US Department of Justice Court Proceedings - 11172005 notice



Transcript of US Department of Justice Court Proceedings - 11172005 notice

  • 8/14/2019 US Department of Justice Court Proceedings - 11172005 notice

    1/235

    IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

    ELOUISE PEPION COBELL, et al.,
    Plaintiffs,

    v.

    GALE NORTON, et al.,
    Defendants.

    No. 1:96CV01285 (Judge Lamberth)

    FILED UNDER SEAL

    DEFENDANTS' NOTICE OF FILING OF THE DEPARTMENT OF THE INTERIOR'S FISCAL YEAR 2005 FISMA REPORTS AND IG REPORT ON THE POA&M PROCESS

    Defendants hereby submit the 2005 Federal Information Security Management Act ("FISMA") reports from the Secretary of the Department of the Interior and the Department of the Interior's Office of the Inspector General ("OIG"), as well as the proposed redactions thereto. In addition, Defendants submit the OIG's report concerning the Department of the Interior's Plan of Actions and Milestones ("POA&M") process. Defendants submit the reports and proposed redactions pursuant to the Court's April 22, 2005 Protective Order.

    Dated: November 17, 2005

    Respectfully submitted,

    ROBERT McCALLUM, JR.
    Associate Attorney General

    PETER D. KEISLER
    Assistant Attorney General

    STUART E. SCHIFFER
    Deputy Assistant Attorney General

    J. CHRISTOPHER KOHN
    Director


    /s/ Robert E. Kirschman, Jr.
    ROBERT E. KIRSCHMAN, JR.
    (D.C. Bar No. 406635)
    Assistant Director

    GLENN D. GILLETT
    Trial Attorney
    Commercial Litigation Branch
    Civil Division
    P.O. Box 875
    Ben Franklin Station
    Washington, D.C. 20044-0875
    Telephone: (202) 307-0494
    Facsimile: (202) 514-7162



    CERTIFICATE OF SERVICE

    I hereby certify that, on November 17, 2005, a copy of the foregoing Defendants' Notice of Filing of the Department of the Interior's Fiscal Year 2005 FISMA Reports and IG Report on the POA&M Process in PDF Format on CD was served upon:

    Dennis M. Gingold, Esq.
    Mark K. Brown, Esq.
    Elliot Levitas, Esq.
    607 - 14th Street, NW, 9th Flr.
    Washington, DC 20005

    and, without under seal attachments, on the following who is not registered for Electronic Case Filing, by facsimile:

    Earl Old Person (Pro se)

    Blackfeet Tribe
    P.O. Box 850
    Browning, MT 59417
    Fax (406) 338-7530

    /s/ Kevin P. Kingston
    Kevin P. Kingston


    THE SECRETARY OF THE INTERIOR

    WASHINGTON

    OCT 14 2005

    The Honorable Joshua B. Bolten
    Director
    Executive Office of the President
    Office of Management and Budget
    Washington, D.C. 20503

    Dear Mr. Bolten:

    The Department of the Interior (DOI) provides the enclosed information technology (IT) compliance report, prepared using the guidance contained in the Office of Management and Budget (OMB) memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act, June 15, 2005. The annual report includes both the views of the agency Chief Information Officer (CIO) and the Inspector General (IG), a discussion on the differences between those perspectives, and the new privacy requirements.

    Interior made significant progress in improving its overall security posture in FY 2005, in spite of the extraordinary burden placed on Interior by the ongoing Cobell v. Norton litigation. In the Cobell case, we produced over 4 1/2 million pages of documentation, and testified throughout a 59 day evidentiary hearing. The significant demands on us to respond to the court impacted the annual FISMA evaluation, causing delays and limitations for both the CIO's staff and the IG's staff.

    I would like to highlight the following progress made in FY 2005:

    * DOI made progress toward consolidating 13 networks into a single Departmental Enterprise Services Network (ESN). Three remaining bureau networks are targeted for consolidation this month.

    * The ESN architecture includes robust network perimeter security controls and enables Interior to manage perimeter controls more consistently, effectively, and cost-efficiently.

    * The Department is maintaining a continuous monitoring program as part of the Certification and Accreditation (C&A) processes. This includes:
      o independent third-party review of C&A packages,
      o routine automated vulnerability scanning and remediation of identified weaknesses,
      o internal and external penetration testing of networks and major


    Mr. Joshua B. Bolten, Page 2

    * OMB rated DOI's Enterprise Architecture (EA) the highest among the 25 EA programs reviewed. The DOI EA was noted as incorporating a security standards profile, and aligned to the Technical Reference Model.

    * The Department entered into an agreement with USALearning.gov to deliver a standardized curriculum for individuals with significant IT security roles.

    * The DOI CIO contracted an independent IT security assessment to evaluate DOI against the myriad of security policies and guidance. We are pleased to report 3.63 maturity level out of 5 from this assessment.

    IT security has been, and will continue to be, one of my highest priorities, as evidenced by the major improvements made throughout the DOI this past year. This progress builds on accomplishments of the past. In June 2004, the IG concluded "the DOI POA&M process is effective and satisfies the pertinent Federal guidance." The IG's FY 2004 report considered Interior's C&A process as being satisfactory. The percentage of IT systems certified and accredited increased from 83 percent for FY 2004 to over 98 percent in FY 2005. With better accountability and standardization, DOI, and ultimately the taxpayers, avoided $17 million in C&A costs. We are pleased with the return on the investment OMB and Congress authorized in our FY 2004 budget and sustained in FY 2005. In FY 2005, the IG appropriately raised the bar for evaluating the security program, based on DOI's increased maturity in the program. I support his efforts and his resources have increased to enable measurements against these higher standards. Our collaborative efforts in monitoring our systems through exhaustive penetration testing illustrate our commitment to maintaining a constantly improving C&A process.

    We recognize that the C&A process is not perfect, particularly in light of the many new or revised standards published by National Institute of Standards and Technology (NIST) within the past year, some of which are still in draft. We recognize that C&A is primarily a process of risk management, requiring application of considerable subjective judgment. Without clear criteria for reporting, the ambiguity leads to subjectivity based on individual perspectives. In preparing this year's report, I am struck by how strongly this subjectivity is impacted by the role of two key executives at DOI: the IG and the CIO.

    Your guidance for the FY 2005 report asks that I include an analysis of the differences between the CIO's report and the IG's. I hope you will find this useful in reducing the ambiguity of future reporting, and to more fully understand the perspectives presented. Through consistent reporting standards, we can arrive at a fair comparison of government security progress and deficiencies, and achieve or exceed the benchmark leading to adequate security.

    I understand the IG's opinion that the IT security at DOI is not perfect, that risks and vulnerabilities still remain and improvements need to be made. From this he concludes DOI has significant weaknesses in complying with FISMA. From this perspective, the IG tempered the scores on his report by any weakness seen:

    REDACTED PUBLIC VERSION
    Subject to Protective Order Regarding I-T Security Information (Dkt. No. 2937) (Filed April 22, 2005)
    DOI's FY 2005 FISMA Report, Page 2 of 37
    Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports


    Mr. Joshua B. Bolten, Page 3

    * where a C&A package did not contain all required elements clearly presented, it was not counted as a valid package;

    * problems in the POA&M process were included in the IG report dated September 23, 2005, even though subsequently corrected, because the corrections had not been verified by the OIG; and

    * any deviations from policy or procedures were reported as an inconsistent and ineffective policy overall.

    The IG's perspective can be supported by the language of the OMB and NIST requirements. It is consistent with the IG's role of being DOI's watch dog - who clearly needs to warn of any potential risks, regardless of the weight or costs. The CIO believes the IG's responses to several of the questions in the FY 2005 reporting template exceed the basic requirements of FISMA and do not take into account improvements made during the year in response to the testing the IG conducted.

    I have confidence in the CIO's opinion that, while IT security at DOI is not perfect, risks and vulnerabilities still remain, and improvements need to be made, nonetheless, the policies and processes to address those risks are adequate, improvements have been and will continue to be made, and therefore, DOI substantially complies with FISMA. From this perspective, when weaknesses are found, DOI corrects them and takes credit for having done so. Based on extensive reviews of the IT security program, the CIO believes these corrective actions have generally been completed, sufficient to meet the basic requirements of FISMA. As required by FISMA, remaining problems are being addressed through the POA&M process.

    The CIO perspective is clearly supported by the language of the OMB and NIST requirements. It is also consistent with the CIO's role, which requires him to balance risks to DOI's information assets with the costs to address those risks. The CIO also appropriately relies on the determinations of competent accountable officials, including the IG. The CIO points out that Interior was successful in thwarting over 353 million potential incidents in contrast to only 33 incidents that could not be prevented, as reported during our last quarterly reporting period. None of the successful incidents have


    Section B: Chief Information Officer. Questions 1, 2, 3, and 4.

    Agency Name: U.S. Department of the Interior

    Questions 1 and 2

    1. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of information systems used or operated by your agency, and the number of information systems used or operated by a contractor of your agency or other organization on behalf of your agency.

    Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

    To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can 1) continue to use NIST Special Publication 800-26, or, 2) conduct a self-assessment against the controls found in NIST Special Publication 800-53.

    Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency, therefore, self reporting by contractors does not meet the requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

    FIPS 199, Federal Information Processing Standard, was published in February 2004. If there are systems which have not yet been categorized, or the risk impact level is determined through another method, please explain below in item (d).

    a. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau in the format provided below. From the Total Number of Systems, identify the number of systems which have: a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year. Contingency planning is a requirement for certification and accreditation, with annual contingency plan testing required thereafter. If the number of systems with full certification and accreditation is higher than the number of systems with a tested contingency plan, please explain.

    [Table, by bureau and FIPS 199 risk impact level: Question 1 (FY05 agency systems, FY05 contractor systems, FY05 total number of systems); Question 2 (number of systems reviewed); a. number of systems certified and accredited (total number, percent); b. number of systems for which security controls have been tested and evaluated in the last year (total number, percent); c. number of systems for which contingency plans have been tested in accordance with policy and guidance (total number, percent). The figures in the table are not legible in the scan.]


    Section B: Chief Information Officer. Question 5.

    Agency Name: U.S. Department of the Interior

    Question 5

    Information gathered in this question will be forwarded to the Department of Homeland Security for validation.

    For each category of incident listed: identify the total number of successful incidents in FY05, the number of incidents reported to US-CERT, and the number reported to law enforcement. If your agency considers another category of incident type to be high priority, include this information in category e 'Other'. If appropriate or necessary, include comments in the area provided below.

    5. Number of Incidents, by category:

    Type of Incident               Number of Incidents    Number of Incidents    Number of Incidents
                                   Reported internally    Reported to US-CERT    Reported to law enforcement
    a. Unauthorized Access                 23                     22                      2
    b. Denial of Service (DoS)              2                      2                      0
    c. Malicious Code                     191                    171                      1
    d. Improper Usage                      34                     28                      4
    e. Other                               36                     28                      3
    Totals:                               286                    251                     10

    Comments:


    Section B: Questions 6 and 7

    Question 6

    6. Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities? Yes or No.

    a. Total number of employees in FY05: 84,159

    b. Number of employees that received IT security awareness training in FY05, as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (October 2003): 82,848 (98.44%)

    c. Total number of employees with significant IT security responsibilities: 2,611

    d. Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (April 1998): 1,736 (66.49%)

    e. Total costs for providing IT security training in FY05 (in $'s): $1,340,487

    Briefly describe the training provided in b. and d. Employees are trained by using a comprehensive DOI University online system. The training covers a broad range of IT security subjects including access controls, passwords, malicious code (viruses), DOI Policy and Federal Regulations. Central reporting is built into the system and provides compliance tracking by bureaus and offices. Specialized training for those with "significant security responsibilities" includes certification courses, industry and vendor training classes, internal briefings and awareness seminars (for designated authorities, senior management, technical staff, and security representatives), DOI IT security team meeting training sessions, and online continuing education.


    Comments: DOI has taken steps to enhance IT security training in FY 2005 by contracting with USALearning.gov to provide role-based training for bureaus and offices. The curriculum provides specialized training modules geared towards DAAs, system owners, ISSOs, and network, database, and system administrators. This will undoubtedly raise Interior's compliance levels with respect to training those "with significant IT security responsibilities". In FY 2005, the CIO and CISO provided C&A training to the Secretary and other senior management officials having DAA responsibilities. This role-based training included a review of the C&A process and the responsibilities of the DAAs, Certifying Officials, ISSOs and other individuals assigned C&A roles and responsibilities. The Bureau IT Security Managers (BITSMs) are constantly engaging in external training and certification. Over 80 IT staff, including BITSMs and some of their security staff, have achieved certifications as Certified Information Systems Security Professionals (CISSP). In addition, eight employees recently achieved certification as Certification and Accreditation Professionals (CAP). These eight individuals are among the first in the country to receive such certification. Sec

    It's important to note that the 84,159 reported in a. includes ALL employees and contractors (per instructions). A percenta

    Question 7

    Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? Yes or No.

    Yes


    Section B: Chief Information Officer. Questions 8, 9, and 10.

    Agency Name: U.S. Department of the Interior

    Question 8

    8.a. Is there an agencywide security configuration policy? Yes or No.

    Yes

    Comments: Policy Directive issued by the Office of the Chief Information Officer

    8.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agencywide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

    Response choices include:
    - Rarely, or, on approximately 0-50% of the systems running this software
    - Sometimes, or on approximately 51-70% of the systems running this software
    - Frequently, or on approximately 71-80% of the systems running this software
    - Mostly, or on approximately 81-95% of the systems running this software
    - Almost Always, or on approximately 96-100% of the systems running this software

    Product                                   Addressed in      Do any agency      Approximate extent of implementation of the
                                              agencywide        systems run        security configuration policy on the
                                              policy?           this software?     systems running the software
                                              (Yes, No, or N/A) (Yes or No)
    Windows (version not legible in scan)     Yes               Yes                Frequently, or on approximately 71-80%
    Windows (version not legible in scan)     Yes               Yes                Rarely, or, on approximately 0-50%
    Windows (version not legible in scan)     Yes               Yes                Mostly, or on approximately 81-95%
    Windows (version not legible in scan)     Yes               Yes                Sometimes, or on approximately 51-70%
    Windows (version not legible in scan)     Yes               Yes                Mostly, or on approximately 81-95%
    Solaris                                   Yes               Yes                Mostly, or on approximately 81-95%
    HP-UX                                     Yes               Yes                Mostly, or on approximately 81-95%
    Linux                                     Yes               Yes                Rarely, or, on approximately 0-50%
    Cisco Router IOS                          Yes               Yes                Rarely, or, on approximately 0-50%
    Oracle                                    Yes               Yes                Sometimes, or on approximately 51-70%
    Other. Specify: IIS, SQL Svr, Other       Yes               Yes                Mostly, or on approximately 81-95%
    Windows, HP MPE, MAC, Novell, AIX

    Comments: Interior has established approved security configuration standards in the form of Security Technical Implementation Guides (STIGs). Interior's policy allows for bureaus to define, document, approve, and implement their own STIGs, which many have done, or implement Departmental STIGs. The CIO and IG differ in their perspectives with respect to the level of policy compliance and STIG implementation by Interior's bureaus and offices due to a misunderstanding between our respective interpretations of what the FISMA questions are asking and the IG's understanding of Interior's policy. The OIG appears to be of the opinion that bureaus must implement the Departmental STIGs and does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the CIO's FISMA report. The OIG has

    Question 9

    Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

    9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.

    Yes

    9.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. Yes or No.

    Yes

    9.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov Yes or No.

    Yes

    Comments: The IG's FISMA report differs from the CIO's with respect to question 9.b based on their observation that in 5 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO believes that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.

    Question 10

    10.a. Has the agency documented in its security policies special procedures for using emerging technologies (including but not limited to wireless and IPv6) and countering emerging threats (including but not limited to spyware, malware, etc.)? Yes or No.

    Yes

    10.b. If the answer to 10.a. is "Yes", briefly describe the documented procedures. These special procedures could include more frequent control tests & evaluations, specific configuration requirements, additional monitoring, or specialized training.

    Response: Interior develops, maintains, and updates IT security policies and Security Technical Implementation Guides (STIGs) to respond to emerging threats and technologies. As part of DOI's Certification and Accreditation (C&A) continuous monitoring process, systems are routinely assessed to identify and correct weaknesses resulting from newly discovered vulnerabilities. Depending on the nature of the emerging threat or technology, more frequent control testing, specialized training for network or system administrators, additional monitoring, or application of STIGs to ensure specific configuration requirements are met may be required for systems. Such requirements are typically specified through Departmental or bureau policy or standards, and Designated Approving Authorities have the discretion to identify additional system specific security control requirements depending on agency, risk, threat, and technological factors.

    Comments:


    Attachment A: 4.a. Incident Detection Capabilities.

    Response:

    Incident Response Tools and Technology

    The Department of the Interior Computer Incident Response Capability (DOI-CIRC) uses a variety of tools to classify, track, and report IT security incidents. E-mail, telephone, and collaborative communication are the predominate methods used to alert, track and manage incidents. In a network-wide alert, e-mail is used to notify all employees, IT staff, IT security professionals, or other well-defined groups of an ongoing security incident and the appropriate action to be followed. The incident response teams use e-mail and other collaborative communication tools to exchange information on an incident through the seven stages of remediation: detection, classification, containment, reporting, investigation, recovery, and closing. Web technology is used to inform employees of the action to be followed in reporting an incident, as well as to maintain a permanent record of the incident in a response database.

    A variety of specialized commercial and freeware tools, scripts, manual and automated procedures are used to collect, review, and correlate IT security system and host logs in the identification and investigation of an IT security incident. For virus and malicious code detection, DOI maintains an Enterprise Anti-Virus/virus protection software contract and uses a variety of commercial host- and network-based intrusion detection capabilities to identify, log, and alert malicious network activities.

    Incident Detection

    IT security incidents are reported from internal and external sources including: DOI employees, bureau IT security professionals, other federal agencies, and worldwide IT security organizations. As appropriate, DOI-CIRC alerts bureaus of security threats to the Department's network infrastructure and tracks the security alert from alert and classification through remediation and closing. In the initial phases of an alert, a security incident handler is assigned to track, record, and communicate information about the incident. Incidents classified high or medium are reported to the Bureau IT Security Manager (BITSM) and DOI-CIRC within two hours or two days, respectively. Incidents classified as low are reported to DOI-CIRC monthly.


    Perimeter and Wide-Area Network Incident Detection

    Logging is enabled on all security devices, including routers, network- and host-based firewalls, intrusion detection/prevention and other security systems. These security devices are configured to log access from, and egress to, the public Internet. In some environments, wide-area network routers are similarly configured to log events between internal network segments.

    Network- and host-based event logs are routinely monitored for indication of significant security events and potential malicious activity. Security events include network intrusions, scans, denial of service attacks, worms, and unauthorized access to network integrated devices in the DOI wide-area network infrastructure. Client initiated (egress) access is routinely reviewed to detect security incidents, including attempted propagation of malicious code from an infected or otherwise compromised host, inappropriate use of Internet services, or events including misconfigured internal hosts.

    REDACTED PUBLIC VERSION. Subject to Protective Order (Dkt. No. 2937) (Filed April 22, 2005). DOI's FY 2005 FISMA Report Regarding IT Security Information, Page 10 of 37. Defendants' Notice of Filing of DOI's FY 2005 FISMA Reports.
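    The egress review described above, as an added example written for this page (it is not DOI's own tooling and the log format is not any vendor's): the script below parses constructed firewall egress log lines and flags the two signals the paragraph names, an internal host fanning out to many distinct external hosts on one port within a short window (the propagation pattern of a worm or scanner, counted whether or not the firewall denied the attempt), and outbound SMTP from a host that is not an approved relay (a mass-mailing infection or a misconfigured internal host). The line format, the internal address ranges, the relay list and the thresholds are assumptions chosen for the example.

```python
"""Egress log review for propagation fan-out and SMTP policy violations.

Added example, not DOI code. The log line format is a constructed,
simplified text format (not any vendor's):
    <epoch> <src_ip> <dst_ip> <dst_port> <proto> <action>
Internal ranges, relay list and thresholds are assumptions for the example.
"""
from collections import defaultdict, deque
import ipaddress
import re

INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16"))
MAIL_RELAYS = {"10.0.0.25"}   # assumption: only this host may originate SMTP
FANOUT_THRESHOLD = 8          # assumption: distinct external targets on one port
WINDOW_SECONDS = 60           # assumption: sliding window for the fan-out count

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(tcp|udp)\s+(allow|deny)\s*$")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_events(lines):
    """Parse egress log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto, action = m.groups()
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "port": int(port), "proto": proto, "action": action})
    return events


def find_propagation(events):
    """Flag an internal host that reaches many distinct external hosts on
    the same port within WINDOW_SECONDS (worm/scanner fan-out). Denied
    connections count too: a blocked attempt is still a symptom."""
    by_key = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            by_key[(e["src"], e["port"])].append(e)
    alerts = []
    for (src, port), evs in by_key.items():
        window = deque()
        for e in sorted(evs, key=lambda x: x["ts"]):
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW_SECONDS:
                window.popleft()
            targets = {w["dst"] for w in window}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append({"src": src, "port": port,
                               "targets": len(targets), "ts": e["ts"]})
                break  # one alert per (host, port) is enough for triage
    return alerts


def find_smtp_violations(events):
    """Outbound SMTP from a host that is not an approved relay: either
    mass-mailing malware or a misconfigured internal host."""
    return sorted({e["src"] for e in events
                   if e["port"] == 25 and is_internal(e["src"])
                   and not is_internal(e["dst"])
                   and e["src"] not in MAIL_RELAYS})


def review(lines):
    events = parse_events(lines)
    return {"propagation": find_propagation(events),
            "smtp_violations": find_smtp_violations(events)}


# Constructed sample: one scanning host, one rogue mailer, benign traffic,
# and one unparseable line.
SAMPLE_LOG = (
    [f"{1000 + i} 10.1.2.3 203.0.113.{i + 1} 445 tcp deny" for i in range(10)]
    + ["1005 10.1.2.9 198.51.100.7 25 tcp allow",
       "1006 10.0.0.25 198.51.100.7 25 tcp allow",
       "1007 10.1.2.4 198.51.100.20 443 tcp allow",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

    Run as a script it reports the scanning host 10.1.2.3 on port 445 and the unapproved mailer 10.1.2.9; the approved relay and the single HTTPS connection are not flagged.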

    Internal Incident Detection and Alerting

    As part of the IT Security Program, each bureau operates a computer security incident team to work closely with the BITSM and DOI-CIRC in the classification, containment, reporting, and remediation of identified security incidents. Any event classified as a security incident is reported to DOI-CIRC and is addressed using the standard methodology presented in the Department of the Interior Computer Security Incident Response Handbook.

    Internal security events are reported to the bureau incident response team or DOI-CIRC for assignment of an event manager to track the event and log all action with the appropriate authorities. Viruses and malicious code are detected using anti-virus software technology deployed with individual workstations, mail servers, and SMTP e-mail gateway servers. Detection and quarantine/removal of malicious code is considered a security event and reported monthly to DOI. An infected message or other malicious payload inadvertently launched at the workstation is reported as a security incident.

    External Reporting of Security Incidents

    DOI and its bureaus maintain Internet e-mail accounts for reporting possible security incidents originating from DOI computer systems. These reports are delivered to the BITSM and computer security incident response team (CSIRT). The e-mail address for reporting security incidents to DOI is incident@circ.doi.gov.


    Discussion of Differences between CIO and IG Sections

    Introduction

    Each year, the Chief Information Officer (CIO) and the Inspector General (IG) complete different sections of the annual Federal Information Security Management Act (FISMA) report. The sections represent the respective viewpoints of the Office of the Chief Information Officer (OCIO) and Office of the Inspector General (OIG) with regard to the degree to which Interior's Information Technology (IT) Security Program is compliant with FISMA.

    This document provides a gap analysis between the OIG's characterization of Interior's FISMA compliance, as documented in their responses to Section C of the FY 2005 annual report and their Annual Evaluation of the Department of the Interior Information Security Program (Report No. NSM-EV-MOT-0013-2005), and the OCIO's characterization, as documented in their draft responses to Section B of the FY 2005 annual report.

    The OCIO and OIG worked together to develop and implement a cooperative monitoring agreement on the DOI IT security program. This program, funded by the Department ($1.1 million in FY 2005) and independently conducted by the OIG, provided critical information needed to prioritize further improvements to the DOI operational IT security posture. From quarterly updates provided by the OIG as well as penetration test results, the OCIO was able to promptly take action to correct vulnerabilities. Although additional corrective actions remain from some IG evaluations, many actions were taken immediately, including temporary disconnection from Internet access when warranted. The OCIO appreciates the efforts of the OIG in pointing out weaknesses or vulnerabilities, and has utilized the results to make significant improvements.

    The primary difference in the perspectives is a result of the ambiguity in FISMA, and more particularly, differences in the interpretation of the term "adequate security." The CIO believes that the criteria the OIG used exceed the basic requirements of FISMA.

    General Comments

    The OIG report portrays the DOI OCIO as being uncooperative, requiring the OIG to "modify various testing techniques" and that "information requested from the OCIO was very late in coming," incomplete, or not readable. This does not acknowledge the significant burden placed on already constrained OCIO resources. They were simultaneously engaged in producing over 4 1/2 million pages of documentation in response to the court, as well as meeting the new OIG requirements to produce voluminous material in the Cobell litigation (e.g., CDs and DVDs as well as other information) in support of the OIG FISMA evaluation.

    The effort by the OIG to obtain, load, and inspect copies of bureau hardened and secured baseline operating system and database images represented a significant new workload.


    The varying results (e.g., copies of default manufacturer provided images as opposed to hardened and secure baseline images) in obtaining these copies were partially attributed to insufficient advance notice for the new requirement and insufficient time to clearly communicate what was expected.

    The OIG report did not indicate that, for FY 2005, the OCIO provided funding to the OIG to participate with the Department in a collaborative but independent fashion to augment our compliance program. The report does not mention the significant progress in implementing corrective actions for weaknesses identified in the penetration tests performed by the OIG as part of the compliance program funded by the OCIO.

    In summary, the executive summary of the OIG report does not track with the analysis and conclusions provided in the remaining sections of that document. The Department acknowledges areas that need improvement. However, the OCIO believes that the OIG's interpretation of several of the questions asked in the FY 2005 FISMA reporting template exceeds the basic requirements of FISMA. For example, the report does not indicate:

    * Interior's Certification and Accreditation (C&A) policy, standards, guidelines, processes, and independent compliance reviews are substantially compliant with FISMA and NIST requirements;
    * Risk impact level (e.g., Low, Moderate, and High) determinations for confidentiality, integrity, and availability documented in System Security Plans meet or exceed NIST SP 800-60 and FIPS Pub 199 criteria;
    * Interior's authoritative Departmental Enterprise Architecture Repository (DEAR) has an accurate inventory of all major information systems;
    * Interior's POA&Ms and POA&M process are substantially compliant with OMB requirements;
    * Bureaus implemented approved bureau-level STIGs (e.g., security configuration standards) in conformance with Departmental policy; and,
    * Substantial C&A training was provided to Department and bureau senior management officials (e.g., Designated Approving Authorities (DAAs)) via the MIT forum.

    The OCIO believes that, at a minimum, the quality of our C&A process is satisfactory as supported by the following analysis and recommendations. The following analysis represents the perceived differences between the OCIO's and OIG's interpretation of those requirements.

    Analysis

    The following gap analysis is limited to the areas where the report shows differences of opinion between the CIO and IG. The format used to contrast each area of difference will be identification of the relevant question in Section C used to document the results of the IG's evaluation, and the corresponding question in Section B used to document the results of the CIO's assessment. In responding to each question in the FISMA reporting template, we believe the objective should be to consider whether Interior's IT security program is adequate when measured against the requirements of FISMA. The level of adequacy would include the degree to which Interior has substantially demonstrated compliance with Federal laws, regulations, and standards such as Memoranda and Circulars issued by the Office of Management and Budget (OMB) and Federal Information Processing Standard Publications (FIPS Pubs) and Special Publications (SPs) issued by the National Institute of Standards and Technology (NIST). Adequacy should be characterized by the degree to which:

    * Interior has adequate IT security policies,
    * Processes and procedures are in place to implement those policies, and
    * Programs and systems have been sufficiently tested to ensure that agreed upon security controls, as approved by senior management officials (e.g., Designated Approving Authorities (DAAs)) and as documented in security plans, are functioning as intended.

    IG's FISMA Questions 1a thru 1c and 2a thru 2c (Section C Response)
    CIO's FISMA Questions 1a thru 1c and 2a thru 2c (Section B Response)

    Difference: For each question, actual performance in FY 2005 by risk impact level and bureau are expected to be identified. The FISMA template provides a heading for the second column for these questions that reads "FIPS 199 Risk Impact Level." Potential risk impact ratings (e.g., High, Moderate, or Low) for Confidentiality, Integrity, and Availability (CIA) and the resulting overall security categorization of IT systems (e.g., the high-water mark of the impact ratings for CIA) for each system are documented in their respective System Security Plans (SSPs). The CIO responses to these FISMA questions are identified by the documented FIPS 199 Risk Impact Levels as required. The OIG does not recognize these documented risk impact levels as they have asserted that the method prescribed by the Department's Asset Valuation Guide (AVG) is not compliant with NIST FIPS Pub 199. However, the OIG also indicated the existing method used by Interior typically meets or exceeds the provisional impact ratings that would be obtained by using the NIST SP 800-60 and FIPS Pub 199 ratings.

    Discussion: The NIST standards provide for flexibility for agencies to define their own common data and information types. The standards also provide guidance for determining risk impact levels using those types, considering other factors unique to each agency, as long as the resulting sensitivity ratings equal or exceed the minimum thresholds and specifications prescribed by NIST. As long as agencies:

    * identify, select, implement, and test minimum mandatory management, operational, and technical security controls based on the security categorization of each system;
    * risk impact levels equal or exceed minimum expected sensitivity ratings as identified by the provisional ratings contained for similar data and information types specified in NIST SP 800-60; and
    * security controls are tailored to individual ratings for CIA, as specified by the draft NIST FIPS Pub 200 and the related NIST SP 800-53;

    then the agency has demonstrated a consistent and adequate methodology used to determine risk impact ratings for IT systems. Agencies aren't expected to have implemented NIST FIPS Pub 200 and SP 800-53 until one year following the final release of FIPS Pub 200, currently still in draft.

    In an earlier meeting with the OIG, the OCIO was informed that the sensitivity ratings and security categorizations were not documented in any of the C&A packages (e.g., in the SSP or the Risk Assessment report). The OCIO reviewed the C&A packages in question and found the information documented in the SSPs. In a follow-up conversation with the OIG, the OCIO was informed that the real issue was related to inconsistencies between what was documented in the AVGs compared to the SSPs. Although the AVG serves a useful purpose as a tool for the System Owner to develop a recommendation for the ratings to be considered by the DAA, it does not serve as the documentation for the final determination. The final sensitivity ratings for CIA, the overall security categorization and the agreed upon security controls are documented in the DAA-approved final SSP.

    The OIG report reflects a more narrow interpretation of the NIST standards which we believe is inconsistent in their recognition that Interior's existing process results in sensitivity and impact determinations which equal or exceed the provisional impact ratings identified in NIST SP 800-60, which inherently considers the NIST FIPS Pub 199 minimum impact rating determinations. This interpretation does not recognize the agency's discretion in identifying additional criteria and requirements which may result in higher impact levels being assigned to systems.
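    The high-water mark rule and the "equal or exceed the provisional ratings" test discussed above, carried through in code as an added example written for this page; it is not DOI's Asset Valuation Guide process or any DOI code. The information types and their provisional (C, I, A) ratings are constructed placeholders, not values copied from NIST SP 800-60. The example computes the FIPS 199 categorization of a system from the ratings of the information types it processes, then reports where a DAA-assigned rating falls below the provisional floor (which would fail the test the OCIO describes) or above it (agency discretion, with the control-cost implication the discussion goes on to note).

```python
"""FIPS 199 security categorization by high-water mark, with a check of
agency-assigned ratings against a provisional floor in the style of
NIST SP 800-60.

Added example, not DOI's AVG process or DOI code. The information types
and the provisional (C, I, A) ratings below are constructed for
illustration and are not values copied from SP 800-60.
"""

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed provisional ratings per information type (assumption).
PROVISIONAL = {
    "trust-asset-accounting": ("moderate", "moderate", "moderate"),
    "public-web-content": ("low", "moderate", "low"),
    "employee-directory": ("low", "low", "low"),
}


def _level(name):
    """Map an impact-level name to its rank; reject anything unexpected."""
    try:
        return LEVELS[name.strip().lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown impact level: {name!r}")


def categorize(ratings):
    """ratings: one (C, I, A) triple per information type the system
    processes. Each objective takes the maximum over all types, and the
    overall categorization is the high-water mark across C, I and A,
    as FIPS 199 prescribes."""
    if not ratings:
        raise ValueError("a system must carry at least one information type")
    if any(len(r) != 3 for r in ratings):
        raise ValueError("each rating must be a (C, I, A) triple")
    per_obj = [max(_level(r[i]) for r in ratings) for i in range(3)]
    result = {obj: NAMES[lvl] for obj, lvl in zip(OBJECTIVES, per_obj)}
    result["overall"] = NAMES[max(per_obj)]
    return result


def check_against_provisional(info_types, assigned):
    """Compare a DAA-assigned (C, I, A) rating for a system with the floor
    implied by the provisional ratings of its information types.

    below_floor: objectives rated lower than the floor, where the agency
    method fails the "equal or exceed" test.
    above_floor: objectives rated higher than the floor, permitted agency
    discretion but the source of extra control cost."""
    try:
        floor = categorize([PROVISIONAL[t] for t in info_types])
    except KeyError as e:
        raise ValueError(f"no provisional rating for information type {e}")
    if len(assigned) != 3:
        raise ValueError("assigned rating must be a (C, I, A) triple")
    below, above = [], []
    for obj, val in zip(OBJECTIVES, assigned):
        if _level(val) < _level(floor[obj]):
            below.append(obj)
        elif _level(val) > _level(floor[obj]):
            above.append(obj)
    return {"floor": floor, "assigned": categorize([tuple(assigned)]),
            "below_floor": below, "above_floor": above}


if __name__ == "__main__":
    # Constructed system: two information types, DAA rated integrity High.
    print(check_against_provisional(
        ["trust-asset-accounting", "public-web-content"],
        ("moderate", "high", "moderate")))
```

    For the constructed system in the script, the provisional floor is Moderate on all three objectives, the DAA-assigned integrity rating of High raises the overall categorization to High, and the check reports integrity as the only objective above the floor.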

    The OCIO recognizes the need to reevaluate the existing process to ensure that systems are not overly categorized in terms of data and information sensitivity and impact ratings. This is particularly important as there is an associated burden and cost implication to implement the operational and technical security controls appropriate to these ratings.

    The OIG appeared to base their conclusion on interviews with individuals as to whether they had followed NIST FIPS Pub 199 in determining these ratings. The individuals were not familiar with that NIST publication and had indicated that they had used the AVG process. The OIG did not provide recognition in their report that the sensitivity determinations had been based on consistent application of the AVG methodology. They also did not indicate that the AVG process resulted in sensitivity determinations lower than what they would expect from the FIPS Pub 199 process alone. There is no requirement that individuals be familiar with the specific NIST FIPS Pub 199 reference (e.g., recognize the name or title of a reference) if they are following an agency-prescribed process that incorporates those requirements.

    The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with these questions exceed the essential requirements of FISMA.

    IG's FISMA Question 3b (Section C Response)
    CIO's FISMA Question: No corresponding question(s) (Section B Response)

    Difference: Question 3b asks the IG to evaluate the degree to which "The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including identification of the interfaces between each such system and all other systems or networks including those not operated by or under the control of the agency." The IG's response characterizes Interior's inventory of "major information systems" as "approximately 81-95% complete" while the CIO remains confident that the Department Enterprise Architecture Repository (DEAR), the authoritative repository for IT system inventory, contains an accurate inventory of the Department's major information systems.

    Discussion: The OIG's evaluation does not identify any specific discrepancies with respect to the Department's inventory of major information systems necessary to substantiate their response characterizing Interior's inventory at anything less than 100%.

    The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

    IG's FISMA Question 4a (Section C Response)
    CIO's FISMA Question: No corresponding question(s) (Section B Response)

    Difference: Question 4a asks the IG to select from one of several response categories with respect to the degree to which "The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency." The OIG selected the response category of "Sometimes, for example, approximately 51-70% of the time" and in their comments on the FISMA response indicated that they "did not determine the amount of unreported IT security weaknesses that were not included in the POA&Ms". The OCIO has no basis to suggest that weaknesses captured on POA&Ms are anything less than the highest response category option of "Almost Always, for example, approximately 96-100% of the time."

    Discussion: In FY 2005, the DOI POA&M process tracked 2,895 weaknesses. The OIG acknowledges that DOI captures up to 95% of OIG identified weaknesses. The Department has very formal procedures in place, particularly for the financial audit, to ensure 100% of weaknesses are recorded in system POA&Ms. The OCIO is at a loss to determine where another 1,000+ weaknesses (this number would be based on the OIG's current response indicating that the Department incorporates known weaknesses only "Sometimes, for example, approximately 51-70% of the time") should be derived. It appears that there is substantial agreement on the nature and number of weaknesses and the POA&M report takes exception to methods of resolution.

    The remaining findings are based upon the OIG report for the DOI POA&M process that questions the methods by which POA&M items are closed and the nature of prioritization. In response to OIG concerns, the DOI CIO directed (OCIO Directive 2005-007) a complete audit to verify that FY 2005 POA&M items were appropriately closed. Every program official was required to certify in writing that closed items met appropriate criteria for closure or re-open the weakness for action. While we saw a 25% increase in the number of new findings for FY 2005 Q3 and FY 2005 Q4, this increase is explained by the audits and self-assessments that occurred during this time period. In short, a 100% audit of 1,389 FY 2005 closed POA&M weaknesses (through Q3) did not conclude the same level of discrepancy as the 133 item sample in the POA&M report. Further, the draft POA&M report cites the September and November 2004 POA&M submission for a majority of its findings. That data is more than a year old and may not sufficiently characterize the FY 2005 POA&M program.

    Lastly, every POA&M weakness is prioritized within the system for which it is attributed, a point acknowledged by the OIG team. OCIO staff has discussed this point and commented to the report that a Departmental prioritization scheme is not required and administratively inappropriate. Each system is required to pursue appropriated funds through the relevant investment portfolio. Bureau managers may not reallocate those resources outside the portfolio based on Departmental priorities. Therefore, the most meaningful and effective prioritization is within each system. Additionally, this meets FISMA requirements and should be acknowledged as such.

    IG's FISMA Question 4b (Section C Response)
    CIO's FISMA Question: No corresponding question(s) (Section B Response)

    Difference: Question 4b asks the IG to select from one of several response categories with respect to the degree to which "When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Although DOI's POA&M process for IT security weaknesses includes the development, implementation, and management of POA&M for systems, DOI does not adequately manage the weaknesses adequately through its POA&M process." The OCIO has no basis in fact to suggest that program officials do not develop, implement, and manage POA&Ms for their systems when IT security weaknesses are identified. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question.

    Discussion: The FISMA question specifically asks the question as to whether or not program officials (including CIOs) develop, implement, and manage POA&Ms for their systems when weaknesses are identified. The Department has demonstrated that there are POA&Ms for every system that is reported quarterly. Ideally, there would be a specific FISMA question, or questions, that inquire about specific quality characteristics of the POA&Ms and POA&M process. This particular FISMA question does not inquire about the quality or adequacy of either, and simply asks if program officials are managing weaknesses via their program or system POA&Ms.

    The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

    With respect to any questions regarding quality, raised in the comment section of the IG's FISMA report, the OIG relied on FY 2004 POA&Ms as the basis for their conclusions. The OIG's analysis did not take into consideration the substantial improvements to the FY 2005 POA&M process resulting from issuance of several OCIO Directives. In FY 2005, bureau CIOs were required to verify and validate completed actions on their POA&Ms and submit a signed certification statement attesting that they have done so with the submission of each of their quarterly POA&Ms. The OIG's report does not consider any FY 2005 progress and actually represents the state of the FY 2004 POA&M process. The characterization of Interior's POA&M process on the FISMA report should more appropriately reflect the effectiveness of the FY 2005 process.

    The OMB Memorandum 04-25 states the following with respect to the level of detail used to describe weaknesses in a POA&M:

    "Detailed descriptions of specific weaknesses are not necessary, but sufficient data is necessary to permit oversight and tracking. For example, to the maximum extent practicable agencies should use the types of descriptions commonly found in reports of the GAO and IGs such as "inadequate password controls," "insufficient or inconsistent data integrity controls," "inadequate firewall configuration reviews," "background investigations not been performed prior to system access," "physical access controls are insufficient," etc."

    Furthermore, OMB M-04-25 states that:

    "IGs are again asked to assess against minimum requirements whether the agency has developed, implemented, and is managing an agency-wide POA&M process (see Section C of the reporting template)."

    The IG's report should distinguish between when recommendations exceed the essential requirements of FISMA and OMB and be consistent in interpreting the adequacy or inadequacy of POA&M processes with respect to those "minimum requirements."

    IG's Draft FISMA Question 4c (Section C Response)
    CIO's Draft FISMA Question: No corresponding question(s) (Section B Response)

    Difference: Question 4c asks the IG to select from one of several response categories with respect to the degree to which "Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress." The OIG selected the response category of "Sometimes, for example, approximately 51-70% of the time" and in their comments on the FISMA response indicated that "Although DOI program officials report to the CIO on a quarterly basis, we did not find any indications that contractors were reporting security weaknesses to program officials or bureau CIOs and that these security weaknesses were being reported by the program officials on the." This sentence was prematurely terminated but the CIO assumes that it was to conclude with the word POA&M. The OCIO has no basis to suggest that program officials, including contractors, do not report to the CIO on a regular basis (at least quarterly) on their remediation progress. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question.

    If the OIG's evaluation provides evidence to support their conclusion with respect to contractor reporting, then the OCIO believes that the response category of "Mostly, for example, approximately 81-95% of the time" would be appropriate. However, the OCIO is not aware of any specific details with respect to the absence of POA&Ms for contractor systems or any instances of non-reporting of POA&Ms to the CIO for such systems. The OCIO has provided copies of system POA&Ms and signed certification statements from relevant DOs associated with the contractor systems to the OIG.

    157/167 or 94% compliance towards meeting this requirement.

    CIO as part of the last quarterly POA&M submission and reporting cycle.

    Discussion: Assuming that an unauthorized individual was addressing the issue of risk acceptance on their own, without the concurrence of the Designated Approving Authority (DAA), the numbers of such occurrences are not quantified sufficiently to suggest noncompliance. Compared to the thousands of weaknesses that are being tracked, managed, and reviewed, it is difficult to see how the OIG could conclude at this point that the number of any such instances could contribute to between 50% and 100% non-compliance with respect to this requirement. To the extent that the IG is aware of a number of such isolated incidents and has not identified such systemic issues on a larger and quantifiable scale, it does not appear reasonable for these occurrences to be used to extrapolate conclusions about noncompliance.

    The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

    IG's Draft FISMA Question 4e (Section C Response)
    CIO's Draft FISMA Question: No corresponding question(s) (Section B Response)

    Difference: Question 4e asks the IG to select from one of several response categories with respect to the degree to which the "OIG findings are incorporated into the POA&M process." The OIG selected the response category of "Mostly, for example, approximately 81-95% of the time." The OCIO has no basis in fact to suggest that OIG findings are not being incorporated into POA&Ms. Therefore, the OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question as there have been no known instances where OIG findings were not incorporated into the POA&M process.

    Discussion: OIG "findings" are required to be always incorporated into the program- and system-level POA&Ms along with weaknesses identified from other sources. The CIO feels that the distinction would be that OIG "recommendations" are not always incorporated into the POA&M process as senior management does not always concur with such "recommendations" and has the discretion to consider whether or not such "recommendations" are required to be acted on or not. For the purpose of the FISMA report, the CIO requests that the OIG consider whether or not their response was based on the notion of incorporating "recommendations" vs. "findings", which might have contributed to a different perspective.

    The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

    IG's Draft FISMA Question 4f (Section C Response)
    CIO's Draft FISMA Question: No corresponding question(s) (Section B Response)

    Difference: Question 4f asks the IG to select from one of several response categories with respect to the degree to which the "POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources." The OIG selected the response category of "Rarely, for example, approximately 0-50% of the time" and in their comments on the FISMA response indicated that "Currently bureaus prioritize weaknesses within system POA&Ms. However, we found little evidence that DOI overall prioritizes IT security weaknesses to ensure funding for this project." The OCIO finds that the response category option of "Almost Always, for example, approximately 96-100% of the time" is a more appropriate characterization of compliance with respect to this question. The Department's POA&M process prioritizes IT security weaknesses consistent with OMB's requirements and within the constraints imposed by budgetary and capital planning and investment control (CPIC) processes.

    Discussion: Interior's IT security program- and system-level POA&Ms include the appropriate level of detail and information required by the Office of Management and Budget (OMB) Memorandum 04-25. Prioritization of corrective actions is the responsibility of each Designated Approving Authority (DAA). Each DAA ensures that weaknesses are addressed in a timely manner and receive appropriate resources through their review and approval of their respective POA&Ms, which identify:

    * description of each weakness;
    * risk-level associated with each weakness;
    * specific corrective action milestones;
    * scheduled commitments to accomplish each milestone; and
    * resources (budgetary and staff) required to implement each

  • 8/14/2019 US Department of Justice Court Proceedings - 11172005 notice

    47/235

  • 8/14/2019 US Department of Justice Court Proceedings - 11172005 notice

    48/235

    corrective action.

    The DAA has the responsibility of making determinationsregarding

    risk acceptance and the duration and conditions under whichthey

    will accept any residual risks.

    Lastly. every POA&M weakness is prioritized within the systemfor

    which it is attributed. Point acknowledged by the OJG team.OCIO

    stafihas discussed this point and commented to the report thata

    Departmenta' prioritization scheme is not required andadministratively inappropriate. Each system is required to

    pursueappropriated funds through the relevant investment portfolio.Burcau managers may not reallocate those resources outside theportfolio based on Departmental priorities. Therefore, the

    mostnicaningftul and effective prioritization is within each

    system.Additionally, this meets FISMA requirements and should beacknowledged as such.

    The ClO believes that the OIG's criteria used to evaluate thedegree

    to which Interior is compliant with this question exceed theessential

    requirements of FISMA.

IG's Draft FISMA Section C Response: Question 5
CIO's Draft FISMA Section B Response: No corresponding question(s)

Difference
Question 5 asks the IG to "assess the overall quality of the Department's certification and accreditation process." The OIG selected the response category of "Poor" without qualifying comments within the FISMA reporting template. The OCIO finds that the response category option of at least "Satisfactory" is a more appropriate characterization of compliance with respect to this question, based on our analysis of the current state of the C&A process.

Discussion
In the OIG's Annual Evaluation report, the IG points to several factors contributing to their characterization of the Department's C&A process being rated as poor. The CIO maintains that the Department's Asset Valuation Guide (AVG) process to determine risk impact levels and security categorizations of systems for confidentiality, integrity, and availability equals or exceeds any ratings based on NIST FIPS Pub 199 and NIST SP 800-60 alone. The levels of concern expressed in appendix F of the Department's AVG guide used in determining potential impact ratings (e.g., Low, Moderate, or High) for Confidentiality, Integrity, and Availability (CIA) are consistent with FIPS Pub 199. The AVG guide also identifies 15 sensitive information categories for Interior and the minimum expected impact ratings to be used for Interior's IT systems.

The Department's C&A, System Security Plan, Risk Assessment report, Security Test and Evaluation, and Contingency Planning guides substantially address the requirements of applicable NIST standards and guidelines.

The OCIO performed independent reviews of the quality of C&A packages and issued compliance reports back to each bureau identifying areas needing improvement. This process has resulted in many C&A packages being revised, resulting in significant improvement in the quality of those packages, and 98% of Interior's systems are certified and accredited.

The OIG's report indicates that 8 of 17 systems reviewed had ST&E reports that were dated after they were accredited, while the OCIO's records in Command Center indicate that approximately 31 of 171 C&A systems of record have ST&E reports dated after the date of the accreditation letter. This represents a potential concern with less than 20% of the C&A packages, as opposed to the OIG's information indicating potential concerns with approximately 47% of the packages. These perspectives also don't identify whether or not the ST&Es were actually concluded prior to the DAA's decision to accredit their respective systems and whether or not those decisions were based on vulnerabilities and weaknesses identified in the ST&E. Consideration should be given to the actual dates within which the ST&Es were actually performed and the DAAs having had the benefit of those results, as opposed to the date of the ST&E report documentation, which may have subsequently been revised based on feedback from independent reviews performed by the OCIO on the quality of those reports.
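The comparison described in the paragraph above (which systems have an ST&E dated after the accreditation letter, and why the date testing concluded matters more than the date on the report document) can be scripted over a C&A inventory. The following is an added example and is not code from the Department's FISMA report or from Command Center; the records are constructed for illustration and the record field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class CaPackage:
    """One C&A system of record (field names are assumptions for this example)."""
    system: str
    accredited: date               # date of the DAA's accreditation letter
    ste_report: date               # date on the ST&E report document (may be a later revision)
    ste_performed: Optional[date]  # date ST&E testing actually concluded, if recorded


def ste_after_accreditation(pkgs: List[CaPackage], use_performed_date: bool = True) -> List[str]:
    """Return the systems whose ST&E postdates the accreditation decision.

    With use_performed_date=True the check uses the date testing concluded when it is
    recorded and falls back to the report date only when it is not; with False it
    compares the report document date alone, which is all a records-only review sees.
    """
    flagged = []
    for p in pkgs:
        when = p.ste_report
        if use_performed_date and p.ste_performed is not None:
            when = p.ste_performed
        if when > p.accredited:
            flagged.append(p.system)
    return flagged


def concern_share(flagged: int, total: int) -> float:
    """Percentage of packages flagged, rounded to one decimal place."""
    return round(100.0 * flagged / total, 1)


# Constructed sample inventory (not Interior data).
SAMPLE = [
    # Testing and report both predate accreditation: no concern under either check.
    CaPackage("System A", date(2005, 3, 1), date(2005, 2, 20), date(2005, 2, 15)),
    # Testing concluded before accreditation, but the report was revised afterwards
    # (for instance after a quality review): a report-date check flags it, a
    # performed-date check does not.
    CaPackage("System B", date(2005, 4, 10), date(2005, 5, 2), date(2005, 3, 30)),
    # Testing concluded after accreditation: a genuine concern under both checks.
    CaPackage("System C", date(2005, 6, 1), date(2005, 6, 25), date(2005, 6, 20)),
    # No performed date recorded: the report date is all there is to go on.
    CaPackage("System D", date(2005, 7, 1), date(2005, 7, 15), None),
]

if __name__ == "__main__":
    by_report = ste_after_accreditation(SAMPLE, use_performed_date=False)
    by_performed = ste_after_accreditation(SAMPLE)
    print("report-date check:   ", by_report, concern_share(len(by_report), len(SAMPLE)), "%")
    print("performed-date check:", by_performed, concern_share(len(by_performed), len(SAMPLE)), "%")
    # The two proportions quoted in the report, for reference.
    print("OIG sample, 8 of 17:     ", concern_share(8, 17), "%")
    print("OCIO records, 31 of 171: ", concern_share(31, 171), "%")
```

The gap between the two results is the point the response raises: a comparison of report dates alone overstates the concern whenever a report is revised after accreditation, so an inventory that is to support this check should record the date testing concluded, and the accreditation file should show that the DAA had those results before signing.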

The IG's report does not contest the merits on which the DAA based their accreditation decision, which suggests that the certifications and accreditations are valid and based on each DAA's understanding and acceptance of any remaining residual risk to their systems.

With respect to the OIG's characterization of the POA&M process, the OIG relied on FY04 POA&Ms and did not benefit from a more recent study of the FY05 POA&Ms and associated process. The OCIO responded to these findings and recommendations in a separate response indicating that Interior's FY05 process has substantially improved and that we had proactively taken measures to improve the process which already had addressed the IG's recommendations.

The OCIO recognizes the need to make some additional updates to C&A guidance in light of the significant number of new or revised standards and guidelines issued by NIST, which should be implemented in FY06 to implement FIPS Pub 200 and related SP 800-53 and 800-53A. Nonetheless, the CIO maintains that for FY05 the C&A process within Interior remains satisfactory. Beginning one year after the issuance of FIPS Pub 200 by NIST, the CIO recognizes that existing System Security Plans and ST&E processes will be in jeopardy if these new requirements are not effectively implemented.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA.

IG's Draft FISMA Section C Response: Question 6
CIO's Draft FISMA Section B Response: Question 8

Difference
Question 6a asks "Is there an agency wide security configuration policy." The OIG selected the response of "Yes" and identified the relevant OCIO Directive. This question (both 6a and 6b) relates to agency policy and implementation of approved Security Technical Implementation Guides (STIGs). Each STIG provides specific security hardening and configuration instructions and parameters for various types of network resources and devices (e.g., operating systems, databases, routers, etc.). Question 6b asks the IG to "Approximate the extent of implementation of the security configuration policy on the systems running the software." The FISMA reporting template identifies 11 products for which the CIO and IG must select a response choice to indicate the degree to which systems have implemented approved STIGs. The CIO and IG differ in their response choices, as there is a difference between our respective interpretations of what the FISMA questions are asking and the IG's understanding of Interior's policy.

Discussion
The OIG appears to be of the opinion that bureaus must implement the STIGs specified in Command Center (the Department's current IT security information dissemination portal) but acknowledges that bureaus frequently have their own STIGs which they implement. The CIO disagrees with the IG's interpretation, as Interior's policy allows for bureaus to define, document, approve, and implement their own STIGs, which many have done. Bureaus are only required to implement the Department's STIGs available through Command Center whenever the bureau does not have their own approved STIG.

The CIO believes that the OIG's criteria used to evaluate the degree to which Interior is compliant with this question exceed the essential requirements of FISMA. The OCIO also believes that the IG report does not reflect the same credit and degree of compliance with respect to bureau-level implementation of STIGs as the CIO's FISMA report reflects.

IG's Draft FISMA Section C Response: Question 7b
CIO's Draft FISMA Section B Response: Question 9b

Difference
Question 7b asks does "The agency follow documented policies and procedures for external reporting to law enforcement." The OIG selected the response choice of "No" based on their observation that in 8 of 12 instances the OIG was not notified. Unlike many other response choices for other questions in the FISMA template, this is a binary answer and does not enable a more appropriate selection that would identify the relative frequency where such incidents are in fact reported to the IG, or consideration of circumstances preventing full compliance with established external reporting procedures. The CIO feels that appropriate policies and procedures are in place and that there may be other mitigating circumstances that may have precluded adherence to these general procedures.

Discussion
Circumstances about why the 8 incidents were purportedly not reported via the IG were not sufficiently articulated. It is unclear what factors contributed to the lapse in notification for these specific incidents, but it is clear that notification policies and procedures are in place and have successfully been used in other instances. The CIO acknowledges that Interior's policy requires notification of the OIG's Office of Investigations when IT security incidents are reported to external law enforcement. The CIO understands that the responsible OIG office was not well positioned for most of FY 2005 to receive, or respond to, such notifications. However, it should be recognized that Interior's bureaus and offices did engage other appropriate law enforcement officials to respond to incidents where appropriate.

  • 8/14/2019 US Department of Justice Court Proceedings - 11172005 notice

    56/235

IG's Draft FISMA Section C Response: Question 8
CIO's FISMA Section B Response: Question 6

Difference
Question 8 asks "Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities." The OIG selected the response choice of "Mostly, or approximately 81-95% of employees have sufficient training," which is inconsistent with the CIO's analysis.

Discussion
The OCIO's performance metrics with respect to annual awareness training and role-based training identify the following relevant metrics in question 6 of the CIO's response:

Total number of employees in FY05: 84,159
Number of employees that received IT security awareness training in FY05, as described in NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (October 2003): 82,818 (98.41%)
Total number of employees with significant IT security responsibilities: 2,611
Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (April 1998): 1,736 (66.49%)

The CIO is advocating that the progress in the areas of awareness and role-based training be equally weighted, which would result in the selection of "Almost Always, or approximately 96-100% of employees have sufficient training" based on the resulting weighted average of 97.48%. Additional credit should include recognition of the C&A training provided to the Secretary and Designated Approving Authorities (DAAs) by the CIO and CISO regarding the C&A process and each of their respective roles and responsibilities. Interior also has over 80 individuals who have achieved and are maintaining certification as a Certified Information Systems Security Professional (CISSP) from the International Information Systems Security Certification Consortium, Inc., or (ISC)².

[Pages 29 and 30 of 37 are not legible in this scan. Page 29 appears to be the IG's Section C table of system counts by bureau and FIPS 199 impact level (High, Moderate, Low, Not Categorized), with sub-totals and percentages for certification and accreditation and testing status. Page 30 appears to carry the IG's Section C response text for questions 4.d, 4.e and 4.f (response categories given as percentage ranges of the time), with references to NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004), and FIPS 199 (February 2004).]

Section B: Inspector General. Questions 6, 7, 8, and 9.

Agency Name:

Question 6

6.a. Is there an agency wide security configuration policy? Yes or No.
Response: Yes
Comments: OCIO Directive 2004-007, March 05, 2004, Standardized System Security Configuration

6.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

Columns: Product | Addressed in agency wide policy? | Do any agency systems run this software? | Approximate the extent of implementation of the security configuration policy on the systems running the software.

Response choices include:
* Rarely, or on approximately 0-50% of the systems running this software
* Sometimes, or on approximately 51-70% of the systems running this software
* Frequently, or on approximately 71-80% of the systems running this software
* Mostly, or on approximately 81-95% of the systems running this software
* Almost Always, or on approximately 96-100% of the systems running this software

Y