information technology management letter for the fy 2010 dhs
TRANSCRIPT
Department of Homeland Security Office of Inspector General
Information Technology Management Letter for the FY 2010 DHS Financial
Statement Audit
(Redacted)
OIG-11-103 August 2011
Office of Inspector General
u.s. Department ofHOllleland Security Washington, DC 25028
Homeland Security
AUG 18 2011
Preface
The Department of Homeland Security (DHS) Office ofInspector General (OIG) was established by the Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector General Act of1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.
This report presents the information technology (IT) management letter for the FY 2010 DHS financial statement audit as of September 30,2010. It contains observations and recommendations related to information technology internal control that were summarized within the Independent Auditors' Report, dated November 12, 2010 and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit ofthe DHS' FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated April 26,2011; and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or conclusion in compliance with laws and regulations.
The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.
Assistant Inspector General Information Technology Audits
KPMG LLP 2001 M Street, NW Washington, DC 20036-3389
April 26, 2011
Inspector General U.S. Department of Homeland Security
Chief Information Officer U.S. Department of Homeland Security
Chief Financial Officer U.S. Department of Homeland Security
We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2010, and the related statement of custodial activity for the year then ended (referred to herein as “financial statements”). We were also engaged to examine the Department’s internal control over financial reporting of the balance sheet as of September 30, 2010, and statement of custodial activity for the year then ended. In connection with our audit engagement, we also considered DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on the balance sheet as of September 30, 2010 and the related statement of custodial activity for the year end. We were not engaged to audit the accompanying statements of net cost, changes in net position, and budgetary resources, for the years ended September 30, 2010 (referred to herein as “other fiscal year (FY) 2010 financial statements”), or to examine internal control over financial reporting over the other FY 2010 financial statements. Because of matters discussed in our Independent Auditors’ Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements.
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.
During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, contingency planning, and segregation of duties with respect to DHS’ financial systems Information Technology (IT) general controls which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. We also noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting financial data processing and reporting. These matters are described in the IT General Control and Financial System Functionality Findings section of this letter.
The material weakness described above is presented in our Independent Auditors’ Report, dated November 12, 2010. This letter represents the separate limited distribution report mentioned in that report.
KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.
Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the IT General Control and Financial System Functionality Findings section of this letter.
The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors’ Report.
The Table of Contents on the next page identifies each section of the letter. We have provided a description of key DHS financial systems and IT infrastructure within the scope of the FY 2010 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated February 1, 2011.
DHS’s written response to our comments and recommendations has not been subjected to auditing procedures and, accordingly, we express no opinion on it.
This report is intended solely for the information and use of DHS management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.
Very truly yours,
Objective, Scope and Approach 1
APPENDICES
Appendix Subject Page
Summary of Findings and Recommendations 2
IT General Control Findings and Recommendations 3
Access Controls 3
Configuration Management 4
Security Management 4
Contingency Planning 5
Segregation of Duties 5
Financial System Functionality 5
Management Comments and OIG Response 6
A Description of Key DHS Financial Systems and IT Infrastructure within the Scope of the 7FY 2010 DHS Financial Statement Audit
B FY 2010 Notices of IT Findings and Recommendations at DHS 19
� Notice of Findings and Recommendations (NFR)– Definition of 20 Severity Ratings
C Status of Prior Year Notices of Findings and Recommendations and Comparison to 147 Current Year Notices of Findings and Recommendations at DHS
D Management Comments 153
E Report Distribution 155
Page
Department of Homeland Security Information Technology Management Letter
September 30, 2010
INFORMATION TECHNOLOGY MANAGEMENT LETTER
TABLE OF CONTENTS
Department of Homeland Security Information Technology Management Letter
September 30, 2010
OBJECTIVE, SCOPE AND APPROACH During our engagement to perform an integrated audit of Department of Homeland Security (DHS), we evaluated the effectiveness of IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit as it relates to IT general controls assessments at DHS. The scope of the DHS IT general controls assessment is described in Appendix A.
FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.
�
�
�
�
�
Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls. Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure. Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended. Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations. Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.
To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the DHS environment. The technical security testing was performed both over the Internet and from within select DHS facilities, and focused on test, development, and production devices that directly support key general support systems.
In addition to testing DHS’ general control environment, we performed application control tests on a limited number of DHS’ financial systems and applications. The application control testing was performed to assess the input, processing, and output of financial data and transactions that support the financial systems’ internal controls. Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.
During FY 2010, we also considered the effects of financial system functionality while testing IT general and application controls and other internal controls over financial reporting. Many of the financial systems in use at DHS components were inherited from the legacy agencies and have not been substantially updated since the department’s inception. As a result, financial system functionality may be inhibiting DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting financial data processing and reporting at some components.
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 1
Department of Homeland Security Information Technology Management Letter
September 30, 2010
SUMMARY OF FINDINGS AND RECOMMENDATIONS During our FY 2010 assessment of IT general and application controls and financial system functionality, we noted that the DHS made some progress in remediation of IT findings we reported in FY 2009. We have closed approximately 30 percent of our prior year IT findings. In FY 2010 we identified approximately 161 findings, of which approximately 65 percent are repeated from last year. Nearly one-third of our repeat findings were for IT deficiencies that management represented were corrected during FY 2010. Disagreements with management’s self assessment occurred almost entirely at the Federal Emergency Management Agency (FEMA).
The most significant weaknesses from a financial statement audit perspective include: 1) excessive unauthorized access to key DHS financial applications; 2) configuration management controls that are not fully defined, followed, or effective; 3) security management deficiencies in the area of the certification and accreditation process and the lack of adhering to or developing policies and procedures , 4) contingency planning that lacked current, tested, contingency plans developed to protect DHS resources and financial applications, and 5) lack of proper segregation of duties for roles and responsibilities within financial systems.
Collectively, the IT control deficiencies limited DHS’ ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS’ financial reporting and its operation and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants (AICPA) and GAO. The IT findings were combined into one material weakness regarding IT Controls and Financial Systems Functionality for the FY 2010 audit of the DHS consolidated financial statements. As reported last year, both FEMA and Immigration and Customs Enforcement’s (ICE) control deficiencies were found to have a more significant impact on the Department. FEMA continues to have a high number of significant IT general controls findings that repeat each fiscal year. These weaknesses affect our ability to fully audit its financial application controls. In addition, ICE has significant weaknesses in its key financial system which has resulted in duplicate payments, and poor configuration and patch management.
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 2
Department of Homeland Security Information Technology Management Letter
September 30, 2010
IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS Conditions: In FY 2010, a number of IT and financial system functionality deficiencies were identified at DHS. Approximately 162 findings were identified of which approximately 65 percent are repeated from last year. The findings identified below are a cross-representation of the nature of IT general control deficiencies identified throughout the department’s components which contribute to a material weakness for financial system security as part of the FY 2010 DHS financial statement audit.
Related to IT controls:
1. Access Controls - At the following DHS components: United States Coast Guard (USCG), Customs and Border Protection (CBP), Federal Law Enforcement Training Center (FLETC), FEMA, ICE, DHS Headquarters, Transportation Security Administration (TSA), and United States Citizenship and Immigration Services (USCIS) we noted:
� Deficiencies in management of application and/or database accounts, network, and remote user accounts:
- System administrator root access to financial applications was not properly restricted, logged, and monitored;
- Strong password requirements were not enforced;
- User account lists were not periodically reviewed for appropriateness, inappropriate authorizations and excessive user access privileges were allowed at some DHS components, and users were not disabled or removed promptly upon personnel termination;
- Emergency and temporary access was not properly authorized, and contractor development personnel were granted conflicting access to implement database changes;
- Initial and modified access granted to application and/or database, network, and remote users was not properly documented and authorized; and
- The process for authorizing and managing remote virtual private network (VPN) access to external state emergency management agencies, and component contractors, did not comply with DHS and component requirements.
� Ineffective safeguards over logical and physical access to sensitive facilities and resources:
- While performing after-hours physical access testing, we identified the following unsecured items: Government credit cards; financial system user IDs and passwords; computer laptops; and server names and IP addresses; and
- While performing social engineering testing, we identified instances where DHS employees provided their system user names and passwords to an auditor posing as a help desk employee.
� Ineffective or insufficient use of available audit logs:
- Logs of auditable events are not being reviewed to identify potential incidents, or were reviewed by those with conflicting roles;
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 3
Department of Homeland Security Information Technology Management Letter
September 30, 2010
- Logging of application and/or database events required to be recorded was not enabled;
- Documented procedures for audit log follow-up do not meet DHS requirements; and
- Evidence of audit log reviews was not retained.
2. Configuration Management: At the following DHS components: USCG, CBP, FLETC, FEMA, ICE, USCIS, and TSA we noted:
�
�
�
Lack of documented policies and procedures:
- To prevent users from having concurrent access to the development, test, and production environments of the system at four DHS components; and
- Configuration, vulnerability, and patch management plans have not been established and implemented, or did not comply with DHS policy;
Vulnerabilities were identified during periodic internal scans and related corrective actions were not reported and tracked in accordance with DHS policy; and
Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and general support systems.
3. Security Management - At the following DHS components: USCG, CBP, DHS Headquarters, TSA, FLETC, FEMA, USCIS, and ICE we noted:
�
�
�
Systems certification and accreditation:
- Several component financial and associated feeder systems as well as general support systems, were not properly certified and accredited, in compliance with DHS policy;
- Compliance with the Federal Desktop Core Configuration (FDCC) security configurations is in progress, but has not been completed; and
- An instance where Interconnection Security agreements were not documented.
Roles and responsibilities have not been clearly defined:
- Instances of security roles and responsibilities are not adequately defined for financial applications and general support systems; and
- System boundaries have not been adequately and completely defined within the System Security Plan.
Lack of policies and procedures:
- One instance of incomplete or inadequate policies and procedures associated with computer incident response capabilities;
- Procedures for exit processing of transferred/terminated personnel, including contractors, had not been established; and
- Lack of component policies and procedures for IT-based specialized security training.
� Lack of compliance with existing policies:
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 4
Department of Homeland Security Information Technology Management Letter
September 30, 2010
- Several instances where background investigations of federal employees and contractors employed to operate, manage and provide security over IT systems were not being properly conducted;
- Lack of compliance with DHS computer security awareness training requirements;
- Non-disclosure agreements were not completed at one DHS component; and
- A complete and accurate listing of workstations could not be provided at one DHS component and as a result anti-virus protection is not installed on all workstations.
4. Contingency Planning - At the following DHS components: CBP and FEMA, we noted:
� Instances where incomplete or outdated business continuity plans and systems with incomplete or outdated disaster recovery plans. Some plans did not contain current system information, emergency processing priorities, procedures for backup and storage, or other critical information;
� Service continuity plans were not consistently and/or adequately tested, and individuals did not receive training on how to respond to emergency situations;
� An alternate processing site has not been established for high risk systems; and
� Appropriate authorization to access backup media was not made available.
5. Segregation of Duties: At the following DHS components: USCG, CBP, FEMA, ICE, and USCIS we noted:
� Financial system users had conflicting access rights as the Originator, Funds Certification Official, and the Approving Official;
� Lack of evidence to show that least privilege and segregation of duties controls exist; and
� Policy and procedures to define and implement segregation of duties were not properly developed and/or implemented.
These control findings, including other significant deficiencies are described in greater detail in a separate Limited Official Use component-specific Information Technology Management letter provided to DHS component management.
FINANCIAL SYSTEM FUNCTIONALITY
We noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT applications controls supporting financial data processing and reporting. Financial system functionality limitations also contributes to other control deficiencies reported in our report dated November 12, 2010, and can make compliance with the Federal Financial Management Improvement Act (FFMIA) and the Office of Management and Budget (OMB) Circular A-127 more difficult. At the following DHS components: USCG, CBP, FLETC, ICE, USCIS, and TSA we noted financial system functionality conditions to include:
� Inability to modify IT system core software, and install controls to prevent duplicate payments. One component identified two instances where duplicate payments were made in FY 2009 and FY 2010, and the funds needed to be recovered;
� System limitations lead to extensive manual and redundant procedures to process transactions, to verify the accuracy of data, and to prepare financial statements;
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 5
Department of Homeland Security Information Technology Management Letter
September 30, 2010
� The financial systems in one component cannot be configured to:
- Prevent, detect, and correct excessive refunds;
- Provide summary information of the total unpaid assessments for duties, taxes, and fees by individual importer; and
- Report information on outstanding receivables, the age of receivables, or other data necessary for management to fully monitor collection actions; and
� Two inventory tracking systems are not fully integrated with the financial system of record; and
� Several financial systems do not have the necessary functionality to enforce DHS-required system security requirements. For example, one system does not have the functionality to enforce policy requirements related to password complexity, account lockout, and profile changes. In addition, a system does not have the functionality to track new users or user profile changes.
Recommendations: We recommend that the DHS Office of Chief Information Officer (OCIO), in coordination with the Office of Chief Financial Officer (OCFO), the DHS component OCIOs, OCFOs, and other appropriate component management review each individual IT NFR appropriately to ensure that the DHS components enter the recommendations as Plan of Action and Milestones in Trusted Agent FISMA, and work with the respective components to develop corrective action plans to address the root cause and condition of each NFR.
Financial System Functionality Recommendation: We recommend that the DHS OCIO, in coordination with the OCFO, the DHS component OCIOs, OCFOs, and other appropriate component management address the IT system aspects associated with the financial system functionality issues listed above, or develop compensating/mitigating controls in order to eliminate or reduce the associated risk.
MANAGEMENT COMMENTS AND OIG RESPONSE The OIG obtained written comments on a draft of this report from the DHS CIO, DHS Acting CFO, and DHS CISO. Generally, DHS management agreed with all of our findings and recommendations. DHS management has developed a remediation plan to address these findings and recommendations. A copy of the comments is included in Appendix D.
OIG Response We agree with the steps that DHS management is taking to satisfy these recommendations.
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 6
Appendix A Department of Homeland Security
Information Technology Management Letter September 30, 2010
Appendix A
Description of Key DHS Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial
Statement Audit
Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit Page 7
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Below is a description of significant financial management systems and supporting IT infrastructure included in the scope of the engagement to perform the financial statement audit.
United States Coast Guard (USCG)
Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at the Coast Guard’s Finance Center (FINCEN), in Chesapeake, Virginia (VA). The FINCEN is the Coast Guard’s primary data center. CAS interfaces with two other systems located at the FINCEN, the Workflow Imaging Network System (WINS) and the Financial and Procurement Desktop (FPD).
� CAS Version 4.1 � CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor; cgofprod.world � CAS Operating System – HP Unix 11.11; ARGUS Server
Financial Procurement Desktop (FPD)
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA.
� FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750mhz RISC Processor; LUFS.world � FPD Operating System – HP UNIX 11.11; Dart Server
Workflow Imaging Network System (WINS)
WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan documents and to view the images of scanned documents and to render images of electronic data received. WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in Chesapeake, VA.
� WINS Oracle 10.2.0.3 Database - 48 GB 12x750mhz RISC Processor; PROD1.world � WINS Operating System – HP Unix 11.11; Vigilant Server
Joint Uniform Military Pay System (JUMPS)
JUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at the Pay and Personnel Center (PPC) in Topeka, Kansas.
� IBM Mainframe - z890 � JUMPS Operating System z/OS 1.8 Base
Direct Access
Direct Access is the system of record and all functionality, data entry, and processing of payroll events is conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility at Tempe, AZ with a hotsite located in a Qwest data center in Sterling, VA.
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 8
Department of Homeland Security Information Technology Management Letter
September 30, 2010
� Hardware - 1 Sunfire 4800, 2 Sunfire 880, 1 Sunfire 4500, 1 Sunfire v240, 2 Sunfire V440, 2 F5Big-IP, 1IBM 3650
� Software – PeopleTools v8.4, PeopleSoft HCM v8.0, WebLogic v8, Tuxedo v8, MicroFocus Cobol v4, Oracle DB v9, ImageNow v5.4.1, WebNow v3.4.1
Global Pay (Direct Access II)
Global Pay provides retiree and annuitant support services. Global Pay is maintained by IBM AOD in the iStructure data center facility at Tempe, AZ with a hotsite located in a Qwest data center in Sterling, VA.
� Hardware – 2 Database Servers IBM P550, 1 Web/App Server IBM P520, 1 Web/App Server IBM P550, 1 W2K Server IBM x Series 336, 2 F5 BIGIP Load Balancer, 1 Database/App Server IBM P550, 2 Web Server IBM P520, 1 App Server IBM P550, 1 Proxy Server SunFire v240
� Software – 2 PeopleSoft HRMS v 9.0, 2 PeopleTools v 8.46.05, PeopleSoft Enterprise Portal v 8.0, 2 WebLogic v 8.1 sp3, 2 Tuxedo v 8.1 r3, 2 Oracle RDMS v 10.x, 1McAfee Entercept v 5.1 – IDS, 1 Checkpoint NG with Application Intelligence (R55) 105 – Firewall, 1 Legato v 7.x
Shore Asset Management (SAM)
SAM is hosted at the Coast Guard’s Operation System Center (OSC), in Martinsburg, WV. SAM provides core information about the USCG shore facility assets and facility engineering. The application tracks activities and assist in the management of the Civil Engineering (CE) Program and the Facility Engineering (FE) Program. SAM data contributes to the shore facility assets full life cycle Program management, facility engineering full life cycle Program management and rationale to adjust the USCG mission needs through planning, budgeting, and project funding. SAM also provides real property inventory and management of all shore facilities, in addition to the ability to manage and track the facilities engineering equipment and maintenance of that equipment.
� Hardware platform:-Intel MP BladeServer SBXD132, 2x Xeon Dual Core 2.66Ghz, EMT64, 4GB Ram (8GB DB Servers), Mirrored 72GB SAS, 2x 1GB Network Interface
� Operating - Software: Windows 2003 Server Standard 5.2.3790 Service Pack 2 build 3790 � Security Software - McAfee Virus Scan Enterprise 8.0.0 � Database - Oracle 9i, 32 bit
Naval and Electronics Supply Support System (NESSS)
NESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems. NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance and property accountability, and a full financial ledger.
� Hardware platform:-1 HP A7137A, 1 Dell PowerEdge 6450, 2 Dell Power Edge 6650, 2 HP A3639A
� Software - Software: Oracle Application Server Forms and Report Services 10.1.2.02, Xventory Baseline, File Replication Pro, Windows 2003 Server Enterprise Edition, PDF Pagemaster
Aviation Logistics Management Information System (ALMIS)
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 9
Department of Homeland Security Information Technology Management Letter
September 30, 2010
ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration management, maintenance, supply, procurement, financial, and business intelligence. Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS application. The Aircraft Repair & Supply Center (ARSC) Information Systems Division (ISD) in Elizabeth City, North Carolina hosts the ALMIS application.
� Linux AS 4.0 (OS for Oracle Databases) � HPUX 11i (OS for Ingres Databases) � Oracle 10g (Database Services) � Ingress 2.6 (Database Services) � Windows 2000 Advanced Server (Web Server)
CG Treasury Information Executive Repository (CG Tier)
CG TIER is a financial data warehouse containing summarized and consolidated financial data relating USCG operations. It is one of several supporting applications within CAS Suite designed to support the core financial services provided by FINCEN. CG TIER provides monthly submissions to DHS Consolidated TIER.
� Database- Oracle v 8.1.7.4 (Tiers) � Operating System- HP-UNIX; v 11.11
Customs and Border Protection (CBP)
SAP Enterprise Central Component (SAP ECC 6.0)
SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC 6.0 financial management system is included in full scope in the FY 2010 financial statement audit. The SAP ECC 6.0 system is located in Newington, VA.
Automated Commercial System (ACS)
ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed the Federal government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system is included in full scope in the FY 2010 financial statement audit. The ACS system is located in Newington, VA.
Automated Commercial Environment (ACE)
ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP’s plan that the ACE replaced ACS when ACE is fully
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 10
Department of Homeland Security Information Technology Management Letter
September 30, 2010
implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to federal agencies. ACE is being deployed in phases, with no set final full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2010 financial statement audit. The ACE system is located in Newington, VA.
Federal Law Enforcement and Training Center (FLETC)
Financial Accounting and Budgeting System (FABS)
Processing Location: FLETC Headquarters in Glynco, GA
The FLETC FABS application is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC. The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved. The FABS environment primarily consists of the latest version of the Momentum version 6.1 COTS software, an Oracle 10g database and its companion Oracle 10.2 Database Management System (DBMS). An application called “Tuxedo,” also resides on a separate server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily information and are not directly accessible by users. The FABS application and servers reside on the FLETC LAN in a Hybrid physical network topology and are accessible from four sites: Glynco, GA, Washington D.C., Artesia, New Mexico, and Cheltenham, MD.
� Hardware: Hewlett Packard ProLiant BL465c Blade Servers (web and application) and Hewlett Packard ProLiant BL685c Blade Servers (database)
� Operating System: Microsoft Windows 2003 Server running on virtual machines on top of VMware Infrastructure 3.5 Enterprise hypervisor on the web and application servers
� Database: Red Hat Enterprise Linux � Security Software: FABS system does not currently have a firewall scheme and resides on
FLETC LAN that has a firewall in place
Interfaces:
� National Finance Center (NFC) Payroll System � Student Information System (SIS) � TIER � US Coast Guard Interface � Kansas City Financial Center (KFC)
Glynco Administrative Network Processing Location: FLETC Headquarters in Glynco, GA
The purpose of the Glynco Administrative Network (GLYADLAN) is to provide access to IT network applications and services to include voice to authorized FLETC personnel, contractors and partner organizations located at the Glynco, Georgia facility. It provides authorized users access to email, internet services, required applications such as Financial Management Systems (FMS), Procurement systems, Property management systems, Video conference, and other network services and shared resources.
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 11
Department of Homeland Security Information Technology Management Letter
September 30, 2010
� Hardware: Cisco ACS TACAS Server, Avaya 8700 Media Servers, Dell Poweredge servers 1750, 1850, 1950, 2650, 2850, 2950, and 6650.
� Operating System: Windows XP SP2 (Desktop) � Database: Redhat Linux 4 Enterprise edition � Security Software: ASA 5500 series firewall and static IP addresses
Interfaces:
� FMS � DHS HQ
Federal Emergency Management Agency (FEMA)
Core Integrated Financial Management Information System (IFMIS) (Operational through February 22, 2010
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
Core IFMIS was the key financial reporting system, and had several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting). The application was a Commercial Off-The Shelf (COTS) software package developed and maintained by Digital Systems Group (DSG) Incorporated.
� Hardware: Two (2) HP 9000 servers (operational and standby) � Operating System: HP-UX (Unix) version 11.11 � Database: Oracle 9i Enterprise Edition
� Security Software: Servers are protected by a CISCO PIX Firewall Interfaces:
� NEMIS � Credit Card Transaction Management System (CCTMS) � Fire Grants � Mitigation Grants � eGrants � ProTrac � Payroll � Department of Treasury � Smartlink � TIER
Grants and Training (G&T) IFMIS (Operational through February 22, 2010)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
In April 2007, the Office of Grants and Training (G&T) that was previously under the Department of Justice was transferred over to FEMA. Due to the short amount of time given to FEMA to take over the financial management role for G&T in FY 2007, a separate instance of IFMIS was inherited from the Department of Justice, resulting in two separate IFMIS instances at FEMA. G&T IFMIS, held all former G&T financial information. The application is a COTS software package developed and maintained by DSG Incorporated.
� Hardware: HP 9000 server
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 12
Department of Homeland Security Information Technology Management Letter
September 30, 2010
� Operating System: HP-UX (Unix) version 11.11 � Database: Oracle 9i Enterprise Edition � Security Software: Servers are protected by a CISCO PIX Firewall
Interfaces:
� PARS
IFMIS-Merger (Operational as of February 23, 2010)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost Posting, Disbursements, Accounts Receivable, and General Ledger. The application is a COTS software package developed and maintained by DSG Incorporated.
� Hardware: Two (2) HP 9000 servers � Operating System: HP-UX (Unix) version 11.11 � Database: Oracle 9i Enterprise Edition � Security Software: Servers are protected by a CISCO PIX Firewall
Interfaces:
� Payment and Reporting System (PARS) � ProTrac � Smartlink (Department of Health and Human Services) � TIER (Department of Treasury) � Secure Payment System (SPS) (Department of Treasury) � Grants Management System (Department of Justice) � National Emergency Management Information System (NEMIS) � US Coast Guard Credit Card System � CCTMS � Fire Grants � eGrants � Enterprise Data Warehouse (EDW) � Payroll (National Finance Center)
Payment and Reporting System (PARS)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger UNIX server. Prior to the merger of Core IFMIS and G&T IFMIS, PARS resided on the core IFMIS server. Through its web interface, PARS collects Standard Form 269 information from grantees and stores the information in its Oracle 9i database. Automated chron jobs are run daily to update and interface grant and obligation information between PARS and IFMIS-Merger. All payments to grantees are made through IFMIS-Merger. Prior to the IFMIS-Merger instance in February 2010, the PARS application interfaced with G&T IFMIS.
� Hardware: HP 9000 server � Operating System: HP-UX (Unix) version 11.11
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 13
Department of Homeland Security Information Technology Management Letter
September 30, 2010
� Database: Oracle 9i Enterprise Edition � Security Software: Servers are protected by a CISCO PIX Firewall
Interfaces:
� G&T IFMIS (prior to February 23, 2010) � IFMIS-Merger (as of February 23, 2010)
National Emergency Management Information System (NEMIS)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
NEMIS is a FEMA-wide system of hardware, software, telecommunications, services, and applications. NEMIS consists of many integrated subsystems distributed over hundreds of separate servers accessed by thousands of client workstations. NEMIS is an integrated system to provide FEMA, the states, and other federal agencies with automation to perform disaster related operations. NEMIS supports all phases of emergency management and provides financial related data to IFMIS via an automated interface.
� Hardware: Numerous HP ProLiant DL series servers � Operating System: Linux, Microsoft NT and Microsoft 2000 � Database: Replicated Oracle 10g, 9i, and 8i databases � Security Software: Servers are protected by a PIX Firewall Symantec Anti-Virus corporate
edition version 10.1.4.4000
Interfaces:
� IFMIS � US Coast Guard Credit Card System � Small Business Administration
Traverse Processing Location: Lanham, MD (until July 31, 2010), Landover, MD (after August 1, 2010).
Traverse is the general ledger application currently used by the Nation Flood Insurance Program (NFIP) Bureau and Statistical Agent to generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP Local Area Network (LAN) Windows server environment in Landover, MD. The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group members.
� Hardware: Hewlett Packard ML530, Dual Xeon 2.8 Processors, 2 GB RAM, Redundant Array of Independent Disks (RAID) Storage
� Operating System: Microsoft Windows Server 2003 � Database: Microsoft Structured Query Language (SQL) � Security Software: CheckPoint firewall
Interfaces:
No known system interfaces
Transaction Recording and Reporting Processing (TRRP)
Processing Location: Norwich, CT
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 14
Department of Homeland Security Information Technology Management Letter
September 30, 2010
The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) companies for the NFIP. TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Norwich, CT.
