Skip to Navigation
Skip to Main content
OIG Home
OIG Home

IN THIS SECTION

Skip SHARE THIS PAGE section Skip STAY CONNECTED section

Board Report: 2014-IT-B-021 December 18, 2014

Opportunities Exist to Improve the Operational Efficiency and Effectiveness of the Board's Information Security Life Cycle

available formats

Finding 2: BISP Policies and Procedures Are Not Consistently Updated

We found that the ISO developed a program to implement the requirements of NIST’s RMF and issued the Risk Management Program and Risk Assessment Standard document in June 2014. The document, however, is not intended to include all of the recommended NIST requirements. Some of the processes are documented in BISP appendixes, but the appendixes have not been updated to reflect the new RMF process as well as new NIST guidance. ISCU staff stated that IT policy updates, including to the BISP, occur every three years, but due to other priority compliance matters as well as limited staff, the BISP has not been updated. Without up-to-date guidance, individuals responsible for managing Board systems may be unaware of their roles and responsibilities.

BISP Policies Have Not Been Updated to Reflect All Components of the New RMF

As previously noted, SP 800-37 transformed the traditional certification and accreditation process into the six-step RMF. SP 800-37 outlines risk management tasks that begin early in the system development life cycle and are important in shaping the security capabilities of the information system. If these tasks are not adequately performed during the initiation, development, and acquisition phases of the system development life cycle, the tasks will, by necessity, be undertaken later in the life cycle and be more costly to implement.

To bring the Board’s program into compliance with NIST guidance, the ISO has developed and finalized the Risk Management Program and Risk Assessment Standard, which covers the enterprise, business, and information system level risks. This document is not intended to include all recommended NIST requirements and relies on previously established components of the BISP; however, these appendixes and templates have not been updated to reflect the changes in the new standard.

For example, the Board’s Appendix H—Certification & Accreditation Standard addresses several SP 800-37–recommended tasks included in the Board’s RMF, such as common control identification, security control implementation, assessment preparation, and ongoing control assessments; however, this appendix also includes processes of the prior certification and accreditation program. Because the Risk Management Program and Risk Assessment Standard was issued without concurrent full updates of the BISP policy document and its appendixes, system owners may follow outdated procedures.

In addition to issuing the Risk Management Program and Risk Assessment Standard, the ISO has started transitioning some BISP processes from appendixes and templates to standalone documents. The ISO recently finalized several standalone procedure documents, including the Inventory Standard; however, the BISP policy document has not been updated since 2010. Appendix H was also last updated in 2010 to fully reflect the program changes, even though NIST subsequently issued additional guidance around the certification and accreditation process. Without proper alignment with NIST guidance, individuals responsible for managing Board systems may be unaware of their roles and responsibilities. Further, the Board will not have assurance that its information systems will be appropriately managed throughout their life cycle, which could lead to security risks.

In 2014, NIST issued Supplemental Guidance on Ongoing Authorizations, which states that when an RMF has been effectively applied across an organization and the organization has effectively implemented a robust ISCM program, organizational officials, including authorizing officials, are provided with a view of the organizational security and risk posture, and each information system’s contribution to that security and risk posture, on demand. Thus, organizational information systems may move from a static, point-in-time authorization process to a dynamic, near-real-time ongoing authorization process.

Without up-to-date guidance, individuals responsible for managing Board systems may be unaware of their roles and responsibilities, which could lead to noncompliance with federal regulations and limit the effectiveness of the authorization process. ISCU staff stated that information technology policies are updated every three years, but due to other priority compliance matters and staffing limitations, the BISP has not been updated.

Recommendation

We recommend that the CIO

  1. Perform a thorough reconciliation between the existing policy documents and the new Risk Management Program and Risk Assessment Standard to determine which processes remain relevant and update the applicable policy documents.

Management’s Response

The Director of the Division of Information Technology stated that for the 2015 FISMA program year, the ISCU plans on performing a reconciliation between existing policy documents and will look for opportunities to consolidate or provide further clarification to current policies and procedures.

OIG Comment

In our opinion, the actions described by the Director are responsive to our recommendation. We plan to follow up on the division’s actions to ensure that the recommendation is fully addressed.