Federal Communications Commission
Office of Inspector General
FY 2001 Government Information Security Reform Act Evaluation
September 5, 2001
Prepared by KPMG, LLP

EXECUTIVE SUMMARY

Background

The Government Information Security Reform Act (Security Act), passed last year as part of the FY 2001 Defense Authorization Act (P.L. 106-398), amended the Paperwork Reduction Act of 1995 (PRA) by adding a new subchapter on information security. The Security Act focuses on the program management, implementation, and evaluation aspects of the security of unclassified and national security systems. Generally, the Security Act codifies existing Office of Management and Budget (OMB) security policies, Circular A-130, Appendix III, and reiterates the security responsibilities outlined in the Computer Security Act of 1987, the PRA, and the Clinger-Cohen Act of 1996. In addition, the Security Act requires annual agency program reviews and annual independent evaluations for both unclassified and national security programs.

A key provision of the Security Act requires that the Inspector General (IG) perform an annual independent evaluation of the information security program of the Federal Communications Commission (FCC). The Security Act also permits the IG to select an independent evaluator to perform this evaluation. The IG contracted with KPMG, LLP to perform the independent evaluation required by the Security Act. The purpose of this review was to perform the independent evaluation of the FCC's information security program and practices, as required by the Act, to ensure proper management and security of the information resources supporting the agency's operations and assets. To perform this independent evaluation, we followed the guidance in OMB Memorandum M-01-08, entitled "Guidance on Implementing the Government Information Security Reform Act" and dated January 16, 2001.
Also relevant to this evaluation was OMB Memorandum M-01-24, entitled "Reporting Instructions for the Government Information Security Reform Act" and dated June 22, 2001. OMB M-01-24 provided the topics/questions that were required to be addressed in the IG's independent evaluation of the FCC's information security program and practices. The independent evaluation, which includes the responses to topics/questions 2 through 13, is attached.

The fundamental mission of the Federal Communications Commission (FCC) is to implement the Communications Act of 1934, as amended, in a manner that promotes competition, innovation, and deregulation in the communications industry and the availability of high quality communications services for all Americans. To achieve these objectives, the Commission must strive to stay on the cutting edge of changes in technology, economics and law. As stated in the Commission's FY 2002 Budget Estimate to Congress, the advent of Internet-based and other new technology-driven communications services will continue to erode the traditional regulatory distinctions between different sectors of the communications industry. The FCC recognizes that its most immediate challenge is to integrate the changing character of the industry into its core functions of 1) licensing; 2) consumer protection; 3) enforcement; 4) promotion of competitive markets; and 5) spectrum management.

In the past few years, the FCC has streamlined its licensing procedures and implemented electronic filing capability in 78 services, 72% of all licensing systems. At the end of Fiscal Year 2000, 62% of all license applications were filed electronically. Additionally, 93% of all applications were acted on within the FCC's speed-of-disposal goals. Implementation of these electronic licensing systems has improved processing time and significantly decreased the number of backlogged applications.
In Fiscal Year 2000, the FCC made its website more accessible to its Internet users. The FCC received 320 million "hits," making the FCC one of the most popular government online sites. The FCC's consumer information centers received more than 789,000 consumer inquiries on such hot topics as cramming, slamming and spamming. Supporting these information technology initiatives requires an effective information security program that safeguards the FCC's computer-based assets from technological vulnerabilities and from disruption of services. To support today's information technology infrastructure, effective management, operational and technical controls are essential. The FCC's method of implementing the requirements of the Security Act focuses on ensuring that its programs and policies comply with OMB A-130 requirements and with National Institute of Standards and Technology (NIST) guidance.

Evaluation Objective

The objective of this independent evaluation was to examine the Commission's security program and practices. The examination included testing the effectiveness of security controls for an appropriate subset of the Commission's systems. The evaluation objective also included a review of the Commission's security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management. The specific objectives of the evaluation were to:

* Obtain an understanding of the Commission's Information Technology (IT) infrastructure;
* Obtain an understanding of the Commission's information security program and practices;
* Use the Security Act security assessment tool to evaluate the effectiveness of the Commission's information security program and assess risk for each component of the program. At a minimum, the assessment should include an identification and ranking of the critical information security threats to the FCC IT infrastructure on a risk/vulnerability basis; and
* Prepare the annual submission in accordance with the reporting requirements mandated under the Security Act for Fiscal Year 2001. In addition to preparing the annual submission, provide a detailed report that (1) identifies and ranks the critical security risk factors and (2) contains observations and recommendations for improvements, if any.