� Hardware: IBM 2086-220 Mainframe with two central processing units � Operating System: IBM z/OS 1.9 � Database: WebFocus
Interfaces:
No known system interfaces
Immigration and Customs Enforcement (ICE)
Federal Financial Management System (FFMS)
The FFMS is a CFO designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial reporting system and is built on Oracle 9i Relational Database Management System running off an IBM 9672 Mainframe with ZOS 1.4 platform. The FFMS operating system operates off an IBM ZOS, Version 1.4 Mainframe Server and Microsoft Windows 2000 report servers protected by firewalls. It includes the core system used by accountants, FFMS Desktop that is used by average users, and an NFC payroll interface. As of July 2010, the FFMS mainframe component and two network servers are hosted at the DHS DC2 facility located in Clarksville, Virginia. Prior to July, the system was housed at the Department of Commerce in Springfield, VA. FFMS currently interfaces with the following systems:
� Direct Connect for transmission of DHS payments to Treasury � Fed Travel � The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data
Inquiry (CADI), for the purpose of processing NFC user account and payroll information. � The Debt Collection System (DCOS) � Bond Management Information System (BMIS) Web
ICE Network
The ICE Network, also known as the Active Directory/Exchange (ADEX) E-mail System, is a major application for ICE and other DHS components, such as the USCIS. The ADEX servers and infrastructure for the headquarters and National Capital Area are located on the third floor of the Potomac Center North Tower in Washington, DC. The ICE Network utilizes a hybrid mesh/hub and mesh network design to maximize redundancy throughout the network. ICE operates off of Dell PowerEdge 2950, HP ProLiant DL 385 Server, HP ProLiant BL45p Server Blade, HP BL 25P Blade Server, and EMC Symmetrix DM. ADEX has implemented Microsoft Windows 2003 Enterprise Server operating system to provide directory, domain control, and network services to clients. For security purposes, ADEX has implemented firewalls and a logical Layer-3 encrypted overlay network through the use of Generic Routing Encapsulation (GRE) and IPSec tunneling. ADEX currently interfaces with the following systems:
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 15
Department of Homeland Security Information Technology Management Letter
September 30, 2010
� Diplomatic Telecommunications Service Program Office (DTSPO) ICENet Infrastructure
Office of Financial Management (OFM)/Consolidated Component
DHS Treasury Information Executive Repository (DHSTIER)
DHSTIER is the system of record for the DHS consolidated financial statements and is used to track, process, and perform validation and edit checks against monthly financial data uploaded from each of the DHS bureaus’ core financial management systems. DHSTIER is administered jointly by the OCFO Resource Management Transformation Office (RMTO) and the OCFO Office of Financial Management (OFM) and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.
� Database: Oracle DB 10g v10.3 � Operating System: Microsoft Windows 2003 � Hardware: HP ProLiant BL460c G1 server
Chief Financial Office VISION (CFO Vision)
CFO Vision is a subsystem of DHSTIER used for the consolidation of the financial data and the preparation of the DHS financial statements. CFO Vision is also administered by RMTO and OFM and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.
� COTS Software - SAS Financial Management Solutions version 4.3 (FM 4.3) with its own internal SAS database
� Operating System: Microsoft Windows 2003 Hardware: HP ProLiant BL460c G1 server
Transportation Security Administration (TSA)
Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial statements for the United States Coast Guard. CAS is hosted at the Coast Guard’s FINCEN in Chesapeake, VA and is managed by the United States Coast Guard. The FINCEN is the Coast Guard’s primary financial system data center. CAS interfaces with other systems located at the FINCEN, including FPD.
� CAS Version 4.1 � CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor; cgofprod.world � CAS Operating System – HP Unix 11.11; ARGUS Server
Financial Procurement Desktop (FPD)
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is hosted at the FINCEN in Chesapeake, VA and is and managed by the United States Coast Guard.
� FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750mhz RISC Processor; LUFS.world � FPD Operating System – HP UNIX 11.11; Dart Server
Sunflower
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 16
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Sunflower is a customized third party COTS product used for TSA and Federal Air Marshals (FAMS) property management. Sunflower interacts directly with the Office of Finance Fixed Assets module in CAS. Additionally, Sunflower is interconnected to the FPD system and is hosted at the FINCEN in Chesapeake, VA and is managed by the United States Coast Guard.
� Sunflower Oracle Database – 10.2.0.3 - 2 x 3.06 GB Xeon Processor – 72 GB � Sunflower Operating System – Red Hat Linux 4.0AS � Sunflower Third Party Software – IBMJava 2.-131RC2
MarkView
MarkView is an imaging and workflow software used to manage invoices in CAS. Each invoice is stored electronically and associated to a business transaction so that users are able to see the image of the invoice. MarkView is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA and is managed by the United States Coast Guard.
� CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750mhz RISC Processor
� CAS Operating System – HP Unix 11.11; ARGUS Server
United States Citizenship and Immigration Services (USCIS)
CLAIMS 3 LAN
CLAIMS 3 LAN provides USCIS with a decentralized, geographically dispersed LAN based mission support case management system, with participation in the centralized CLAIMS 3 Mainframe data repository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The CLAIMS 3 LAN is located at the following service centers and district offices: Nebraska, California, Texas, Vermont, Baltimore District Office, and Administrative Appeals Office. CLAIMS 3 executes on Dell 220 S (EMC), RAID Controller, Disk Storage servers protected by firewalls, and Windows 2003, MS Sp2 as the operating system and Pervasive database software and is used to enter and track immigration applications. CLAIMS 3 LAN interfaces with the following systems:
� Citizenship and Immigration Services Centralized Oracle Repository (CISCOR) � CLAIMS 3 Mainframe � Integrated Card Production System (ICPS) � CLAIMS 4 � E-filing � Benefits Biometric Support System (BBSS) � Refugee, Asylum, and Parole System (RAPS) � National File Tracking System (NFTS) � Integrated Card Production System (ICPS) � Customer Relationship Interface System (CRIS) � USCIS Enterprise Service Bus (ESB)
CLAIMS 4
The purpose of CLAIMS 4 is to track and manage naturalization applications. Claims 4 is a client/server application. CLAIMS 4 runs off of Sunfire 890, 490, Solaris 9, and Oracle 9iR2 servers with Oracle 9i, Windows NT, and Windows 2000 Server operating systems and are
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 17
Department of Homeland Security Information Technology Management Letter
September 30, 2010
protected by firewalls. The central Oracle Database that runs off Oracle Enterprise 9i is located in Washington, DC while application servers and client components are located throughout USCIS service centers and district offices. CLAIMS 4 interfaces with the following systems:
� Central Index System (CIS) � Reengineered Naturalization Automated Casework System (RNACS) � CLAIMS 3 LAN and Mainframe � Refugee, Asylum, and Parole System (RAPS) � Enterprise Performance Analysis System (ePAS) � National File Tracking System (NFTS) � Asylum Pre-Screening System (APSS) � USCIS Enterprise Service Bus (ESB) � Biometrics Benefits Support System (BBSS) � Enterprise Citizenship and Immigration Service Centralized Operational Repository (eCISOR) � Customer Relationship Interface System (CRIS) � FD 258 Enterprise Editions and Mainframe � Site Profile System (SPS)
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 18
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Appendix B FY 2010 Notices of IT Findings and Recommendations at DHS
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 19
Appendix B Department of Homeland Security
Information Technology Management Letter September 30, 2010
Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:
Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors Report.
1 – Not substantial
2 – Less significant
3 – More significant
The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.
These rating are provided only to assist the DHS in prioritizing the development of its corrective action plans for remediation of the deficiency.
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 20
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
� United States Coast Guard
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 21
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Coa
st G
uard
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
-IT-
10-0
1 In
FY
200
9, w
e de
term
ined
tha
t C
oast
Gua
rd w
as
final
izin
g th
e bu
sine
ss p
roce
ss th
at w
ould
be
used
to
rem
edia
te t
he p
rior
year
NFR
. O
nce
this
bus
ines
s pr
oces
s is
fin
aliz
ed, a
tech
nica
l im
plem
enta
tion
coul
d be
gin,
and
Coa
st G
uard
pla
nned
on
usin
g th
e D
irect
A
cces
s H
uman
R
esou
rces
(H
R)
syst
em
to
notif
y sy
stem
ow
ners
of H
R st
atus
cha
nges
for a
ll in
divi
dual
s w
ithin
the
Coa
st G
uard
.
Dur
ing
our
FY
2010
fo
llow
-up
test
w
ork,
w
e de
term
ined
tha
t th
is N
FR r
emed
iatio
n is
stil
l in
the
pl
anni
ng
stag
es.
Req
uire
men
ts
still
ne
ed
to
be
prio
ritiz
ed a
nd c
ost e
stim
ates
nee
d to
be
deve
lope
d in
or
der
to o
btai
n fu
ndin
g.
Coa
st G
uard
stil
l pl
ans
on
usin
g D
irect
Acc
ess
but w
ill o
nly
impl
emen
t thi
s ne
w
proc
ess
once
D
irect
A
cces
s ha
s be
en
upgr
aded
, ho
wev
er,
the
impl
emen
tatio
n da
te h
as n
ot y
et b
een
final
ized
.
We
reco
mm
end
that
Coa
st G
uard
Hea
dqua
rters
co
ntin
ue w
ith th
e fo
llow
ing
effo
rts:
�D
evel
op a
res
ourc
e pl
an (
RP)
with
ass
ocia
ted
supp
ortin
g bu
sine
ss c
ase(
s) to
add
ress
acc
ount
tra
ckin
g fo
r te
rmin
ated
, tra
nsfe
rred
, or
retir
ed
cont
ract
or,
mili
tary
, an
d ci
vilia
n pe
rson
nel;
and,
�
Con
tinue
ex
istin
g pl
anni
ng
effo
rts
and
deve
lop,
doc
umen
t, an
d im
plem
ent e
nter
pris
e-w
ide
proc
esse
s th
at w
ill n
otify
all
impa
cted
sy
stem
ow
ners
of
term
inat
ed,
trans
ferr
ed,
or
retir
ed
cont
ract
or,
mili
tary
, an
d ci
vilia
n pe
rson
nel.
X
2
CG
-IT-
10-0
2 In
FY
200
9, w
e de
term
ined
tha
t D
HS
no l
onge
r re
quire
s al
l con
tract
ed e
mpl
oyee
s to
hav
e a
Min
imum
B
ackg
roun
d In
vest
igat
ion
(MB
I)
if th
ey
have
an
ex
istin
g co
nfid
entia
l or
secr
et c
lear
ance
, and
the
new
m
inim
um s
tand
ard
is th
e N
atio
nal A
genc
y C
heck
and
In
quiri
es (N
AC
I).
In a
dditi
on,
Coa
st G
uard
Hea
dqua
rters
had
in
plac
e si
nce
2007
Com
man
dant
Ins
truct
ion
(CO
MD
TIN
ST)
M55
20.1
2C, w
hich
sta
ted
that
Pro
gram
Man
ager
s ar
e re
spon
sibl
e fo
r det
erm
inin
g th
e ris
k le
vel a
nd p
ositi
on
sens
itivi
ty d
esig
natio
n as
soci
ated
with
eac
h C
ontra
ct
We
reco
mm
end
that
Coa
st G
uard
Hea
dqua
rters
co
ntin
ue w
ith th
e fo
llow
ing
effo
rts:
�C
ontin
ue
to
upda
te
exis
ting
cont
ract
s to
in
clud
e th
e ne
w c
ontra
ctor
bac
kgro
und
chec
k re
quire
men
ts,
and
perf
orm
as
soci
ated
co
ntra
ctor
bac
kgro
und
chec
ks.
�C
ontin
ue
to
incl
ude
new
co
ntra
ctor
ba
ckgr
ound
ch
eck
requ
irem
ents
in
ne
w
cont
ract
s, an
d pe
rfor
m a
ssoc
iate
d ba
ckgr
ound
ch
ecks
.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
Line
Ite
m N
umbe
r (C
LIN
) an
d/or
lab
or c
ateg
ory
for
proc
ured
con
tract
or s
uppo
rt.
Thes
e w
ill b
e pr
ovid
ed
to t
he C
ontra
ctin
g O
ffic
er w
ho i
s re
spon
sibl
e fo
r in
clud
ing
as s
olic
itatio
n an
d co
ntra
ct r
equi
rem
ents
. U
nfor
tuna
tely
, thi
s in
stru
ctio
n di
d no
t inc
lude
spe
cific
gu
idan
ce fo
r the
Pro
gram
Man
ager
s on
how
to s
et th
e co
rrec
t an
d co
nsis
tent
ris
k le
vels
an
d po
sitio
n se
nsiti
vity
des
igna
tions
.
In
FY
2010
, w
e de
term
ined
th
at
Coa
st
Gua
rd
Hea
dqua
rters
inco
rpor
ated
Pro
gram
Man
ager
gui
danc
e to
the
Com
man
dant
Inst
ruct
ion,
as E
nclo
sure
3, s
o th
at
the
Prog
ram
Man
ager
s co
uld
dete
rmin
e th
e co
rrec
t ris
k le
vel a
nd p
ositi
on s
ensi
tivity
des
igna
tion.
An
All
Coa
st G
uard
(A
LCO
AST
) m
essa
ge w
as a
lso
rele
ased
in
Ju
ne
that
st
ated
al
l co
ntra
ctor
s m
ust
have
a
favo
rabl
e fin
gerp
rint c
heck
and
initi
ated
or c
ompl
eted
m
inim
um i
nves
tigat
ion
(NA
CI)
in
orde
r to
obt
ain
a C
omm
on
Acc
ess
Car
d (C
AC
) ca
rd,
effe
ctiv
e im
med
iate
ly.
This
has
res
ulte
d in
tw
o ac
tiviti
es:
1)
new
con
tract
s w
ill in
corp
orat
e th
ese
new
requ
irem
ents
im
med
iate
ly, a
nd 2
) exi
stin
g co
ntra
cts
will
inco
rpor
ate
thes
e ne
w r
equi
rem
ents
whe
n ne
w t
ask
orde
rs a
re
issu
ed,
optio
ns a
re e
xerc
ised
, co
ntra
ct m
odifi
catio
ns
are
mad
e,
etc.
Th
eref
ore,
ba
sed
upon
th
e re
new
al/o
ptio
n da
te o
f a
cont
ract
in p
lace
prio
r to
the
ALC
OA
ST, i
t cou
ld ta
ke u
p to
two
year
s be
fore
all
of
the
cont
ract
ors
thro
ugho
ut C
oast
Gua
rd w
ill m
eet
thes
e ne
w re
quire
men
ts.
Furth
erm
ore,
as
part
of o
ur a
naly
sis,
we
wer
e un
able
to
de
term
ine
if U
SCG
ha
d th
e ca
pabi
lity
to
�D
evel
op
a R
P w
ith
asso
ciat
ed
supp
ortin
g bu
sine
ss c
ase(
s) t
o ad
dres
s th
e ne
ed f
or a
re
porti
ng m
echa
nism
for
con
tract
or r
isk
leve
l, po
sitio
n se
nsiti
vity
des
igna
tion,
and
ass
ocia
ted
back
grou
nd c
heck
.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
cons
iste
ntly
pro
duce
a c
urre
nt a
nd c
ompr
ehen
sive
list
of
al
l C
oast
G
uard
co
ntra
ctor
s to
in
clud
e va
lid
back
grou
nd
inve
stig
atio
n in
form
atio
n tie
d to
th
e co
rrec
t ris
k le
vel a
nd p
ositi
on se
nsiti
vity
des
igna
tion.
Alth
ough
Coa
st G
uard
has
take
n co
rrec
tive
actio
ns to
re
med
iate
th
e pr
ior
year
N
FR
CG
-IT-
09-1
0 by
up
datin
g th
e C
omm
anda
nt I
nstru
ctio
n an
d be
gun
the
proc
ess
of
incl
udin
g th
e ne
w
requ
irem
ents
in
co
ntra
cts,
we
belie
ve t
hat
not
havi
ng t
he a
bilit
y to
id
entif
y an
d pr
ovid
e a
full
popu
latio
n of
con
tract
ors
wor
king
for
Coa
st G
uard
doe
s no
t ful
ly r
emed
iate
all
of
the
findi
ngs
and
cond
ition
s fr
om
FY
2009
. Th
eref
ore,
this
prio
r ye
ar N
FR w
ill b
e re
issu
ed in
FY
20
10.
CG
-IT-
10-0
3 In
FY
20
09,
we
dete
rmin
ed
that
C
oast
G
uard
H
eadq
uarte
rs a
ctiv
ely
mon
itors
all
civi
lians
to
verif
y w
heth
er th
ey h
ave
a va
lid b
ackg
roun
d in
vesti
gatio
n on
re
cord
. C
oast
Gua
rd s
tate
d th
at i
t co
nsid
ers
Coa
st
Gua
rd
gove
rnm
ent
posi
tions
th
at
use,
de
velo
p,
oper
ate,
or m
aint
ain
IT s
yste
ms
to b
e at
leas
t low
risk
ba
sed
upon
OPM
gui
danc
e. T
here
fore
, C
oast
Gua
rd
cont
inue
d ve
tting
in
divi
dual
s ba
sed
on
the
OPM
re
quire
men
ts f
or l
ow r
isk
posi
tions
whi
ch r
equi
re a
N
AC
I inv
estig
atio
n. T
his p
ositi
on is
not
in c
ompl
ianc
e w
ith
the
DH
S st
anda
rd
that
st
ates
th
at
all
DH
S go
vern
men
t po
sitio
ns t
hat
use,
dev
elop
, op
erat
e, o
r m
aint
ain
IT s
yste
ms
are
cons
ider
ed a
t lea
st m
oder
ate
risk,
and
per
DH
S 43
00A
req
uire
men
ts,
a M
inim
um
Bac
kgro
und
Inve
stig
atio
n (M
BI)
is
th
e m
inim
um
stan
dard
of i
nves
tigat
ion.
We
reco
mm
end
that
Coa
st G
uard
Hea
dqua
rters
co
ntin
ue w
ith th
e fo
llow
ing
effo
rts:
�D
evel
op a
RP
with
as
soci
ated
sup
porti
ng
busi
ness
ca
se(s
) to
ad
dres
s fix
ing
the
orga
niza
tion-
wid
e ba
ckgr
ound
inv
estig
atio
ns
repo
rt.
�C
ontin
ue e
xist
ing
effo
rts to
upd
ate,
doc
umen
t, an
d im
plem
ent
the
over
all
Coa
st
Gua
rd
pers
onne
l se
curit
y pr
oces
s fo
r ci
vilia
n pe
rson
nel,
base
d up
on
the
JRT
repo
rt/gu
idan
ce.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
In
addi
tion,
C
oast
G
uard
H
eadq
uarte
rs
did
not
com
plet
e ba
ckgr
ound
rei
nves
tigat
ions
for
all
civi
lian
staf
f due
to th
e fa
ct th
at th
is is
not
a re
quire
men
t und
er
OPM
gui
danc
e fo
r lo
w r
isk
posi
tions
. Thi
s is
in n
on-
com
plia
nce
with
DH
S po
licy
(MD
110
50.2
) tha
t sta
tes
that
rein
vest
igat
ions
mus
t be
com
plet
ed e
very
10
year
s fo
r mod
erat
e ris
k po
sitio
ns.
Furth
er, a
Joi
nt R
efor
m T
eam
(JR
T) b
een
esta
blis
hed
by th
e O
ffic
e of
the
Dire
ctor
of
Nat
iona
l Int
ellig
ence
(O
DN
I) a
nd t
he O
ffic
e of
Man
agem
ent
and
Bud
get
(OM
B)
to r
efor
m t
he f
eder
al s
uita
bilit
y cl
eara
nce
proc
ess,
and
the
JRT
stan
dard
s w
ere
sche
dule
d fo
r im
plem
enta
tion
by t
he e
nd o
f C
alen
dar
Yea
r 20
10.
The
Coa
st
Gua
rd
was
w
aitin
g on
th
e JR
T re
port/
guid
ance
to b
e im
plem
ente
d pr
ior
to m
akin
g a
dete
rmin
atio
n on
if
they
w
ould
fo
llow
th
e D
HS
stan
dard
s in
re
gard
s to
ci
vilia
n ba
ckgr
ound
in
vest
igat
ions
and
rein
vest
igat
ions
.
Dur
ing
our F
Y 2
010
follo
w u
p, w
e de
term
ined
that
the
Coa
st G
uard
will
del
ay i
ssui
ng a
ny n
ew o
r up
date
d gu
idan
ce/in
stru
ctio
ns u
ntil
the
JRT
repo
rt/gu
idan
ce
has
been
issu
ed a
nd w
ill c
ontin
ue to
not
com
ply
with
th
e D
HS
stan
dard
s in
reg
ards
to
civi
lian
back
grou
nd
inve
stig
atio
n an
d re
inve
stig
atio
ns.
Coa
st G
uard
will
co
ntin
ue to
vet
civ
ilian
indi
vidu
als
base
d on
the
OPM
re
quire
men
ts
and
asso
ciat
ed
met
hodo
logy
bo
th
in
term
s of
ini
tial
back
grou
nd i
nves
tigat
ions
and
re-
inve
stig
atio
ns.
In a
dditi
on, C
oast
Gua
rd h
as c
reat
ed a
n or
gani
zatio
n-
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
wid
e au
tom
ated
rep
ort
that
sho
ws
the
back
grou
nd
inve
stig
atio
n st
atus
of
ea
ch
civi
lian
Coa
st
Gua
rd
empl
oyee
. H
owev
er, C
oast
Gua
rd is
cur
rent
ly u
nabl
e to
co
nsis
tent
ly
gene
rate
er
ror-
free
rep
orts
.
Coa
st
Gua
rd s
tate
d th
at th
e re
port
coul
d be
cor
rect
ed w
ithin
tw
o ye
ars i
f add
ition
al re
sour
ces a
re p
rovi
ded.
CG
-IT-
10-0
4 Fr
om t
he p
erio
d of
Oct
ober
1,
2009
thr
ough
the
N
ovem
ber
29,
2009
, th
ere
was
no
t ad
equa
te
guid
ance
in p
lace
for C
oast
Gua
rd to
pro
perly
ass
ess
the
finan
cial
sta
tem
ent
impa
ct o
f ch
ange
s to
the
pr
oduc
tion
envi
ronm
ent
of
the
CA
S,
FPD
an
d W
INS.
Dur
ing
this
tim
e pe
riod,
tw
o C
AS
chan
ges
wer
e im
plem
ente
d in
to
prod
uctio
n w
ithou
t a
prop
er
asse
ssm
ent o
f th
e fin
anci
al s
tate
men
t im
pact
of
the
prop
osed
cha
nges
.
Upo
n th
e ef
fect
ive
date
of
the
Fina
ncia
l Im
pact
D
eter
min
atio
n fo
r D
ata
Scri
pts
and
Syst
em C
hang
e Re
ques
ts M
emor
andu
m o
n N
ovem
ber
30,
2009
, C
oast
G
uard
be
gan
and
cont
inue
d to
fo
llow
ad
equa
te g
uida
nce
to p
rope
rly a
sses
s th
e fin
anci
al
stat
emen
t im
pact
of
chan
ges
to C
AS,
FPD
and
W
INS.
No
reco
mm
enda
tion
requ
ired.
C
oast
Gua
rd t
ook
appr
opria
te c
orre
ctiv
e ac
tion
durin
g th
e cu
rren
t fis
cal
year
to
rem
edia
te t
he e
xcep
tion
that
was
id
entif
ied
durin
g th
is fi
scal
yea
r.
X
1
CG
-IT-
10-0
5 W
e de
term
ined
th
at
som
e pr
evio
usly
no
ted
wea
knes
ses
wer
e re
med
iate
d (p
artic
ular
ly
in
the
seco
nd
half
of
FY
2010
), w
hile
ot
her
cont
rol
defic
ienc
ies
cont
inue
d to
exi
st.
The
rem
aini
ng c
ontro
l de
ficie
ncie
s th
at w
ere
pres
ent
thro
ugho
ut F
Y 2
010
We
reco
mm
end
that
Coa
st G
uard
: �
Upd
ate
the
scrip
ting
polic
ies
and
proc
edur
es
to i
nclu
de a
dditi
onal
and
mor
e de
taile
d te
st
docu
men
tatio
n;
�D
evel
op tr
aini
ng th
at a
ddre
sses
all
aspe
cts
of
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
vary
in
sign
ifica
nce,
how
ever
thr
ee k
ey a
reas
tha
t im
pact
the
Coa
st G
uard
Scr
ipt
cont
rol
envi
ronm
ent
are:
1) S
crip
t Tes
ting
Req
uire
men
ts; 2
) Scr
ipt T
estin
g En
viro
nmen
t; an
d 3)
Scr
ipt A
udit
Logg
ing
Proc
ess.
a.
Scrip
t Te
stin
g R
equi
rem
ents
: Li
mite
d te
stin
g re
quire
men
ts e
xist
to
guid
e FI
NC
EN s
taff
in
the
deve
lopm
ent
of t
est
plan
s an
d gu
idan
ce
over
th
e fu
nctio
nal
test
ing
that
sh
ould
be
pe
rfor
med
. A
dditi
onal
ly,
we
dete
rmin
ed t
hat
ther
e ar
e no
det
aile
d re
quire
men
ts o
ver
the
revi
ew a
nd te
stin
g of
func
tiona
l cha
nges
to th
e da
ta.
FIN
CEN
onl
y tra
cks
and
docu
men
ts th
e nu
mbe
r of
tran
sact
ions
upd
ated
on
scrip
ts th
at
have
a f
inan
cial
im
pact
and
not
the
det
aile
d do
llar
amou
nts
asso
ciat
ed w
ith t
he f
inan
cial
im
pact
tran
sact
ions
.
b.
Scrip
t Te
stin
g En
viro
nmen
t: N
ot a
ll sc
ript
chan
ges
wer
e te
sted
in
the
appr
opria
te C
AS
Suite
test
env
ironm
ents
, as r
equi
red.
FI
NC
EN
man
agem
ent
info
rmed
us
th
at
the
test
ing
envi
ronm
ents
, C
AS4
and
LU
FSFQ
T3,
wer
e of
fline
for t
hese
exc
eptio
ns d
ue to
a re
fres
h of
th
e da
taba
ses
and
that
tes
ters
use
d C
AS3
and
A
lpha
as
al
tern
ate
test
ing
envi
ronm
ents
in
stea
d.
How
ever
, FI
NC
EN
man
agem
ent
info
rmed
KPM
G t
hat
thes
e en
viro
nmen
ts a
re
refr
eshe
d on
an
as n
eede
d ba
sis
and
no fu
rther
in
form
atio
n co
uld
be
prov
ided
ov
er
how
fr
eque
ntly
the
CA
S3 a
nd A
lpha
dat
abas
es w
ere
refr
eshe
d to
ve
rify
that
th
e sc
ripts
w
ere
adeq
uate
ly
test
ed
in
the
appr
opria
te
scrip
t tes
ting
(incl
udin
g do
cum
enta
tion
of te
st
docu
men
ts)
and
prov
ide
train
ing
to
appr
opria
te C
M st
aff;
�D
evel
op
a re
sour
ce
plan
w
ith
asso
ciat
ed
supp
ortin
g bu
sine
ss
case
(s)
to
addr
ess
the
data
base
aud
it lo
ggin
g re
quire
men
ts;
�D
evel
op
proc
edur
es
and
perf
orm
re
gula
r ac
coun
t re
valid
atio
n fo
r Se
rena
to
en
sure
pr
ivile
ges r
emai
n ap
prop
riate
; and
�
Con
duct
an
as
sess
men
t ov
er
the
Inte
rnal
C
ontro
l O
ver
Fina
ncia
l R
epor
ting
(IC
OFR
) pr
oces
s re
late
d to
ide
ntify
ing
and
eval
uatin
g sc
ripts
that
hav
e a
finan
cial
stat
emen
t im
pact
.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
envi
ronm
ent.
