US Department of Justice Court Proceedings - 11172005 notice
8/14/2019 US Department of Justice Court Proceedings - 11172005 notice
1/235
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

ELOUISE PEPION COBELL, et al., Plaintiffs,
v.
GALE NORTON, et al., Defendants.

No. 1:96CV01285 (Judge Lamberth)
FILED UNDER SEAL

DEFENDANTS' NOTICE OF FILING OF THE DEPARTMENT OF THE INTERIOR'S FISCAL YEAR 2005 FISMA REPORTS AND IG REPORT ON THE POA&M PROCESS
Defendants hereby submit the 2005 Federal Information Security Management Act ("FISMA") reports from the Secretary of the Department of the Interior and the Department of the Interior's Office of the Inspector General ("OIG"), as well as the proposed redactions thereto. In addition, Defendants submit the OIG's report concerning the Department of the Interior's Plan of Actions and Milestones ("POA&M") process. Defendants submit the reports and proposed redactions pursuant to the Court's April 22, 2005 Protective Order.

Dated: November 17, 2005

Respectfully submitted,

ROBERT McCALLUM, JR.
Associate Attorney General
PETER D. KEISLER
Assistant Attorney General
STUART E. SCHIFFER
Deputy Assistant Attorney General
J. CHRISTOPHER KOHN
Director
/s/ Robert E. Kirschman, Jr.
ROBERT E. KIRSCHMAN, JR. (D.C. Bar No. 406635)
Assistant Director
GLENN D. GILLETT
Trial Attorney
Commercial Litigation Branch
Civil Division
P.O. Box 875, Ben Franklin Station
Washington, D.C. 20044-0875
Telephone: (202) 307-0494
Facsimile: (202) 514-7162
-2-
CERTIFICATE OF SERVICE
I hereby certify that, on November 17, 2005, a copy of the foregoing Defendants' Notice of Filing of the Department of the Interior's Fiscal Year 2005 FISMA Reports and IG Report on the POA&M Process in PDF format on CD was served upon:

Dennis M. Gingold, Esq.
Mark K. Brown, Esq.
Elliot Levitas, Esq.
607 - 14th Street, NW, 9th Flr.
Washington, DC 20005

and, without under seal attachments, on the following who is not registered for Electronic Case Filing, by facsimile:

Earl Old Person (Pro se)
Blackfeet Tribe
P.O. Box 850
Browning, MT 59417
Fax (406) 338-7530

/s/ Kevin P. Kingston
Kevin P. Kingston
THE SECRETARY OF THE INTERIOR
WASHINGTON

OCT 14 2005

The Honorable Joshua B. Bolten
Director
Executive Office of the President
Office of Management and Budget
Washington, D.C. 20503

Dear Mr. Bolten:

The Department of the Interior (DOI) provides the enclosed information technology (IT) compliance report, prepared using the guidance contained in the Office of Management and Budget (OMB) memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act, June 15, 2005. The annual report includes both the views of the agency Chief Information Officer (CIO) and the Inspector General (IG), a discussion on the differences between those perspectives, and the new privacy requirements.

Interior made significant progress in improving its overall security posture in FY 2005, in spite of the extraordinary burden placed on Interior by the ongoing Cobell v. Norton litigation. In the Cobell case, we produced over 4 1/2 million pages of documentation, and testified throughout a 59 day evidentiary hearing. The significant demands on us to respond to the court impacted the annual FISMA evaluation, causing delays and limitations for both the CIO's staff and the IG's staff.

I would like to highlight the following progress made in FY 2005:

* DOI made progress toward consolidating 13 networks into a single Departmental Enterprise Services Network (ESN). Three remaining bureau networks are targeted for consolidation this month.
* The ESN architecture includes robust network perimeter security controls and enables Interior to manage perimeter controls more consistently, effectively, and cost-efficiently.
* The Department is maintaining a continuous monitoring program as part of the Certification and Accreditation (C&A) processes. This includes:
  o independent third-party review of C&A packages;
  o routine automated vulnerability scanning and remediation of identified weaknesses;
  o internal and external penetration testing of networks and major
Mr. Joshua B. Bolten                                   Page 2

* OMB rated DOI's Enterprise Architecture (EA) the highest among the 25 EA programs reviewed. The DOI EA was noted as incorporating a security standards profile, and aligned to the Technical Reference Model.
* The Department entered into an agreement with USALearning.gov to deliver a standardized curriculum for individuals with significant IT security roles.
* The DOI CIO contracted an independent IT security assessment to evaluate DOI against the myriad of security policies and guidance. We are pleased to report 3.63 maturity level out of 5 from this assessment.

IT security has been, and will continue to be, one of my highest priorities, as evidenced by the major improvements made throughout the DOI this past year. This progress builds on accomplishments of the past. In June 2004, the IG concluded "the DOI POA&M process is effective and satisfies the pertinent Federal guidance." The IG's FY 2004 report considered Interior's C&A process as being satisfactory. The percentage of IT systems certified and accredited increased from 83 percent for FY 2004 to over 98 percent in FY 2005. With better accountability and standardization, DOI, and ultimately the taxpayers, avoided $17 million in C&A costs. We are pleased with the return on the investment OMB and Congress authorized in our FY 2004 budget and sustained in FY 2005. In FY 2005, the IG appropriately raised the bar for evaluating the security program, based on DOI's increased maturity in the program. I support his efforts and his resources have increased to enable measurements against these higher standards. Our collaborative efforts in monitoring our systems through exhaustive penetration testing illustrate our commitment to maintaining a constantly improving C&A process.

We recognize that the C&A process is not perfect, particularly in light of the many new or revised standards published by National Institute of Standards and Technology (NIST) within the past year, some of which are still in draft. We recognize that C&A is primarily a process of risk management, requiring application of considerable subjective judgment. Without clear criteria for reporting, the ambiguity leads to subjectivity based on individual perspectives. In preparing this year's report, I am struck by how strongly this subjectivity is impacted by the role of two key executives at DOI: the IG and
the CIO. Your guidance for the FY 2005 report asks that I include an analysis of the differences between the CIO's report and the IG's. I hope you will find this useful in reducing the ambiguity of future reporting, and to more fully understand the perspectives presented. Through consistent reporting standards, we can arrive at a fair comparison of government security progress and deficiencies, and achieve or exceed the benchmark leading to adequate security.

I understand the IG's opinion that the IT security at DOI is not perfect, that risks and vulnerabilities still remain and improvements need to be made. From this he concludes DOI has significant weaknesses in complying with FISMA. From this perspective, the IG tempered the scores on his report by any weakness seen:

[Footer: REDACTED PUBLIC VERSION. Subject to Protective Order Regarding I-T Security Information (Dkt. No. 2937) (Filed April 22, 2005). Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports. DOI's FY 2005 FISMA Report, Page 2 of 37]
Mr. Joshua B. Bolten                                   Page 3

* where a C&A package did not contain all required elements clearly presented, it was not counted as a valid package;
* problems in the POA&M process were included in the IG report dated September 23, 2005, even though subsequently corrected, because the corrections had not been verified by the OIG; and
* any deviations from policy or procedures were reported as an inconsistent and ineffective policy overall.

The IG's perspective can be supported by the language of the OMB and NIST requirements. It is consistent with the IG's role of being DOI's watch dog - who clearly needs to warn of any potential risks, regardless of the weight or costs. The CIO believes the IG's responses to several of the questions in the FY 2005 reporting template exceed the basic requirements of FISMA and do not take into account improvements made during the year in response to the testing the IG conducted.

I have confidence in the CIO's opinion that, while IT security at DOI is not perfect, risks and vulnerabilities still remain, and improvements need to be made, nonetheless, the policies and processes to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA. From this perspective, when weaknesses are found, DOI corrects them and takes credit for having done so. Based on extensive reviews of the IT security program, the CIO believes these corrective actions have generally been completed, sufficient to meet the basic requirements of FISMA. As required by FISMA, remaining problems are being addressed through the POA&M process.

The CIO perspective is clearly supported by the language of the OMB and NIST requirements. It is also consistent with the CIO's role, which requires him to balance risks to DOI's information assets with the costs to address those risks. The CIO also appropriately relies on the determinations of competent accountable officials, including the IG. The CIO points out that Interior was successful in thwarting over 353 million potential incidents in contrast to only 33 incidents that could not be prevented, as reported during our last quarterly reporting period. None of the successful incidents have
Section B: Chief Information Officer. Questions 1, 2, 3, and 4.
Agency Name: U.S. Department of the Interior

Questions 1 and 2

1. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of information systems used or operated by your agency, and the number of information systems used or operated by a contractor of your agency or other organization on behalf of your agency.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
1) Continue to use NIST Special Publication 800-26, or,
2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency, therefore, self reporting by contractors does not meet the requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

FIPS 199, Federal Information Processing Standard, was published in February 2004. If there are systems which have not yet been categorized, or the risk impact level is determined through another method, please explain below in item (d).

a. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the Total Number of Systems, identify the number of systems which have: a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year. Contingency planning is a requirement for certification and accreditation, with annual contingency plan testing required thereafter. If the number of systems with full certification and accreditation is higher than the number of systems with a tested contingency plan, please explain.
[Table for Questions 1 and 2, by bureau and FIPS 199 risk impact level. Question 1 columns: (a) FY 05 agency systems, (b) FY 05 contractor systems, (c) FY 05 total number of systems, each as total number and number reviewed. Question 2 columns: number and percentage of systems (a) certified and accredited, (b) for which security controls have been tested and evaluated in the last year, and (c) for which contingency plans have been tested in accordance with policy and guidance. The bureau rows and tabulated values are not legible in the scanned copy.]
Section B: Chief Information Officer. Question 5.
Agency Name: U.S. Department of the Interior

Question 5

Information gathered in this question will be forwarded to the Department of Homeland Security for validation.

For each category of incident listed: identify the total number of successful incidents in FY05, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category e. "Other". If appropriate or necessary, include comments in the area provided below.

5. Number of Incidents, by category:

  Type of Incident               Reported internally     Reported to US-CERT     Reported to law enforcement
                                 (Number of Incidents)   (Number of Incidents)   (Number of Incidents)
  a. Unauthorized Access                 23                      22                       2
  b. Denial of Service (DoS)              2                       2                       0
  c. Malicious Code                     191                     171                       1
  d. Improper Usage                      34                      28                       4
  e. Other                               36                      28                       3
  Totals:                               286                     251                      10

Comments:
Section B: Questions 6 and 7

Question 6

6. Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities? Yes or No.

  a. Total number of employees in FY05
  b. Number of employees that received IT security awareness training in FY 05, as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (October 2003) (Number, Percentage)
  c. Total number of employees with significant IT security responsibilities
  d. Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (April 1998) (Number, Percentage)
  e. Total costs for providing IT security training in FY05 (in $'s)

  a.        b. Number   b. Percentage   c.      d. Number   d. Percentage   e.
  84,159    82,848      98.44%          2611    1736        66.49%          $1,340,487

Briefly describe the training provided in b. and d.: Employees are trained by using a comprehensive DOI University online system. The training covers a broad range of IT security subjects including access controls, passwords, malicious code (viruses), DOI Policy and Federal Regulations. Central reporting is built into the system and provides compliance tracking by bureaus and offices. Specialized training for those with "significant security responsibilities" includes certification courses, industry and vendor training classes; internal briefings and awareness seminars (for designated authorities, senior management, technical staff, and security representatives); DOI IT security team meeting training sessions; and online continuing education.

Comments: DOI has taken steps to enhance IT security training in FY 2005 by contracting with USALearning.gov to provide role based training for bureaus and offices. The curriculum provides specialized training modules geared towards DAAs, system owners, ISSOs, and network, database, and system administrators. This will undoubtedly raise Interior's compliance levels with respect to training those "with significant IT security responsibilities". In FY 2005, the CIO and CISO provided C&A training to the Secretary and other senior management officials having DAA responsibilities. This role-based training included a review of the C&A process and the responsibilities of the DAAs, Certifying Officials, ISSOs and other individuals assigned C&A roles and responsibilities. The Bureau IT Security Managers (BITSMs) are constantly engaging in external training and certification. Over 80 IT staff, including BITSMs and some of their security staff, have achieved certifications as Certified Information Systems Security Professionals (CISSP). In addition, eight employees recently achieved certification as Certification and Accreditation Professionals (CAP). These eight individuals are among the first in the country to receive such certification. It's important to note that the 84,159 reported in a. includes ALL employees and contractors (per instructions). A percenta

6.e. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? Yes or No. Yes
Question 7
Section B: Chief Information Officer. Questions 8, 9, and 10.
Agency Name: U.S. Department of the Interior

Question 8

8.a. Is there an agency wide security configuration policy? Yes or No. Yes
Comments: Policy Directive Issued by the Office of the Chief Information Officer

8.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

Response choices for the extent of implementation include:
- Rarely, or, on approximately 0-50% of the systems running this software
- Sometimes, or on approximately 51-70% of the systems running this software
- Frequently, or on approximately 71-80% of the systems running this software
- Mostly, or on approximately 81-95% of the systems running this software
- Almost Always, or on approximately 96-100% of the systems running this software

  Product             Addressed in agencywide policy? (Yes, No, or N/A)   Do any agency systems run this software? (Yes or No)   Approximate extent of implementation
  Windows             Yes   Yes   Frequently, or on approximately 71-80% of the systems running this software
  Windows             Yes   Yes   Rarely, or, on approximately 0-50% of the systems running this software
  Windows             Yes   Yes   Mostly, or on approximately 81-95% of the systems running this software
  Windows             Yes   Yes   Sometimes, or on approximately 51-70% of the systems running this software
  Windows             Yes   Yes   Mostly, or on approximately 81-95% of the systems running this software
  Solaris             Yes   Yes   Mostly, or on approximately 81-95% of the systems running this software
  HP-UX               Yes   Yes   Mostly, or on approximately 81-95% of the systems running this software
  Linux               Yes   Yes   Rarely, or, on approximately 0-50% of the systems running this software
  Cisco Router IOS    Yes   Yes   Rarely, or, on approximately 0-50% of the systems running this software
  Oracle              Yes   Yes   Sometimes, or on approximately 51-70% of the systems running this software
  Other. Specify: IIS, SQL Svr, Other Windows, HP MPE, MAC, Novell, AIX   Yes   Yes   Mostly, or on approximately 81-95% of the systems running this software

[The five Windows entries are separate rows in the template; their version labels are not legible in the scanned copy.]

Comments: Interior has established approved security configuration standards in the form of Security Technical Implementation Guides (STIGs). Interior's policy allows for bureaus to define, document, approve, and implement their own STIGs, which many have done, or implement Departmental STIGs. The CIO and IG differ in their perspectives with respect to the level of policy compliance and STIG implementation by Interior's bureaus and offices due to a misunderstanding between our respective interpretations of what the FISMA questions are asking and the IG's understanding of Interior's policy. The OIG appears to be of the opinion that bureaus must implement the Departmental STIGs and does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the CIO's FISMA report. The OIG has

Question 9

Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No. Yes
9.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No. Yes
9.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov. Yes or No. Yes

Comments: The IG's FISMA report differs from the CIO's with respect to question 9.b based on their observation that in 5 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO believes that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.

Question 10

10.a. Has the agency documented in its security policies special procedures for using emerging technologies (including but not limited to wireless and IPv6) and countering emerging threats (including but not limited to spyware, malware, etc.)? Yes or No. Yes

10.b. If the answer to 10.a. is "Yes", briefly describe the documented procedures. These special procedures could include more frequent control tests & evaluations, specific configuration requirements, additional monitoring, or specialized training.

Response: Interior develops, maintains, and updates IT security policies and Security Technical Implementation Guides (STIGs) to respond to emerging threats and technologies. As part of DOI's Certification and Accreditation (C&A) continuous monitoring process, systems are routinely assessed to identify and correct weaknesses resulting from newly discovered vulnerabilities. Depending on the nature of the emerging threat or technology, more frequent control testing, specialized training for network or system administrators, additional monitoring, or application of STIGs to ensure specific configuration requirements are met may be required for systems. Such requirements are typically specified through Departmental or bureau policy or standards, and Designated Approving Authorities have the discretion to identify additional system specific security control requirements depending on agency, risk, threat, and technological factors.

Comments:
Attachment A: 4.a. Incident Detection Capabilities.

Response:

Incident Response Tools and Technology

The Department of the Interior Computer Incident Response Capability (DOI-CIRC) uses a variety of tools to classify, track, and report IT security incidents. E-mail, telephone, and collaborative communication are the predominant methods used to alert, track and manage incidents. In a network-wide alert, e-mail is used to notify all employees, IT staff, IT security professionals, or other well-defined groups of an ongoing security incident and the appropriate action to be followed. The incident response teams use e-mail and other collaborative communication tools to exchange information on an incident through the seven stages of remediation: detection, classification, containment, reporting, investigation, recovery, and closing. Web technology is used to inform employees of the action to be followed in reporting an incident, as well as to maintain a permanent record of the incident in a response database.

A variety of specialized commercial and freeware tools, scripts, manual and automated procedures are used to collect, review, and correlate IT security system and host logs in the identification and investigation of an IT security incident. For virus and malicious code detection, DOI maintains an Enterprise Anti-Virus/virus protection software contract and uses a variety of commercial host- and network-based intrusion detection capabilities to identify, log, and alert malicious network activities.

Incident Detection

IT security incidents are reported from internal and external sources including: DOI employees, bureau IT security professionals, other federal agencies, and worldwide IT security organizations. As appropriate, DOI-CIRC alerts bureaus of security threats to the Department's network infrastructure and tracks the security alert from alert and classification through remediation and closing. In the initial phases of an alert, a security incident handler is assigned to track, record, and communicate information about the incident. Incidents classified high or medium are reported to the Bureau IT Security Manager (BITSM) and DOI-CIRC within two hours or two days, respectively. Incidents classified as low are reported to DOI-CIRC monthly.
Perimeter and Wide-Area Network Incident Detection

Logging is enabled on all security devices, including routers, network- and host-based firewalls, intrusion detection/prevention and other security systems. These security devices are configured to log access from, and egress to, the public Internet. In some environments, wide-area-network routers are similarly configured to log events between internal network segments.

Network- and host-based event logs are routinely monitored for indication of significant security events and potential malicious activity. Security events include network intrusions, scans, denial of service attacks, worms, and unauthorized access to network integrated devices in the DOI wide-area-network infrastructure. Client initiated (egress) access is routinely reviewed to detect security incidents, including attempted propagation of malicious code from an infected or otherwise compromised host, inappropriate use of Internet services, or events including misconfigured internal hosts.
Internal Incident Detection and Alerting

As part of the IT Security Program, each bureau operates a computer security incident team to work closely with the BITSM and DOI-CIRC in the classification, containment, reporting, and remediation of identified security incidents. Any event classified as a security incident is reported to DOI-CIRC and is addressed using the standard methodology presented in the Department of the Interior Computer Security Incident Response Handbook.

Internal security events are reported to the bureau incident response team or DOI-CIRC for assignment of an event manager to track the event and log all action with the appropriate authorities. Viruses and malicious code are detected using anti-virus software technology deployed with individual workstations, mail servers, and SMTP e-mail gateway servers. Detection and quarantine/removal of malicious code is considered a security event and reported monthly to DOI. An infected message or other malicious payload inadvertently launched at the workstation is reported as a security incident.

External Reporting of Security Incidents

DOI and its bureaus maintain Internet e-mail accounts for reporting possible security incidents originating from DOI computer systems. These reports are delivered to the BITSM and computer security incident response team (CSIRT). The e-mail address for reporting security incidents to DOI is incident@circ.doi.gov.
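The egress review and the high/medium reporting windows that Attachment A describes can be illustrated with the following added example; it is not part of the filing or of any DOI tool. The firewall log format, the fan-out threshold, the list of permitted mail gateways and the mapping from finding type to classification are all assumptions made here, and the sample log lines are constructed.

```python
"""Egress review over constructed firewall log lines (added illustration, not DOI code).

Two of the checks Attachment A names are implemented: detecting attempted propagation
of malicious code from an infected host (one internal host fanning out to many external
hosts on one port), and spotting a misconfigured or infected host that sends SMTP
directly instead of through the mail gateways. Each finding carries the classification
and the reporting deadline (two hours for high, two days for medium) stated in the filing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: client-initiated (egress) log lines.
# Assumed format: "<ISO time> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2005-08-01T09:00:01 10.1.4.22 198.51.100.10 80 ALLOW
2005-08-01T09:00:02 10.1.4.22 198.51.100.11 80 ALLOW
2005-08-01T09:00:05 10.1.4.57 203.0.113.5 445 DENY
2005-08-01T09:00:06 10.1.4.57 203.0.113.6 445 DENY
2005-08-01T09:00:06 10.1.4.57 203.0.113.7 445 DENY
2005-08-01T09:00:07 10.1.4.57 203.0.113.8 445 DENY
2005-08-01T09:00:07 10.1.4.57 203.0.113.9 445 DENY
2005-08-01T09:00:08 10.1.4.57 203.0.113.10 445 DENY
2005-08-01T09:00:09 10.1.4.57 203.0.113.11 445 DENY
2005-08-01T09:00:09 10.1.4.57 203.0.113.12 445 DENY
2005-08-01T09:01:00 10.1.9.3 198.51.100.25 25 ALLOW
2005-08-01T09:01:30 10.1.9.3 198.51.100.26 25 ALLOW
2005-08-01T09:02:00 10.1.2.8 198.51.100.25 25 ALLOW
"""

MAIL_GATEWAYS = {"10.1.2.8"}  # assumed: the only hosts allowed to send SMTP outbound
FANOUT_THRESHOLD = 6          # assumed: distinct external hosts on one port within WINDOW
WINDOW = timedelta(minutes=5)

# Reporting windows taken from the filing: high within two hours, medium within two days
# to the BITSM and DOI-CIRC; low incidents are reported monthly (rendered as 30 days).
REPORT_WINDOW = {
    "high": timedelta(hours=2),
    "medium": timedelta(days=2),
    "low": timedelta(days=30),
}


def parse_line(line):
    """Split one assumed-format log line into a dict with a datetime timestamp."""
    ts, src, dst, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def review_egress(log_text):
    """Return findings as (src_ip, finding_type, classification, report_by) tuples."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Check 1: fan-out. One internal host contacting FANOUT_THRESHOLD or more distinct
    # external hosts on the same port inside WINDOW looks like worm-style propagation.
    by_src_port = defaultdict(list)
    for e in events:
        by_src_port[(e["src"], e["port"])].append(e)
    for (src, port), evs in by_src_port.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append((src, f"fan-out on port {port}", "high",
                                 start["ts"] + REPORT_WINDOW["high"]))
                break  # one finding per (host, port) is enough for the review

    # Check 2: direct outbound SMTP from a host that is not a mail gateway, which the
    # filing lists under infected or misconfigured internal hosts.
    flagged = set()
    for e in events:
        if e["port"] == 25 and e["src"] not in MAIL_GATEWAYS and e["src"] not in flagged:
            flagged.add(e["src"])
            findings.append((e["src"], "direct outbound SMTP", "medium",
                             e["ts"] + REPORT_WINDOW["medium"]))
    return findings


if __name__ == "__main__":
    for src, kind, level, report_by in review_egress(SAMPLE_LOG):
        print(f"{src:<12} {kind:<24} {level:<6} report by {report_by.isoformat()}")
```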
Discussion of Differences between CIO and IG Sections

Introduction

Each year, the Chief Information Officer (CIO) and the Inspector General (IG) complete different sections of the annual Federal Information Security Management Act (FISMA) report. The sections represent the respective viewpoints of the Office of the Chief Information Officer (OCIO) and Office of the Inspector General (OIG) with regard to the degree to which Interior's Information Technology (IT) Security Program is compliant with FISMA.

This document provides a gap analysis between the OIG's characterization of Interior's FISMA compliance, as documented in their responses to Section C of the FY 2005 annual report and their Annual Evaluation of the Department of the Interior Information Security Program (Report No. NSM-EV-MOT-0013-2005), and the OCIO's characterization, as documented in their draft responses to Section B of the FY 2005 annual report.

The OCIO and OIG worked together to develop and implement a cooperative monitoring agreement on the DOI IT security program. This program, funded by the Department ($1.1 million in FY 2005) and independently conducted by the OIG, provided critical information needed to prioritize further improvements to the DOI operational IT security posture. From quarterly updates provided by the OIG as well as penetration test results, the OCIO was able to promptly take action to correct vulnerabilities. Although additional corrective actions remain from some IG evaluations, many actions were taken immediately, including temporary disconnection from Internet access when warranted. The OCIO appreciates the efforts of the OIG in pointing out weaknesses or vulnerabilities, and has utilized the results to make significant improvements.

The primary difference in the perspectives is a result of the ambiguity in FISMA, and more particularly, differences in the interpretation of the term "adequate security." The CIO believes that the criteria the OIG used exceed the basic requirements of FISMA.

General Comments

The OIG report portrays the DOI OCIO as being uncooperative, requiring the
-
8/14/2019 US Department of Justice Court Proceedings - 11172005 notice
26/235
OTG to"modify various testing techniques" and that "information requested from
the OCIO wasvery late in coming." incomplete, or not readable. This does not
acknowledge thesignilicani burden placed on already constrained OCIC resources. They weresimultaneously engaged hi producing over 4 '/2 million pages of
documentation in
response to the court, as well as meeting the new OTG requirements toproduce
VolLinhiflous material in the Cobell litigation (e.g.. CDs and DVDs as wellas other
information) in support of the OIG FISMA evaluation.
The effort by the OtG to obtain, toad, and inspect copies of bureauhardened and secured
baseline operating system and database images represented a significant newworkload.
The varying results (e.g., copies of default manufacturer provided images as opposed to hardened and secure baseline images) in obtaining these copies were partially attributed to insufficient advance notice for the new requirement and insufficient time to clearly communicate what was expected.

The OIG report did not indicate that, for FY 2005, the OCIO provided funding to the OIG to participate with the Department in a collaborative but independent fashion to augment our compliance program. The report does not mention the significant progress in implementing corrective actions for weaknesses identified in the penetration tests performed by the OIG as part of the compliance program funded by the OCIO.

In summary, the executive summary of the OIG report does not track with the analysis and conclusions provided in the remaining sections of that document. The Department acknowledges areas that need improvement. However, the OCIO believes that the OIG's interpretation of several of the questions asked in the FY 2005 FISMA reporting template exceed the basic requirements of FISMA. For example, the report does not indicate:

* Interior's Certification and Accreditation (C&A) policy, standards, guidelines, processes, and independent compliance reviews is substantially compliant with FISMA and NIST requirements;
* Risk impact level (e.g., Low, Moderate, and High) determinations for confidentiality, integrity, and availability documented in System Security Plans meet or exceed NIST SP 800-60 and FIPS Pub 199 criteria;
* Interior's authoritative Departmental Enterprise Architecture Repository (DEAR) has an accurate inventory of all major information systems;
* Interior's POA&Ms and POA&M process is substantially compliant with OMB requirements;
* Bureaus implemented approved bureau-level STIGs (e.g., security configuration standards) in conformance with Departmental policy; and,
* Substantial C&A training was provided to Department and bureau senior management officials (e.g., Designated Approving Authorities (DAAs) via the MIT forum).

The OCIO believes that, at a minimum, the quality of our C&A process is satisfactory as supported by the following analysis and recommendations. The following analysis represents the perceived differences between the OCIO's and OIG's interpretation of those requirements.
Analysis

The following gap analysis is limited to the areas where the report shows differences of opinion between the CIO and IG. The format used to contrast each area of difference will be identification of the relevant question in Section C used to document the results of the IG's evaluation, and the corresponding question in Section B used to document the results of the CIO's assessment. In responding to each question in the FISMA reporting template, we believe the objective should be to consider whether Interior's IT security program is adequate when measured against the requirements of FISMA. The level of adequacy would include the degree to which Interior has substantially demonstrated compliance with Federal laws, regulations, and standards such as Memoranda and Circulars issued by the Office of Management and Budget (OMB) and Federal Information Processing Standard Publications (FIPS Pubs) and Special Publications (SPs) issued by the National Institute of Standards and Technology (NIST). Adequacy should be characterized by the degree to which:

* Interior has adequate IT security policies,
* Processes and procedures are in place to implement those policies, and
* Programs and systems have been sufficiently tested to ensure that agreed upon security controls, as approved by senior management officials (e.g., Designated Approving Authorities (DAAs)) and as documented in security plans, are functioning as intended.
IG's FISMA Questions 1a thru 1c and 2a thru 2c (Section C Response)
CIO's FISMA Questions 1a thru 1c and 2a thru 2c (Section B Response)

Difference: For each question, actual performance in FY 2005 by risk impact level and bureau are expected to be identified. The FISMA template provides a heading for the second column for these questions that reads "FIPS 199 Risk Impact Level." Potential risk impact ratings (e.g., High, Moderate, or Low) for Confidentiality, Integrity, and Availability (CIA) and the resulting overall security categorization of IT systems (e.g., the high-water mark of the impact ratings for CIA) for each system are documented in their respective System Security Plans (SSPs). The CIO responses to these FISMA questions are identified by the documented FIPS 199 Risk Impact Levels as required. The OIG does not recognize these documented risk impact levels as they have asserted that the method prescribed by the Department's Asset Valuation Guide (AVG) is not compliant with NIST FIPS Pub 199. However, the OIG also indicated the existing method used by Interior typically meets or exceeds the provisional impact ratings that would be obtained by using the NIST SP 800-60 and FIPS Pub 199 ratings.

Discussion: The NIST standards provide for flexibility for agencies to define their own common data and information types. The standards also provide guidance for determining risk impact levels using those types, considering other factors unique to each agency, as long as the resulting sensitivity ratings equal or exceed the minimum thresholds and specifications prescribed by NIST. As long as agencies:

* identify, select, implement, and test minimum mandatory management, operational, and technical security controls based on the security categorization of each system;
* risk impact levels equal or exceed minimum expected sensitivity ratings as identified by the provisional ratings contained for similar data and information types specified in NIST SP 800-60; and
* security controls are tailored to individual ratings for CIA, as specified by the draft NIST FIPS Pub 200 and the related NIST SP 800-53;

then the agency has demonstrated a consistent and adequate methodology used to determine risk impact ratings for IT systems. Agencies aren't expected to have implemented NIST FIPS Pub 200 and SP 800-53 until one year following the final release of FIPS Pub 200, currently still in draft.
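The two rating rules at issue here, the FIPS 199 high-water mark for a system's overall categorization and the requirement that an agency's documented CIA ratings equal or exceed the SP 800-60 provisional ratings for the information types the system handles, are mechanical enough to be written down. The following Python is an added illustration; it is not code from the report, from the Department's Asset Valuation Guide, or from NIST. The information-type catalog, the provisional ratings in it, and the two systems are constructed for the example and are not from SP 800-60 or the report. The check deliberately allows an agency rating to be higher than the provisional floor (the agency discretion the OCIO argues for) and flags only ratings that fall below it.

```python
"""FIPS 199 high-water mark and a check of documented CIA ratings against
SP 800-60 style provisional (minimum) ratings.  Added example, not the
Department's AVG process; catalog and systems below are constructed."""

from dataclasses import dataclass

# Impact levels in ascending order so "equal or exceed" is an integer compare.
ORDER = ["Low", "Moderate", "High"]
LEVELS = {name: rank for rank, name in enumerate(ORDER)}


@dataclass(frozen=True)
class Rating:
    """Potential impact for each security objective (FIPS 199 terms)."""
    confidentiality: str
    integrity: str
    availability: str

    def as_tuple(self):
        return (self.confidentiality, self.integrity, self.availability)


def max_level(a, b):
    """Higher of two impact levels by rank."""
    return ORDER[max(LEVELS[a], LEVELS[b])]


def high_water_mark(rating):
    """Overall security categorization: the highest of the three CIA ratings."""
    return ORDER[max(LEVELS[x] for x in rating.as_tuple())]


def provisional_rating(info_types, catalog):
    """Aggregate provisional CIA ratings across every information type a
    system handles, taking the per-objective maximum (the SP 800-60 pattern).
    Systems handling no catalogued type fall to Low on every objective."""
    c = i = a = "Low"
    for t in info_types:
        p = catalog[t]
        c = max_level(c, p.confidentiality)
        i = max_level(i, p.integrity)
        a = max_level(a, p.availability)
    return Rating(c, i, a)


def check_agency_rating(agency, info_types, catalog):
    """Return (compliant, shortfalls).  The documented agency rating must
    equal or exceed the provisional floor for each objective; a higher
    rating is permitted (agency discretion), a lower one is a shortfall
    recorded as (objective, documented, required)."""
    floor = provisional_rating(info_types, catalog)
    objectives = ("confidentiality", "integrity", "availability")
    shortfalls = [
        (name, got, need)
        for name, got, need in zip(objectives, agency.as_tuple(), floor.as_tuple())
        if LEVELS[got] < LEVELS[need]
    ]
    return (not shortfalls, shortfalls)


# Constructed catalog of information types with provisional CIA ratings.
# Hypothetical values; not taken from SP 800-60 or the Department's AVG.
CATALOG = {
    "public_web_content": Rating("Low", "Moderate", "Low"),
    "trust_fund_records": Rating("Moderate", "High", "Moderate"),
    "personnel_records": Rating("Moderate", "Moderate", "Low"),
}


def categorize(system_name, documented, info_types, catalog=CATALOG):
    """Summarize one system: its high-water mark and whether its documented
    SSP rating meets the provisional floor."""
    ok, shortfalls = check_agency_rating(documented, info_types, catalog)
    return {
        "system": system_name,
        "overall": high_water_mark(documented),
        "compliant": ok,
        "shortfalls": shortfalls,
    }


if __name__ == "__main__":
    # Constructed systems: the first rates availability above its floor
    # (allowed); the second documents integrity below its floor (flagged).
    for result in (
        categorize("portal", Rating("Moderate", "Moderate", "Moderate"),
                   ["public_web_content", "personnel_records"]),
        categorize("ledger", Rating("Moderate", "Moderate", "Moderate"),
                   ["trust_fund_records"]),
    ):
        print(result)
```

Run as a script it prints one summary per constructed system; the second shows the integrity shortfall, which is the kind of inconsistency between an SSP and the provisional floor that the Difference paragraph above is about.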
In an earlier meeting with the OIG, the OCIO was informed that the sensitivity ratings and security categorizations were not documented in any of the C&A packages (e.g., in the SSP or the Risk Assessment report). The OCIO reviewed the C&A packages in question and found the information documented in the SSPs. In a follow-up conversation with the OIG, the OCIO was informed that the real issue was related to inconsistencies between what was documented in the AVGs compared to the SSPs. Although the AVG serves a useful purpose as a tool for the System Owner to develop a recommendation for the ratings to be considered by the DAA, it does not serve as the documentation for the final determination. The final sensitivity ratings for CIA, the overall security categorization and the agreed upon security controls are documented in the DAA-approved final SSP.
The OIG report reflects a more narrow interpretation of the NIST standards which we believe is inconsistent in their recognition that Interior's existing process results in sensitivity and impact determinations which equal or exceed the provisional impact ratings identified in NIST SP 800-60, which inherently considers the NIST FIPS Pub 199 minimum impact rating determinations. This interpretation does not recognize the agency's discretion in identifying additional criteria and requirements which may result in higher impact levels being assigned to systems.

The OCIO recognizes the need to reevaluate the existing process to ensure that systems are not overly categorized in terms of data and information sensitivity and impact ratings. This is particularly important as there is an associated burden and cost implication to implement the operational and technical security controls appropriate to these ratings.

The OIG appeared to base their conclusion on interviews with individuals as to whether they had followed NIST FIPS Pub 199 in determining these ratings. The individuals were not familiar with that NIST publication and had indicated that they had used the AVG process. The OIG did not provide recognition in their report that the sensitivity determinations had been based on consistent application of the AVG methodology. They also did not indicate that the AVG process resulted in sensitivity determinations lower than what they would expect from the FIPS Pub 199 process alone. There is no requirement that individuals be familiar with the specific NIST FIPS Pub 199 reference (e.g., recognize the name or title of a reference) if they are following an agency-prescribed process that incorporates those requirements.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with these questions exceed the essential requirements of FISMA.

IG's FISMA Question 3b (Section C Response)
CIO's FISMA: No corresponding question(s) (Section B Response)

Difference: Question 3b asks the IG to evaluate the degree to which "The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including identification of the interfaces between each such system and all other systems or networks including those not operated by or under the control of the agency." The IG's response characterizes Interior's inventory of "major information systems" as "approximately 81-95% complete" while the CIO remains confident that the Department Enterprise Architecture Repository (DEAR), the authoritative repository for IT system inventory, contains an accurate inventory of the Department's major information systems.

Discussion: The OIG's evaluation does not identify any specific discrepancies with respect to the Department's inventory of major information systems necessary to substantiate their response characterizing Interior's inventory at anything less than 100%.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.
IG's FISMA Question 4a (Section C Response)
CIO's FISMA: No corresponding question(s) (Section B Response)

Difference: Question 4a asks the IG to select from one of several response categories with respect to the degree to which "The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency." The OIG selected the response category of "Sometimes, for example, approximately 51-70% of the time" and in their comments on the FISMA response indicated that they "did not determine the amount of unreported IT security weaknesses that were not included in the POA&Ms". The OCIO has no basis to suggest that weaknesses captured on POA&Ms are anything less than the highest response category option of "Almost Always, for example, approximately 96-100% of the time."

Discussion: In FY 2005, the DOI POA&M process tracked 2,895 weaknesses. The OIG acknowledges that DOI captures up to 95% of OIG identified weaknesses. The Department has very formal procedures in place, particularly for the financial audit, to ensure 100% of weaknesses are recorded in system POA&Ms. The OCIO is at a loss to determine where another 1,000+ (this number would be based on OIG current response indicating that the Department incorporates known weaknesses only "Sometimes, for example, approximately 51-70% of the time") weaknesses should be derived. It appears that there is substantial agreement on the nature and number of weaknesses and the POA&M report takes exception to methods of resolution.

The remaining findings are based upon the OIG report for the DOI POA&M process that questions the methods by which POA&M items are closed and the nature of prioritization. In response to OIG concerns, the DOI CIO directed (OCIO Directive 2005-007) a complete audit to verify that FY 2005 POA&M items were appropriately closed. Every program official was required to certify in writing that closed items met appropriate criteria for closure or re-open the weakness for action. While we saw a 25% increase in the number of new findings for FY 2005 Q3 and FY 2005 Q4, this increase is explained by the audits and self-assessments that occurred during this time period. In short, a 100% audit of 1,389 FY 2005 closed POA&M weaknesses (through Q3) did not conclude the same level of discrepancy as the 133 item sample in the POA&M report. Further, the draft POA&M report cites the September and November 2004 POA&M submission for a majority of its findings. That data is more than a year old and may not sufficiently characterize the FY 2005 POA&M program.

Lastly, every POA&M weakness is prioritized within the system for which it is attributed. Point acknowledged by the OIG team. OCIO staff has discussed this point and commented to the report that a Departmental prioritization scheme is not required and administratively inappropriate. Each system is required to pursue appropriated funds through the relevant investment portfolio. Bureau managers may not reallocate those resources outside the portfolio based on Departmental priorities. Therefore, the most meaningful and effective prioritization is within each system. Additionally, this meets FISMA requirements and should be acknowledged as such.

IG's FISMA Question 4b (Section C Response)
CIO's FISMA: No corresponding question(s) (Section B Response)

Difference: Question 4b asks the IG to select from one of several response categories with respect to the degree to which "When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Although DOI's POA&M process for IT security weaknesses includes the development, implementation, and management of POA&M for systems, DOI does not adequately manage the weaknesses adequately through its POA&M process." The OCIO has no basis in fact to suggest that program officials do not develop, implement, and manage POA&Ms for their systems when IT security weaknesses are identified. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question.

Discussion: The FISMA question specifically asks the question as to whether or not program officials (including CIOs) develop, implement, and manage POA&Ms for their systems when weaknesses are identified. The Department has demonstrated that there are POA&Ms for every system that is reported quarterly. Ideally, there would be a specific FISMA question, or questions, that inquire about specific quality characteristics of the POA&Ms and POA&M process. This particular FISMA question does not inquire about the quality or adequacy of either, and simply asks if program officials are managing weaknesses via their program or system POA&Ms.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

With respect to any questions regarding quality, raised in the comment section of the IG's FISMA report, the OIG relied on FY 2004 POA&Ms as the basis for their conclusions. The OIG's analysis did not take into consideration the substantial improvements to the FY 2005 POA&M process resulting from issuance of several OCIO Directives. In FY 2005, bureau CIOs were required to verify and validate completed actions on their POA&Ms and submit a signed certification statement attesting that they have done so with the submission of each of their quarterly POA&Ms. The OIG's report does not consider any FY 2005 progress and actually represents the state of the FY 2004 POA&M process. The characterization of Interior's POA&M process on the FISMA report should more appropriately reflect the effectiveness of the FY 2005 process.
The OMB Memorandum 04-25 states the following with respect to the level of detail used to describe weaknesses in a POA&M:

"Detailed descriptions of specific weaknesses are not necessary, but sufficient data is necessary to permit oversight and tracking. For example, to the maximum extent practicable agencies should use the types of descriptions commonly found in reports of the GAO and IG such as "inadequate password controls," "insufficient or inconsistent data integrity controls," "inadequate firewall configuration reviews," "background investigations not been performed prior to system access," "physical access controls are insufficient," etc."

Furthermore, OMB M-04-25 states that:

"IGs are again asked to assess against minimum requirements whether the agency has developed, implemented, and is managing an agency-wide POA&M process (see Section C of the reporting template)."

The IG's report should distinguish between when recommendations exceed the essential requirements of FISMA and OMB and be consistent in interpreting the adequacy or inadequacy of POA&M processes with respect to those "minimum requirements."

IG's Draft FISMA Question 4c (Section C Response)
CIO's Draft FISMA: No corresponding question(s) (Section B Response)

Difference: Question 4c asks the IG to select from one of several response categories with respect to the degree to which "Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress." The OIG selected the response category of "Sometimes, for example, approximately 51-70% of the time" and in their comments on the FISMA response indicated that "Although DOI program officials report to the CIO on a quarterly basis, we did not find any indications that contractors were reporting security weaknesses to program officials or bureau CIOs and that these security weaknesses were being reported by the program officials on the." This sentence was prematurely terminated but the CIO assumes that it was to conclude with the word POA&M. The OCIO has no basis to suggest that program officials, including contractors, do not report to the CIO on a regular basis (at least quarterly) on their remediation progress. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question.

If the OIG's evaluation provides evidence to support their conclusion with respect to contractor reporting, then the OCIO believes that the response category of "Mostly, for example, approximately 81-95% of the time" would be appropriate. However, the OCIO is not aware of any specific details with respect to the absence of POA&Ms for contractor systems or any instances of non-reporting of POA&Ms to the CIO for such systems. The OCIO has provided copies of system POA&Ms and signed certification statements from relevant CIOs associated with the contractor systems to the OIG.
157/167 or 94% compliance towards meeting this requirement.

CIO as part of the last quarterly POA&M submission and reporting cycle.

Discussion: Assuming that an unauthorized individual was addressing the issue of risk acceptance on their own, without the concurrence of the Designated Approving Authority (DAA), the numbers of such occurrences are not quantified sufficient to suggest noncompliance. Compared to the thousands of weaknesses that are being tracked, managed, and reviewed, it is difficult to see how the OIG could conclude at this point that the number of any such instances could contribute to between 50% and 100% non-compliance with respect to this requirement. To the extent that the IG is aware of a number of such isolated incidents and has not identified such systemic issues on a larger and quantifiable scale, it does not appear reasonable for these occurrences to be used to extrapolate conclusions about noncompliance.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft FISMA Question 4e (Section C Response)
CIO's Draft FISMA: No corresponding question(s) (Section B Response)

Difference: Question 4e asks the IG to select from one of several response categories with respect to the degree to which the "OIG findings are incorporated into the POA&M process." The OIG selected the response category of "Mostly, for example, approximately 81-95% of the time." The OCIO has no basis in fact to suggest that OIG findings are not being incorporated into POA&Ms. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question as there have been no known instances where OIG findings were not incorporated into the POA&M process.

Discussion: OIG "findings" are required to be always incorporated into the program- and system-level POA&Ms along with weaknesses identified from other sources. The CIO feels that the distinction would be that OIG "recommendations" are not always incorporated into the POA&M process as senior management does not always concur with such "recommendations" and has the discretion to consider whether or not such "recommendations" are required to be acted on or not. For the purpose of the FISMA report, the CIO requests that the OIG consider whether or not their response was based on the notion of incorporating "recommendations" vs. "findings", which might have contributed to a different perspective.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft FISMA Question 4f (Section C Response)
CIO's Draft FISMA: No corresponding question(s) (Section B Response)

Difference: Question 4f asks the IG to select from one of several response categories with respect to the degree to which the "POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Currently bureaus prioritize weaknesses within system POA&Ms. However, we found little evidence that DOI overall prioritizes IT security weaknesses to ensure funding for this project." The OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question. The Department's POA&M process prioritizes IT security weaknesses consistent with OMB's requirements and within the constraints imposed by budgetary and capital planning and investment control (CPIC) processes.

Discussion: Interior's IT security program- and system-level POA&Ms include the appropriate level of detail and information required by the Office of Management and Budget (OMB) Memorandum 04-25. Prioritization of corrective actions is the responsibility of each Designated Approving Authority (DAA). Each DAA ensures that weaknesses are addressed in a timely manner and receive appropriate resources through their review and approval of their respective POA&Ms, which identify:

* description of each weakness;
* risk-level associated with each weakness;
* specific corrective action milestones;
* scheduled commitments to accomplish each milestone; and
* resources (budgetary and staff) required to implement each corrective action.

The DAA has the responsibility of making determinations regarding risk acceptance and the duration and conditions under which they will accept any residual risks.

Lastly, every POA&M weakness is prioritized within the system for which it is attributed. Point acknowledged by the OIG team. OCIO staff has discussed this point and commented to the report that a Departmental prioritization scheme is not required and administratively inappropriate. Each system is required to pursue appropriated funds through the relevant investment portfolio. Bureau managers may not reallocate those resources outside the portfolio based on Departmental priorities. Therefore, the most meaningful and effective prioritization is within each system. Additionally, this meets FISMA requirements and should be acknowledged as such.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.
IG's Draft Question 5 (FISMA Section C Response)
CIO's Draft: No corresponding question(s) (FISMA Section B Response)
Difference: Question 5 asks the IG to "assess the overall quality of the Department's certification and accreditation process." The OIG selected the response category of "Poor" without qualifying comments within the FISMA reporting template. The OCIO finds that the response category option of at least "Satisfactory" is a more appropriate characterization of compliance with respect to this question based on our analysis of the current state of the C&A process.
Discussion: In the OIG's Annual Evaluation report, the IG points to several factors contributing to their characterization of the Department's C&A process being rated as poor. The CIO maintains that the Department's Asset Valuation Guide (AVG) process to determine risk impact levels and security categorizations of systems for confidentiality, integrity, and availability equals or exceeds any ratings based on the NIST FIPS Pub 199 and NIST SP 800-60 alone. The levels of concern expressed in appendix F of the Department's AVG
guide used in determining potential impact ratings (e.g., Low, Moderate, or High) for Confidentiality, Integrity, and Availability (CIA) are consistent with FIPS Pub 199. The AVG guide also identifies 15 sensitive information categories for Interior and the minimum expected impact ratings to be used for Interior's IT systems.
The Department's C&A, System Security Plan, Risk Assessment report, Security Test and Evaluation, and Contingency Planning guides substantially address the requirements of applicable NIST standards and guidelines.
The OCIO performed independent reviews of the quality of C&A packages and issued compliance reports back to each bureau identifying areas needing improvement. This process has resulted in many C&A packages being revised, resulting in significant improvement in the quality of those packages, and 98% of Interior's systems are certified and accredited.
The OIG's report indicates that 8 of 17 systems reviewed had ST&E reports that were dated after they were accredited, while the OCIO's records in Command Center indicate that approximately 31 of 171 C&A systems of record have ST&E reports dated after the date of the accreditation letter. This represents a potential concern with less than 20% of the C&A packages, as opposed to the OIG's information indicating potential concerns with approximately 47% of the packages. These perspectives also don't identify whether or not the ST&Es were actually concluded prior to the DAA's decision to accredit their respective systems, and whether or not those decisions were based on vulnerabilities and weaknesses identified in the ST&E. Consideration should be given to the actual dates within which the ST&Es were actually performed and the DAAs having had the benefit of those results as
opposed to the date of the ST&E report documentation, which may have subsequently been revised based on feedback from independent reviews performed by the OCIO on the quality of those reports.
The IG's report does not contest the merits on which the DAA based their accreditation decision, which suggests that the certifications and accreditation are valid and based on each DAA's understanding and acceptance of any remaining residual risk to their systems.
With respect to the OIG's characterization of the POA&M process, the OIG relied on FY04 POA&Ms and did not benefit from a more recent study of the FY05 POA&Ms and associated process. The OCIO responded to these findings and recommendations in a separate response indicating that Interior's FY05 process has
IG's Draft Question 6 (FISMA Section C Response)
CIO's Draft Question 8 (FISMA Section B Response)
Difference: Question 6a asks "Is there an agency wide security configuration policy." The OIG selected the response of "Yes" and identified the relevant OCIO Directive. This question (both 6a and 6b) relates to agency policy and implementation of approved Security Technical Implementation Guides (STIGs). Each STIG provides specific security hardening and configuration instructions and parameters for various types of network resources and devices (e.g., operating systems, databases, routers, etc.). Question 6b asks the IG to "Approximate the extent of implementation of the security configuration policy on the systems running the software." The FISMA reporting template identifies 11 products for which the CIO and IG must select a response choice to indicate the degree to which systems have implemented approved STIGs. The CIO and IG differ in their response choices, as there is a difference between our respective interpretations of what the FISMA questions are asking and the IG's understanding of Interior's policy.
Discussion: The OIG appears to be of the opinion that bureaus must implement the STIGs specified in Command Center (the Department's current IT security information dissemination portal) but acknowledges that bureaus frequently have their own STIGs which they implement.
substantially improved and that we had proactively taken measures to improve the process, which already had addressed the IG's recommendations.
The OCIO recognizes the need to make some additional updates to C&A guidance in light of the significant number of new or revised standards and guidelines issued by NIST, which should be implemented in FY06 to implement FIPS Pub 200 and related SP 800-53 and 53A. Nonetheless, the CIO maintains that for FY05 the C&A process within Interior remains satisfactory. Beginning one year after the issuance of the FIPS Pub 200 by NIST, the CIO recognizes that existing System Security Plans and ST&E processes will be in jeopardy if these new requirements are not effectively implemented.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential
requirements of FISMA.
IG's Draft Question 7b (FISMA Section C Response)
CIO's Draft Question 9b (FISMA Section B Response)
Difference: Question 7b asks does "The agency follow documented policies and procedures for external reporting to law enforcement." The OIG selected the response choice of "No" based on their observation that in 8 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency with which such incidents are in fact reported to the IG, or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO feels that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.
Discussion: Circumstances about why the 8 incidents were purportedly not reported via the IG were not sufficiently articulated. It is unclear what factors contributed to the lapse in notification for these specific incidents, but it is clear that notification policies and procedures are in place and have successfully been used in other instances. The CIO acknowledges that Interior's policy requires notification of the OIG's Office of Investigations when IT security incidents are reported to external law enforcement. The CIO understands that the responsible OIG office was not well positioned for most of FY 2005 to receive, or respond to, such notifications. However, it should be recognized that Interior's bureaus and offices did engage other appropriate law enforcement officials to respond to incidents where appropriate.
The CIO disagrees with the IG's interpretation, as Interior's policy allows for bureaus to define, document, approve, and implement their own STIGs, which many have done. Bureaus are only required
to implement the Department's STIGs available through Command Center whenever the bureau does not have their own approved STIG.
The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA. The OCIO also believes that the IG report does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the DOI's FISMA report reflects.
IG's Draft Question 8 (FISMA Section C Response)
CIO's FISMA Question 6 (Section B Response)
Difference: Question 8 asks "Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities." The OIG selected the response choice of "Mostly, or approximately 81-95% of employees have sufficient training," which is inconsistent with the CIO's analysis.
Discussion: The OCIO's performance metrics with respect to annual awareness training and role-based training identify the following relevant metrics in question 6 of the CIO's response:
Awareness training (as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, October 2003):
  Total number of employees in FY05: 84,159
  Number of employees that received IT security awareness training in FY05: 82,848 (98.44%)
Role-based training (as described in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model):
  Total number of employees with significant IT security responsibilities: 2,611
  Number of employees with significant security responsibilities that received specialized training: 1,736 (66.49%)
The CIO is advocating that the progress in the areas of awareness and role-based training be equally weighted, which would result in the selection of "Almost Always, or approximately 96-100% of employees have sufficient training" based on the resulting weighted average of 97.48%. Additional credit should include recognition of the C&A training provided to the Secretary and Designated Approving Authorities (DAAs) by the CIO and CISO regarding the C&A process and each of their respective roles and responsibilities. Interior also has over 80 individuals who have achieved and are maintaining certification as a Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Consortium, Inc., or (ISC)2.
Section B: Inspector General. Questions 6, 7, 8, and 9.
Agency Name:
Question 6
6.a. Is there an agency wide security configuration policy? Yes or No.
Response: Yes
Comments: OCIO Directive 2004-007, March 05, 2004, Standardized System Security Configuration
6.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.
Columns: Product | Addressed in agency wide policy? | Do any agency systems run this software? | Approximate the extent of implementation of the security configuration policy on the systems running the software.
Response choices include:
- Rarely, or on approximately 0-50% of the systems running this software
- Sometimes, or on approximately 51-70% of the systems running this software
- Frequently, or on approximately 71-80% of the systems running this software
- Mostly, or on approximately 81-95% of the systems running this software
- Almost Always, or on approximately 96-100% of the systems running this software
Y