Department of the Treasury Federal Information Security


Audit Report
OIG-18-005
INFORMATION TECHNOLOGY: Department of the Treasury Federal Information Security Modernization Act Fiscal Year 2017 Performance Audit for Collateral National Security Systems
October 27, 2017
Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
OFFICE OF INSPECTOR GENERAL

October 27, 2017

MEMORANDUM FOR KODY KINSLEY, ASSISTANT SECRETARY FOR MANAGEMENT
ERIC OLSON, ACTING DEPUTY ASSISTANT SECRETARY FOR INFORMATION SYSTEMS AND CHIEF INFORMATION OFFICER

FROM: Larissa Klimpel /s/
Director, Cyber/Information Technology Audit

SUBJECT: Audit Report – Department of the Treasury Federal Information Security Modernization Act Fiscal Year 2017 Performance Audit for the Collateral National Security Systems

We are pleased to transmit the attached report, Department of the Treasury Federal Information Security Modernization Act Fiscal Year 2017 Performance Audit for the Collateral National Security Systems, dated October 26, 2017. The Federal Information Security Modernization Act of 2014 (FISMA) requires that Federal agencies have an annual independent evaluation performed of their information security programs and practices to determine the effectiveness of such programs and practices, and to report the results to the Office of Management and Budget (OMB). OMB delegated its responsibility to the Department of Homeland Security (DHS) for the collection of annual FISMA responses. FISMA also requires that the agency Inspector General (IG) or an independent external auditor perform the annual evaluation as determined by the IG.

To meet our FISMA requirements, we contracted with KPMG LLP (KPMG), a certified independent public accounting firm, to perform this year’s annual FISMA audit of Treasury’s collateral national security systems. In connection with our contract with KPMG, we reviewed its report and related documentation and inquired of its representatives. Our review, as differentiated from an audit performed in accordance with generally accepted auditing standards, was not intended to enable us to conclude on the effectiveness of Treasury’s information security program or its compliance with FISMA. KPMG is responsible for its report and the conclusions expressed therein.

In brief, KPMG reported that consistent with applicable FISMA requirements, OMB and the Committee on National Security Systems policy and guidance, and the National Institute of Standards and Technology standards and guidelines, Treasury established and maintained information security programs and practices for its collateral national security systems for the 5 Cybersecurity Functions and 7 FISMA program areas. However, KPMG identified 4 deficiencies within 2 of the 5 Cybersecurity Functions and within 4 of the 7 FISMA program areas. Accordingly, KPMG made 7 recommendations to address these deficiencies.

Appendix III of the attached KPMG report includes The Department of the Treasury’s Consolidated Response to DHS’s FISMA 2017 Questions for Inspectors General.

If you have any questions or require further information, you may contact me at (202) 927-0361.

Attachment

Department of the Treasury
Federal Information Security Modernization Act Fiscal Year 2017 Performance Audit for the Collateral National Security Systems
October 26, 2017
KPMG LLP
1676 International Drive, Suite 1200
McLean, VA 22102

Department of the Treasury
Federal Information Security Modernization Act Fiscal Year 2017 Performance Audit for the Collateral National Security Systems

Table of Contents

FISMA Performance Audit Report
BACKGROUND ... 5
Federal Information Security Modernization Act of 2014 (FISMA) ... 5
FY 2017 Inspector General FISMA Reporting Metrics ... 5
Federal Standards and Guidelines ... 6
Department of the Treasury Information Security Management Program ... 7
OVERALL PERFORMANCE AUDIT RESULTS ... 9
FINDINGS ... 10
1. The Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology Security Policy, Appendix B, “Classified (National Security Systems),” and Departmental Offices (DO) Collateral National Security System (NSS) System Security Plan (SSP) were not updated in accordance with Committee on National Security Systems (CNSS) No. 1253, Security Categorization and Controls Selection for National Security Systems, guidance ... 10
2. DO Collateral NSS patch management process was not compliant with the Treasury Information Technology Security Policy ... 11
3. DO collateral NSS account management activities were not compliant with its SSP policies ... 12
4. DO did not perform Business Impact Analyses (BIAs) for the DO Collateral NSS ... 13
SELF-IDENTIFIED WEAKNESSES ... 15
MANAGEMENT RESPONSE TO THE REPORT ... 16