Fur
ther
mor
e, w
e de
term
ined
that
gu
idan
ce
is
not
prov
ided
ov
er
the
use
of
alte
rnat
e te
stin
g en
viro
nmen
ts fo
r the
test
ing
of
scrip
ts to
ens
ure
they
are
ade
quat
ely
test
ed.
c. S
crip
t A
udit
Logg
ing
Proc
ess:
T
he C
AS,
FP
D,
and
Sunf
low
er d
atab
ases
are
log
ging
ch
ange
s to
tab
les
as w
ell
as s
ucce
ssfu
l an
d un
succ
essf
ul
logi
ns.
H
owev
er,
no
reco
ncili
atio
n be
twee
n th
e sc
ripts
run
and
the
ch
ange
s m
ade
to t
he d
atab
ase
tabl
es i
s be
ing
perf
orm
ed t
o m
onito
r th
e sc
ript
activ
ities
and
en
sure
that
all
scrip
ts r
un h
ave
been
app
rove
d th
roug
h C
hang
e m
anag
emen
t Scr
ipt S
yste
m o
r Se
rena
. I
n ad
ditio
n, w
e no
ted
that
FIN
CEN
ha
s not
est
ablis
hed
a fo
rmal
pro
cess
to m
onito
r an
d re
view
cha
nges
mad
e to
the
Sun
flow
er
data
base
inc
ludi
ng t
he t
able
s an
d ac
tiviti
es
mod
ified
by
the
data
base
adm
inis
trato
rs.
Dur
ing
our
test
wor
k, w
e no
ted
wea
knes
ses
in t
he
scrip
t cha
nge
man
agem
ent p
roce
ss a
s it
rela
tes
to th
e IC
OFR
pro
cess
(e.g
., th
e fin
anci
al s
tate
men
t im
pact
of
the
chan
ges
to t
he C
AS
Suite
thr
ough
the
scr
ipt
chan
ge m
anag
emen
t pro
cess
). W
hile
a p
roce
ss e
xist
s to
iden
tify,
and
rou
te a
scr
ipt w
ith p
oten
tial f
inan
cial
st
atem
ent
impa
ct t
hrou
gh a
n as
sess
men
t pr
oces
s, th
e re
view
and
det
erm
inat
ion
over
eac
h sc
ript i
s pr
imar
ily
perf
orm
ed w
ithou
t st
ruct
ured
/det
aile
d pr
oced
ures
in
plac
e.
Furth
erm
ore,
the
rat
iona
le d
ocum
entin
g th
e im
pact
of
th
e sc
ript,
whe
ther
de
emed
as
ha
ving
fin
anci
al
impa
ct
or
not,
is
not
docu
men
ted
and
reta
ined
. In
ad
ditio
n,
with
in
the
CA
S Su
ite
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
envi
ronm
ent,
ther
e ar
e ov
er 2
00 s
crip
ts r
un o
n a
wee
kly
basi
s an
d w
e no
ted
that
the
finan
cial
sta
tem
ent
impa
ct a
sses
smen
t is
esse
ntia
lly p
erfo
rmed
by
a si
ngle
br
anch
, w
hich
has
aut
horiz
ed o
nly
thre
e pe
ople
to
asse
ss th
e sc
ripts
.
CG
-IT-
10-0
6 To
com
plem
ent o
ur I
T au
dit t
estin
g ef
forts
as
part
of
the
FY 2
010
DH
S Fi
nanc
ial
Stat
emen
t A
udit
and
Aud
it of
Inte
rnal
Con
trol o
ver F
inan
cial
Rep
ortin
g, w
e al
so p
erfo
rmed
soci
al e
ngin
eerin
g te
stin
g. T
his t
estin
g w
as c
ondu
cted
at
key
Coa
st G
uard
loc
atio
ns t
hat
proc
ess,
supp
ort a
nd h
ouse
Coa
st G
uard
fina
ncia
l dat
a.
Soci
al e
ngin
eerin
g is
def
ined
as
the
act o
f at
tem
ptin
g to
man
ipul
ate
or d
ecei
ve in
divi
dual
s in
to ta
king
act
ion
that
is
in
cons
iste
nt
with
D
HS
polic
ies,
such
as
di
vulg
ing
sens
itive
info
rmat
ion
or a
llow
ing
/ ena
blin
g co
mpu
ter s
yste
m a
cces
s. T
he te
rm ty
pica
lly a
pplie
s to
tri
cker
y or
dec
eptio
n fo
r th
e pu
rpos
e of
inf
orm
atio
n ga
ther
ing,
or g
aini
ng c
ompu
ter s
yste
m a
cces
s.
Dur
ing
the
cour
se o
f our
soc
ial e
ngin
eerin
g te
st w
ork,
th
e ob
ject
ive
was
prim
arily
foc
used
on
atte
mpt
ing
to
obta
in u
ser
pass
wor
ds.
Pos
ing
as D
HS
tech
nica
l su
ppor
t em
ploy
ees,
atte
mpt
s w
ere
mad
e to
obt
ain
this
ty
pe o
f ac
coun
t in
form
atio
n by
con
tact
ing
rand
omly
se
lect
ed U
SCG
em
ploy
ees
by te
leph
one
at tw
o C
oast
G
uard
loc
atio
ns,
Hea
dqua
rters
(H
Q)
and
the
Coa
st
Gua
rd F
INC
EN.
A s
crip
t was
follo
wed
whi
ch h
ad u
s as
k fo
r as
sist
ance
fro
m t
he u
ser
in r
esol
ving
a C
oast
G
uard
net
wor
k is
sue.
A
s pr
esen
ted
in t
he f
ollo
win
g ta
ble,
for
eac
h pe
rson
we
atte
mpt
ed to
cal
l, w
e no
ted
whe
ther
the
indi
vidu
als
wer
e re
ache
d an
d w
heth
er w
e
We
reco
mm
end
that
Coa
st G
uard
Hea
dqua
rters
up
date
th
e an
nual
In
form
atio
n A
ssur
ance
(I
A)
train
ing
to i
nclu
de m
ore
robu
st “
phis
hing
” an
d “s
ocia
l eng
inee
ring”
gui
danc
e an
d in
stru
ctio
n an
d ex
plic
itly
test
ind
ivid
uals
dur
ing
the
train
ing
on
thes
e to
pic
area
s.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 2
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
obta
ined
any
inf
orm
atio
n fr
om t
hem
tha
t sh
ould
not
ha
ve b
een
shar
ed w
ith u
s ac
cord
ing
to D
HS
polic
y.
Our
se
lect
ion
of
indi
vidu
als
was
no
t st
atis
tical
ly
deriv
ed, a
nd, t
here
fore
, we
are
unab
le to
pro
ject
resu
lts
to th
e C
oast
Gua
rd o
r the
DH
S as
a w
hole
. C
G-I
T-10
-07
Dur
ing
the
FY 2
010
IT A
udit,
a s
elec
tion
of n
ewly
cr
eate
d us
ers
of th
e JU
MPS
app
licat
ion
was
mad
e to
in
spec
t w
heth
er
appl
icab
le
docu
men
tatio
n w
as
reco
rded
and
ret
aine
d to
ide
ntify
aut
horiz
ed u
sers
. W
e de
term
ined
tha
t do
cum
enta
tion
was
not
ret
aine
d fo
r on
e of
the
fiv
e us
ers
sele
cted
. W
e pe
rfor
med
in
quiry
pro
cedu
res w
ith m
anag
emen
t to
dete
rmin
e th
at
acce
ss
was
ap
prop
riate
ly
rest
ricte
d fo
r th
is
user
; ho
wev
er,
no
JUM
PS
Acc
ess
Aut
horiz
atio
n Fo
rm
coul
d be
loc
ated
. O
n Ju
ly 2
0, 2
010,
man
agem
ent
rem
edia
ted
the
exce
ptio
n by
com
plet
ing
a ne
w JU
MPS
A
cces
s A
utho
rizat
ion
Form
for
the
note
d us
er w
ith a
co
py o
f the
form
bei
ng e
nter
ed in
to th
e C
oast
Gua
rd’s
Im
ageN
ow im
agin
ing
repo
sito
ry.
As n
oted
in th
e co
nditi
on, m
anag
emen
t rem
edia
ted
the
exce
ptio
n up
on n
otifi
catio
n of
this
IT N
FR. N
o ad
ditio
nal
actio
ns a
re r
equi
red
and,
the
refo
re,
no
reco
mm
enda
tion
will
be
issu
ed.
X
1
CG
-IT-
10-0
8 D
urin
g ou
r FY
201
0 te
st w
ork,
we
dete
rmin
ed th
at th
e C
oast
G
uard
TI
ER
Syst
em
pass
wor
d se
tting
fo
r lo
ckou
t du
ratio
n (P
ASS
WO
RD
_LO
CK
_TIM
E)
is
only
con
figur
ed to
0.0
005
days
(les
s th
an o
ne m
inut
e).
This
set
ting
was
sub
sequ
ently
rem
edia
ted
on 7
/19/
201
to a
set
ting
of “
UN
LIM
ITED
” w
hich
req
uire
s an
ad
min
istra
tor t
o un
lock
the
acco
unt.
We
obse
rved
and
no
ted
that
this
rem
edia
tion
was
take
n by
Coa
st G
uard
.
No
reco
mm
enda
tion
requ
ired.
C
oast
Gua
rd t
ook
appr
opria
te c
orre
ctiv
e ac
tion
durin
g th
e cu
rren
t fis
cal
year
to
rem
edia
te t
he e
xcep
tion
that
was
id
entif
ied
durin
g th
is fi
scal
yea
r.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
0
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
-IT-
10-0
9 To
com
plem
ent o
ur I
T au
dit t
estin
g ef
forts
as
part
of
the
FY 2
010
DH
S Fi
nanc
ial
Stat
emen
t A
udit
and
Aud
it of
Inte
rnal
Con
trol o
ver F
inan
cial
Rep
ortin
g, w
e al
so p
erfo
rmed
afte
r-ho
urs
phys
ical
sec
urity
tes
ting.
Th
is
test
ing
was
co
nduc
ted
at
key
Coa
st
Gua
rd
loca
tions
that
pro
cess
, sup
port
and
hous
e C
oast
Gua
rd
finan
cial
dat
a.
We
perf
orm
ed a
fter-
hour
s ph
ysic
al s
ecur
ity te
stin
g to
id
entif
y ris
ks r
elat
ed t
o no
n-te
chni
cal
aspe
cts
of I
T se
curit
y.
Thes
e no
n-te
chni
cal
IT s
ecur
ity a
spec
ts
incl
ude
phys
ical
acc
ess
to m
edia
and
equ
ipm
ent
that
ho
uses
fin
anci
al d
ata
and
info
rmat
ion
resi
ding
on
a U
SCG
em
ploy
ee’s
/ co
ntra
ctor
’s d
esk,
whi
ch c
ould
be
used
by
othe
rs to
gai
n un
auth
oriz
ed a
cces
s to
sys
tem
s ho
usin
g fin
anci
al
info
rmat
ion.
The
test
ing
was
pe
rfor
med
at v
ario
us U
SCG
loca
tions
that
pro
cess
and
/
or m
aint
ain
finan
cial
dat
a. A
fter
gain
ing
phys
ical
ac
cess
to
the
faci
litie
s w
ith a
USC
G e
mpl
oyee
who
w
as d
esig
nate
d to
ass
ist
with
and
mon
itor
our
test
w
ork,
we
insp
ecte
d a
sele
ctio
n of
45
desk
s, cu
bicl
es,
offic
es,
and
othe
r w
ork
area
s fo
r ea
ch
loca
tion.
D
urin
g th
e te
stin
g w
e w
ere
look
ing
for
item
s su
ch a
s im
prop
er p
rote
ctio
n of
use
r acc
ount
logi
n in
form
atio
n,
unse
cure
d
porta
ble
syst
em
hard
war
e,
incl
udin
g la
ptop
s an
d ex
tern
al h
ard
driv
es,
and
open
/ a
ctiv
e ap
plic
atio
n or
net
wor
k se
ssio
ns.
In
addi
tion,
we
insp
ecte
d w
ork
area
s fo
r do
cum
enta
tion
mar
ked
“For
O
ffic
ial
Use
Onl
y” (
FOU
O),
pers
onal
ly i
dent
ifiab
le
info
rmat
ion
(PII
), Fe
dera
l G
over
nmen
t cr
edits
car
ds,
and
agen
cy b
adge
s. T
his
list d
oes
not e
ncom
pass
the
tota
l ty
pe o
f ite
ms
we
wer
e se
arch
ing
for
durin
g ou
r
We
reco
mm
end
that
Coa
st G
uard
: �
Upd
ate
the
annu
al IA
trai
ning
to in
clud
e m
ore
robu
st o
ffic
e “p
hysi
cal
secu
rity”
and
“cl
ean
desk
” gu
idan
ce a
nd i
nstru
ctio
n an
d ex
plic
itly
test
ind
ivid
uals
dur
ing
the
train
ing
on t
hese
to
pic
area
s. �
Impl
emen
t en
terp
rise-
wid
e an
d si
te-s
peci
fic
proc
esse
s fo
r ve
rifyi
ng t
he e
ffec
tiven
ess
of
this
tra
inin
g vi
a m
echa
nism
s su
ch
as
sche
dule
d an
d ad
hoc
des
k ch
ecks
, tra
inin
g fo
llow
-ups
, and
oth
er m
anag
emen
t con
trols
.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
test
ing.
As
depi
cted
in
the
follo
win
g ta
ble,
for
eac
h lo
catio
n vi
site
d,
we
note
d th
e ty
pe
of
unse
cure
d in
form
atio
n or
pro
perty
we
iden
tifie
d an
d in
clud
ed th
e to
tal e
xcep
tions
not
ed b
y lo
catio
n, a
s w
ell a
s by
type
of
info
rmat
ion
or p
rope
rty id
entif
ied.
C
G-I
T-10
-10
In F
Y 2
009,
w
e de
term
ined
th
at
the
Rol
e-B
ased
Tr
aini
ng f
or U
SCG
IA
Pro
fess
iona
ls C
omm
anda
nt
Inst
ruct
ion
had
been
rena
med
the
Rol
e-B
ased
Indu
stry
St
anda
rds
for
USC
G I
A P
rofe
ssio
nals
Com
man
dant
In
stru
ctio
n.
H
owev
er,
the
rena
med
In
stru
ctio
n re
mai
ned
in d
raft
form
. I
n ad
ditio
n, w
e de
term
ined
th
at
once
th
e In
stru
ctio
n ha
d be
en
final
ized
, th
e cu
rric
ulum
had
bee
n ag
reed
upo
n an
d th
e tra
inin
g im
plem
ente
d,
Coa
st
Gua
rd
wou
ld
utili
ze
the
Prof
essi
onal
C
ertif
icat
ions
an
d Li
cens
es
mod
ule
with
in
the
Dire
ct
Acc
ess
syst
em
rath
er
than
th
e Tr
aini
ng M
anag
emen
t To
ol (
TMT)
to
mon
itor
and
verif
y tra
inin
g co
mpl
etio
n. T
his
was
not
the
cas
e as
D
irect
Acc
ess
was
not
con
figur
ed t
o tra
ck c
ontra
ctor
in
form
atio
n an
d, t
here
fore
will
not
inc
lude
tra
inin
g in
form
atio
n fo
r con
tract
ors.
The
Inst
ruct
ion
cont
inue
d to
ref
eren
ce t
he u
se o
f th
e TM
T an
d ha
d no
t be
en
upda
ted
to i
nclu
de p
roce
dure
s fo
r ut
ilizi
ng D
irect
A
cces
s.
Dur
ing
our
FY
2010
fo
llow
-up
test
w
ork,
w
e de
term
ined
that
the
Role
-Bas
ed In
dust
ry S
tand
ards
for
USC
G I
A Pr
ofes
sion
als
Com
man
dant
Ins
truct
ion
had
been
re
nam
ed
Info
rmat
ion
Assu
ranc
e Pr
ofes
sion
al
Cer
tific
atio
ns a
nd w
as f
orm
ally
iss
ued
on M
arch
23,
20
10.
The
Inst
ruct
ion
stat
ed
that
al
l m
ilita
ry
empl
oyee
s as
sign
ed t
o an
IA
rol
e m
ust
obta
in a
We
reco
mm
end
Coa
st G
uard
Hea
dqua
rters
: �
Con
tinue
to
im
plem
ent
Com
man
dant
In
stru
ctio
n In
form
atio
n As
sura
nce
Prof
essi
onal
Cer
tific
atio
ns.
�Im
prov
e an
d ut
ilize
its
m
anua
l tra
ckin
g pr
oces
s un
til s
uch
time
that
the
Dire
ct A
cces
s im
plem
enta
tion
is in
pla
ce.
X
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
requ
ired
certi
ficat
ion
with
in
12
mon
ths
of
the
Com
man
dant
Ins
truct
ion
issu
e da
te (
i.e.,
Mar
ch 2
3,
2011
), an
d al
l ci
vilia
n em
ploy
ees
curr
ently
in
an I
A
role
wou
ld b
e gr
ante
d a
wai
ver
with
in 1
2 m
onth
s of
th
e C
omm
anda
nt
Inst
ruct
ion
issu
e da
te.
The
Com
man
dant
In
stru
ctio
n fu
rther
st
ated
: 1)
bo
th
mili
tary
and
civ
ilian
em
ploy
ees
assi
gned
to a
n IA
role
af
ter
the
issu
ance
dat
e w
ould
be
requ
ired
to o
btai
n a
certi
ficat
ion
with
in 1
2 m
onth
s, in
clud
ing
trans
fers
, and
2)
all
certi
ficat
ions
mus
t be
rec
orde
d /
track
ed i
n D
irect
A
cces
s. Pe
rtain
ing
to
cont
ract
ors,
the
Con
tract
ing
Off
icer
Tec
hnic
al R
epre
sent
ativ
e (C
OTR
) m
ust k
eep
reco
rds
of a
ll IA
per
sonn
el th
at re
quire
and
ha
ve r
ecei
ved
role
-bas
ed c
ertif
icat
ion
prep
arat
ion
or
Con
tinui
ng P
rofe
ssio
nal E
duca
tion
(CPE
) cr
edits
, and
al
l tra
inin
g an
d ce
rtific
atio
n re
quire
men
ts a
re in
serte
d w
ithin
all
futu
re s
tate
men
ts o
f w
ork
and
awar
ded
cont
ract
s. T
he i
nstru
ctio
n al
so s
tate
s th
at a
ll IA
pe
rson
nel
(mili
tary
, ci
vilia
ns,
and
cont
ract
ors)
mus
t re
ceiv
e in
itial
pro
fess
iona
l ce
rtific
atio
n pr
epar
atio
n an
d an
nual
CPE
s th
erea
fter
prio
r to
bei
ng g
rant
ed
Coa
st G
uard
IT
syst
ems
acce
ss s
peci
fic t
o th
ose
secu
rity
dutie
s.
Alth
ough
Coa
st G
uard
has
take
n co
rrec
tive
actio
ns to
re
med
iate
thi
s pr
ior
year
NFR
, w
e de
term
ined
tha
t ev
en t
houg
h th
e co
rrec
tive
actio
ns a
re p
lann
ed f
or
com
plet
ion
by M
arch
201
1, t
hey
have
not
yet
bee
n co
mpl
eted
in F
Y 2
010
(i.e.
, all
IA p
rofe
ssio
nals
who
ar
e re
quire
d to
ob
tain
/
mai
ntai
n a
prof
essi
onal
ce
rtific
atio
n w
ithin
a y
ear o
f the
dat
e of
the
Inst
ruct
ion
have
not
obt
aine
d a
certi
ficat
ion
to d
ate)
. O
ur te
stin
g
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
note
d th
at 8
or
3.9%
of
Coa
st G
uard
IA
pro
fess
iona
ls
out
of t
he t
otal
pop
ulat
ion
of 2
05 h
ave
the
requ
ired
certi
ficat
ion
for
thei
r pr
escr
ibed
le
vel
on
file.
Fu
rther
mor
e, w
e no
ted
that
59
or 2
8.7%
of
Coa
st
Gua
rd IA
pro
fess
iona
ls h
ave
not p
rovi
ded
evid
ence
of
indu
stry
-bas
ed
train
ing.
In
addi
tion,
th
roug
h ou
r te
stin
g, w
e co
uld
not
dete
rmin
e th
e nu
mbe
r of
IA
pr
ofes
sion
als
that
had
bee
n gr
ante
d w
aive
rs f
or t
he
certi
ficat
ion
requ
irem
ent.
In
clos
ing,
we
also
not
ed
that
14
Coa
st G
uard
Sys
tem
Adm
inis
trato
rs w
ere
not
liste
d as
bei
ng p
art
of t
he 2
05 C
oast
Gua
rd I
A
prof
essi
onal
s. C
G-I
T-10
-11
Dur
ing
the
FY 2
010
IT A
udit,
a s
elec
tion
of u
sers
ad
ded
to th
e C
G T
IER
app
licat
ion
for
the
fisca
l yea
r w
as m
ade
to i
nspe
ct w
heth
er p
rope
r do
cum
enta
tion
was
rec
orde
d an
d re
tain
ed f
or i
dent
ify a
utho
rized
us
ers.
Our
test
ing
dete
rmin
ed th
at d
ocum
enta
tion
was
no
t re
tain
ed f
or o
ne o
f th
e tw
o C
G T
IER
use
rs
sele
cted
. Upo
n fu
rther
inq
uiry
with
man
agem
ent,
we
wer
e in
form
ed th
at th
e id
entif
ied
CG
TIE
R u
ser
was
au
thor
ized
acc
ess
by t
he F
inan
cial
Bra
nch
Chi
ef;
how
ever
, the
em
ail a
ppro
val h
ad b
een
lost
.
We
reco
mm
end
that
Coa
st G
uard
Fin
ance
Cen
ter
take
the
follo
w a
ctio
ns:
�Fo
r the
use
r ide
ntifi
ed d
urin
g te
stin
g, c
ompl
ete
and
reta
in a
ll ap
prop
riate
acc
ess r
eque
st
docu
men
tatio
n; a
nd,
�U
pdat
e th
e C
G T
IER
acc
ount
man
agem
ent
proc
edur
es to
eff
ectiv
ely
track
and
reta
in u
ser
acce
ss d
ocum
enta
tion.
X
1
CG
-IT-
10-1
2 D
urin
g ou
r FY
200
9 te
st w
ork,
we
dete
rmin
ed th
at o
n a
quar
terly
bas
is,
45-9
0 D
irect
Acc
ess
user
acc
ount
s ar
e ra
ndom
ly
sam
pled
an
d fo
rmal
ly
revi
ewed
to
de
term
ine
if ac
cess
re
mai
ns
appr
opria
te
for
each
se
lect
ed u
ser a
ccou
nt.
As
part
of th
e qu
arte
rly re
view
, C
oast
G
uard
’s
Pay
and
Pers
onne
l C
ente
r (P
PC)
man
agem
ent
verif
ies
that
no
sing
le u
ser
has
both
C
GA
PPL
(abi
lity
to
ente
r an
ap
plic
ant)
and
CG
HR
SUP
(abi
lity
to h
ire a
n ap
plic
atio
n) ro
les.
PPC
m
anag
emen
t th
en
verif
ies
that
no
us
er
has
both
We
reco
mm
end
Coa
st G
uard
hea
dqua
rters
and
the
PPC
: �
Dev
elop
a
RP
with
as
soci
ated
su
ppor
ting
busi
ness
cas
e(s)
to a
ddre
ss th
e 10
0% a
ccou
nt
revi
ew re
quire
men
t. �
Con
tinue
to c
oord
inat
e w
ith th
e D
HS
CIS
O’s
of
fice
to
dete
rmin
e an
d fo
rmal
ize
the
freq
uenc
y an
d de
pth
/ br
eadt
h of
eff
ectiv
e re
view
s th
at a
ddre
ss th
e pe
rcei
ved
risk.
Bas
ed
upon
the
resu
lts o
f th
ese
disc
ussi
ons
with
the
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
APP
L an
d C
GH
IRE
priv
ilege
s w
ithin
the
Dire
ct
Acc
ess a
pplic
atio
n.
Per
PPC
man
agem
ent,
ther
e ar
e 17
,496
ind
ivid
uals
w
ith
activ
e D
irect
A
cces
s ac
coun
ts
that
m
aint
ain
grea
ter
than
re
ad-o
nly
acce
ss.
PPC
m
anag
emen
t fu
rther
adv
ised
us
that
6,9
20 (
40%
) of
the
Dire
ct
Acc
ess
acco
unts
wer
e re
valid
ated
dur
ing
the
perio
d of
O
ctob
er 1
, 200
8 –
Sept
embe
r 17,
200
9, le
avin
g 10
,576
(6
0%)
Dire
ct A
cces
s ac
coun
ts n
ot r
eval
idat
ed d
urin
g FY
09.
As a
resu
lt, w
e de
term
ined
that
100
% o
f Dire
ct
Acc
ess
user
acc
ount
s w
ith g
reat
er t
han
read
-onl
y ac
cess
ar
e no
t an
nual
ly
revi
ewed
pe
r th
e D
HS
requ
irem
ent.
Dur
ing
our
FY 2
010
test
wor
k, w
e w
ere
info
rmed
by
the
Coa
st G
uard
that
an
annu
al re
view
of 1
00%
of t
he
Dire
ct A
cces
s us
er a
ccou
nts
with
gre
ater
tha
n re
ad-
only
acc
ess
(and
the
ir as
soci
ated
priv
ilege
s) h
as n
ot
been
per
form
ed fo
r thi
s fis
cal y
ear.
Coa
st G
uard
als
o in
form
ed u
s th
at a
ll D
irect
Acc
ess
acco
unts
cre
ated
and
/or m
odifi
ed d
urin
g th
e fis
cal y
ear
have
bee
n re
view
ed a
s pa
rt of
the
norm
al tr
ansf
er a
nd
agin
g pr
oces
ses;
how
ever
, our
test
ing
did
not e
xten
d to
va
lidat
e th
is s
tate
men
t. B
ased
upo
n a
risk
base
d de
cisi
on,
the
Coa
st G
uard
has
des
igne
d a
proc
ess
to
revi
ew a
sub
set o
f use
rs th
at re
pres
ent t
he g
reat
est r
isk
to D
irect
Acc
ess.
Thi
s an
nual
rev
iew
wou
ld c
over
ap
prox
imat
ely
743
Dire
ct A
cces
s us
ers.
The
sco
pe o
f th
e re
view
inc
lude
s us
ers
with
pay
men
t ap
prov
al,
secu
rity
adm
inis
trato
r per
mis
sion
s, al
l con
tract
ors,
and
user
s with
upd
ate/
dele
te p
erm
issi
ons.