Evaluation Scope

The evaluation approach consisted of reviewing documentation, including previous special reviews and audits; conducting interviews; attending meetings; and making observations. Our procedures were designed to comply with applicable auditing standards and guidelines, including AICPA Professional Standards, Generally Accepted Government Auditing Standards (GAGAS), and GAO's Federal Information Systems Control Audit Methodology (FISCAM). However, this review was intended to be a risk assessment and not a general controls review; FISCAM was used as appropriate to assess management, operational and technical controls.

The scope of the evaluation included the security infrastructure managed by the Office of Managing Director's Information Technology Center (ITC) and the Auctions Automation Branch of the Wireless Telecommunications Bureau (WTB). In addition, the scope included an appropriate subset of the Commission's business applications. As part of our evaluation of the FCC's Computer Security Program, we selected the Consolidated Database System (CDBS) application for review. CDBS is a major application operated by the Commission's Mass Media Bureau. The evaluation methodology used was the questionnaire in the National Institute of Standards and Technology (NIST) Self-Assessment Guide for Information Technology Systems.
The final NIST Self-Assessment Guide was not available; therefore, the draft Self-Assessment Guide was used. Our observations are organized according to the NIST control areas: management controls, operational controls, and technical controls. Within each control area, specific control objectives are addressed.

Management Controls - Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. The specific management control objectives addressed are:

* Risk Management
* Review of Security Controls
* Life Cycle
* Authorize Processing (Certification & Accreditation)
* System Security Plan

Operational Controls - The operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. The specific operational control objectives addressed are:

* Personnel Security
* Physical and Environmental Protection
* Production, Input/Output Controls
* Contingency Planning
* Hardware and System Software Maintenance
* Data Integrity
* Documentation
* Security Awareness, Training and Education
* Incident Response Capability

Technical Controls - Technical controls focus on security controls that the computer system executes. These controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data.
The specific technical control objectives addressed are:

* Identification and Authentication
* Audit Trails
* Logical Access Controls

Results of the Independent Evaluation

As a result of the independent evaluation, we have concluded that the Commission has a generally effective information security program with acceptable practices for managing and safeguarding the FCC's information technology assets. During the evaluation, we identified in-place controls in key areas, such as a current computer security program policy. An update to the current policy is already in circulation for approval, and it is planned that this updated policy will replace the current policy by November 2001. The revised computer security program policy, which is in draft, indicates that the FCC is proactive in keeping pace with technological challenges, changes, demands, and innovations. The FCC is diligent about synchronizing its procedures with OMB A-130 guidance. The security plan templates that have been created for general support systems and major applications are designed in accordance with NIST guidance for developing security plans. The FCC has begun development of its security plans; however, an area for improvement is to complete the security plans for all of the major applications. On a monthly basis, the Computer Security Officer conducts Security Awareness Training for all new users who are granted access to the FCC Network general support system. Also in place is a recently developed system development life cycle methodology that was developed jointly by the Information Technology Center (ITC) and the Office of Inspector General (OIG).

One initiative demonstrated by the ITC was a site visit to J.P. Morgan/Chase Bank before the bank was allowed to process FCC data. The ITC group made an unannounced visit to the J.P. Morgan office in New York to review the effectiveness of the bank's security posture. The visit proved successful, and authorization for J.P. Morgan to handle processing for the FCC was awarded.

Last year, the FCC conducted numerous computer security assessments. The assessments identified potential risks and provided countermeasures and safeguards to mitigate the risks identified. In addition, a risk assessment of the FCC Net and Auctions LAN general support systems was conducted.

Although the FCC has several controls in place, areas for improvement exist in the management, operational and technical control areas. To strengthen the agency's security program and practices, a strategy and plan of action, as prescribed by OMB M-01-24, Reporting Instructions for the Government Information Security Reform Act, topic/question #14, should be developed. The plan should include milestones with completion dates, describe how the agency plans to address the control areas identified through the independent evaluation as needing to be strengthened, and identify a strategy to overcome any obstacles that would affect addressing known weaknesses.