Appendices
APPENDIX I – OBJECTIVE, SCOPE AND METHODOLOGY ... 21
APPENDIX II – STATUS OF PRIOR-YEAR FINDINGS ... 25
APPENDIX III – DEPARTMENT OF THE TREASURY’S CONSOLIDATED RESPONSE TO DHS’ FISMA 2017 QUESTIONS FOR INSPECTORS GENERAL ... 29
APPENDIX IV – GLOSSARY OF TERMS ... 59

KPMG LLP
1676 International Drive
McLean, VA 22102

The Honorable Eric Thorson
Inspector General, Department of the Treasury
1500 Pennsylvania Avenue, NW
Room 4436
Washington, DC 20220

Re: Department of the Treasury’s Federal Information Security Modernization Act Fiscal Year 2017 Performance Audit for Collateral National Security Systems

Dear Mr. Thorson:

This report presents the results of our independent performance audit of the Department of the Treasury’s (Treasury or Department) Collateral National Security Systems (NSS) information systems’ security program and practices. The Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies, including Treasury, to have an annual independent evaluation performed of their information security programs and practices to determine the effectiveness of such programs and practices, and to report the results of the evaluations to the Office of Management and Budget (OMB). OMB delegated its responsibility to the Department of Homeland Security (DHS) for the collection of annual FISMA responses. DHS prepared the FISMA questionnaire to collect these responses, which is provided in Appendix III, Department of the Treasury’s Consolidated Response to DHS’s FISMA 2017 Questions for Inspectors General, dated April 17, 2017. We also considered applicable OMB policy and guidelines, the Committee on National Security Systems (CNSS) policy and guidelines, and the National Institute of Standards and Technology (NIST) standards and guidelines. FISMA requires that the agency Inspector General (IG) or an independent external auditor, as determined by the IG, perform the annual evaluation. The Treasury Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct an audit of Treasury’s information system security program and practices for its collateral NSS.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We also followed the American Institute of Certified Public Accountants (AICPA) standards applicable to performance audits.

The objective of this performance audit was to assess the effectiveness of the Department of the Treasury’s (Treasury) information security program and practices for its collateral NSS for the period July 1, 2016 through June 30, 2017. As part of our audit, we responded to the DHS FISMA 2017 Questions for Inspectors General, dated April 17, 2017, and assessed the maturity levels on behalf of the Treasury Office of Inspector General. Additional details regarding the scope of our independent audit are included in Appendix I, Objectives, Scope and Methodology. Appendix II, Status of Prior-Year Findings, summarizes Treasury’s progress in addressing prior-year recommendations. Appendix III includes the Treasury’s Consolidated Response to DHS’ FISMA 2017 Questions for Inspectors General, and Appendix IV contains a glossary of terms used in this report.

KPMG LLP is a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.

Consistent with applicable FISMA requirements, OMB and CNSS policy and guidelines, and NIST standards and guidelines, Treasury has established and maintained its information security program and practices for its collateral NSS for the 5 Cybersecurity Functions[1] and 7 FISMA Metric Domains.[2] However, the program was not fully effective as reflected in the 4 deficiencies within 3 of the 5 Cybersecurity Functions and within 4 of the 7 FISMA program areas that we identified as follows:

Cybersecurity Function: Identify
1. The Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology Security Policy, Appendix B, “Classified (National Security Systems)” and Departmental Offices (DO) Collateral NSS System Security Plan (SSP) were not updated in accordance with CNSS No. 1253, Security Categorization and Control Selection for National Security Systems, guidance. (Risk Management)

Cybersecurity Function: Protect
2. DO Collateral NSS patch management process was not compliant with the Treasury Information Technology Security policy. (Configuration Management)
3. DO Collateral NSS account management activities were not compliant with its SSP policies. (Identity and Access Management)

Cybersecurity Function: Recover
4. DO did not perform Business Impact Analyses (BIAs) for the DO Collateral NSS. (Contingency Planning)

We made 7 recommendations related to these control deficiencies that, if effectively addressed by management, should strengthen respective bureau’s, office’s, and Treasury’s information security program. In a written response, the Acting Deputy Assistant Secretary for Information Systems and Chief Information Officer (CIO) agreed with our findings and recommendations and provided planned corrective actions that were responsive to the intent of our recommendations (see Management Response).

We caution that projecting the results of our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in technology or because compliance with controls may deteriorate.