DH
S C
ISO
’s o
ffic
e, t
he C
oast
Gua
rd w
ill
mod
ify p
roce
dure
s an
d de
velo
p, if
app
licab
le,
requ
ired
wai
vers
/exc
eptio
ns
to
refle
ct
an
adeq
uate
per
cent
age
of D
irect
Acc
ess
user
ac
coun
ts to
be
revi
ewed
. �
Con
tinue
to u
se it
s ex
istin
g ris
k-ba
sed
acco
unt
revi
ew
effo
rts
until
su
ch
time
that
th
e pr
oced
ures
are
upd
ated
in
resp
onse
to
the
activ
ities
as
soci
ated
w
ith
the
seco
nd
reco
mm
enda
tion.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
How
ever
, si
nce
this
sub
set
revi
ew d
oes
not
cove
r 10
0% o
f the
Dire
ct A
cces
s us
er a
ccou
nts
with
gre
ater
th
an re
ad-o
nly
acce
ss (a
nd th
eir a
ssoc
iate
d pr
ivile
ges)
as
req
uire
d by
DH
S, w
e co
nsid
er t
his
NFR
to
be r
e-is
sued
.
CG
-IT-
10-1
3 D
urin
g ou
r te
stin
g, w
e de
term
ined
tha
t al
l pr
evio
us
year
con
ditio
ns l
iste
d in
NFR
s C
G-I
T-09
-46
wer
e pr
oper
ly r
emed
iate
d by
USC
G.
We
cons
ider
thi
s pr
ior-
year
IT N
FR a
s clo
sed.
As
part
of
this
ye
ar’s
te
stin
g, w
e id
entif
ied
one
secu
rity
conf
igur
atio
n m
anag
emen
t w
eakn
ess
(i.e.
, ou
tdat
ed
oper
atin
g sy
stem
so
ftwar
e)
on
host
s su
ppor
ting
CA
S,
FPD
, N
ESSS
, as
w
ell
as
thos
e sy
stem
s’
netw
ork
infr
astru
ctur
e an
d as
soci
ated
w
orks
tatio
ns.
Tabl
e 1,
sta
rting
on
the
next
pag
e, li
sts
the
cond
ition
s as
ide
ntifi
ed b
y th
e so
ftwar
e to
ol u
sed,
the
sys
tem
(h
ost)
impa
cted
, ef
fect
sta
tem
ent,
IT g
ener
al c
ontro
l ar
ea, s
oftw
are
tool
use
d to
iden
tify
the
cond
ition
, and
if
the
cond
ition
ide
ntifi
ed w
as a
prio
r ye
ar I
T au
dit
issu
e. T
he c
ondi
tions
list
ed in
Tab
le 1
are
pot
entia
lly
expl
oita
ble
by a
n in
side
r w
ithou
t sp
ecifi
c kn
owle
dge
of t
he o
pera
tion
of t
he s
yste
m o
r th
e ap
plic
atio
ns
host
ed o
n th
at sy
stem
.
We
reco
mm
end
that
Coa
st G
uard
FIN
CEN
: �
Dev
elop
a
RP
with
as
soci
ated
su
ppor
ting
busi
ness
cas
e(s)
to
addr
ess
the
inst
alla
tion
of
Serv
ice
Pack
3 o
n al
l app
licab
le W
indo
ws
XP
wor
ksta
tions
an
d/or
up
grad
e th
e op
erat
ing
syst
ems
of t
hese
wor
ksta
tions
to
the
Coa
st
Gua
rd’s
Vis
ta-b
ased
Sta
ndar
d Im
age
6.0.
�
Dev
elop
a
RP
with
as
soci
ated
su
ppor
ting
busi
ness
ca
se(s
) to
ad
dres
s th
e se
rver
op
erat
ing
syst
em
upgr
ades
to
in
clud
e a
tech
nica
l an
alys
is t
o en
sure
Win
dow
s 20
03
serv
er u
pgra
des d
o no
t adv
erse
ly a
ffec
t sys
tem
op
erat
ion.
�
Bas
ed u
pon
the
resu
lts o
f R
ecom
men
datio
n 1
and
Rec
omm
enda
tion
2, s
ched
ule
and
perf
orm
th
e up
grad
es a
nd/o
r pa
tche
s of
the
im
pact
ed
serv
ers a
nd w
orks
tatio
ns.
X
1
CG
-IT-
10-1
4 D
urin
g ou
r FY
201
0 au
dit t
est w
ork,
we
sam
pled
25
new
use
r acc
esse
s for
NES
SS th
at w
ere
gran
ted
durin
g th
e fis
cal y
ear
to d
eter
min
e if
an a
cces
s au
thor
izat
ion
form
had
bee
n co
mpl
eted
, if
the
acce
ss h
ad b
een
timel
y ap
prov
ed b
y th
e us
er’s
sup
ervi
sor,
and
that
the
We
reco
mm
end
the
Coa
st
Gua
rd’s
O
pera
tion
Syst
ems
Cen
ter (
OSC
) upd
ate
the
NES
SS a
ccou
nt
man
agem
ent S
tand
ard
Ope
ratin
g Pr
oced
ure
(SO
P)
to p
rovi
de c
lear
gui
danc
e re
gard
ing
the
use
of u
ser
acce
ss fo
rms a
nd u
pdat
e th
e ac
cess
form
to in
clud
e
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
form
s w
ere
reta
ined
. B
ased
upo
n ou
r tes
ting,
we
wer
e un
able
to
obta
in 9
of
the
25 u
ser
acce
ss f
orm
s. I
n ad
ditio
n, e
vide
nce
of s
uper
viso
ry a
ppro
val f
or 9
of t
he
25 sa
mpl
ed u
sers
was
not
ava
ilabl
e.
an a
ppro
val s
igna
ture
line
.
CG
-IT-
10-1
5 D
urin
g th
e FY
20
10
audi
t te
st
wor
k,
Avi
atio
n Lo
gist
ics
Cen
ter (
ALC
) vis
itor l
ogs
for t
he fi
scal
yea
r w
ere
obta
ined
to
de
term
ine
whe
ther
pr
oper
do
cum
enta
tion
was
re
cord
ed
and
reta
ined
fo
r th
e ve
rific
atio
n of
in
divi
dual
s vi
sitin
g th
e A
LC
Dat
a C
ente
r an
d Fa
cilit
y.
Our
tes
ting
dete
rmin
ed t
hat
the
ALC
C
usto
mer
Su
ppor
t D
esk
did
not
prop
erly
co
mpl
ete
the
visi
tor
logs
dur
ing
the
FY 2
010
audi
t pe
riod.
Sp
ecifi
cally
, fr
om a
tot
al o
f 19
0 vi
sito
r lo
g en
tries
for t
he fi
scal
yea
r, 33
vis
itor l
og e
ntrie
s di
d no
t ha
ve th
e D
ate-
Out
and
Tim
e-O
ut fi
elds
com
plet
ed a
nd
31 v
isito
r lo
g en
tries
did
not
hav
e th
e Sp
onso
r fie
ld
com
plet
ed.
Add
ition
ally
, th
e A
LC D
ata
Cen
ter
Acc
ess
List
ing
was
obt
aine
d to
det
erm
ine
whe
ther
a r
evie
w o
f th
e ac
cess
lis
ting
was
con
duct
ed a
nd e
vide
nce
of t
he
revi
ew w
as p
erfo
rmed
and
mai
ntai
ned.
O
ur t
estin
g de
term
ined
tha
t th
e ev
iden
ce o
f re
view
s of
the
Dat
a C
ente
r A
cces
s fo
r th
e FY
20
10
perio
d w
as
not
mai
ntai
ned.
Th
eref
ore,
we
coul
d no
t de
term
ine
that
th
e D
ata
Cen
ter
Acc
ess
List
ing
had
been
pro
perly
re
view
ed d
urin
g th
e ye
ar.
We
reco
mm
end
that
Coa
st G
uard
: �
Dev
elop
and
mai
ntai
n an
SO
P to
ens
ure
that
th
e A
LC D
ata
Cen
ter
Acc
ess
Con
trol
list
is
kept
cur
rent
and
tha
t its
qua
rterly
rev
iew
is
docu
men
ted
and
mai
ntai
ned;
and
�
Re-
emph
asiz
e to
al
l A
LC
Supp
ort
Des
k pe
rson
nel
(thro
ugh
train
ing)
, th
e im
porta
nce
of p
rope
rly m
aint
aini
ng th
e vi
sito
r lo
g an
d to
en
sure
it
is
fille
d ou
t co
mpl
etel
y an
d ac
cura
tely
.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
-IT-
10-1
6 D
urin
g th
e FY
20
10
IT
Aud
it,
the
Avi
atio
n M
aint
enan
ce
Man
agem
ent
Info
rmat
ion
Syst
em
(AM
MIS
) pa
ssw
ord
conf
igur
atio
n se
tting
s w
ere
obta
ined
an
d te
sted
to
de
term
ine
whe
ther
th
ey
com
plie
d w
ith D
HS
polic
y.
Our
tes
ting
dete
rmin
ed
that
the
AM
MIS
sub
syst
em p
assw
ord
conf
igur
atio
n se
tting
s do
not
com
ply
with
all
of t
he r
equi
red
DH
S pa
ssw
ord
guid
elin
es.
Spec
ifica
lly, A
MM
IS p
assw
ord
conf
igur
atio
n se
tting
s di
d no
t co
mpl
y w
ith
the
follo
win
g D
HS
pass
wor
d po
licy:
�C
onta
in a
com
bina
tion
of a
lpha
betic
, num
eric
, an
d sp
ecia
l ch
arac
ters
–
the
AM
MIS
pa
ssw
ord
requ
ires
a co
mbi
natio
n of
al
phab
etic
, num
eric
, or s
peci
al c
hara
cter
s; a
nd
�N
ot b
e th
e sa
me
as th
e pr
evio
us 8
pas
swor
ds.
The
AM
MIS
pas
swor
d co
nfig
urat
ion
is s
et to
be
the
sam
e as
the
prev
ious
6 p
assw
ords
.
Add
ition
ally
, ou
r te
stin
g de
term
ined
tha
t th
e cu
rren
t A
viat
ion
Logi
stic
s M
anag
emen
t In
form
atio
n Sy
stem
(A
LMIS
) Sys
tem
Sec
urity
Pla
n (S
SP),
whi
ch in
clud
es
the
syst
em
leve
l re
quire
men
ts
of
the
AM
MIS
su
bsys
tem
, st
ates
th
at
the
impl
emen
ted
pass
wor
d co
nfig
urat
ion
does
not
com
ply
with
the
cur
rent
DH
S pa
ssw
ord
polic
y. S
peci
fical
ly, t
he A
LMIS
SSP
sta
tes
that
the
pass
wor
d ca
nnot
be
the
sam
e as
the
prev
ious
6
pass
wor
ds;
how
ever
, D
HS
guid
ance
st
ates
th
at
pass
wor
ds c
anno
t be
the
sam
e as
the
pre
viou
s 8
pass
wor
ds.
We
reco
mm
end
that
the
Coa
st G
uard
con
figur
e th
e A
MM
IS
appl
icat
ion
to
enfo
rce
the
stro
ng
pass
wor
d an
d pa
ssw
ord
hist
ory
requ
irem
ents
de
scrib
ed
in
the
DH
S M
anag
emen
t D
irect
ive
4300
A P
olic
y D
irect
ive
and
to u
pdat
e al
l im
pact
ed
Cer
tific
atio
n &
A
ccre
dita
tion
and
syst
em
docu
men
tatio
n ac
cord
ingl
y.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
-IT-
10-1
7 To
com
plem
ent o
ur I
T au
dit t
estin
g ef
forts
as
part
of
the
FY 2
010
DH
S Fi
nanc
ial
Stat
emen
t A
udit
and
Aud
it of
Inte
rnal
Con
trol o
ver F
inan
cial
Rep
ortin
g, w
e al
so p
erfo
rmed
soci
al e
ngin
eerin
g te
stin
g. T
his t
estin
g w
as c
ondu
cted
at
key
Coa
st G
uard
loc
atio
ns t
hat
proc
ess,
supp
ort a
nd h
ouse
Coa
st G
uard
fina
ncia
l dat
a.
Soci
al e
ngin
eerin
g is
def
ined
as
the
act o
f at
tem
ptin
g to
man
ipul
ate
or d
ecei
ve in
divi
dual
s in
to ta
king
act
ion
that
is
in
cons
iste
nt
with
D
HS
polic
ies,
such
as
di
vulg
ing
sens
itive
info
rmat
ion
or a
llow
ing
/ ena
blin
g co
mpu
ter s
yste
m a
cces
s. T
he te
rm ty
pica
lly a
pplie
s to
tri
cker
y or
dec
eptio
n fo
r th
e pu
rpos
e of
inf
orm
atio
n ga
ther
ing,
or g
aini
ng c
ompu
ter s
yste
m a
cces
s.
This
was
the
sec
ond
roun
d of
soc
ial
engi
neer
ing
test
ing
cond
ucte
d as
par
t the
FY
201
0 D
HS
Fina
ncia
l A
udit
and
Aud
it of
Int
erna
l C
ontro
l ov
er F
inan
cial
R
epor
ting.
O
ur in
itial
test
ing
occu
rred
bac
k on
Jun
e 30
th a
nd J
uly
1st .
Our
initi
al te
stin
g re
sulte
d in
Coa
st
Gua
rd
IT-N
FR-1
0-06
be
ing
issu
ed.
Th
e te
stin
g ap
proa
ch a
nd s
cope
for
the
sec
ond
roun
d of
tes
ting
was
the
sam
e as
the
initi
al ro
und.
Dur
ing
the
cour
se o
f our
soc
ial e
ngin
eerin
g te
st w
ork,
th
e ob
ject
ive
was
prim
arily
foc
used
on
atte
mpt
ing
to
obta
in u
ser
pass
wor
ds.
Pos
ing
as D
HS
tech
nica
l su
ppor
t em
ploy
ees,
atte
mpt
s w
ere
mad
e to
obt
ain
this
It is
reco
mm
ende
d th
at C
oast
Gua
rd im
plem
ent t
he
reco
mm
enda
tions
pre
sent
ed i
n C
oast
Gua
rd I
T-N
FR-1
0-06
. N
o ad
ditio
nal a
ctio
ns a
re re
quire
d.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 3
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
type
of
acco
unt
info
rmat
ion
by c
onta
ctin
g ra
ndom
ly
sele
cted
USC
G e
mpl
oyee
s by
tele
phon
e at
two
Coa
st
Gua
rd l
ocat
ions
, H
eadq
uarte
rs (
HQ
) an
d th
e C
oast
G
uard
Fin
ance
Cen
ter
(FIN
CEN
). A
scr
ipt w
as u
sed
to a
sk f
or a
ssis
tanc
e fr
om t
he u
ser
in r
esol
ving
a
netw
ork
issu
e at
the
Coa
st G
uard
. A
s pr
esen
ted
in th
e fo
llow
ing
tabl
e, f
or e
ach
pers
on w
e at
tem
pted
to c
all,
we
note
d w
heth
er t
he i
ndiv
idua
ls w
ere
reac
hed
and
whe
ther
we
obta
ined
any
info
rmat
ion
from
them
that
sh
ould
not
hav
e be
en sh
ared
with
us a
ccor
ding
to D
HS
polic
y.
Our
se
lect
ion
of
indi
vidu
als
was
no
t st
atis
tical
ly d
eriv
ed,
and,
the
refo
re,
we
are
unab
le t
o pr
ojec
t re
sults
to
the
com
pone
nt o
r de
partm
ent
as a
w
hole
. C
G-I
T-10
-18
Our
tes
ting
dete
rmin
ed t
hat
the
evid
ence
of
revi
ews
over
the
AM
MIS
aud
it lo
gs f
or t
he F
Y 2
010
audi
t pe
riod
wer
e no
t m
aint
aine
d by
ALC
. Th
eref
ore,
we
coul
d no
t det
erm
ine
if th
e A
MM
IS a
udit
logs
had
bee
n pr
oper
ly re
view
ed d
urin
g th
e ye
ar.
Add
ition
ally
, our
test
ing
dete
rmin
ed th
at re
view
s of a
ll de
activ
ated
AM
MIS
acc
ount
s m
ay n
ot h
ave
been
pe
rfor
med
an
d ev
iden
ce
of
the
revi
ews
was
no
t m
aint
aine
d by
the
ALC
. T
here
fore
, w
e co
uld
not
dete
rmin
e w
heth
er d
eact
ivat
ed A
MM
IS a
ccou
nts
had
been
pro
perly
mon
itore
d an
d re
view
ed d
urin
g th
e ye
ar.
Last
ly,
we
wer
e in
form
ed
by
the
ALC
th
at
the
AM
MIS
aud
it lo
gs w
ere
not
bein
g re
view
ed b
y an
in
divi
dual
th
at
is
cons
ider
ed
inde
pend
ent
to
the
proc
ess.
W
e no
ted
that
an
A
MM
IS
syst
em
We
reco
mm
end
that
Coa
st G
uard
: �
Upd
ate
the
AM
MIS
St
anda
rd
Ope
ratin
g Pr
oced
ures
to a
ddre
ss th
e au
dit l
og re
view
and
re
tent
ion
proc
edur
es; a
nd
�Im
plem
ent
sepa
ratio
n of
du
ties
for
the
AM
MIS
aud
it lo
g re
view
s.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
0
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
adm
inis
trato
r is
resp
onsi
ble
for r
evie
win
g th
e A
MM
IS
audi
t log
s.
CG
-IT-
10-1
9 O
ur te
stin
g de
term
ined
that
evi
denc
e of
a r
evie
w a
nd
rece
rtific
atio
n of
th
e 11
,306
us
ers
with
“U
pdat
e”
priv
ilege
in A
LMIS
was
not
mai
ntai
ned
by th
e A
LC.
Ther
efor
e, w
e co
uld
not
dete
rmin
e th
at A
LMIS
use
r ac
coun
ts h
ad b
een
prop
erly
rev
iew
ed a
nd r
ecer
tifie
d du
ring
the
year
.
We
reco
mm
end
that
Coa
st G
uard
: �
Dev
elop
a
RP
with
as
soci
ated
su
ppor
ting
busi
ness
cas
e(s)
to a
ddre
ss th
e 10
0% a
ccou
nt
revi
ew re
quire
men
t; �
Con
tinue
to c
oord
inat
e w
ith th
e D
HS
CIS
O’s
of
fice
to
dete
rmin
e an
d fo
rmal
ize
the
freq
uenc
y an
d de
pth
/ br
eadt
h of
eff
ectiv
e re
view
s th
at a
ddre
ss th
e pe
rcei
ved
risk.
Bas
ed
upon
the
resu
lts o
f th
ese
disc
ussi
ons
with
the
DH
S C
ISO
’s o
ffic
e, t
he C
oast
Gua
rd w
ill
mod
ify p
roce
dure
s an
d de
velo
p, if
app
licab
le,
requ
ired
wai
vers
/exc
eptio
ns
to
refle
ct
an
adeq
uate
per
cent
age
of A
LMIS
use
r ac
coun
ts
to b
e re
view
ed; a
nd
�C
ontin
ue to
use
its
exis
ting
risk-
base
d ac
coun
t re
view
ef
forts
un
til
such
tim
e th
at
the
proc
edur
es a
re u
pdat
ed i
n re
spon
se t
o th
e ac
tiviti
es
asso
ciat
ed
with
th
e se
cond
re
com
men
datio
n.
X
2
CG
-IT-
10-2
0 O
ur t
estin
g de
term
ined
tha
t th
e A
MM
IS S
oftw
are
Cha
nge
Req
uest
Fo
rms
wer
e no
t ap
prop
riate
ly
auth
oriz
ed.
Spec
ifica
lly,
for
the
four
(4)
AM
MIS
so
ftwar
e ch
ange
s m
ade
durin
g th
e fis
cal y
ear,
two
(2)
of th
e so
ftwar
e ch
ange
req
uest
for
ms
wer
e no
t sig
ned
by th
e D
ivis
ion
Chi
ef.
We
reco
mm
end
that
Coa
st G
uard
est
ablis
h an
d fo
llow
a m
anag
emen
t re
view
pro
cess
to
ensu
re
that
any
new
AM
MIS
SC
Rs
proc
esse
d w
ill b
e re
view
ed b
y th
e PC
team
for t
he p
rope
r / re
quire
d si
gnat
ures
.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
-IT-
10-2
1 D
urin
g ou
r FY
201
0 au
dit t
est w
ork
over
the
NES
SS
rece
rtific
atio
n pr
oces
s, w
e no
ted
that
32
user
s w
ere
assi
gned
the
rol
e FL
S_U
SR_A
DM
_GR
P w
ithin
the
N
ESSS
app
licat
ion.
Thi
s rol
e gr
ants
the
abili
ty to
add
, m
odify
, and
del
ete
user
acc
ount
s. In
add
ition
, tw
o (2
) of
th
ese
user
s w
ere
syst
em
adm
inis
trato
rs.
Th
is
num
ber o
f use
rs w
ith th
is e
leva
ted
role
was
con
side
red
exce
ssiv
e ba
sed
upon
the
rat
io o
f th
is r
ole
to t
he
NES
SS u
ser p
opul
atio
n.
On
Oct
ober
7, 2
010,
OSC
man
agem
ent r
emed
iate
d th
e co
nditi
on b
y re
duci
ng t
he n
umbe
r of
use
rs w
ith t
he
FLS_
USR
_AD
M_G
RP
role
dow
n to
six.
Coa
st G
uard
took
app
ropr
iate
cor
rect
ive
actio
n to
re
med
iate
the
exce
ptio
n th
at w
as id
entif
ied
and
no
addi
tiona
l cor
rect
ive
actio
ns a
re re
quire
d.
X
2
CG
-IT-
10-2
2 W
e de
term
ined
th
at
Ope
ratio
ns
Syst
em
Cen
ter
(OSC
) ha
d up
date
d th
e po
licie
s an
d pr
oced
ures
for
Sy
stem
A
dmin
istra
tors
(S
As)
an
d D
atab
ase
Adm
inis
trato
rs (
DB
As)
to
incl
ude
mor
e de
tail
and
inst
ruct
ions
on
en
terin
g su
ffic
ient
ev
iden
ce
rega
rdin
g th
e w
eekl
y no
n-in
depe
nden
t au
dit
log
revi
ews
docu
men
ted
and
track
ed i
n th
e C
lear
Que
st
Tick
etin
g sy
stem
. W
e al
so n
oted
tha
t th
e m
onth
ly
SAM
aud
it lo
g re
view
s w
ere
bein
g co
nduc
ted
by a
n in
depe
nden
t tea
m.
Alth
ough
OSC
has
take
n st
eps t
o re
med
iate
the
prio
r ye
ar
cond
ition
s by
up
datin
g th
e po
licie
s an
d co
mpl
etin
g th
e m
onth
ly i
ndep
ende
nt r
evie
ws,
we
dete
rmin
ed t
hat
the
3 sa
mpl
ed m
onth
s of
SA
and
D
BA
aud
it lo
g re
view
s di
d no
t hav
e su
ffic
ient
det
ail
on
the
Cle
arQ
uest
tic
kets
. Sp
ecifi
cally
, w
e id
entif
ied
the
follo
win
g:
We
reco
mm
end
that
Coa
st G
uard
: �
Upd
ate
the
SAM
and
NES
SS a
udit
log
revi
ew
proc
edur
es
with
in
the
Stan
dard
O
pera
ting
Proc
edur
es
to
incl
ude
mor
e de
tail
in
the
Cle
arQ
uest
Tic
kets
inc
ludi
ng r
ecor
ding
the
re
sults
of t
he re
view
of t
he a
udit
logs
; �
Impl
emen
t sim
ilar
sepa
ratio
n of
dut
ies
for
the
NES
SS
audi
t lo
g re
view
s as
ha
ve
been
im
plem
ente
d fo
r th
e SA
M a
udit
log
revi
ews;
an
d;
�C
ontin
ue w
ith o
ngoi
ng e
ffor
ts f
or id
entif
ying
, de
sign
ing,
and
im
plem
entin
g au
tom
ated
too
ls
to
assi
st
in
audi
t lo
g co
llect
ion,
st
orag
e,
anal
ysis
, an
d re
porti
ng
whi
ch
will
fu
rther
im
prov
e co
nsis
tenc
y, ti
mel
ines
s, an
d ac
cura
cy
of th
e re
view
s w
hen
com
pare
d w
ith la
bor a
nd
time
inte
nsiv
e m
anua
l pro
cess
es.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
�1
of th
e 3
SA m
onth
ly re
view
s did
not
hav
e a
sear
chab
le ti
tle
�2
of t
he 3
SA
mon
thly
rev
iew
s di
d no
t in
clud
e re
sults
of t
he a
udit
log
revi
ew (i
.e.,
audi
t log
s had
no
exce
ptio
ns.)
�3
of t
he 3
DB
A m
onth
ly r
evie
ws
did
not
list
the
logs
tha
t w
ere
incl
uded
in
th
e re
view
�
3 of
the
3 D
BA
mon
thly
rev
iew
s di
d no
t ha
ve re
sults
of t
he a
udit
log
revi
ews
As
a re
sult
of li
mita
tions
of t
he u
nder
lyin
g op
erat
ing
syst
em o
f the
Sho
re A
sset
Man
agem
ent S
yste
m A
M
syst
em:
�Th
e se
rver
s do
not a
utom
atic
ally
ale
rt in
th
e ev
ent o
f an
inci
dent
. �
The
serv
er o
pera
ting
syst
ems d
o no
t in
here
ntly
pro
vide
aud
it re
duct
ion
and
repo
rt ge
nera
tion
capa
bilit
y.
Furth
erm
ore,
th
e O
SC
has
not
impl
emen
ted
a ce
ntra
lized
log
solu
tion
for
audi
t lo
g re
duct
ion
and
repo
rting
, and
aut
omat
ed a
lert
notif
icat
ions
.
NES
SS A
udit
Logs
: D
urin
g ou
r FY
201
0 te
st w
ork
for
the
NES
SS, w
e no
ted
that
dai
ly a
nd w
eekl
y au
dit
log
revi
ews
are
perf
orm
ed b
y th
e N
ESSS
Sys
tem
Adm
inis
trato
r. Th
e w
eekl
y au
dit l
og re
view
s ar
e do
cum
ente
d in
the
Cle
arQ
uest
sys
tem
with
a r
unni
ng t
icke
t fo
r th
e ca
lend
ar y
ear.
Eac
h w
eek’
s re
view
is a
dded
to th
e
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
Cle
arQ
uest
tic
ket.
How
ever
, w
e de
term
ined
tha
t th
ere
is n
ot s
uffic
ient
det
ail i
n th
e C
lear
Que
st ti
cket
in
rec
ordi
ng t
he r
esul
ts o
f th
e re
view
of
the
audi
t lo
gs.
Furth
erm
ore,
as
sim
ilar
to S
AM
aud
it lo
g re
view
pr
oces
s lis
ted
abov
e,
OSC
ha
s no
t im
plem
ente
d a
cent
raliz
ed lo
g so
lutio
n fo
r aud
it lo
g re
duct
ion
and
repo
rting
, an
d au
tom
ated
al
ert
notif
icat
ions
. In
add
ition
, th
e w
eekl
y re
view
s ar
e pe
rfor
med
by
the
NES
SS S
yste
m A
dmin
istra
tor,
who
is
not
cons
ider
ed a
n in
depe
nden
t pa
rty a
s re
quire
d by
DH
S M
D 4
300A
. C
G-I
T-10
-23
Dur
ing
the
FY 2
010
audi
t te
st w
ork,
the
OSC
dat
a ce
nter
ac
cess
lis
ting
was
ob
tain
ed
in
orde
r to
de
term
ine
whe
ther
a r
evie
w o
f th
e ac
cess
list
ing
was
co
nduc
ted
and
evid
ence
of t
he re
view
was
mai
ntai
ned.
