Federal Managers' Financial Integrity Act (FMFIA) of 1982
During FY 2007, the Department reviewed its management control system in accordance with the requirements of FMFIA, and Office of Management and Budget (OMB) and Departmental guidelines. The objective of the Department’s management control system is to provide reasonable assurance that:
Section 2 of FMFIA – Internal Management Controls
Section 2 of the FMFIA requires that federal agencies report, on the basis of annual assessments, any material weaknesses that have been identified in connection with their internal and administrative controls. The efficiency of the Department’s operations is continually evaluated using information obtained from reviews conducted by the Government Accountability Office (GAO) and the Office of Inspector General (OIG), and from specifically requested studies. The diverse reviews that took place during FY 2007 relative to nonfinancial controls provide assurance that the Department’s systems and management controls comply with standards established under FMFIA, with the exception of one material weakness. As discussed in detail below, this material weakness involves information technology (IT) security issues and the need to improve the quality of certification and accreditation (C&A) processes and documentation for IT systems. See Appendix D for a summary of material weaknesses reported under Section 2 of FMFIA.
Department-wide Enhancements to IT Security Continue
Given the continuing significant focus across the federal government, in general, and the Department, specifically, on the need for effective cyber security and the protection of sensitive information, the Department continued working assiduously to enhance its IT security program during FY 2007. In addition to other improvements made in recent years, the Department has adopted a comprehensive approach to IT security by utilizing enterprise architecture and governance to address security matters from the earliest stages of an IT investment’s lifecycle. By fully considering IT security needs and building on the collective strength of its operating units, the Department has implemented an IT risk management model that combines centralized and decentralized processes in a way that ensures an appropriate level of standardization, but not at the expense of innovation.
This cohesive and coordinated approach is critical to overcoming IT security deficiencies that have burdened the Department for the last several years. Consistent and vocal support from senior leadership has enabled the Department and its bureaus to work as a team in addressing IT security issues. The Department’s Chief Information Officers (CIO) Council has implemented controls to improve the integrity, availability, and confidentiality of IT systems throughout the Agency. Furthermore, the Department’s CIO incorporated IT security in performance plans for operating unit CIOs, and instituted effective mechanisms that have allowed successful communication and collaboration across organizational boundaries. The result, thus far, has been a stronger and highly visible IT security program that continuously weighs the risks of technology against operational necessity to bring about a security posture that facilitates mission accomplishment. To ensure that the Department effectively manages ongoing IT security concerns, the Office of the CIO (OCIO) has adjusted its strategy to include reviewing and updating relevant policies and procedures as needed, as well as exercising C&A compliance oversight based on Federal Information Security Management Act (FISMA) requirements, OMB policy, National Institute of Standards and Technology (NIST) standards and guidelines, and previous OIG recommendations. As a result of this year’s Department-wide C&A improvement effort, 96 percent of the Department’s 302 IT systems have been certified and accredited. OCIO determined that all of the C&A packages it reviewed follow the Department’s IT security policy and NIST guidance on the risk management framework. The highlights of the Department’s IT security accomplishments are described below.
Personally Identifiable Information (PII): The Department aggressively pursues the OMB mandate for protecting and monitoring sensitive information. Since issuance of OMB Memorandum M-06-16, Protection of Sensitive Agency Information, in June 2006, the Department has developed and implemented the policies and standards needed to protect such information.
Encryption: The Department has taken assertive steps in safeguarding sensitive information, such as encrypting any PII contained on mobile devices. The Department has successfully installed full-disk encryption on 100 percent of its laptop computers using Safeboot Federal Information Processing Standards (FIPS) 140-2-compliant software.
Two-Factor Authentication: A Department-wide standard for two-factor authentication was selected that will strengthen access control by substantially reducing the threat from reusable passwords.
IT Security Governance: OCIO has revitalized the IT Security Coordinating Committee (ITSCC) to improve the Department’s IT security program’s strategic alignment with Departmental policy. Regularly scheduled sessions were held to discuss pressing issues, to define and resolve technical IT security problems, and to make recommendations concerning IT security to the CIO Council.
IT Security Training: Targeted training was provided to the core group of personnel that are responsible for carrying out the C&A process as well as for interpreting and determining the acceptability of C&A results. OCIO has provided or has plans to provide role-based training to all stakeholders involved in the C&A process. Additionally, IT security training was provided for FISMA database automation, the risk management process, management of plans of action and milestones (POA&M), and C&A quality improvement. Because of the significance of addressing IT security awareness at the Department, it has experienced unprecedented participation in training efforts.
Certification and Accreditation (C&A) Quality and Process: The Department transformed C&A compliance reviews into a dynamic and collaborative process, interacting with stakeholders through an exhaustive review of past OIG findings as well as OMB and NIST guidance. Emphasis was placed on better documentation and risk acceptance awareness by authorizing officials. Subsequently, eight high quality packages were delivered to the OIG for its review. These CIO-conducted C&A reviews were generally received positively by the operating units and the results are being incorporated in their quality assurance processes. The CIO Council has selected for implementation in early FY 2008 a software solution, the Cyber Security Assessment and Management tool, to assist with FISMA reporting.