Sincerely,

October 26, 2017

[1] OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency (CIGIE) developed the Fiscal Year (FY) 2017 IG FISMA Reporting Metrics in consultation with the Federal Chief Information Officers (CIO) Council. In FY 2017 the seven IG FISMA Metric Domains were aligned with the five functions of identify, protect, detect, respond, and recover as defined in the NIST Framework for Improving Critical Infrastructure Cybersecurity.
[2] As described in the DHS’ FY 2017 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics Version 1.0, the 7 FISMA Metric Domains are: risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning. Contractor systems metrics were consolidated into the risk management FISMA metric domain.

Department of the Treasury FISMA Fiscal Year 2017 Performance Audit for the Collateral National Security Systems

BACKGROUND

Federal Information Security Modernization Act of 2014 (FISMA)

The Federal Information Security Modernization Act of 2014, commonly referred to as FISMA, focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires Federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The act assigns specific responsibilities to agency heads and Inspectors General (IGs) in complying with requirements of FISMA. The act is supported by the Office of Management and Budget (OMB), Department of Homeland Security (DHS), agency security policy, and risk-based standards and guidelines published by the National Institute of Standards and Technology (NIST) related to information security practices.

FISMA defines a National Security System (NSS) as any information system used or operated by an agency or by a contractor of an agency where the function, operation, or use of that system (1) involves intelligence activities, (2) involves cryptological activities related to national security, (3) involves command and control of military forces, (4) involves equipment that is an integral part of a weapon or weapon system, or (5) is critical to the direct fulfillment of military or intelligence missions. This report contains the evaluation of the Treasury’s information security program and practices for its collateral NSS, which are NSS that do not deal with intelligence. The audit of the Treasury’s intelligence NSS will be reported separately by the Treasury Office of Inspector General (OIG).

FY 2017 Inspector General FISMA Reporting Metrics

For Fiscal Year (FY) 2017, OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency (CIGIE) implemented changes to the IG FISMA Reporting Metrics to organize them around the five information security functions outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework): Identify, Protect, Detect, Respond, and Recover. In addition, CIGIE implemented maturity models for Risk Management (RM), Configuration Management (CM), Identity and Access Management (IA), Security Training (ST), and Contingency Planning (CP), which are similar to the Information Security Continuous Monitoring (ISCM) and Incident Response (IR) maturity models that were instituted in FY 2015 and FY 2016, respectively. Table 1 shows the alignment between the Cybersecurity Framework and the FISMA Metric Domains.

Table 1. Alignment of the Cybersecurity Framework Security Functions with the FY 2017 IG FISMA Metric Domains

Cybersecurity Framework Security Function | FY 2017 IG FISMA Metric Domains
Identify | Risk Management[3]
Protect | Configuration Management; Identity and Access Management; Security Training
Detect | Information Security Continuous Monitoring
Respond | Incident Response
Recover | Contingency Planning

In the past, the ISCM and IR models had maturity levels for people, process, and technology. In FY 2017, CIGIE eliminated specific people, process, and technology elements and instead issued specific questions. These models have five levels: ad-hoc, defined, consistently implemented, managed and measurable, and optimized. The introduction of the 5-level maturity model is a deviation from previous DHS guidance over the CyberScope questions. As such, a year-to-year comparison of FISMA compliance may not be feasible due to the fundamental change in how CyberScope is scored and evaluated.

Federal Standards and Guidelines

Except for systems that meet FISMA’s definition of NSS, the Secretary of Commerce is responsible for prescribing standards and guidelines pertaining to federal information systems based on standards and guidelines developed by NIST. The Committee on National Security Systems (CNSS), and Federal agencies that operate systems falling within the definition of NSS, provide security standards and guidance for NSS. CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, states that the controls described in NIST Special Publication (SP) 800-53, Revision (Rev.) 4, April 2013, Security and Privacy Controls for Federal Information Systems and Organizations, shall apply to all NSS. In addition, FISMA requires that NIST provide information security controls guidance for systems identified as NSS. Treasury used NIST SP 800-59, Guideline for Identifying an Information System as a National Security System (August 2003), to identify its two collateral systems.

Treasury is responsible for implementing policies, procedures, and control techniques for its collateral NSS based on guidance from CNSS. Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology Security Policy, Appendix B, “Classified (National Security Systems),” provides Treasury security policy and standards for all systems that process or communicate classified national security information.

We reviewed both of the collateral NSS; one managed by the Departmental Offices (DO) and one managed by the Bureau of Engraving and Printing (BEP).

[3] FY 2017 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V.1.0, April 17, 2017. In 2017, Contractor Systems was included as part of the Risk Management FISMA metric domain.