O
SC i
nfor
med
us
that
the
y pe
rfor
m a
rev
iew
of
the
data
cen
ter a
cces
s on
a q
uarte
rly b
asis
. H
owev
er, o
ur
test
ing
dete
rmin
ed
that
th
e ev
iden
ce
of
revi
ews
conc
erni
ng O
SC d
ata
cent
er a
cces
s fo
r th
e FY
201
0 pe
riod
was
not
mai
ntai
ned.
Th
eref
ore,
we
coul
d no
t de
term
ine
whe
ther
the
OSC
dat
a ce
nter
acc
ess
listin
g ha
d be
en p
rope
rly re
view
ed d
urin
g th
e ye
ar.
We
reco
mm
end
that
Coa
st G
uard
dev
elop
det
aile
d pr
oced
ures
for:
�Q
uarte
rly
data
ce
nter
ac
cess
re
view
s to
in
clud
e va
lidat
ing
that
use
rs h
ave
a ph
ysic
al
need
to a
cces
s the
dat
a flo
or; a
nd
�M
etho
ds
for
mai
ntai
ning
th
e re
view
do
cum
enta
tion.
X
1
CG
-IT-
10-2
4 D
urin
g pr
ior
finan
cial
sta
tem
ent a
udits
dat
ing
back
to
FY
2003
, w
e no
ted
that
th
e im
plem
enta
tion
and
over
sigh
t of
the
Coa
st G
uard
’s i
nfor
mat
ion
secu
rity
cont
rols
nee
ded
vario
us im
prov
emen
ts.
In F
Y 2
010,
co
ntin
ued
impr
ovem
ents
hav
e be
en m
ade
in th
e ar
eas
of
acce
ss
cont
rols
, en
tity-
leve
l co
ntro
ls,
and
conf
igur
atio
n m
anag
emen
t. I
mpr
ovem
ents
in
the
IT
cont
rol
envi
ronm
ent
wer
e id
entif
ied
at e
ach
of t
he
Coa
st G
uard
fin
anci
al p
roce
ssin
g lo
catio
ns w
here
IT
We
reco
mm
end
Coa
st G
uard
to:
�C
ontin
ue t
o im
plem
ent
and
impr
ove
upon
th
e m
onito
ring
of c
ompl
ianc
e w
ith D
HS,
C
oast
Gua
rd,
and
Fede
ral
secu
rity
polic
ies
and
proc
edur
es
in
the
area
s of
sc
ript
conf
igur
atio
n m
anag
emen
t co
ntro
ls
to
incl
ude
the
use
of
the
auto
mat
ed
tool
s de
ploy
ed a
t the
FIN
CEN
; and
�
Dev
elop
and
im
plem
ent
corr
ectiv
e ac
tion
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
audi
t was
pre
viou
sly
cond
ucte
d.
How
ever
, sig
nific
ant i
mpr
ovem
ents
are
stil
l war
rant
ed
in
the
area
of
sc
ript
conf
igur
atio
n m
anag
emen
t co
ntro
ls f
or t
he k
ey f
inan
cial
sys
tem
s lo
cate
d at
the
FI
NC
EN.
Scrip
t con
figur
atio
n m
anag
emen
t con
trol i
s th
e su
bjec
t of
th
e si
gnifi
cant
co
ntro
l de
ficie
ncie
s id
entif
ied
and
reco
mm
enda
tions
tha
t w
ere
deve
lope
d du
ring
the
audi
t. O
ther
wea
knes
ses
cont
inue
d to
exi
st,
to a
less
er e
xten
t, in
the
area
s of
acc
ess
cont
rols
and
en
tity-
wid
e se
curit
y at
ea
ch
of
the
Coa
st
Gua
rd
finan
cial
pr
oces
sing
lo
catio
ns.
Th
ese
cont
inue
d w
eakn
esse
s re
quire
Coa
st G
uard
to c
ontin
ue w
ith th
e im
plem
enta
tion
of t
heir
corr
ectiv
e ac
tions
pla
ns a
nd
mon
itorin
g ef
forts
.
As
a re
sult
of o
ur a
udit
test
wor
k an
d su
ppor
ted
by a
ll th
e IT
NFR
s is
sued
dur
ing
the
curr
ent
year
, w
e de
term
ined
that
Coa
st G
uard
is n
on-c
ompl
iant
with
the
Fede
ral
Fina
ncia
l M
anag
emen
t Im
prov
emen
t A
ct
(FFM
IA).
plan
s to
add
ress
and
rem
edia
te t
he N
FRs
issu
ed d
urin
g th
e FY
201
0 au
dit.
CG
-IT-
10-2
5 D
urin
g ou
r FY
201
0 ye
ar-e
nd I
T ro
ll-fo
rwar
d au
dit
test
ing
proc
edur
es, w
e de
term
ined
that
one
(1) o
f the
fiv
e (5
) Fi
nanc
ial
Proc
urem
ent
Des
ktop
(F
PD),
Prod
uctio
n Im
plem
enta
tion
Req
uest
(P
IR)
form
s te
sted
w
as
not
sign
ed
off
on
by
the
anal
yst/s
ubm
itter
/impl
emen
ter
as r
equi
red
per
the
FIN
CEN
PIR
form
.
The
proc
ess
for
obta
inin
g w
ritte
n si
gn-o
ff o
n PI
R
form
s ha
s re
cent
ly
been
re
plac
ed
with
an
au
tom
ated
wor
kflo
w p
roce
ss t
hat
elim
inat
es t
he
need
for w
ritte
n ap
prov
als;
ther
efor
e no
add
ition
al
corr
ectiv
e ac
tions
are
requ
ired.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CG
-IT-
10-2
6 D
urin
g th
e FY
201
0 au
dit
test
wor
k, w
e de
term
ined
th
at A
LC p
olic
ies
and
proc
edur
es f
or t
he f
ollo
win
g co
ntro
l ar
eas
are
not
adeq
uate
ly d
etai
led
to p
rovi
de
clea
r and
com
plet
e co
ntro
l des
crip
tions
for e
ach
of th
e fo
llow
ing
proc
esse
s:
�Ph
ysic
al
Acc
ess
to
the
data
ce
nter
an
d sy
stem
s in
the
data
cen
ter;
�A
cces
s to
Prog
ram
Lib
rarie
s;
�Se
greg
atio
n of
D
utie
s in
su
ppor
t of
th
e A
MM
IS a
pplic
atio
n;
�A
MM
IS A
udit
Log
Rev
iew
and
Ret
entio
n;
�B
acku
ps a
nd D
ata
Res
tora
tion;
and
, �
Off
site
Sto
rage
of B
acku
p m
edia
.
We
reco
mm
end
that
C
oast
G
uard
de
velo
p,
docu
men
t, co
mm
unic
ate,
tra
in,
test
, an
d co
ntin
uous
ly m
aint
ain
polic
ies
and
proc
edur
es f
or
the
cite
d co
ntro
l and
pro
cess
are
as.
X
2
CG
-IT-
10-2
7 Th
e N
ESSS
’ O
racl
e ve
rify
_fun
ctio
n in
th
e SY
S sc
hem
a is
inco
rrec
tly c
onfig
ured
and
doe
s no
t inc
lude
ve
rific
atio
n of
spec
ial c
hara
cter
s for
pas
swor
ds.
We
reco
mm
end
that
C
oast
G
uard
re
view
an
d up
date
the
Ora
cle
veri
fy f
unct
ion
in t
he S
YS
sche
ma
to
incl
ude
the
verif
icat
ion
of
spec
ial
char
acte
rs fo
r pas
swor
ds.
X
1
CG
-IT-
10-2
8 D
urin
g ou
r FY
201
0 au
dit t
est w
ork,
we
follo
wed
up
with
Coa
st G
uard
man
agem
ent a
nd w
ere
notif
ied
that
th
is D
irect
Acc
ess
audi
t lo
ggin
g w
eakn
ess,
note
d in
FY
200
9, c
anno
t be
res
olve
d un
til D
irect
Acc
ess
is
upda
ted
to P
eopl
eSof
t ver
sion
9.
Ther
e is
no
curr
ent
timel
ine
for t
he u
pgra
de to
take
pla
ce.
The
follo
win
g co
nditi
ons
wer
e no
ted
last
yea
r an
d ar
e st
ill o
pen
in
FY 2
010.
Not
all
Dire
ct A
cces
s fa
iled
logo
n at
tem
pts
are
logg
ed
or r
evie
wed
; an
d ac
coun
t m
anag
emen
t au
dit
logs
for
th
e D
irect
Acc
ess
appl
icat
ion
are
not
revi
ewed
on
a
We
reco
mm
end
Coa
st G
uard
con
tinue
with
the
Pe
ople
Soft
9.0
upgr
ade
and
Peop
leSo
ft Po
rtal
impl
emen
tatio
n.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
6
A
ppen
dix
B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
mon
thly
bas
is, w
hich
is a
requ
irem
ent s
et fo
rth w
ithin
D
HS
Polic
y. Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
7
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
� Customs and Border Protection (CBP)
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 48
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Cus
tom
s and
Bor
der
Prot
ectio
nN
FR
#No
Con
ditio
n R
ecom
men
datio
n N
ew
Issu
e R
epea
t Is
sue
Ris
k R
atin
g C
BP-
IT-1
0-01
This
is a
sys
tem
-leve
l fin
ding
. K
PMG
not
ed th
at C
BP
porta
l ac
coun
ts f
or s
epar
ated
em
ploy
ees
are
rem
oved
on
a b
i-wee
kly
basi
s an
d ar
e no
t rem
oved
on
the
day
of
the
indi
vidu
al’s
sep
arat
ion
as r
equi
red
by C
BP
and
DH
S po
licy.
KPM
G d
id n
ote
that
CB
P is
aw
are
of th
e is
sue
and
is l
ooki
ng i
nto
an a
utom
ated
sol
utio
n fo
r co
mpl
ianc
e w
ith C
BP
and
DH
S po
licy.
Upo
n fu
rther
te
stin
g of
ter
min
ated
em
ploy
ees,
KPM
G d
id n
ot f
ind
any
user
s th
at h
ad a
cces
sed
the
syst
em a
fter
thei
r se
para
tion
date
from
CB
P.
CB
P sh
ould
impl
emen
t pro
cedu
res
to re
info
rce
adhe
renc
e to
gu
idan
ce r
equi
ring
timel
y no
tific
atio
n of
sep
arat
ions
by
empl
oyee
s or
co
ntra
ctor
s w
ith
acce
ss
to
AC
E.
Thos
e re
spon
sibl
e fo
r A
CE
acce
ss c
ontro
l nee
d to
be
notif
ied
of a
se
para
tion
no la
ter t
han
the
day
of se
para
tion.
X
2
CB
P-IT
-10-
02
This
is a
sys
tem
leve
l fin
ding
. K
PMG
not
ed th
at A
CE
is n
ot c
urre
ntly
con
figur
ed t
o pr
even
t in
com
patib
le
role
s fro
m b
eing
ass
igne
d to
a u
ser,
as re
quire
d by
CB
P an
d D
HS
polic
ies.
Whi
le, i
nitia
l ste
ps h
ave
been
take
n to
add
ress
for
mal
seg
rega
tion
of d
utie
s w
ithin
the
sy
stem
, no
addi
tiona
l act
ions
hav
e ta
ken
plac
e.
CB
P O
ffic
e of
Info
rmat
ion
and
Tech
nolo
gy w
ill c
ontin
ue to
w
ork
with
the
Off
ice
of I
nter
natio
nal
Trad
e, O
ffic
e of
A
dmin
istra
tion
and
Off
ice
of F
ield
Ope
ratio
ns t
o id
entif
y in
com
patib
le r
oles
and
dev
elop
pro
cedu
res
as p
art
of t
he
acce
ss c
ontro
l pro
cess
to e
nsur
e th
at th
ese
role
com
bina
tions
ar
e no
t gr
ante
d to
AC
E us
ers,
exce
pt w
hen
a w
aive
r is
gr
ante
d in
writ
ing.
X
2
CB
P-IT
-10-
03
This
is
a
syst
em-le
vel
findi
ng.
KPM
G
note
d th
at
evid
ence
of
co
mpl
eted
A
CE
syst
em
log
(Sys
log)
re
view
s di
d no
t inc
lude
an
appr
opria
te le
vel o
f de
tail.
Sp
ecifi
cally
, dur
ing
the
maj
ority
of F
Y 2
010,
ther
e w
as
no f
orm
al m
etho
d of
doc
umen
ting
who
per
form
ed th
e au
dit
log
revi
ews,
whe
n th
ey w
ere
revi
ewed
, w
hat
issu
es (i
f any
) wer
e id
entif
ied,
and
the
actio
ns ta
ken
(if
appl
icab
le).
KPM
G n
oted
tha
t pr
oced
ures
reg
ardi
ng
the
revi
ew o
f A
CE
audi
t lo
gs h
ave
been
est
ablis
hed
prio
r to
FY
201
0, a
nd t
hat
man
agem
ent
is c
urre
ntly
im
plem
entin
g a
form
al m
etho
d of
doc
umen
ting
the
requ
isite
syst
em lo
g re
view
info
rmat
ion.
We
reco
mm
end
that
CB
P m
aint
ain
evid
ence
tha
t re
gula
r re
view
s of
aud
it lo
gs a
re o
ccur
ring.
S
peci
fical
ly,
we
reco
mm
end
that
CB
P co
ntin
ue w
ith p
lans
initi
ated
in J
uly
of
2010
to
in
stitu
tiona
lize
a m
ore
form
al
met
hod
of
docu
men
ting
who
per
form
ed r
evie
ws
of a
udit
logs
, w
hen
thes
e re
view
s oc
curr
ed,
and
wha
t is
sues
(if
any)
wer
e id
entif
ied.
We
also
re
com
men
d th
at
CB
P pe
rfor
m
a co
st/b
enef
it an
alys
is t
o de
term
ine
whe
ther
an
AC
E cu
stom
-dev
elop
ed
solu
tion
or
a pu
rcha
sed
CO
TS
prod
uct
shou
ld
be
impl
emen
ted
for f
ull a
utom
atio
n of
aud
it lo
g re
view
s.
X
2
CB
P-So
cial
eng
inee
ring
is d
efin
ed a
s the
act
of a
ttem
ptin
g to
W
e re
com
men
d th
at C
BP
impl
emen
t m
ultip
le t
ypes
of
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 4
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
IT-1
0-05
m
anip
ulat
e or
dec
eive
peo
ple
into
taki
ng a
ctio
n th
at is
in
cons
iste
nt w
ith p
olic
ies,
such
as
divu
lgin
g se
nsiti
ve
info
rmat
ion
or a
llow
ing
/ en
ablin
g co
mpu
ter
syst
em
acce
ss.
The
term
typ
ical
ly a
pplie
s to
tric
kery
or
dece
ptio
n fo
r th
e pu
rpos
e of
info
rmat
ion
gath
erin
g, o
r co
mpu
ter s
yste
m a
cces
s.
The
obje
ctiv
e of
our
soc
ial
engi
neer
ing
test
wor
k pr
imar
ily
focu
sed
on
atte
mpt
ing
to
iden
tify
user
pa
ssw
ords
. Po
sing
as
D
HS
tech
nica
l su
ppor
t em
ploy
ees,
atte
mpt
s w
ere
mad
e to
obt
ain
this
typ
e of
ac
coun
t in
form
atio
n by
con
tact
ing
rand
omly
sel
ecte
d em
ploy
ees
by te
leph
one.
A
scr
ipt w
as u
sed
to a
sk f
or
assi
stan
ce fr
om th
e us
er in
reso
lvin
g a
netw
ork
issu
e in
th
e co
mpo
nent
. Fo
r ea
ch p
erso
n w
e at
tem
pted
to c
all,
we
note
d in
the
tab
le b
elow
whe
ther
the
ind
ivid
ual
answ
ered
and
whe
ther
we
obta
ined
any
inf
orm
atio
n fr
om t
hem
tha
t sh
ould
not
hav
e be
en s
hare
d w
ith u
s ac
cord
ing
to D
HS
polic
y. O
ur s
elec
tion
of in
divi
dual
s w
as n
ot s
tatis
tical
ly d
eriv
ed,
and
ther
efor
e w
e ar
e un
able
to
pr
ojec
t re
sults
to
th
e co
mpo
nent
or
de
partm
ent a
s a w
hole
.
Of
25 in
divi
dual
s ca
lled,
16
answ
ered
. O
f th
e 16
that
an
swer
ed, 2
div
ulge
d th
eir n
etw
ork
pass
wor
d.
secu
rity
awar
enes
s re
min
ders
and
opp
ortu
nitie
s to
edu
cate
us
ers
of t
he i
mpo
rtanc
e of
pro
tect
ing
CB
P in
form
atio
n sy
stem
s an
d da
ta.
Spec
ifica
lly,
we
reco
mm
end
that
soc
ial
engi
neer
ing
eval
uatio
ns b
e in
corp
orat
ed i
nto
rout
ine
site
in
spec
tions
to
test
em
ploy
ee’s
sec
urity
aw
aren
ess
and
to
educ
ate
user
s on
how
to
resp
ond
to i
nfor
mat
ion
secu
rity
atta
cks.
CB
P-IT
-10-
06
This
is
a sy
stem
-leve
l fin
ding
. K
PMG
req
uest
ed
acce
ss a
utho
rizat
ion
docu
men
tatio
n fo
r 25
ind
ivid
uals
w
ho w
ere
gran
ted
AC
E ac
cess
dur
ing
FY 2
010.
Ini
tial
acce
ss re
ques
ts a
nd a
ppro
vals
for 9
of t
hese
indi
vidu
als
wer
e no
t pro
vide
d. A
lthou
gh a
pro
cess
for c
reat
ing
and
mai
ntai
ning
use
r acc
ess
form
s an
d re
ques
ts h
as b
een
in
plac
e si
nce
befo
re t
he b
egin
ning
of
FY 2
010,
acc
ess
appr
oval
s pr
ior
to th
e cr
eatio
n of
AC
E ac
coun
ts w
ere
not
cons
iste
ntly
mai
ntai
ned
in a
ccor
danc
e w
ith C
BP
polic
y an
d pr
oced
ures
.
We
reco
mm
end
that
th
e O
ffic
e of
In
form
atio
n an
d Te
chno
logy
(O
IT) i
ssue
a m
emor
andu
m a
nd d
istri
bute
the
pr
oced
ures
to th
e re
spec
tive
CB
P O
ffic
es to
impl
emen
t. W
e al
so r
ecom
men
d th
at m
onito
ring
proc
edur
es b
e es
tabl
ishe
d to
ens
ure
com
plia
nce
with
the
pro
cedu
res
and
that
OIT
co
ordi
nate
a
mee
ting
with
th
e ot
her
CB
P O
ffic
es
to
dete
rmin
e if
cent
raliz
ed
acce
ss
cont
rol
mea
sure
s ar
e ne
cess
ary.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
0
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
CB
P-IT
-10-
07
We
perf
orm
ed a
fter-
hour
s ph
ysic
al s
ecur
ity t
estin
g to
id
entif
y ris
ks r
elat
ed t
o no
n-te
chni
cal
aspe
cts
of I
T se
curit
y.
Thes
e no
n-te
chni
cal
IT
secu
rity
aspe
cts
incl
ude
phys
ical
ac
cess
to
eq
uipm
ent
that
ho
uses
fin
anci
al
data
an
d in
form
atio
n re
sidi
ng
on
CB
P pe
rson
nel
desk
s, w
hich
cou
ld b
e us
ed b
y ot
hers
to
inap
prop
riate
ly
acce
ss
finan
cial
in
form
atio
n.
Th
e te
stin
g w
as p
erfo
rmed
at
vario
us C
BP
loca
tions
tha
t pr
oces
s an
d/or
m
aint
ain
finan
cial
da
ta.
A
CB
P em
ploy
ee w
as d
esig
nate
d to
ass
ist
with
and
mon
itor
our
test
wor
k.
Afte
r ga
inin
g ac
cess
to C
BP
faci
litie
s, w
e in
spec
ted
a se
lect
ion
of
desk
s an
d/or
of
fices
, lo
okin
g fo
r ite
ms
such
as
im
prop
er
prot
ectio
n of
sy
stem
pa
ssw
ords
, un
secu
red
info
rmat
ion
syst
em
hard
war
e, d
ocum
enta
tion
mar
ked
FOU
O, a
nd u
nloc
ked
netw
ork
sess
ions
. O
ur s
elec
tion
of d
esks
and
off
ices
w
as n
ot s
tatis
tical
ly d
eriv
ed,
and
ther
efor
e w
e ar
e un
able
to
pr
ojec
t re
sults
to
th
e co
mpo
nent
or
de
partm
ent a
s a
who
le.
For
each
loca
tion
visi
ted,
we
note
the
type
of
unse
cure
d in
form
atio
n or
pro
perty
we
iden
tifie
d an
d in
clud
ed t
he t
otal
exc
eptio
ns n
oted
by
loca
tion,
as
wel
l as
by ty
pe o
f in
form
atio
n or
pro
perty
id
entif
ied.
A to
tal o
f 10
2 in
stan
ces
wer
e id
entif
ied
acro
ss th
e si
x lo
catio
ns w
here
phy
sica
l ass
ets o
r sen
sitiv
e in
form
atio
n w
as n
ot s
ecur
ed in
acc
orda
nce
with
DH
S an
d/or
CB
P po
licie
s.
CB
P sh
ould
con
tinue
its a
nnua
l sec
urity
aw
aren
ess t
rain
ing.
In
add
ition
, it s
houl
d se
ek to
add
oth
er m
eans
of i
ncre
asin
g se
curit
y aw
aren
ess.
X
2
CB
P-IT
-10-
08
This
is a
com
pone
nt-le
vel f
indi
ng.
KPM
G n
oted
that
se
para
tion
proc
edur
es fo
r con
tract
em
ploy
ees
(Cus
tom
s D
irect
ive
5171
5-00
6) a
re o
ut o
f da
te a
nd i
nclu
de
inco
mpl
ete
and
inac
cura
te re
fere
nces
. S
peci
fical
ly, t
he
proc
edur
es h
ave
not
been
upd
ated
sin
ce S
epte
mbe
r 20
01.
The
proc
edur
es re
fere
nce
Trea
sury
faci
litie
s an
d
We
reco
mm
end
that
C
BP
revi
ew
the
curr
ent
Cus
tom
s D
irect
ive
and
upda
te i
t to
ref
lect
the
cur
rent
ope
ratin
g en
viro
nmen
t. A
dditi
onal
ly, w
e re
com
men
d th
at C
BP
requ
ire
the
cons
iste
nt a
nd a
ccur
ate
com
plet
ion
of th
e SF
242
for a
ll se
para
ting
cont
ract
ors
with
ac
cess
to
C
BP
faci
litie
s, in
form
atio
n sy
stem
s and
/or s
ensi
tive
info
rmat
ion.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Trea
sury
pol
icie
s as
sou
rce
docu
men
tatio
n.
KPM
G
note
s th
at a
new
dire
ctiv
e, C
BP
Dire
ctiv
e 12
10-0
07,
entit
led
‘Con
tract
or
Trac
king
Sy
stem
,’ w
as
issu
ed
requ
iring
the
use
of
the
Con
tract
or T
rack
ing
Syst
em;
how
ever
, th
e ne
w d
irect
ive
still
ref
ers
to o
ut o
f da
te
Cus
tom
s D
irect
ive
5171
5-00
6 fo
r se
para
tion
proc
edur
es fo
r con
tract
or e
mpl
oyee
s.
Add
ition
ally
, K
PMG
not
ed t
hat
SF 2
42 c
ontra
ctor
se
para
tion
form
s ar
e no
t co
mpl
eted
con
sist
ently
for
se
para
ting
CB
P co
ntra
ctor
s. S
peci
fical
ly, K
PMG
not
ed
that
of
45 s
epar
ated
con
tract
ors
with
acc
ess
to C
BP
faci
litie
s, in
form
atio
n sy
stem
s, an
d/or
se
nsiti
ve
info
rmat
ion
who
wer
e se
lect
ed f
or t
estin
g, 9
for
ms
wer
e no
t co
mpl
eted
, w
ere
not
prov
ided
, or
wer
e no
t co
mpl
eted
in a
tim
ely
man
ner.
CB
P-IT
-10-
09
This
is a
com
pone
nt le
vel f
indi
ng.
KPM
G s
elec
ted
45
gove
rnm
ent e
mpl
oyee
s th
at h
ad s
epar
ated
in F
Y 2
010
and
note
d th
at 1
9 of
the
se i
ndiv
idua
ls d
id n
ot h
ave
a co
mpl
eted
CB
P Fo
rm 2
41 o
n fil
e.
We
reco
mm
end
that
CB
P re
view
the
val
idity
of
the
CB
P Fo
rm 2
41 E
mpl
oyee
Sep
arat
ion
proc
ess
and
dete
rmin
e an
al
tern
ate
mec
hani
sm
to
hold
m
anag
ers
acco
unta
ble
for
timel
y no
tific
atio
n of
em
ploy
ee
sepa
ratio
ns
and
for
conf
irmin
g th
e te
rmin
atio
n of
acc
ess
to in
form
atio
n sy
stem
s, an
d th
e re
turn
of p
rope
rty a
nd e
quip
men
t.
X
2
CB
P-IT
-10-
10
This
is a
com
pone
nt le
vel f
indi
ng.
Whi
le K
PMG
not
es
that
pr
ogre
ss
has
been
m
ade
in
impl
emen
ting
proc
edur
es r
equi
ring
the
sign
ing
of N
DA
s, K
PMG
no
ted
that
ND
As a
re st
ill n
ot c
onsi
sten
tly c
ompl
eted
by
cont
ract
ors a
t CB
P. S
peci
fical
ly, K
PMG
not
ed th
at o
ut
of a
sel
ectio
n of
45
cont
ract
ors,
one
ND
A w
as s
igne
d m
ore
than
four
mon
ths
afte
r the
hire
dat
e. I
n ad
ditio
n,
one
ND
A w
as n
ot p
rovi
ded
for
a co
ntra
ctor
in
a m
ediu
m o
r hi
gh r
isk
posi
tion.
Fu
rther
, KPM
G n
oted
th
at t
he N
DA
s fo
r 27
con
tract
ors
in m
ediu
m o
r hi
gh
risk
posi
tions
did
not
hav
e a
date
of s
igna
ture
.
We
reco
mm
end
that
CB
P im
plem
ent
a m
ore
cons
iste
nt
met
hod
of
ensu
ring
that
ea
ch
cont
ract
or
empl
oyee
in
m
oder
ate
and
high
-ris
k po
sitio
ns si
gn a
nd d
ate
a N
DA
.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
BP-
IT-1
0-11
Con
ditio
n
This
is
a co
mpo
nent
-leve
l fin
ding
. K
PMG
has
not
ed
that
CB
P ha
s no
t be
en a
ble
to p
rovi
de e
vide
nce
that
w
orks
tatio
ns n
ot o
n ar
e re
ceiv
ing
anti-
viru
s an
d ot
her
secu
rity
patc
h up
date
s on
a ti
mel
y ba
sis.
