FISMA requires agencies to perform periodic testing and evaluation of the effectiveness of their information security policies, procedures, and practices. To implement this requirement, guidance issued by the National Institute of Standards and Technology (NIST) and DHS focuses on the process of ISCM to support ongoing system authorization. Specifically, ISCM is defined as the process of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk-management decisions. NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137) notes that ISCM can be efficiently performed using both manual and automated processes. In particular, SP 800-137 emphasizes that automation can enable greater consistency and reliability of ISCM through ongoing security control assessments, reporting of security status, and the collection of security metrics across the organization.
To supplement NIST guidance on ISCM, the Federal CIO Council issued the United States Government Concept of Operations for Information Security Continuous Monitoring (ConOps) in October 2013. The ConOps provides a roadmap for the realization and operationalization of ISCM throughout the federal government using a three-phased approach to be implemented by fiscal year 2017. The phased approach includes performing ISCM for local computing devices (e.g., servers, clients, and the applications that run on them), the network and infrastructure (e.g., routers, switches), and the organization's enclave boundary (e.g., firewalls and remote access connections at the point at which information enters or leaves the organization's network).
The ConOps outlines three options for agencies to implement ISCM: (1) a "do-it-yourself" approach using commercial off-the-shelf or government off-the-shelf tools; (2) the DHS Continuous Diagnostics and Mitigation program; and (3) a hybrid approach combining the first two options. The ConOps notes that agencies should evaluate the pros and cons of each option and consider various criteria, including return on investment, privacy/security concerns, and flexibility, when selecting an implementation strategy.
Our 2013 FISMA audit included a recommendation that the CIO strengthen the CFPB's ISCM program by (1) defining and implementing performance measures to facilitate decisionmaking and improve performance of the agency's continuous monitoring program and (2) identifying additional automated tools to assess security controls and analyze and respond to the results of continuous monitoring activities. In 2014, we found that the CIO has taken several steps to implement an ISCM program that is consistent with SP 800-137 and to respond to our recommendation. For instance, the CFPB is performing ongoing assessment and reporting of security control status for the agency's systems. As part of this process, the agency is tracking performance measures related to the implementation status of security controls. In addition, the CIO has identified a number of tools to assess controls and analyze and respond to the results of continuous monitoring activities. As such, we are closing our continuous monitoring recommendation from last year.
The CIO has recently procured an automated solution to support ISCM activities and security control assessments; however, this tool has not yet been fully implemented across the CFPB. Currently, components of the CFPB's ISCM program rely on manual and labor-intensive processes. For instance, to complete ongoing control assessments, the CFPB's Cybersecurity Office must first individually reach out to system security officials across the agency to schedule testing activities based on the frequencies established in the agency's ISCM strategy. Security officials provide testing results in spreadsheets, which are then manually analyzed and compiled into a monthly report for review by senior management. Due to the manual nature of this process, the CFPB may not be able to provide timely reporting on control effectiveness to senior management. We believe that full implementation of the procured automated solution will provide the CIO with more comprehensive and timely information to make risk-based decisions.
We also found that the CFPB has not formally evaluated and selected how the agency plans to implement ISCM in accordance with the ConOps. One reason is that the CFPB is in the process of transitioning several information technology and telecommunications services from Treasury that will impact this decision. CFPB officials informed us that the agency plans to transition these activities from Treasury by the end of 2014. We believe that by evaluating the ISCM implementation options outlined in the ConOps, the agency will be better informed of the appropriate steps necessary to implement its ISCM strategy.
We recommend that the CIO
In response to recommendation 1, the CIO concurred with our recommendation and stated that the CFPB plans to continue to develop and improve its ISCM automated capabilities.
In response to recommendation 2, the CIO concurred with our recommendation and stated that the agency has taken action to align its ISCM implementation strategy with the ISCM options and guidance outlined in the ConOps.
In our opinion, the actions described by the CIO are responsive to our recommendations. We plan to follow up on the actions to ensure that the recommendations are fully addressed.
From an information security perspective, configuration management refers to establishing and maintaining the integrity of products and systems through control of the processes for initializing, changing, and monitoring their security configurations. FISMA requires agencies to develop and ensure compliance with minimally acceptable security configurations. Best practices for security-focused configuration management programs are outlined in NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems (SP 800-128). SP 800-128 notes that federal agencies should develop and implement common, secure configuration settings for information systems and a robust patch management process to reduce vulnerabilities. SP 800-128 further states that agencies should develop a configuration management plan to describe how these processes will be managed across the organization.
Our 2013 FISMA audit included a recommendation that the CIO develop and implement an organization-wide configuration management plan and a consistent process for patch management. In 2014, we found that the CFPB continues to mature its configuration management program. For instance, the CIO finalized an organization-wide patch management policy to ensure that software patches are installed in a safe and timely manner. As we noted last year, the CIO has also implemented processes and automated tools to assess configuration settings, manage security baseline deviations, and ensure that the security impact of configuration changes is assessed and approved. In addition, as part of our vulnerability scanning of two select CFPB systems, we noted improvements in the implementation of the CFPB's security configuration settings and installation of patches at the operating system level.