Department of the Treasury Information Security Management Program

Treasury Office of the Chief Information Officer

The Treasury Chief Information Officer (CIO) is responsible for providing Treasury-wide leadership and direction for all areas of information and technology management, as well as the oversight of a number of IT programs. Among these programs is Cyber Security, which has responsibility for the implementation and management of Treasury-wide IT security programs and practices. Through its mission, the Office of the Chief Information Officer (OCIO) Cyber Security Program develops and implements IT security policies and provides policy compliance oversight for both unclassified and classified systems managed by each of Treasury’s bureaus. The OCIO Cyber Security Program’s mission focuses on the following areas:

1. Cyber Security Policy – Manages and coordinates Treasury’s cyber security policy for sensitive (unclassified) systems throughout Treasury, assuring these policies and requirements are updated to address today’s threat environment, and conducts program performance, progress monitoring, and analysis.
2. Performance Monitoring and Reporting – Implements collection of Federal and Treasury-specific security measures and reports those to national authorities and in appropriate summary or dashboard form to senior management, IT managers, security officials, and bureau officials. For example, this includes preparation and submission of the annual FISMA report and more frequent continuous monitoring information through CyberScope.
3. Cyber Security Reviews – Conducts technical and program reviews to help strengthen the overall cyber security posture of the Treasury and meet their oversight responsibilities.
4. Enterprise-wide Security – Works with Treasury’s Government Security Operations Center to deploy new Treasury-wide capabilities or integrate those already in place, as appropriate, to strengthen the overall protection of the Treasury.
5. Understanding Security Risks and Opportunities from New Technologies – Analyzes new information and security technologies to determine risks (e.g., introduction of new vulnerabilities) and opportunities (e.g., new means to provide secure and original functionality for users). OCIO seeks to understand these technologies, their associated risks and opportunities, and share and use that information to Treasury’s advantage.
6. Treasury Computer Security Incident Response Capability (TCSIRC) – Provides incident reporting with external reporting entities and conducts performance monitoring and analyses of the Computer Security Incident Response Center (CSIRC) within Treasury and each bureau’s CSIRC.
7. National Security Systems – Manages and coordinates the Treasury-wide program to address the cyber security requirements of national security systems through the development of policy and program or technical security performance reviews.
8. Cyber Security Sub-Council (CSS) of the CIO Council – Operates to serve as the formal means for gaining bureau input and advice as new policies are developed, enterprise-wide activities are considered, and performance measures are developed and implemented; provides a structured means for information-sharing among the bureaus.

The Treasury CIO has tasked the Associate Chief Information Officer for Cyber Security (ACIOCS) with the responsibility of managing and directing the OCIO’s Cyber Security program, as well as ensuring compliance with statutes, regulations, policies, and guidance. In this regard, Treasury Directive Publication (TD P) 85-01, Appendix B, serves as the Treasury IT security policy to provide for information security for all information and information systems that support the mission of the Treasury, including those operated by another Federal agency or contractor on behalf of the Treasury. In addition, as OMB periodically releases updates/clarifications of FISMA or as NIST releases updates to publications, the ACIOCS and the Cyber Security Program have responsibility to interpret and release updated policy for the Treasury. The ACIOCS and the OCIO’s Cyber Security Program are also responsible for promoting and coordinating a Treasury IT security program, as well as monitoring and evaluating the status of Treasury’s IT security posture and compliance with statutes, regulations, policies, and guidance. Lastly, the ACIOCS has the responsibility of managing Treasury’s IT Critical Infrastructure Protection (CIP) program for Treasury IT assets.

Bureau CIOs

Organizationally, Treasury has established a Treasury CIO and bureau-level CIOs. The bureau-level CIOs are responsible for managing the IT security program for their respective bureau, as well as advising the bureau head on significant issues related to the bureau IT security program. The CIOs also have the responsibility for overseeing the development of procedures that comply with the Treasury OCIO’s policy and guidance and federal statutes, regulations, policy, and guidance. The bureau Chief Information Security Officers (CISO) are tasked by their respective CIOs to serve as the central point of contact for the bureau’s IT security program, as well as to develop and oversee the bureau’s IT security program. This includes the development of policies, procedures, and guidance required to implement and monitor the bureau IT security program.

Department of the Treasury – Bureau OCIO Collaboration

The Treasury OCIO has established the CIO CSS, which is co-chaired by the ACIOCS and a bureau CIO. The CSS serves as a mechanism for obtaining bureau-level input and advises on new policies, Treasury IT security activities, and performance measures. The CSS also provides a means for sharing IT security-related information among bureaus. Included on the CSS are representatives from the OCIO and bureau CIO organizations.