KPM
G n
oted
that
whi
le p
rogr
ess
has
been
mad
e in
acc
ount
ing
for a
ll C
BP
wor
ksta
tions
, a c
ompl
ete
and
up-to
-dat
e lis
ting
of a
ll C
BP
wor
ksta
tions
has
not
bee
n m
aint
aine
d fo
r th
e m
ajor
ity o
f FY
201
0.
As
a re
sult,
C
BP
does
not
hav
e an
acc
urat
e in
vent
ory
of w
hich
w
orks
tatio
ns h
ave
not
rece
ived
ant
i-viru
s an
d ot
her
secu
rity
patc
h up
date
s.
Rec
omm
enda
tion
We
reco
mm
end
that
CB
P co
ntin
ue i
nsta
lling
a
nd
deve
lop,
impl
emen
t, an
d m
onito
r pol
icie
s an
d pr
oced
ures
to
mov
e al
l w
orks
tatio
ns t
o o
r to
obt
ain
wai
vers
and
com
pens
atin
g co
ntro
ls f
or t
hose
wor
ksta
tions
th
at c
anno
t be
mov
ed to
.
New
Is
sue
Rep
eat
Issu
e X
Ris
k R
atin
g 2
CB
P-IT
-10-
12
CB
P’s
RB
ST
Prog
ram
do
es
not
mee
t th
e D
HS
requ
irem
ents
for
“an
nual
spe
cial
ized
tra
inin
g” t
hat
is
“com
men
sura
te
with
th
e in
divi
dual
’s
dutie
s an
d re
spon
sibi
litie
s.” S
peci
fical
ly, t
he C
BP
RB
ST p
rogr
am
requ
ires
IT p
erso
nnel
to
com
plet
e on
ly o
ne h
our
of
Inci
dent
Res
pons
e tra
inin
g, a
nd o
ne h
our o
f C
lass
ified
In
form
atio
n tra
inin
g (if
app
licab
le t
o th
e in
divi
dual
’s
resp
onsi
bilit
ies)
ann
ually
.
Furth
erm
ore,
out
of
the
sam
pled
45
CB
P pe
rson
nel
with
si
gnifi
cant
IT
se
curit
y re
spon
sibi
litie
s, 5
com
plet
ed t
he t
rain
ing
afte
r C
BP’
s in
tern
al J
une
30,
2010
dea
dlin
e.
In a
dditi
on, a
noth
er e
ight
hav
e ye
t to
co
mpl
ete
the
train
ing.
We
reco
mm
end
that
CB
P re
-exa
min
e its
rol
e-ba
sed
train
ing
prog
ram
and
con
side
r im
plem
entin
g th
e D
HS
Rol
e-B
ased
Se
curit
y Tr
aini
ng P
rogr
am o
nce
it ha
s be
en im
plem
ente
d at
th
e de
partm
ent l
evel
.
X
2
CB
P-IT
-10-
13
This
is
a co
mpo
nent
-leve
l fin
ding
. W
e no
ted
the
follo
win
g w
eakn
esse
s re
late
d to
acc
ess
to t
he r
aise
d flo
or a
rea:
�
We
revi
ewed
acc
ess
requ
est
auth
oriz
atio
ns t
o th
e ra
ised
floo
r are
a of
and
not
ed th
at o
f the
45
indi
vidu
als
sele
cted
, 1 a
utho
rized
acc
ess
form
was
no
t pro
vide
d.
�W
e re
view
ed e
vide
nce
of t
he r
ecer
tific
atio
n of
We
reco
mm
end
that
m
anag
emen
t de
velo
p to
ols
and
proc
edur
es
for
faci
litat
ing
and
docu
men
ting
the
appr
oval
/rece
rtific
atio
n an
d re
view
of
indi
vidu
al a
cces
s to
th
e ra
ised
floo
r are
a.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
3
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
indi
vidu
als
with
acc
ess
to th
e ra
ised
floo
r are
a an
d no
ted
that
of t
he 1
5 se
lect
ed in
divi
dual
s, 2
had
not
yet b
een
rece
rtifie
d.
CB
P-IT
-10-
14
This
is
a sy
stem
lev
el f
indi
ng.
KPM
G n
oted
tha
t al
thou
gh c
hang
es t
o a
user
’s A
CS
acce
ss p
rofil
e ar
e lo
gged
, th
e lo
gs o
f th
ese
even
ts a
re n
ot r
egul
arly
re
view
ed
by
pers
onne
l in
depe
nden
t fr
om
thos
e in
divi
dual
s tha
t mad
e th
e ch
ange
s.
We
reco
mm
end
that
CB
P fo
rmal
ize
a de
taile
d pr
oced
ure
for
the
revi
ew o
f A
CS
secu
rity
prof
ile c
hang
e lo
gs.
The
pr
oced
ure
shou
ld in
clud
e im
plem
entin
g a
perio
dic
revi
ew o
f th
e lo
gs b
y an
inde
pend
ent r
evie
wer
.
X
2
CB
P-IT
-10-
15
Dur
ing
our
tech
nica
l te
stin
g, p
atch
and
con
figur
atio
n m
anag
emen
t ex
cept
ions
wer
e id
entif
ied
on t
he
.
X
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
4
NFR
#N
o C
ondi
tion
.
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
CB
P-IT
-10-
16
This
is
a sy
stem
-leve
l fin
ding
and
a p
rior
year
iss
ue
from
FY
200
8 an
d FY
200
9.
KPM
G d
eter
min
ed th
at
evid
ence
of I
SAs
for 6
of t
he 1
7 PG
As
iden
tifie
d in
the
Syst
em S
ecur
ity P
lan
coul
d no
t be
prov
ided
. O
f the
six
th
at w
ere
prov
ided
, tw
o ex
pire
d du
ring
FY20
10 a
nd
ha
d no
t bee
n re
new
ed.
We
reco
mm
end
that
CB
P de
vote
suf
ficie
nt r
esou
rces
in
orde
r to
impl
emen
t and
mai
ntai
n fo
rmal
ISA
s with
the
PGA
s th
at i
nter
conn
ect
with
AC
S.
We
reco
mm
end
that
CB
P do
cum
ent
ISA
s fo
r al
l A
CS
PGA
con
nect
ions
ide
ntifi
ed i
n th
e A
CS
SSP.
X
2
CB
P-IT
-10-
17
This
is
a sy
stem
-leve
l fin
ding
.
W
e re
ques
ted
acce
ss
auth
oriz
atio
n ev
iden
ce f
or 4
5 A
CS
user
s to
det
erm
ine
whe
ther
AC
S ac
cess
was
app
ropr
iate
ly
auth
oriz
ed.
OIT
was
unab
le t
o pr
ovid
e ev
iden
ce o
f th
e ac
cess
requ
est a
utho
rizat
ions
for
any
of
the
45 s
elec
ted
AC
S us
ers.
As
a re
sult,
we
are
not
able
to
dete
rmin
e w
heth
er A
CS
acce
ss i
nitia
tions
or
mod
ifica
tions
wer
e ap
prop
riate
ly
appr
oved
an
d w
heth
er
A
CS
acce
ssco
ntro
ls a
re in
pla
ce a
nd o
pera
ting
as re
quire
d by
DH
S an
d C
BP
polic
ies.
We
reco
mm
end
that
C
BP
impl
emen
t pr
oced
ures
to
co
nsis
tent
ly d
ocum
ent t
he a
cces
s re
ques
ts a
nd a
ppro
vals
for
an
y an
d al
l ac
cess
cre
atio
ns a
nd c
hang
es t
o A
CS
user
prof
iles.
X
2
CB
P-IT
-10-
18
This
is
a co
mpo
nent
lev
el f
indi
ng.
We
note
d th
at
acce
ss r
eque
st f
orm
s, or
evi
denc
e of
rec
ertif
icat
ion
of
acce
ss, t
o th
e of
fsite
med
ia c
ould
not
be
prov
ided
for 5
of
the
15 se
lect
ed e
mpl
oyee
s.
We
reco
mm
end
that
CB
P up
date
the
acc
ess
auth
oriz
atio
n pr
oces
s to
indi
cate
that
the
acce
ss li
st w
ill u
nder
go a
100
%
rece
rtific
atio
n an
nual
ly.
The
artif
act
shou
ld b
e an
off
icia
l re
port
from
the
Con
tract
ing
Off
icer
Tec
hnic
al R
epre
sent
ativ
e fo
r off
site
med
ia st
orag
e cl
early
stat
ing
the
resu
lts a
long
with
ba
ckup
pap
erw
ork
for
all
add,
del
etes
, an
d ch
ange
s to
the
ac
cess
list
.
X
1
CB
P-IT
-10-
19
Th
is is
a s
yste
m le
vel f
indi
ng.
We
wer
e in
form
ed th
at
AC
S Se
curit
y A
udit
Logs
are
not
bei
ng r
evie
wed
. A
dditi
onal
ly, w
e no
ted
that
the
fol
low
ing
wea
knes
ses
rela
ted
to t
he A
CS
Secu
rity
Aud
it Lo
gs p
roce
dure
s co
ntin
ue to
exi
st:
�Pr
oced
ures
do
not
defin
e ho
w o
ften
t
he A
CS
We
reco
mm
end
that
CB
P de
velo
p an
d im
plem
ent p
roce
dure
s th
at d
ocum
ent
the
revi
ew p
roce
ss f
or A
CS
prof
ile c
hang
e lo
gs.
The
proc
ess
shou
ld in
clud
e th
e do
cum
ente
d ev
iden
ce
of re
view
, how
ofte
n au
dit l
ogs
are
revi
ewed
, and
the
revi
ew
sa
mpl
ing
met
hodo
logy
.
X
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
secu
rity
prof
ile c
hang
e au
dit l
ogs a
re re
view
ed.
�Pr
oced
ures
do
not
desc
ribe
how
the
doc
umen
ted
evid
ence
of
the
revi
ew p
roce
ss i
s cr
eate
d by
the
A
CS
Info
rmat
ion
Syst
em
Secu
rity
Off
icer
(I
SSO
)/Ind
epen
dent
Rev
iew
er.
�Pr
oced
ures
do
no
t de
fine
the
sam
plin
g m
etho
dolo
gy t
hat
is u
sed
to s
elec
t A
CS
prof
ile
chan
ge se
curit
y lo
gs fo
r rev
iew
CB
P-IT
-10-
20
This
is a
sys
tem
-leve
l fin
ding
. We
note
d th
e fo
llow
ing
wea
knes
ses
rela
ted
to t
he
e co
nfig
urat
ion
setti
ngs:
�
KPM
G n
oted
that
use
rs w
ere
allo
wed
an
num
ber
of f
aile
d at
tem
pts
to a
cces
s da
tase
ts t
o w
hich
th
ey
wer
e no
t au
thor
ized
. K
PMG
de
term
ined
tha
t th
e co
ntro
l op
tion
in t
he s
ecur
ity
softw
are,
whi
ch re
sults
in im
med
iate
sus
pens
ion
of
any
user
who
exc
eeds
the
spe
cifie
d nu
mbe
r of
vi
olat
ions
, ha
d no
t be
en
conf
igur
ed
prop
erly
. K
PMG
not
ed t
hat
this
set
ting
was
cor
rect
ed o
n Fe
brua
ry 2
4, 2
010.
�
KPM
G n
oted
tha
t us
ers
wer
e al
low
ed
faile
d lo
gon
atte
mpt
s be
fore
thei
r ac
coun
ts w
ere
lock
ed.
At
the
end
of t
he f
isca
l ye
ar t
he s
ettin
g w
as
upda
ted
to th
ree
faile
d lo
gin
atte
mpt
s, an
d K
PMG
ob
serv
ed th
e se
tting
in th
e sy
stem
and
not
ed th
at it
w
as c
orre
cted
on
Sept
embe
r 24,
201
0.
As
the
cond
ition
s w
ere
clos
ed
durin
g te
stin
g,
no
reco
mm
enda
tion
is re
quire
d.
X
2
CB
P-IT
-10-
21
This
is
a co
mpo
nent
lev
el f
indi
ng.
We
note
d th
e fo
llow
ing
wea
knes
ses
rela
ted
to th
e C
BP
Bac
kgro
und
Inve
stig
atio
n pr
oces
s:
�O
f th
e 45
ind
ivid
uals
sel
ecte
d, w
e no
ted
that
1
cont
ract
or d
id n
ot h
ave
a co
mpl
eted
bac
kgro
und
inve
stig
atio
n as
req
uire
d by
the
CB
P In
form
atio
n Sy
stem
Se
curit
y Po
licie
s an
d Pr
oced
ures
We
reco
mm
end
that
CB
P:
�C
ompl
ete
via
e-Q
IP t
he “
initi
atio
n” o
f al
l re
mai
ning
em
ploy
ee re
inve
stig
atio
ns b
y D
ecem
ber 3
0, 2
010.
�
Com
plet
e th
e re
inve
stig
atio
ns fo
r all
such
em
ploy
ees
by
Dec
embe
r 30,
201
1.
�D
evel
op/d
eplo
y a
track
ing
mec
hani
sm
(Con
tract
or
Trac
king
Sys
tem
) by
whi
ch to
iden
tify
thos
e co
ntra
ctor
s
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Han
dboo
k. W
e no
ted
that
this
con
tract
has
acc
ess
to th
e A
utom
ated
Com
mer
cial
Env
ironm
ent (
AC
E)
syst
em.
�O
f th
e 45
ind
ivid
uals
sel
ecte
d, w
e no
ted
that
5
empl
oyee
s an
d 25
con
tract
ors
did
not
have
the
ir ba
ckgr
ound
rei
nves
tigat
ions
ini
tiate
d w
ithin
the
fiv
e ye
ar
timef
ram
e as
re
quire
d by
C
BP
Mem
oran
dum
Reg
ardi
ng R
einv
estig
atio
ns,
date
d A
ugus
t 18,
200
8.
requ
iring
rein
vest
igat
ion.
�
Dev
elop
an
d im
plem
ent
a st
rate
gy
to
ensu
re
that
re
inve
stig
atio
ns
for
all
cont
ract
ors
are
initi
ated
as
re
quire
d.
CB
P-IT
-10-
22
This
is
a sy
stem
-leve
l fin
ding
. A
CS
deve
lope
rs m
ay
gain
em
erge
ncy/
tem
pora
ry a
cces
s to
the
pro
duct
ion
envi
ronm
ent t
hrou
gh th
e po
rtal r
eque
st p
roce
ss.
Whi
le
the
emer
genc
y/te
mpo
rary
acc
ount
act
iviti
es a
re lo
gged
, C
BP
does
not
rev
iew
the
se a
ctiv
ity l
ogs
to i
dent
ify
inap
prop
riate
act
iviti
es.
KPM
G r
ecom
men
ds t
hat
CB
P re
ports
on
the
TSS
audi
t of
em
erge
ncy
acce
ss s
houl
d be
run
as n
eede
d at
man
agem
ent’s
(e
.g.,
emer
genc
y ap
prov
er’s
) req
uest
.
X
2
CB
P-IT
-10-
23
This
is a
sys
tem
-leve
l fin
ding
. A
cces
s ap
prov
als
prio
r to
th
e cr
eatio
n of
N
DC
-LA
N
acco
unts
w
ere
not
cons
iste
ntly
mai
ntai
ned
in a
ccor
danc
e w
ith C
BP
polic
y an
d pr
oced
ures
. K
PMG
requ
este
d ac
cess
aut
horiz
atio
n do
cum
enta
tion
for
25 i
ndiv
idua
ls w
ho w
ere
gran
ted
ND
C-L
AN
ac
cess
du
ring
FY
2010
.
Alth
ough
a
proc
ess
for c
reat
ing
and
mai
ntai
ning
use
r acc
ess
form
s an
d re
ques
ts
has
been
in
pl
ace
sinc
e be
fore
th
e be
ginn
ing
of F
Y 2
010,
ini
tial
acce
ss r
eque
sts
and
appr
oval
s fo
r 10
of
th
ese
indi
vidu
als
wer
e no
t pr
ovid
ed.
We
reco
mm
end
that
CB
P fu
lly t
rans
ition
the
ir pr
oces
s fo
r re
ques
ting
ND
C-L
AN
Net
wor
k ac
cess
from
the
pape
r-ba
sed
user
acc
ess
requ
est f
orm
to a
n el
ectro
nic
user
acc
ess
requ
est
form
. O
nce
the
elec
troni
c fo
rm i
s fu
lly i
mpl
emen
ted,
the
do
cum
ente
d pr
oces
s w
ill b
e up
date
d to
refle
ct th
at a
ll N
DC
-LA
N u
ser a
cces
s req
uest
s mus
t go
to th
e Te
chno
logy
Ser
vice
D
esk
(TSD
) fo
r ac
tion.
TS
D w
ill g
ener
ate
a tro
uble
tick
et
and
atta
ch t
he e
lect
roni
c ac
cess
req
uest
for
m t
o th
e in
itial
us
er r
eque
st ti
cket
for
ND
C-L
AN
acc
ess.
The
ticke
t will
be
issu
ed i
n th
e na
me
of t
he u
ser
gain
ing
the
acce
ss s
o it
is
easi
ly se
arch
able
.
TSD
is
curr
ently
in
the
deve
lopm
ent
phas
e fo
r a
new
use
r ac
coun
t re
ques
t po
rtal
whi
ch w
ill p
rovi
de a
sec
ure
onlin
e en
viro
nmen
t for
man
agin
g th
is p
roce
ss.
This
new
tool
will
al
low
requ
esto
rs th
e ab
ility
to c
ompl
ete
and
subm
it LA
N a
nd
eMai
l ac
coun
t re
ques
ts v
ia o
nlin
e w
eb f
orm
. O
nce
the
requ
est i
s re
view
ed a
nd a
ppro
ved
by th
e C
BP
supe
rvis
or, a
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
ticke
t will
be
auto
mat
ical
ly g
ener
ated
(byp
assi
ng th
e ne
ed o
f sa
ving
/atta
chin
g an
d em
ailin
g th
e TS
D)
and
rout
ed t
o th
e ap
prop
riate
gro
up fo
r pro
cess
ing.
A lo
g w
ill b
e ca
ptur
ed a
nd
save
d in
the
new
sys
tem
for
eac
h ap
prov
ed/d
enie
d re
ques
t fo
r fut
ure
refe
renc
e.
CB
P-IT
-10-
24
CB
P ha
s no
t co
rrec
ted
func
tiona
lity
issu
es c
urre
ntly
no
ted
in A
CS,
and
rout
ine
mai
nten
ance
is in
crea
sing
ly
diff
icul
t an
d ex
pens
ive.
C
urre
ntly
, on
ly t
wo
vend
ors
supp
ort
AC
S, w
hich
lim
its C
BP’
s ab
ility
to
obta
in
mai
nten
ance
ser
vice
s at
a r
easo
nabl
e co
st.
Dur
ing
FY
2010
, CB
P sp
ent n
early
$12
.1 m
illio
n ju
st to
mai
ntai
n A
CS
at it
s cu
rren
t lev
el o
f fu
nctio
nalit
y.
In a
dditi
on,
CB
P is
cur
rent
ly r
e-vi
sitin
g th
e am
ount
of
fund
ing
nece
ssar
y to
com
plet
e th
e im
plem
enta
tion
of th
e A
CE
finan
cial
mod
ules
and
will
com
plet
e th
is a
naly
sis i
n FY
20
11.
Due
to t
hese
con
ditio
ns r
egar
ding
the
func
tiona
lity
of
AC
S an
d de
laye
d im
plem
enta
tion
of A
CE,
CB
P ha
s no
t re
solv
ed t
he f
ollo
win
g kn
own
AC
S fu
nctio
nalit
y is
sues
:
�A
CS
lack
s th
e co
ntro
ls n
eces
sary
to
prev
ent,
or
dete
ct a
nd c
orre
ct e
xces
sive
dra
wba
ck c
laim
s. T
he
prog
ram
min
g lo
gic
in A
CS
does
not
link
dra
wba
ck
clai
ms
to im
ports
at a
det
aile
d, li
ne it
em le
vel.
In
addi
tion,
AC
S do
es n
ot h
ave
the
capa
bilit
y to
co
mpa
re, v
erify
, and
trac
k es
sent
ial i
nfor
mat
ion
on
draw
back
cl
aim
s to
th
e re
late
d un
derly
ing
cons
umpt
ion
entri
es
and
expo
rt do
cum
enta
tion
upon
whi
ch th
e dr
awba
ck c
laim
is b
ased
. Ex
port
info
rmat
ion
is n
ot li
nked
to th
e D
raw
back
mod
ule
and
ther
efor
e el
ectro
nic
com
paris
ons o
f exp
ort d
ata
cann
ot b
e pe
rfor
med
with
in A
CS.
See
NFR
CB
P-10
-20
for f
urth
er d
etai
ls.
To a
ddre
ss th
is fi
ndin
g, C
BP
reco
mm
ends
that
it c
ontin
ue to
: �
Mod
erni
ze
its
busi
ness
pr
oces
ses
thou
gh
the
deve
lopm
ent
and
depl
oym
ent
of f
unct
iona
lity
in t
he
Aut
omat
ed C
omm
erci
al E
nviro
nmen
t as
it
has
done
si
nce
2001
. �
Wor
k w
ith
sta
keho
lder
s, in
clud
ing
CB
P pe
rson
nel,
the
trade
, pa
rtici
patin
g go
vern
men
t ag
enci
es,
the
Dep
artm
ent o
f H
omel
and
Secu
rity
and
the
Con
gres
s to
pr
iorit
ize,
dev
elop
, and
dep
loy
func
tiona
lity
that
allo
ws
CB
P to
ful
fill
its m
issi
on a
nd m
eet
the
need
s of
its
st
akeh
olde
rs.
�Se
ek f
unds
thr
ough
the
bud
get
proc
ess
that
will
allo
w
CB
P to
con
tinue
to d
evel
op a
nd d
eplo
y fu
nctio
nalit
y in
t
hat
will
sup
port
CB
P’s
mis
sion
and
mee
t th
e ne
eds o
f its
stak
ehol
ders
.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
�C
erta
in
mon
itorin
g re
ports
us
ed
to
mon
itor
(rev
iew
) im
porte
r co
mpl
ianc
e w
ith t
he i
n-bo
nd
proc
ess
have
not
bee
n de
velo
ped
and
ther
efor
e im
porte
r co
mpl
ianc
e is
not
bei
ng t
rack
ed.
In
addi
tion,
in-
bond
s ar
e no
t au
tom
atic
ally
lin
ked
to
the
rele
vant
ent
ry o
r ex
port
filin
gs in
AC
S, w
hich
le
ads
to e
xten
sive
man
ual
wor
k to
clo
se o
pen
in-
bond
s. F
inal
ly, A
CS
does
not
pro
vide
the
abili
ty to
ru
n ov
ersi
ght
repo
rts t
o de
term
ine
if po
rts h
ave
com
plet
ed a
ll re
quire
d in
-bon
d po
st a
udits
and
ex
ams.
See
NFR
CB
P-10
-14
for f
urth
er d
etai
ls.
�A
CS
does
no
t pr
oper
ly
acco
unt
for
bond
su
ffic
ienc
y of
cla
ims
that
inv
olve
a c
ontin
uous
bo
nd a
nd th
eref
ore
a cl
aim
ant c
an p
oten
tially
cla
im
and
rece
ive
an a
ccel
erat
ed p
aym
ent
that
exc
eeds
th
e bo
nd a
mou
nt o
n fil
e. A
s a
resu
lt, C
BP
will
not
ha
ve s
uffic
ient
sur
ety
agai
nst
a dr
awba
ck o
ver
clai
min
g. S
ee N
FR C
BP-
10-0
5 fo
r fur
ther
det
ails
. �
AC
S do
es n
ot p
rovi
de s
umm
ary
info
rmat
ion
of th
e to
tal u
npai
d as
sess
men
ts fo
r dut
ies,
taxe
s, an
d fe
es
by i
ndiv
idua
l im
porte
r (i.
e.,
a su
b-le
dger
) an
d ca
nnot
pr
ovid
e re
porti
ng
info
rmat
ion
on
outs
tand
ing
rece
ivab
les,
the
age
of r
ecei
vabl
es, o
r ot
her d
ata
nece
ssar
y fo
r man
agem
ent t
o ef
fect
ivel
y m
onito
r co
llect
ion
actio
ns.
See
NFR
CB
P-10
-04
for f
urth
er d
etai
ls.
�Th
e dr
awba
ck s
elec
tivity
fun
ctio
n of
AC
S is
not
pr
ogra
mm
ed to
sele
ct a
stat
istic
ally
val
id sa
mpl
e of
pr
ior
draw
back
cla
ims
agai
nst
a se
lect
ed i
mpo
rt en
try.
See
NFR
CB
P-10
-03
for f
urth
er d
etai
ls.
�A
CS
is p
rogr
amm
ed to
aut
omat
ical
ly in
dica
te th
at
a Po
rt D
irect
or c
ertif
ied
a re
fund
or
draw
back
pa
ymen
t eve
n if
the
Port
Dire
ctor
doe
s not
cer
tify
a gi
ven
paym
ent.
See
NFR
CB
P-10
-19
for
furth
er
deta
ils.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 5
9
A
ppen
dix
B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
0
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland SecurityFY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
Federal Emergency Management Agency
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 61
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Fede
ral E
mer
genc
y M
anag
emen
t Age
ncy
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
FEM
A-
IT-1
0-01
Dur
ing
FY 2
010,
FEM
A f
inal
ized
and
doc
umen
ted
requ
irem
ents
, an
d in
itiat
ed
auto
mat
ed
tech
nica
l pr
oces
ses
and
cont
rols
rel
ated
to
the
NEM
IS A
cces
s C
ontro
l Sys
tem
(N
AC
S) P
ositi
on R
e-A
ppro
val P
roje
ct
(NPR
P).
Spe
cific
ally
, En
terp
rise
Ope
ratio
ns B
ranc
h pe
rson
nel h
ave
begu
n sy
stem
atic
ally
exp
iring
pos
ition
as
sign
men
ts a
nd re
quiri
ng su
perv
isor
reau
thor
izat
ion
of
a su
bset
of
NA
CS
acco
unts
an
d re
late
d po
sitio
ns
prog
ress
ivel
y ov
er a
180
day
per
iod.
D
ue t
o th
e vo
lum
e of
act
ive
posi
tions
, FEM
A m
anag
emen
t sta
ted
that
the
rece
rtific
atio
n pr
oces
s w
ill r
ecer
tify
all N
AC
S po
sitio
ns a
fter
the
180
days
and
is
antic
ipat
ed t
o be
co
mpl
eted
in F
Y 2
011.
Th
us, w
hile
we
note
d th
at im
prov
emen
ts w
ere
mad
e by
de
velo
ping
and
impl
emen
ting
an a
utom
ated
pro
cess
for
rece
rtify
ing
all
NA
CS
acco
unts
and
rel
ated
pos
ition
s, in
clud
ing
thos
e re
late
d to
N
EMIS
ac
cess
, in
itial
re
certi
ficat
ion
to
revi
ew
and
reva
lidat
e al
l N
AC
S ac
coun
ts a
nd p
ositi
ons h
as st
ill n
ot b
een
com
plet
ed.