Internal Control Review: The Department conducted an internal control review for all 14 of its operating units that combined FISMA and FMFIA requirements. The review assessed the effectiveness of IT security controls, PII management, C&A, IT security training, contractor system oversight, and usage of a newly instituted Information Security Acquisitions Checklist. In addition to reviewing the operating units, two program level functions were reviewed: the IT security and the identity theft protection programs. OCIO found that the internal controls that were examined were generally effective.
Plans to Further Strengthen IT Security in FY 2008
Notwithstanding these achievements, the Department believes that further enhancements are possible in implementing and managing secure system configurations, and in sustaining improvements in the C&A process to ensure quality work products for managing system security. To ensure consistent and repeatable processes, the following activities will continue to foster effective oversight of Department-wide IT security program implementation:
Automated FISMA Tool: The Department has developed an implementation plan for an automated FISMA tool, which will enhance its integrity in managing IT risks, corrective action plans (CAP), and OMB reporting.
Secure Configurations: Secure system configurations are an essential element in an IT security program, and the Department has made them a critical element of its C&A quality improvement process. In the OIG’s FY 2007 FISMA evaluation, four of the six C&A packages that were submitted for its review had inadequate secure configuration settings. As a result, secure configurations will be stressed and incorporated as a critical process in the Department’s C&A Smart Spot-Checks. OCIO has also coordinated with the Department’s Office of Acquisition Management to ensure that the appropriate security clause is used to obtain secure operating systems upon the purchase of any Microsoft Windows or Intel-based system. To support the operating units’ schedules for the use of secure configurations in early FY 2008 for all Vista and XP devices, OCIO has begun to explore how it can assist with consistency and standardization across the Department. Selection is imminent of a lead operating unit to help guide this effort and reduce redundancy in the implementation of configurations for Windows, as well as other key operating systems and applications.
Perimeter Protection, Critical Infrastructure, and Continuity of Operations (COOP): The Department’s IT infrastructure comprises a heterogeneous network of networks. To effectively manage its IT assets, the Department utilizes a Defense-in-Depth strategy, which involves people, process, and technology. The Department has implemented a baseline IT security policy and conducted oversight reviews to ensure sufficient security awareness training for employees and contractors with security responsibilities. From a technology perspective, the Department, through a federation of CIRTs, communicates and protects its network perimeters from malicious threats. The Department’s CIRT uses state of the art technologies, including forensic analysis tools, intrusion detection and protection devices, incident alert software, and log analysis tools, to protect the Department’s networks and users from cyber incidents. As incidents occur and are investigated, the Department’s CIRT coordinates efforts with the Department of Homeland Security, US-CERT, OIG, and the Department federation of CIRTs. The Department responded to and reported 533 incidents in FY 2007. The Department has selected an E-Team emergency management system to provide alert notification and task tracking capability throughout the organization. Several exercises have been conducted thus far with personnel trained on the use of the system. The Department also participated in the government-wide FY 2007 Pinnacle exercise, in which OCIO responded to several incidents and tested communications capabilities between the normal operating location and alternate operating facilities. The Department conducts monthly COOP working group meetings to share information and to coordinate appropriate maintenance of COOP support plans. OCIO recently conducted situational awareness, and roles and responsibilities, refresher training for all personnel in its organization. Personnel were updated on the tasks to be performed in the event of COOP activation, as well as the importance of personnel availability and sustainability to ensure the Department’s essential functions continue regardless of the nature of any event.
Other Internal Control Enhancement Activities Continue
The Department’s comprehensive effort to enhance management of internal controls under OMB Circular A-123 continued during FY 2007. Progress made in implementing Appendix A to OMB Circular A-123, which relates to financial internal controls, included the following:
The Department also continued its focus on management of nonfinancial internal controls under OMB Circular A-123. Through the SAT, the operating units were tasked with identifying and conducting assessments of programmatic and administrative activities meriting review in FY 2007. A wide range of programs and functions were assessed within individual operating units. Department-wide, principal focus was given to enhancing internal controls relating to the management of personal property. Late in FY 2006, it became evident through press reports and Congressional inquiries that oversight of laptop computers and the data that they contain required evaluation across government. In addition to the overall efforts of OCIO in the area of IT security, the Office of the CFO/ASA undertook a comprehensive initiative to assess how the Department and its operating units manage not only laptop computers, but personal property, in general. The Department’s multi-prong approach included:
The Department’s assessments reflect a system of nonfinancial and financial controls that is operating effectively. No material weaknesses relative to financial controls were identified for the period July 1, 2006 through June 30, 2007, the reporting period established by OMB Circular A-123. Further, with limited review and inquiries, no material weaknesses related to internal control over financial reporting were identified between July 1, 2007 and September 30, 2007. As a result of its FY 2007 activities, the Department identified only one material weakness in its internal controls, which, as described above, relates to IT security.
Section 4 of the FMFIA – Internal Controls over Financial Management Systems
Based on reviews conducted by the Department and its operating units for FY 2007, the financial systems in the Department are compliant with GAO principles and standards and with the requirements of the CFOs Act and OMB. The Department had no material weaknesses under Section 4 of FMFIA. See Appendix E for a summary of material weaknesses reported under Section 4 of FMFIA.