OVERALL PERFORMANCE AUDIT RESULTS

Consistent with applicable Federal Information Security Modernization Act of 2014 (FISMA) requirements, Office of Management and Budget (OMB) policy, the Committee on National Security Systems (CNSS) policy and guidance, and National Institute of Standards and Technology (NIST) standards and guidelines, Treasury established and maintained its information system security program and practices for its collateral national security systems (NSSs) for the 5 Cybersecurity functions and 7 FISMA metric domains. The FISMA program areas are outlined in the FY 2017 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics Version 1.0 and were prepared by the DHS Office of Cybersecurity and Communications Federal Network Resilience. The 7 program areas are Risk Management, Configuration Management, Identity and Access Management, Security Training, Information Security Continuous Monitoring, Incident Response, and Contingency Planning. However, while the security program has been implemented across Treasury for both its collateral NSS, it was not fully effective as we identified 4 deficiencies in 3 of the 5 Cybersecurity Functions (identify, protect, detect, respond, and recover) and 4 out of the 7 FISMA program areas (risk management, configuration management, identity and access management, and security training) that needed improvement.

We have made 7 recommendations that, if effectively addressed by management, should strengthen respective bureau’s, office’s, and Treasury’s information system security programs. The Findings section of this report presents the detailed findings and associated recommendations. Additionally, we evaluated prior-year findings from the fiscal year (FY) 2016 FISMA performance audit and noted that management closed 5 of 6 findings. See Appendix II, Status of Prior-Year Findings, for additional details.

In a written response to this report, the Acting Deputy Assistant Secretary for Information Systems and Chief Information Officer agreed with our findings and recommendations (see Management Response).

FINDINGS

1. The Treasury Directive Publication (TD P) 85-01, Department of the Treasury Information Technology Security Policy, Appendix B, “Classified (National Security Systems),” and Departmental Offices (DO) Collateral National Security System (NSS) System Security Plan (SSP) were not updated in accordance with Committee on National Security Systems (CNSS) No. 1253, Security Categorization and Controls Selection for National Security Systems, guidance.

The CNSS Instruction No. 1253, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 4, Security and Privacy Controls for Federal Information Systems and Organizations, and the TD P 85-01, Appendix B, require the organization to develop a security plan for the information system that is consistent with the organization’s enterprise architecture, provides an overview of the security requirements for the system, identifies any relevant overlays, if applicable, and describes the security controls in place, or planned, for meeting those requirements, including a rationale for tailoring and supplementation decisions. This control falls under the Identify Cybersecurity area and the Risk Management Federal Information Security Modernization Act of 2014 (FISMA) Metric Domain. We noted the following:

- Office of the Chief Information Officer (OCIO) management did not ensure that the TD P 85-01, Appendix B, was updated to address all of the applicable CNSS Instruction No. 1253 and NIST SP 800-53, Rev. 4, baseline control enhancements. Specifically, KPMG noted that two control enhancements were omitted. Due to lack of oversight, OCIO management did not include all required control enhancements within the minimum security baseline for NSS. The lack of documented security control requirements and control enhancements increases the risk that the controls are implemented in a manner that does not align to the organizational risk tolerance. Thus, the organization is susceptible to risk it is not willing to accept. (See recommendations #1 & 2.)

- Through inspection of the DO Collateral NSS System Security Plan (SSP), we found that the SSP lacked sufficient descriptions regarding the implementation of each TD P 85-01 security control. Specifically, we determined the security control implementation was not defined for any security control in accordance with the TD P 85-01, CNSS Instruction No. 1253, and NIST SP 800-53, Rev. 4, guidance. Due to competing priorities and change in personnel, DO management did not place emphasis on updating the DO Collateral NSS SSP to address how the security controls are implemented within the DO Collateral NSS environment. SSPs document the security controls implemented within the DO Collateral NSS environment. Incomplete documentation in the SSP regarding how each security control is implemented, or planned to be implemented, increases the risk of misunderstanding how system controls are implemented, potentially leading to a false sense of security. (See recommendation #3.)

We recommend that the Acting Deputy Assistant Secretary for Information Systems and CIO ensure that DO management do the following:

1. Update the TD P 85-01, Appendix B, for NSS, to address all CNSS Instruction No. 1253 and NIST SP 800-53, Rev. 4, control requirements and control enhancements.

Management Response: Treasury management will ensure the TD P85-01 Appe