�C
ompl
ete
the
initi
al r
ecer
tific
atio
n of
all
exis
ting
NA
CS
acco
unts
and
rel
ated
pos
ition
s in
itiat
ed i
n A
pril
2010
to
en
sure
th
at
all
activ
e N
EMIS
ac
coun
ts
and
thei
r as
soci
ated
pr
ivile
ges
are
appr
opria
tely
aut
horiz
ed; a
nd
�En
sure
th
at
all
NA
CS
acco
unts
an
d re
late
d po
sitio
ns a
re r
ecer
tifie
d by
the
use
r’s
appr
opria
te
supe
rvis
or n
o le
ss t
han
annu
ally
, in
acc
orda
nce
with
DH
S po
licy.
X
3
FEM
A-
IT-1
0-02
FEM
A h
as n
ot e
stab
lishe
d an
alte
rnat
e pr
oces
sing
site
fo
r NEM
IS.
Add
ition
ally
, an
exce
ptio
n to
DH
S po
licy
for
the
lack
of
an e
stab
lishe
d al
tern
ate
proc
essi
ng s
ite
as
requ
ired
syst
ems
such
as
N
EMIS
th
at
are
cate
goriz
ed a
s “h
igh
impa
ct”
for
avai
labi
lity
has
not
been
requ
este
d by
FEM
A.
�C
ontin
ue a
nd c
ompl
ete
effo
rts re
quire
d to
est
ablis
h an
d im
plem
ent
an a
ltern
ate
proc
essi
ng s
ite f
or
NEM
IS a
ccor
ding
to D
HS
4300
A.
�U
ntil
an a
ltern
ate
proc
essi
ng s
ite i
s es
tabl
ishe
d,
deve
lop
and
subm
it an
exc
eptio
n fo
r ap
prov
al i
n ac
cord
ance
w
ith
DH
S po
licy,
an
d en
sure
th
at
com
pens
atin
g co
ntro
ls
over
th
e al
tern
ate
proc
essi
ng s
ite h
ave
been
im
plem
ente
d an
d ar
e ef
fect
ive,
and
doc
umen
tatio
n of
thei
r eff
ectiv
enes
s is
mai
ntai
ned
as a
udita
ble
reco
rds.
X
3
FEM
A-
IT-1
0-03
The
FEM
A d
omai
n se
curit
y po
licy
is c
onfig
ured
to
enfo
rce
activ
atio
n of
a p
assw
ord-
prot
ecte
d sc
reen
save
r on
end
-use
r wor
ksta
tions
afte
r 15
min
utes
of i
nact
ivity
,
�C
onfig
ure
the
FEM
A L
AN
dom
ain
secu
rity
polic
y to
au
tom
atic
ally
ac
tivat
e a
pass
wor
d-pr
otec
ted
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
rath
er th
an th
e fiv
e m
inut
e in
activ
ity th
resh
old
requ
ired
by D
HS
polic
y.
scre
ensa
ver
on e
nd-u
ser
wor
ksta
tions
afte
r fiv
e m
inut
es o
f ina
ctiv
ity, c
onsi
sten
t with
DH
S po
licy.
�
Impl
emen
t ap
prop
riate
man
agem
ent
cont
rols
to
ensu
re ti
mel
y co
mm
unic
atio
n an
d im
plem
enta
tion
of e
xist
ing
and
futu
re D
HS
info
rmat
ion
secu
rity
polic
y re
quire
men
ts p
erta
inin
g to
the
conf
igur
atio
n of
FE
MA
en
d us
er
wor
ksta
tions
, an
d to
pe
riodi
cally
ass
ess
syst
em c
ontro
ls t
o de
term
ine
com
plia
nce.
FE
MA
-IT
-10-
04
As
note
d du
ring
our
FY
2009
au
dit
proc
edur
es,
wea
knes
ses
exis
t in
pr
oces
ses
rela
ted
to
logg
ing,
m
onito
ring,
an
d re
tain
ing
audi
t lo
gs
on
syst
em
softw
are
and
oper
atin
g sy
stem
s su
ppor
ting
NEM
IS.
Spec
ifica
lly,
polic
ies
and
proc
edur
es r
elat
ed t
o th
e m
onito
ring
of
activ
ity
on
syst
em
softw
are
and
oper
atin
g sy
stem
s su
ppor
ting
NEM
IS h
ave
not
been
re
vise
d to
incl
ude
all i
dent
ified
ope
ratin
g sy
stem
s an
d IT
com
pone
nts
that
com
pris
e th
e sy
stem
bou
ndar
y fo
r th
e N
EMIS
app
licat
ion.
Add
ition
ally
, co
ntro
ls h
ave
not
been
con
figur
ed a
nd
appr
opria
tely
im
plem
ente
d to
log
, m
onito
r, or
ret
ain
suff
icie
ntly
det
aile
d au
dit
logs
for
act
ivity
on
NEM
IS
oper
atin
g sy
stem
s and
serv
ers.
�R
evis
e th
e SO
P, M
onito
ring
Sen
sitiv
e Ac
cess
to
NEM
IS, t
o en
sure
that
it st
ates
that
the
scop
e of
the
proc
edur
es
incl
udes
op
erat
ing
syst
ems
on
all
serv
ers
with
in s
yste
m b
ound
arie
s as
def
ined
in u
p-to
-dat
e N
EMIS
syst
em d
ocum
enta
tion.
�
Acq
uire
and
dep
loy
appr
opria
te to
ols
on o
pera
ting
syst
ems
and
serv
ers
supp
ortin
g N
EMIS
to g
ener
ate
audi
t tra
ils a
nd r
ecor
ds in
acc
orda
nce
with
FEM
A
and
DH
S po
licy.
�
Impl
emen
t th
e SO
P, M
onito
ring
Sen
sitiv
e Ac
cess
to
NEM
IS, b
y re
view
ing
and
reta
inin
g au
dit t
rails
an
d re
cord
s in
acc
orda
nce
with
FEM
A a
nd D
HS
polic
y.
X
3
FEM
A-
IT-1
0-05
As i
dent
ified
dur
ing
the
FY 2
009
audi
t, PA
RS
data
base
se
curit
y co
ntro
ls a
re n
ot a
ppro
pria
tely
est
ablis
hed
as
note
d be
low
:
�PA
RS
data
base
ac
coun
ts
are
not
revi
ewed
to
id
entif
y ac
coun
ts t
hat
have
bee
n in
activ
e fo
r 45
da
ys o
r mor
e, a
s re
quire
d by
DH
S po
licy
for h
igh
impa
ct sy
stem
s.
�St
rong
pas
swor
ds a
nd a
uthe
ntic
ator
con
trols
are
no
t im
plem
ente
d fo
r PA
RS
data
base
acc
ount
s in
ac
cord
ance
w
ith
FEM
A
and
DH
S po
licy.
�D
ocum
ent
and
impl
emen
t a
form
al p
roce
ss t
o im
plem
ent
appr
opria
te
cont
rols
to
en
sure
th
at
inac
tive
PAR
S da
taba
se a
ccou
nts
are
disa
bled
in
acco
rdan
ce w
ith D
HS
polic
y.
�C
onfig
ure
PAR
S da
taba
se a
ccou
nts
in a
ccor
danc
e w
ith D
HS
and
FEM
A r
equi
rem
ents
for
pas
swor
ds
and
auth
entic
ator
con
trols
, in
clud
ing
expi
ratio
n,
reus
e, a
nd c
ompl
exity
. �
Doc
umen
t an
d im
plem
ent
syst
em-s
peci
fic
proc
esse
s for
gen
erat
ing
and
perf
orm
ing
revi
ews o
f PA
RS
data
base
aud
it lo
gs a
nd r
etai
ning
aud
itabl
e
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Spec
ifica
lly:
-A
min
imum
pas
swor
d le
ngth
is n
ot se
t;
-Pa
ssw
ord
com
plex
ity is
not
enf
orce
d to
requ
ire
pass
wor
ds
that
in
clud
e a
com
bina
tion
of
uppe
r/low
erca
se l
ette
rs,
num
bers
, an
d sp
ecia
l ch
arac
ters
or
to r
estri
ct t
he u
se o
f di
ctio
nary
w
ords
as p
assw
ords
;
-R
euse
of p
revi
ous p
assw
ords
is n
ot p
rohi
bite
d;
-Pa
ssw
ords
are
not
con
figur
ed t
o ex
pire
or
be
chan
ged
afte
r a p
re-d
eter
min
ed le
ngth
of t
ime;
an
d
-A
ccou
nts
are
not c
onfig
ured
to d
isab
le a
fter
a pr
e-de
term
ined
num
ber
of c
onse
cutiv
e in
valid
lo
gin
atte
mpt
s.
�Sy
stem
-spe
cific
pol
icie
s an
d pr
oced
ures
hav
e no
t be
en d
evel
oped
for t
he P
AR
S O
racl
e da
taba
se, a
nd
exis
ting
polic
ies
and
proc
edur
es in
herit
ed fr
om th
e IF
MIS
app
licat
ion
oper
atin
g en
viro
nmen
t do
not
ad
equa
tely
de
scrib
e im
plem
enta
tion
of
FEM
A
polic
ies
for
the
gene
ratio
n, r
evie
w,
and
rete
ntio
n of
all
requ
ired
audi
tabl
e ev
ents
.
�D
atab
ase
audi
t log
s ar
e no
t con
figur
ed to
cap
ture
au
dita
ble
even
ts,
incl
udin
g fa
iled
logi
n at
tem
pts
and
adm
inis
trato
r-le
vel
actio
ns,
as r
equi
red
by
FEM
A a
nd D
HS
polic
y.
�A
lthou
gh
a pe
riodi
c re
certi
ficat
ion
of
PAR
S da
taba
se a
cces
s ac
coun
ts i
s pe
rfor
med
to
ensu
re
that
acc
ess
is s
till
nece
ssar
y an
d ap
prop
riate
for
ea
ch i
ndiv
idua
l, po
licie
s an
d pr
oced
ures
ove
r th
e m
anag
emen
t of
acc
ount
s on
the
PA
RS
Ora
cle
data
base
do
no
t sp
ecify
re
quire
men
ts
for
perf
orm
ing
a pe
riodi
c re
certi
ficat
ion
of d
atab
ase
evid
ence
of r
evie
w in
acc
orda
nce
with
FEM
A a
nd
DH
S po
licy.
Add
ition
ally
, en
sure
tha
t al
l D
HS
requ
irem
ents
ar
e m
et
thro
ugh
this
pr
oces
s, in
clud
ing
appr
opria
te
supe
rvis
ory
revi
ew
and
segr
egat
ion
of d
utie
s prin
cipl
es.
�C
onfig
ure
PAR
S da
taba
se a
udit
logs
to c
aptu
re a
nd
reta
in a
udita
ble
even
ts i
n ac
cord
ance
with
FEM
A
and
DH
S po
licy.
�
Furth
er d
efin
e an
d es
tabl
ish
a fo
rmal
pro
cess
for
gr
antin
g in
itial
ac
cess
an
d re
certi
fyin
g ac
cess
sp
ecifi
cally
to
the
PAR
S da
taba
se t
hat
incl
udes
ap
prop
riate
app
rova
l fro
m F
EMA
man
agem
ent a
nd
requ
irem
ents
for t
empo
rary
and
em
erge
ncy
acce
ss,
in a
ccor
danc
e w
ith D
HS
guid
ance
.
Plea
se s
ee N
FR F
EMA
-IT-
10-4
8 fo
r rec
omm
enda
tions
re
late
d to
th
e pe
riodi
c re
view
an
d as
sess
men
t of
se
curit
y co
ntro
ls i
n pl
ace
to e
nsur
e th
at c
orre
ctiv
e ac
tions
are
app
ropr
iate
ly i
mpl
emen
ted
over
ide
ntifi
ed
secu
rity
wea
knes
ses.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
acco
unts
to v
alid
ate
the
cont
inue
d ap
prop
riate
ness
of
ac
cess
. A
dditi
onal
ly,
the
FY
2010
re
certi
ficat
ion
of
PAR
S O
racl
e da
taba
se
user
ac
coun
ts w
as n
ot c
ompl
eted
con
sist
ently
and
in
acco
rdan
ce
with
FE
MA
re
quire
men
ts.
Spec
ifica
lly, o
f a s
elec
tion
of re
certi
ficat
ion
form
s fo
r fiv
e PA
RS
data
base
use
r ac
coun
ts r
eque
sted
, fo
ur
form
s re
certi
fied
acce
ss
for
cont
ract
ors
with
out d
ocum
ente
d C
OTR
app
rova
l.
�A
utho
rizat
ion
of
initi
al
acce
ss
for
the
PAR
S da
taba
se
is
not
cons
iste
ntly
co
mpl
eted
in
ac
cord
ance
w
ith
FEM
A
and
DH
S po
licy.
Sp
ecifi
cally
, of a
sel
ectio
n of
thre
e PA
RS
data
base
ac
cess
form
s req
uest
ed:
-Tw
o us
er a
ccou
nts w
ere
gran
ted
to c
ontra
ctor
s w
ithou
t the
requ
ired
CO
TR si
gnat
ure.
-O
ne
acco
unt
was
id
entif
ied
by
Fina
ncia
l Sy
stem
s Se
ctio
n (F
SS) p
erso
nnel
as
an IF
MIS
sy
stem
acc
ount
. H
owev
er,
no d
ocum
enta
tion
just
ifyin
g or
aut
horiz
ing
the
use
of th
is s
yste
m
acco
unt w
as p
rovi
ded.
FEM
A-
IT-1
0-06
Dur
ing
the
FY 2
010
finan
cial
stat
emen
t aud
it, w
e no
ted
that
FE
MA
ha
s m
ade
impr
ovem
ents
ov
er
the
man
agem
ent
of
NEM
IS
Ora
cle
data
base
pa
ssw
ord
cont
rols
fo
r IT
O
pera
tions
da
taba
se
adm
inis
trato
r ac
coun
ts,
spec
ifica
lly
by
conf
igur
ing
a 10
4-da
y pa
ssw
ord
lifet
ime.
H
owev
er,
the
follo
win
g w
eakn
esse
s no
ted
in F
Y 2
009
cont
inue
to e
xist
in F
Y
2010
for t
he fo
ur d
atab
ases
sele
cted
for t
estin
g:
�A
pas
swor
d co
mpl
exity
ver
ifica
tion
func
tion
is n
ot
conf
igur
ed
to
requ
ire
a co
mbi
natio
n of
up
per/l
ower
case
le
tters
, nu
mbe
rs,
and
spec
ial
We
reco
mm
end
that
FE
MA
co
nfig
ure
all
NEM
IS
Ora
cle
data
base
s to
ens
ure
com
plia
nce
with
eff
ectiv
e D
HS
and
FEM
A p
olic
y re
quire
men
ts f
or p
assw
ords
an
d au
then
ticat
or
cont
rol
requ
irem
ents
, in
clud
ing
expi
ratio
n, re
use,
and
leng
th a
nd c
ompl
exity
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
char
acte
rs.
�R
euse
of p
revi
ous p
assw
ords
is n
ot p
rohi
bite
d.
�N
o m
inim
um p
assw
ord
leng
th is
enf
orce
d.
FEM
A-
IT-1
0-07
FEM
A h
as m
ade
impr
ovem
ents
ove
r th
e m
anag
emen
t of
IF
MIS
-Mer
ged
Ora
cle
data
base
pa
ssw
ords
by
co
nfig
urin
g th
e sy
stem
to
re
tain
a
hist
ory
of
the
prev
ious
ten
pass
wor
ds.
How
ever
, upo
n in
spec
tion
of
addi
tiona
l da
taba
se
pass
wor
d pa
ram
eter
s, w
e de
term
ined
th
at
the
pass
wor
d hi
stor
y fo
r th
e te
n pr
evio
us
pass
wor
ds
is
only
re
tain
ed
for
30
days
. Th
eref
ore,
afte
r th
e 30
day
tim
efra
me,
the
pas
swor
d hi
stor
y is
era
sed,
allo
win
g th
e us
er t
o po
tent
ially
use
on
e of
the
prev
ious
ten
pass
wor
ds.
We
reco
mm
end
that
FEM
A c
onfig
ure
the
IFM
IS-
Mer
ged
Ora
cle
data
base
to
ensu
re c
ompl
ianc
e w
ith
effe
ctiv
e D
HS
and
FEM
A
polic
y re
quire
men
ts
rega
rdin
g th
e re
use
of u
ser p
assw
ords
.
X
3
FEM
A-
IT-1
0-08
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e se
lect
ed f
our
NEM
IS O
racl
e da
taba
ses
for
test
ing
and
note
d th
at e
ach
is c
onfig
ured
to
lock
acc
ount
s af
ter
thre
e co
nsec
utiv
e fa
iled
logi
n at
tem
pts
and
to r
emai
n lo
cked
for
415
sec
onds
(7.
5 m
inut
es)
befo
re b
eing
un
lock
ed.
Con
figur
e al
l N
EMIS
O
racl
e da
taba
ses
to
ensu
re
com
plia
nce
with
eff
ectiv
e D
HS
and
FEM
A p
olic
y re
quire
men
ts f
or a
ccou
nt l
ocko
uts
due
to f
aile
d lo
gin
atte
mpt
s.
X
3
FEM
A-
IT-1
0-09
As
note
d du
ring
the
FY 2
009
audi
t, th
e fo
llow
ing
wea
knes
ses
over
aud
it lo
ggin
g co
ntro
ls fo
r the
NEM
IS
Ora
cle
data
base
s con
tinue
to e
xist
in F
Y 2
010:
�Th
e FE
MA
IT
O
pera
tions
B
ranc
h St
anda
rd
Ope
ratin
g Pr
oced
ure
(SO
P)
for
Han
dlin
g of
O
racl
e Au
dit
Logs
ha
s no
t be
en
upda
ted.
Sp
ecifi
cally
:
-Th
e sc
ope
sect
ion
of th
e SO
P do
es n
ot li
st a
ll O
racl
e da
taba
ses
iden
tifie
d th
at c
ompr
ise
the
NEM
IS d
ata
proc
essi
ng e
nviro
nmen
t.
-Th
e SO
P ha
s no
t bee
n up
date
d to
add
ress
all
DH
S po
licy
requ
irem
ents
sur
roun
ding
aud
it
�R
evis
e th
e SO
P fo
r H
andl
ing
of O
racl
e Au
dit L
ogs
to e
nsur
e th
at p
roce
dure
s ov
er r
equi
rem
ents
for
lo
ggin
g an
d m
onito
ring
audi
tabl
e ac
tiviti
es o
n al
l N
EMIS
dat
abas
es a
re d
ocum
ente
d in
acc
orda
nce
with
DH
S an
d FE
MA
gui
danc
e an
d th
e pr
oces
s fo
r au
dit l
og r
evie
w is
app
ropr
iate
ly im
plem
ente
d fo
r al
l dat
abas
es w
ithin
the
NEM
IS sy
stem
bou
ndar
y.
�Im
plem
ent
data
base
con
figur
atio
ns o
n al
l N
EMIS
da
taba
ses
in a
ccor
danc
e w
ith D
HS
and
FEM
A
polic
y an
d pr
oced
ures
ov
er
requ
ired
audi
tabl
e ev
ents
and
act
iviti
es.
�D
edic
ate
the
appr
opria
te r
esou
rces
and
impl
emen
t th
e ap
prop
riate
au
tom
ated
to
ols
or
esta
blis
h m
anua
l pr
oces
ses
to
colle
ct,
revi
ew,
and
reta
in
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
trails
and
act
ivity
mon
itorin
g.
Spec
ifica
lly,
succ
essf
ul lo
gins
, acc
ess m
odifi
catio
ns, h
ighl
y pr
ivile
ged
user
acc
ount
act
ivity
, and
cha
nges
to
use
r pr
ofile
s ar
e no
t req
uire
d to
be
logg
ed
and
revi
ewed
.
-Th
e SO
P sp
ecifi
es
that
da
taba
se
adm
inis
trato
rs
will
re
view
O
racl
e au
dit
reco
rds,
whi
ch is
a v
iola
tion
of s
egre
gatio
n of
du
ties
prin
cipl
es t
hat
requ
ire a
n in
depe
nden
t re
view
of s
yste
m a
ctiv
ity.
�O
n th
e fo
ur N
EMIS
dat
abas
es s
elec
ted
for t
estin
g,
conf
igur
atio
ns a
re n
ot f
ully
ena
bled
so
that
a
revi
ew o
f au
dit t
rails
and
act
ivity
def
ined
by
DH
S po
licy
requ
irem
ents
ca
n be
co
mpl
eted
. Sp
ecifi
cally
, on
ly
faile
d lo
gin
atte
mpt
s ar
e re
cord
ed i
n th
e au
dit
trails
of
all
data
base
use
r ac
coun
ts.
audi
tabl
e ac
tiviti
es o
n al
l N
EMIS
dat
abas
es,
to
ensu
re c
ompl
ianc
e w
ith D
HS
and
FEM
A p
olic
y.
FEM
A-
IT-1
0-10
As
note
d du
ring
the
FY 2
009
audi
t, w
e de
term
ined
that
w
eakn
esse
s ov
er t
he t
rack
ing
of F
EMA
con
tract
ors
cont
inue
to e
xist
in F
Y 2
010.
Spe
cific
ally
:
�FE
MA
doe
s not
hav
e a
form
al p
roce
ss fo
r cen
trally
an
d ad
equa
tely
tra
ckin
g FE
MA
co
ntra
ctor
s th
roug
hout
th
e on
-boa
rdin
g,
term
inat
ion,
an
d tra
nsfe
r pr
oces
ses.
As
a re
sult,
FEM
A c
ould
not
pr
ovid
e a
com
plet
e lis
ting
of
all
cont
ract
ors
wor
king
for F
EMA
.
�Th
e pr
oces
s es
tabl
ishe
d fo
r no
tifyi
ng
FEM
A
Off
ice
of
Chi
ef
Info
rmat
ion
Off
icer
(O
CIO
) m
anag
emen
t, in
clud
ing
IT s
yste
m a
dmin
istra
tors
, of
cha
nges
in
cont
ract
or's
stat
us, s
o th
at a
ccou
nts
can
be d
isab
led/
rem
oved
or a
ccou
nt p
rofil
es c
an b
e ap
prop
riate
ly m
odifi
ed i
n th
e re
quire
d tim
efra
me,
�D
evel
op,
docu
men
t, fu
lly
impl
emen
t, an
d co
mm
unic
ate
form
al
polic
ies
and
proc
edur
es,
acco
rdin
g to
DH
S gu
idel
ines
and
requ
irem
ents
, for
ce
ntra
lly t
rack
ing
all
cont
ract
ors
thro
ugho
ut t
he
on-b
oard
ing,
ter
min
atio
n, a
nd t
rans
fer
proc
esse
s. En
sure
pol
icie
s and
pro
cedu
res i
nclu
de:
• Th
e as
sign
men
t of
role
s an
d re
spon
sibi
litie
s to
ap
prop
riate
FE
MA
m
anag
emen
t an
d st
akeh
olde
rs.
�Pr
oced
ures
to
ensu
re t
hat
CO
TRs
notif
y th
e FE
MA
OC
IO o
f cha
nges
in c
ontra
ctor
s’ s
tatu
s, in
clud
ing
sepa
ratio
n or
tra
nsfe
r, so
th
at
acco
unts
can
be
disa
bled
/rem
oved
or
acco
unt
prof
iles
can
be a
ppro
pria
tely
mod
ified
in
the
requ
ired
timef
ram
e.
�Es
tabl
ishm
ent
of
cont
rols
fo
r pe
riodi
cally
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
is n
ot e
ffec
tive
or c
ompr
ehen
sive
. Sp
ecifi
cally
, no
form
al re
quire
men
ts e
xist
for C
ontra
ctin
g O
ffic
er’s
Te
chni
cal
Rep
rese
ntat
ives
(C
OTR
s) t
o no
tify
the
OC
IO o
f sep
arat
ing
cont
ract
ors.
mon
itorin
g th
e ef
fect
iven
ess
of t
he p
roce
ss t
o en
sure
com
plia
nce
with
pol
icy.
�
Reg
ular
ly
dist
ribut
e a
listin
g of
te
rmin
ated
co
ntra
ctor
pe
rson
nel
to
info
rmat
ion
syst
em
adm
inis
trato
rs s
o th
ey c
an r
emov
e us
er a
cces
s tim
ely.
FE
MA
-IT
-10-
11
Whi
le F
EMA
has
mad
e im
prov
emen
ts o
ver t
he re
view
of
IFM
IS-M
erge
r ap
plic
atio
n ac
tivity
by
docu
men
ting
resp
onsi
bilit
ies
for
perf
orm
ing
perio
dic
revi
ews
of
supe
r use
r acc
ount
act
iviti
es, t
he fo
llow
ing
wea
knes
ses
note
d in
FY
200
9 co
ntin
ue to
exi
st in
FY
201
0:
�Ex
istin
g po
licie
s an
d pr
oced
ures
, inc
ludi
ng F
EMA
In
terim
C
FO
Dire
ctiv
e 26
00-2
1,
IFM
IS
Use
r Ac
cess
and
Ter
min
atio
n, a
nd F
EMA
SO
P 20
00-
002,
Mon
itori
ng o
f IFM
IS D
atab
ase
Audi
t Log
, do
not r
equi
re th
e ge
nera
tion,
rev
iew
, or
rete
ntio
n of
au
dit l
ogs
for a
ll ac
tiviti
es r
equi
red
by F
EMA
and
D
HS
polic
y.
�Fa
iled
data
base
(O
racl
e) a
nd a
pplic
atio
n (U
NIX
) lo
gin
atte
mpt
s an
d ac
tivity
pe
rfor
med
by
ap
plic
atio
n us
ers
with
the
“sup
er u
ser”
role
rem
ain
the
only
form
s of a
ctiv
ity lo
gged
and
mon
itore
d fo
r IF
MIS
-Mer
ger.
Oth
er ty
pes o
f act
ivity
requ
ired
by
FEM
A
and
DH
S po
licy,
in
clud
ing
succ
essf
ul
logi
ns,
acce
ss m
odifi
catio
ns,
and
chan
ges
to u
ser
prof
iles,
are
not l
ogge
d or
mon
itore
d.
�W
hile
we
note
d th
at lo
ggin
g of
use
rs a
cces
sing
or
atte
mpt
ing
to a
cces
s th
e IF
MIS
-Mer
ger a
pplic
atio
n is
en
able
d an
d di
strib
uted
to
ap
prop
riate
in
depe
nden
t re
view
ers,
evid
ence
of
re
view
of
ap
plic
atio
n lo
gin
atte
mpt
s is n
ot d
ocum
ente
d.
Add
ition
ally
, w
e no
ted
the
follo
win
g w
eakn
esse
s re
late
d to
rev
iew
s of
act
ivity
of
supe
r us
ers
with
in th
e
�R
evis
e an
d im
plem
ent p
olic
ies
and
proc
edur
es th
at
docu
men
t re
quire
men
ts f
or c
onfig
urin
g, r
etai
ning
, an
d re
view
ing
audi
t tra
ils f
or t
he I
FMIS
-Mer
ger
appl
icat
ion
and
data
base
, in
clud
ing
defin
ed r
oles
an
d re
spon
sibi
litie
s, in
acc
orda
nce
with
DH
S an
d FE
MA
pol
icy.