As part of our follow-up work to our 2013 FISMA audit recommendations, we found that the CIO has not yet developed and implemented an organization-wide configuration management plan, nor has the CIO fully implemented the recently issued patch management policy. Specifically, our 2014 security control reviews of two CFPB systems identified improvements needed in the patching and secure configuration of database and application servers. In addition, we identified application user and system accounts that were granted privileges beyond those that were required. A contributing factor for these issues was that the CFPB has not yet implemented security tools to periodically check for database and application-level misconfigurations. Our specific recommendations for these two CFPB systems will be transmitted under separate, restricted cover.
As we noted in 2013, the full implementation of an organization-wide configuration management plan and consistent patch management process can help ensure that all components of CFPB systems are securely configured. We will leave this recommendation open and continue to follow up on the CIO's actions as part of our future FISMA audits. In addition, we believe that the implementation of additional automated tools and a process to periodically assess and manage database and application-level security misconfigurations can help ensure the confidentiality, integrity, and availability of CFPB systems.
We recommend that the CIO
The CIO concurred with our recommendation and stated that plans to continue the evolution of vulnerability management in the enterprise are underway and are on track for further improvements in FY 2015.
In our opinion, the actions described by the CIO are responsive to our recommendation. We plan to follow up on the actions to ensure that the recommendation is fully addressed.
FISMA requires agencies to develop and implement procedures for detecting, reporting, and responding to security incidents, including mitigating risks of such incidents before substantial damage is done. Best practices for establishing incident detection, reporting, and response capabilities are outlined in NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide (SP 800-61). SP 800-61 states that agencies should create an incident response policy, plan, and procedures. Further, given the multitude of sources and signs of incident activity occurring in organizations' information systems, SP 800-61 emphasizes the importance of using automated correlation and centralized logging tools to analyze incident data. Correlating events among multiple indicator sources can be valuable in detecting whether a particular incident occurred as well as in mitigating risks before substantial damage is done.
Our 2013 FISMA audit included a recommendation that the CIO ensure that audit logs and security incident information from all relevant sources are centrally tracked, analyzed, and correlated. This year, we found that the CFPB continues to take steps to strengthen its capability to detect, report, and respond to security incidents. For instance, the CIO is in the process of procuring an automated solution to perform centralized audit monitoring and incident correlation functions. In addition, CFPB officials informed us that the agency has established a security operations center, as well as relationships with federal incident coordination entities, as the agency prepares for the migration of its wide area network from Treasury.
As part of our follow-up work to our 2013 FISMA audit, we found that the CFPB has not yet developed a capability to correlate audit log and security incident information. As we noted last year, centrally analyzed and correlated information on incident activity will help ensure that the CFPB can fully detect and respond to information security incidents in a timely manner. We will leave our 2013 recommendation open in this area and continue to follow up on the CIO's actions as part of our future FISMA audits.
FISMA requires agencies to provide security awareness training to all information system users and role-based security training to individuals with significant security responsibilities. The primary difference between security awareness training and role-based training is that the former is geared toward focusing all users on overall information security policies, while the latter is geared toward teaching information security skills needed to perform specific information technology functions. Best practices for developing and implementing a security training program are outlined in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (SP 800-50). SP 800-50 highlights the important role that training plays in ensuring the effective implementation of an agency's information security program and notes that individuals with significant security responsibilities include system and network administrators, security program managers, and security officers. SP 800-50 also identifies four critical steps in the life cycle of an information technology security awareness and training program. These steps are program design, material development, program implementation, and post-implementation.
Our 2013 FISMA audit included a recommendation that the CIO design, develop, and implement a role-based security training program for individuals with significant information security responsibilities. We also noted that the CFPB had developed and implemented a security awareness training program that was consistent with SP 800-50 and other best practices. This year, we found that the CFPB continues to conduct information security awareness training sessions every two weeks, provides security awareness training in new hire briefings, and provides ongoing security awareness updates on the agency's intranet site and other internal mediums. In addition, the CIO has taken several steps to design and develop a role-based security training program. For instance, the CIO has developed a draft policy detailing the individuals requiring role-based training, along with a specific curriculum for each role. The CFPB is also piloting an automated solution designed to offer and track role-based training for employees and contractors.
As part of our follow-up work to our 2013 FISMA audit, we found that the CIO has not yet fully implemented a role-based security training program. As we noted last year, a role-based security training program will help provide the CFPB with assurance that employees and contractor staff with significant security responsibilities have adequate knowledge and expertise to ensure the effective and efficient implementation of the agency's information security program. We will leave our 2013 recommendation regarding the implementation of a role-based security training program open and continue to follow up on the CIO's actions as part of our future FISMA audits.