the Director are responsive to our recommendation. We plan to follow up on the division’s actions to ensure that the recommendation is fully addressed.