�
Impl
emen
t co
nfig
urat
ions
on
the
IFM
IS-M
erge
r ap
plic
atio
n an
d da
taba
se t
o en
sure
tha
t au
dit
logs
re
cord
req
uire
d au
dita
ble
even
ts a
nd a
ctiv
ities
, in
acco
rdan
ce w
ith D
HS
and
FEM
A p
olic
y.
�Im
plem
ent
appr
opria
te
man
agem
ent
cont
rols
to
ensu
re ti
mel
y co
mm
unic
atio
n an
d im
plem
enta
tion
of e
xist
ing
and
futu
re D
HS
info
rmat
ion
secu
rity
polic
y re
quire
men
ts p
erta
inin
g to
the
conf
igur
atio
n of
aud
it lo
gs o
n th
e IF
MIS
-Mer
ger a
pplic
atio
n an
d da
taba
se,
and
to
perio
dica
lly
asse
ss
syst
em
cont
rols
to d
eter
min
e co
mpl
ianc
e.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
IFM
IS-M
erge
r app
licat
ion:
�A
ctiv
ity o
f use
rs w
ith e
leva
ted
priv
ilege
s is
logg
ed
and
revi
ewed
on
a w
eekl
y ba
sis.
How
ever
, FEM
A
polic
y re
quire
s th
at a
udit
reco
rds
be c
aptu
red
and
revi
ewed
at l
east
eve
ry th
ree
days
.
�R
evie
w o
f su
per
user
act
ivity
is
perf
orm
ed b
y an
in
divi
dual
with
sup
er u
ser
priv
ilege
s w
ithin
the
ap
plic
atio
n, i
n co
nflic
t w
ith s
egre
gatio
n of
dut
ies
prin
cipl
es.
FEM
A-
IT-1
0-12
The
follo
win
g w
eakn
esse
s no
ted
in F
Y 2
009
cont
inue
d to
exi
st in
FY
201
0:
�G
&T
IFM
IS a
pplic
atio
n us
er a
ccou
nts
wer
e no
t co
nsis
tent
ly a
ppro
ved
or a
utho
rized
prio
r to
initi
al
acco
unt
crea
tion
or
mod
ifica
tion
of
acco
unt
priv
ilege
s. O
f th
e 25
act
ive
appl
icat
ion
user
s se
lect
ed f
or te
stin
g, F
EMA
was
una
ble
to p
rovi
de
adeq
uate
doc
umen
ted
evid
ence
that
cre
atio
n of
, or
mod
ifica
tions
to
, ac
coun
t pr
ivile
ges
for
22
acco
unts
wer
e pr
oper
ly a
utho
rized
. Sp
ecifi
cally
:
�D
ocum
enta
tion
for
10
acco
unts
di
d no
t ev
iden
ce t
hat
acce
ss w
as a
utho
rized
by
the
Off
ice
of th
e C
hief
Fin
anci
al O
ffic
er (O
CFO
).
�D
ocum
enta
tion
for
11 a
ccou
nts
indi
cate
d th
at
acce
ss w
as a
utho
rized
by
the
OC
FO a
fter
the
mod
ifica
tions
to
the
acco
unt
priv
ilege
s w
ere
perf
orm
ed.
�D
ocum
enta
tion
for
one
acco
unt
was
no
t av
aila
ble.
�G
&T
IFM
IS O
racl
e da
taba
se u
ser
acco
unts
wer
e no
t co
nsis
tent
ly a
ppro
ved
or a
utho
rized
prio
r to
in
itial
acc
ount
cre
atio
n.
Spec
ifica
lly, o
f th
e ei
ght
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
th
is f
indi
ng b
ecau
se o
f th
e de
com
mis
sion
ing
of G
&T
IFM
IS in
June
201
0. A
ny G
&T
IFM
IS a
ccou
nts w
hich
no
w e
xist
on
the
IFM
IS –
Mer
ged
inst
ance
will
nee
d to
be
in
clud
ed
in
rece
rtific
atio
n ef
forts
th
at
will
be
pe
rfor
med
by
FEM
A a
s co
rrec
tive
actio
n to
rem
edia
te
NFR
FEM
A-I
T-10
-14,
whi
ch c
ites
a la
ck o
f con
sist
ent
rece
rtific
atio
n of
C
ore/
Mer
ged
IFM
IS
acco
unts
, to
en
sure
tha
t al
l m
igra
ted
G&
T IF
MIS
acc
ount
s ar
e ap
prop
riate
ly a
utho
rized
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 6
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
activ
e da
taba
se u
ser
acco
unts
sel
ecte
d fo
r te
stin
g,
FEM
A
was
un
able
to
pr
ovid
e do
cum
ente
d ev
iden
ce t
hat
the
initi
al a
ccou
nt c
reat
ion
of t
wo
acco
unts
in F
Y 2
010
was
aut
horiz
ed.
Whi
le K
PMG
not
ed t
hat
the
plan
ned
mer
ger
of t
he
G&
T IF
MIS
and
Cor
e IF
MIS
ins
tanc
es o
ccur
red
in
Febr
uary
201
0, a
nd t
he e
xist
ing
G&
T IF
MIS
Ora
cle
data
base
and
app
licat
ion
serv
er w
as d
ecom
mis
sion
ed
in J
une
2010
, th
e w
eakn
esse
s ov
er t
he f
inan
cial
dat
a ex
iste
d fo
r the
maj
ority
of t
he fi
scal
yea
r.
FEM
A-
IT-1
0-13
As
note
d du
ring
the
FY 2
009
audi
t, w
eakn
esse
s in
G
&T
IFM
IS O
racl
e da
taba
se a
udit
logg
ing
cont
rols
co
ntin
ued
to e
xist
in
FY 2
010.
Spe
cific
ally
, O
racl
e da
taba
se a
udit
trails
wer
e no
t con
figur
ed to
cap
ture
any
ac
tivity
, in
clud
ing
faile
d lo
gin
atte
mpt
s or
ad
min
istra
tor-
leve
l ac
tions
as
requ
ired
by F
EMA
and
D
HS
guid
ance
.
Whi
le w
e no
ted
that
the
pla
nned
mer
ger
of t
he G
&T
IFM
IS a
nd C
ore
IFM
IS in
stan
ces
occu
rred
in F
ebru
ary
2010
and
the
exis
ting
G&
T IF
MIS
Ora
cle
data
base
was
de
com
mis
sion
ed in
June
201
0, th
e w
eakn
esse
s ove
r the
fin
anci
al d
ata
exis
ted
for t
he m
ajor
ity o
f the
fisc
al y
ear.
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
th
is f
indi
ng b
ecau
se o
f th
e de
com
mis
sion
ing
of G
&T
IFM
IS in
June
201
0.
X
3
FEM
A-
IT-1
0-14
Dur
ing
the
FY 2
010
audi
t pr
oced
ures
, w
e no
ted
that
w
eakn
esse
s w
hich
exi
sted
in
FY 2
009
rela
ted
to t
he
rece
rtific
atio
n of
IFM
IS a
pplic
atio
n ac
coun
ts c
ontin
ue
to
exis
t. Sp
ecifi
cally
, al
thou
gh
the
Cor
e IF
MIS
ap
plic
atio
n us
er a
ccou
nts
wer
e re
certi
fied
in J
anua
ry
2010
prio
r to
the
mer
ge o
f th
e G
&T
and
Cor
e IF
MIS
ap
plic
atio
ns, w
e de
term
ined
tha
t th
e re
certi
ficat
ion
of
the
Cor
e IF
MIS
acc
ount
s w
as n
ot p
rope
rly c
ompl
eted
. O
f th
e 25
act
ive
appl
icat
ion
acco
unts
sel
ecte
d, F
EMA
w
as u
nabl
e to
pro
vide
doc
umen
ted
evid
ence
that
thre
e of
the
acco
unts
wer
e re
certi
fied
by th
e sy
stem
ow
ner t
o
�D
edic
ate
reso
urce
s to
ful
ly im
plem
ent F
EMA
and
D
HS
requ
irem
ents
fo
r a
rece
rtific
atio
n of
al
l IF
MIS
-Mer
ger
appl
icat
ion
acco
unts
at
le
ast
annu
ally
, in
clud
ing
revo
king
ac
cess
fo
r an
y ac
coun
ts n
ot c
urre
ntly
in
com
plia
nce
with
the
an
nual
rece
rtific
atio
n.
�Id
entif
y an
d im
plem
ent
appr
opria
te
mon
itorin
g co
ntro
ls
to
ensu
re
cont
inue
d co
mpl
ianc
e w
ith
rece
rtific
atio
n re
quire
men
ts f
or th
e IF
MIS
-Mer
ger
appl
icat
ion.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
0
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
valid
ate
the
cont
inue
d ap
prop
riate
ness
of
the
acco
unt,
as r
equi
red
by F
EMA
and
DH
S po
licy.
Fu
rther
mor
e,
thes
e ac
coun
ts t
hen
rem
aine
d on
the
IFM
IS-M
erge
r ap
plic
atio
n af
ter
the
mer
ger
of
the
appl
icat
ions
oc
curr
ed.
FEM
A-
IT-1
0-15
Dur
ing
the
FY
2010
au
dit,
we
note
d th
at
the
wea
knes
ses
over
the
rec
ertif
icat
ion
of G
&T
IFM
IS
appl
icat
ion
and
Ora
cle
data
base
use
rs n
oted
in
FY
2009
con
tinue
d to
exi
st.
Spec
ifica
lly,
a m
anag
emen
t re
view
to v
alid
ate
the
appr
opria
tene
ss o
f G
&T
IFM
IS
appl
icat
ion
and
Ora
cle
data
base
use
r ac
coun
ts w
as n
ot
form
ally
im
plem
ente
d or
per
form
ed b
y th
e O
ffic
e of
th
e C
hief
Fin
anci
al O
ffic
er/F
inan
cial
Sys
tem
Sec
tion
(OC
FO-F
SS)
this
fis
cal
year
. W
e no
ted
that
the
pl
anne
d m
erge
r of
the
G&
T IF
MIS
and
Cor
e IF
MIS
in
stan
ces
occu
rred
in
Febr
uary
201
0, a
nd t
he e
xist
ing
G&
T IF
MIS
Ora
cle
data
base
and
app
licat
ion
serv
er
was
dec
omm
issi
oned
in J
une
2010
. H
owev
er, p
rior t
o th
e m
igra
tion
of G
&T
acco
unts
to th
e IF
MIS
– M
erge
d in
stan
ce i
n Fe
brua
ry 2
010,
a r
ecer
tific
atio
n of
G&
T IF
MIS
app
licat
ion
user
s di
d no
t oc
cur.
Ther
efor
e, t
he
wea
knes
ses o
ver t
he re
certi
ficat
ion
of u
sers
with
acc
ess
to G
&T
IFM
IS f
inan
cial
dat
a ex
iste
d fo
r th
e fir
st tw
o qu
arte
rs o
f the
fisc
al y
ear.
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
th
is f
indi
ng b
ecau
se o
f th
e de
com
mis
sion
ing
of G
&T
IFM
IS i
n Ju
ne 2
010.
A
ny G
&T
IFM
IS a
ccou
nts
whi
ch n
ow e
xist
on
the
IFM
IS –
Mer
ged
inst
ance
will
be
inc
lude
d in
rec
ertif
icat
ion
effo
rts t
hat
need
to
be
perf
orm
ed b
y FE
MA
as
corr
ectiv
e ac
tion
to re
med
iate
N
FR F
EMA
-IT-
10-1
4, w
hich
cite
s a
lack
of c
onsi
sten
t re
certi
ficat
ion
of C
ore/
Mer
ged
IFM
IS a
ccou
nts.
X
3
FEM
A-
IT-1
0-16
The
mer
ger
of C
ore
IFM
IS a
nd G
&T
IFM
IS w
as
perf
orm
ed i
n Fe
brua
ry 2
010,
and
the
G&
T IF
MIS
ap
plic
atio
n an
d da
taba
se
serv
er
wer
e fo
rmal
ly
deco
mm
issi
oned
in
June
201
0.
Whi
le a
n A
TO w
as
gran
ted
for
the
IFM
IS-M
erge
r sy
stem
by
the
FEM
A
Chi
ef In
form
atio
n O
ffic
er o
n Ju
ne 4
, 201
0, p
rior t
o th
e co
mpl
etio
n of
the
mer
ged
inst
ance
, a
C&
A h
ad n
ot
been
pe
rfor
med
ov
er
the
G&
T IF
MIS
in
stan
ce.
Con
sequ
ently
, as
note
d du
ring
the
prio
r ye
ar F
Y 2
009
audi
t, G
&T
IFM
IS o
pera
ted
with
out
an A
TO p
rior
to
its d
ecom
mis
sion
ing.
In
add
ition
, we
dete
rmin
ed th
at
durin
g th
e tim
e th
e sy
stem
was
ope
ratio
nal,
neith
er a
n
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
th
is f
indi
ng b
ecau
se o
f th
e de
com
mis
sion
ing
of G
&T
IFM
IS in
June
201
0.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Info
rmat
ion
Syst
em S
ecur
ity O
ffic
er (
ISSO
) no
r a
Des
igna
ted
Aut
horiz
ing
Aut
horit
y (D
AA
) ha
d be
en
form
ally
des
igna
ted
by F
EMA
man
agem
ent
for
G&
T IF
MIS
.
FEM
A-
IT-1
0-17
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
we
note
d th
e fo
llow
ing
wea
knes
ses
rega
rdin
g sp
ecia
lized
tra
inin
g fo
r FE
MA
em
ploy
ees
and
cont
ract
ors
with
sig
nific
ant
info
rmat
ion
secu
rity
resp
onsi
bilit
ies:
�FE
MA
ha
s no
t fo
rmal
ly
docu
men
ted
or
impl
emen
ted
polic
ies
and
proc
edur
es t
o m
eet
the
requ
irem
ents
ove
r sp
ecia
lized
tra
inin
g fo
r FE
MA
em
ploy
ees
and
cont
ract
ors
with
si
gnifi
cant
in
form
atio
n se
curit
y re
spon
sibi
litie
s in
acc
orda
nce
with
DH
S po
licy.
�W
ith t
he e
xcep
tion
of I
SSO
s, FE
MA
has
not
fo
rmal
ly id
entif
ied
all i
ndiv
idua
ls o
r pos
ition
s w
ith
sign
ifica
nt
info
rmat
ion
secu
rity
resp
onsi
bilit
ies
subj
ect t
o sp
ecia
lized
trai
ning
requ
irem
ents
.
�FE
MA
doe
s no
t tra
ck o
r m
onito
r co
mpl
etio
n of
sp
ecia
lized
tra
inin
g fo
r FE
MA
pe
rson
nel
with
cr
itica
l IT
role
s.
�D
evel
op a
nd i
mpl
emen
t po
licie
s an
d pr
oced
ures
re
quiri
ng i
nitia
l an
d pe
riodi
c sp
ecia
lized
tra
inin
g fo
r in
divi
dual
s w
ith
sign
ifica
nt
info
rmat
ion
secu
rity
resp
onsi
bilit
ies.
�Fo
rmal
ly
iden
tify
spec
ific
role
s an
d po
sitio
ns
poss
essi
ng
sign
ifica
nt
info
rmat
ion
secu
rity
resp
onsi
bilit
ies
that
ar
e su
bjec
t to
sp
ecia
lized
tra
inin
g re
quire
men
ts.
�D
evel
op a
nd im
plem
ent a
mec
hani
sm f
or tr
acki
ng
and
mon
itorin
g co
mpl
ianc
e w
ith
spec
ializ
ed
train
ing
requ
irem
ents
fo
r in
divi
dual
s w
ith
sign
ifica
nt in
form
atio
n se
curit
y re
spon
sibi
litie
s.
X
2
FEM
A-
IT-1
0-18
In F
Y 2
010,
we
note
d th
at t
he N
EMIS
SSP
was
up
date
d in
Nov
embe
r 20
09.
How
ever
, we
dete
rmin
ed
that
the
follo
win
g w
eakn
esse
s con
tinue
to e
xist
:
�N
EMIS
sy
stem
bo
unda
ries,
incl
udin
g id
entif
icat
ion
of
all
hard
war
e an
d so
ftwar
e el
emen
ts th
at c
ompr
ise
the
NEM
IS g
ener
al su
ppor
t sy
stem
an
d su
bsys
tem
s, ha
ve
not
been
fu
lly
defin
ed.
�FE
MA
has
not
doc
umen
ted
the
assi
gnm
ent
of
FEM
A p
erso
nnel
with
sec
urity
res
pons
ibili
ties
for
the
mod
ules
an
d m
ajor
ap
plic
atio
ns
that
ar
e
�Fu
lly
iden
tify
all
hard
war
e an
d so
ftwar
e co
mpo
nent
s of
the
NEM
IS p
latfo
rm a
nd u
pdat
e ap
prop
riate
N
EMIS
sy
stem
do
cum
enta
tion,
in
clud
ing
the
SSP,
to r
efle
ct th
e cu
rren
t ope
ratin
g en
viro
nmen
t as
requ
ired
by D
HS
polic
y an
d N
IST
guid
ance
.
�Es
tabl
ish
and
impl
emen
t a
form
al p
roce
ss f
or
perio
dica
lly
revi
ewin
g an
d as
sess
ing
syst
em
docu
men
tatio
n to
ens
ure
that
sys
tem
bou
ndar
ies
and
hard
war
e an
d so
ftwar
e co
mpo
nent
s ar
e ac
cura
tely
refle
cted
.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
clas
sifie
d as
NEM
IS s
ubsy
stem
s w
ithin
the
curr
ent
NEM
IS S
SP.
�Fo
rmal
ly
assi
gn
and
docu
men
t se
curit
y re
spon
sibi
litie
s of
FE
MA
pe
rson
nel
for
all
com
pone
nts
of N
EMIS
, in
clud
ing
all
iden
tifie
d m
odul
es a
nd m
ajor
app
licat
ions
.
FEM
A-
IT-1
0-19
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
we
note
d th
e fo
llow
ing
wea
knes
ses
rega
rdin
g co
nfig
urat
ion
man
agem
ent
over
net
wor
k de
vice
s su
ch a
s fir
ewal
ls,
rout
ers,
and
switc
hes
that
sup
port
in-s
cope
fin
anci
al
syst
ems:
�C
ompr
ehen
sive
con
figur
atio
n ba
selin
es id
entif
ying
al
l re
leva
nt c
onfig
urat
ion
item
s (C
Is)
with
in t
he
scop
e of
IF
MIS
an
d N
EMIS
ha
ve
not
been
do
cum
ente
d.
�FE
MA
con
figur
atio
n m
anag
emen
t (C
M)
polic
ies
and
proc
edur
es
requ
ire
the
impl
emen
tatio
n of
C
onfig
urat
ion
Stat
us A
ccou
ntin
g (C
SA),
whi
ch
incl
udes
re
cord
ing
appr
oved
co
nfig
urat
ion
docu
men
tatio
n,
perf
orm
ing
Con
figur
atio
n A
udit
(CA
), an
d do
cum
entin
g ph
ysic
al
conf
igur
atio
n au
dits
to
as
sess
co
nfor
man
ce
with
es
tabl
ishe
d ba
selin
es.
How
ever
, re
quire
men
ts
for
the
freq
uenc
y, d
ocum
enta
tion,
and
ret
entio
n of
res
ults
of
thes
e ac
tiviti
es h
ave
not b
een
defin
ed in
exi
stin
g FE
MA
pol
icie
s or
pro
cedu
res.
Add
ition
ally
, th
e re
quire
d C
SA r
epor
ts a
nd C
As
have
not
bee
n pe
rfor
med
for I
FMIS
or N
EMIS
.
�Fo
rmal
ly
esta
blis
h ro
les
and
resp
onsi
bilit
ies
rela
ted
to
over
sigh
t an
d im
plem
enta
tion
of
conf
igur
atio
n m
anag
emen
t pol
icie
s an
d pr
oced
ures
fo
r ne
twor
k de
vice
s, in
clud
ing
firew
alls
an
d ro
uter
s, su
ppor
ting
finan
cial
ap
plic
atio
ns
in
acco
rdan
ce w
ith D
HS
and
FEM
A re
quire
men
ts.
�R
evis
e an
d im
plem
ent
conf
igur
atio
n m
anag
emen
t po
licie
s an
d pr
oced
ures
ove
r do
cum
entin
g an
d m
aint
aini
ng
curr
ent
base
line
conf
igur
atio
ns
for
netw
ork
devi
ces
supp
ortin
g fin
anci
al a
pplic
atio
ns,
incl
udin
g IF
MIS
and
NEM
IS, t
o en
sure
DH
S an
d FE
MA
requ
irem
ents
are
ade
quat
ely
addr
esse
d an
d co
nfig
urat
ion
base
lines
ar
e co
mpr
ehen
sive
ly
docu
men
ted
by F
EMA
. A
dditi
onal
ly, p
olic
ies
and
proc
edur
es
shou
ld
incl
ude
guid
ance
ov
er
requ
irem
ents
suc
h as
doc
umen
tatio
n of
bas
elin
es,
perio
dic
revi
ew a
nd a
uditi
ng,
and
appr
oval
of
base
line
chan
ges f
or n
etw
ork
devi
ces.
�Pe
rfor
m
requ
ired
conf
igur
atio
n m
anag
emen
t ac
tiviti
es, i
nclu
ding
per
iodi
c C
onfig
urat
ion
Stat
us
Acc
ount
ing
and
Con
figur
atio
n A
udit
activ
ities
, for
ne
twor
k de
vice
s su
ppor
ting
finan
cial
app
licat
ions
, in
clud
ing
IFM
IS a
nd N
EMIS
, and
reta
in a
udita
ble
evid
ence
of
thes
e ac
tiviti
es a
s re
quire
d by
FEM
A
polic
y.
X
3
FEM
A-
IT-1
0-20
Con
ditio
ns n
oted
in
FY 2
009
rela
ted
to w
eakn
esse
s ov
er t
he d
ocum
enta
tion
and
test
ing
of t
he N
EMIS
co
ntin
genc
y pl
an c
ontin
ue t
o ex
ist
in F
Y 2
010,
as
follo
ws:
�U
pdat
e th
e N
EMIS
IT
C
ontin
genc
y Pl
an
in
acco
rdan
ce w
ith D
HS
and
NIS
T re
quire
men
ts f
or
syst
ems
cate
goriz
ed a
t the
hig
h im
pact
ava
ilabi
lity
obje
ctiv
e.
Add
ition
ally
, en
sure
th
at
the
Con
tinge
ncy
Plan
com
preh
ensi
vely
add
ress
es t
he
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
�Th
e N
EMIS
IT
C
ontin
genc
y Pl
an
does
no
t ad
equa
tely
an
d co
mpr
ehen
sive
ly
incl
ude
info
rmat
ion
requ
ired
by D
HS
polic
y fo
r sy
stem
s w
ith h
igh
impa
ct a
vaila
bilit
y.
For
exam
ple,
we
note
d th
e fo
llow
ing
wea
knes
ses:
�D
etai
led
info
rmat
ion
over
N
EMIS
sy
stem
ar
chite
ctur
e, s
uch
as t
he d
atab
ase
and
serv
er
nam
es, a
s w
ell a
s in
form
atio
n ov
er th
e va
rious
m
odul
es o
f NEM
IS, h
as n
ot b
een
appr
opria
tely
do
cum
ente
d to
ref
lect
the
cur
rent
ope
ratin
g en
viro
nmen
t.
�Th
e pl
an d
oes
not
suff
icie
ntly
inc
lude
det
ails
ne
cess
ary
to
fully
re
stor
e N
EMIS
an
d de
pend
ent
subs
yste
ms
in
the
even
t of
an
em
erge
ncy.
�Th
e co
ntin
genc
y pl
an d
oes
not s
peci
fy c
ritic
al
role
s, sy
stem
res
ourc
es, o
r sy
stem
/app
licat
ion
reco
very
pr
iorit
ies
in
suff
icie
nt
deta
il to
di
stin
guis
h be
twee
n th
e va
rious
m
odul
es
with
in N
EMIS
.
�Th
e B
usin
ess
Impa
ct A
naly
sis
(BIA
) in
clud
ed
in t
he C
ontin
genc
y Pl
an w
as c
ompl
eted
in
2004
and
is n
ot a
dequ
atel
y do
cum
ente
d.
�Te
stin
g of
the
NEM
IS IT
con
tinge
ncy
plan
has
not
be
en
perf
orm
ed
in
the
past
12
m
onth
s in
ac
cord
ance
with
DH
S po
licy.
num
erou
s su
b-sy
stem
s w
ithin
N
EMIS
so
th
at
deta
iled
info
rmat
ion
exis
ts o
ver t
he c
urre
nt s
yste
m
arch
itect
ure,
crit
ical
pro
cess
ing
prio
ritie
s, de
taile
d re
cove
ry
proc
edur
es
and
othe
r re
quire
d co
mpo
nent
s in
acco
rdan
ce w
ith D
HS
guid
ance
. �
Con
duct
and
doc
umen
t ann
ual t
ests
of t
he N
EMIS
C
ontin
genc
y Pl
an th
at a
ddre
ss a
ll cr
itica
l pha
ses o
f th
e pl
an,
and
upda
te t
he C
ontin
genc
y Pl
an w
ith
less
ons
lear
ned,
as
nece
ssar
y an
d in
acc
orda
nce
with
DH
S an
d N
IST
requ
irem
ents
.
FEM
A-
IT-1
0-21
We
perf
orm
ed a
com
paris
on o
f ac
tive
IFM
IS-M
erge
r, G
&T
IFM
IS,
and
NEM
IS A
cces
s C
ontro
l Sy
stem
(N
AC
S) a
ccou
nts,
as w
ell
as i
ndiv
idua
ls w
ith V
irtua
l Pr
ivat
e N
etw
ork
(VPN
) re
mot
e ac
cess
pr
ivile
ges,
agai
nst
a lis
t of
FEM
A e
mpl
oyee
s th
at h
ad s
epar
ated
fr
om e
mpl
oym
ent s
ince
Oct
ober
1, 2
009
to d
eter
min
e
�Id
entif
y th
e ro
ot c
ause
(s) a
ssoc
iate
d w
ith s
epar
ated
em
ploy
ees
rem
aini
ng
on
FEM
A
info
rmat
ion
syst
ems.
A
s ap
prop
riate
, re
vise
ex
istin
g pr
oced
ures
or
deve
lop
addi
tiona
l pr
oced
ures
ove
r re
mov
al o
f se
para
ted
user
acc
ess
to I
T sy
stem
s to
ad
dres
s w
eakn
esse
s th
at c
ontri
bute
to
untim
ely
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
if an
y se
para
ted
empl
oyee
s re
tain
ed a
ctiv
e ac
coun
ts o
n th
e ap
plic
atio
ns
or
rem
ote
acce
ss
to
the
FEM
A
netw
ork.
The
follo
win
g w
eakn
esse
s wer
e id
entif
ied:
�11
IFM
IS-M
erge
r us
er a
ccou
nts
rem
aine
d ac
tive
and
unlo
cked
afte
r the
acc
ount
hol
der’
s se
para
tion
from
FEM
A.
�3
G&
T IF
MIS
use
r ac
coun
ts r
emai
ned
activ
e an
d un
lock
ed
afte
r th
e ac
coun
t ho
lder
’s
sepa
ratio
n fr
om F
EMA
.
�16
4 N
AC
S ac
coun
ts
with
N
EMIS
po
sitio
ns
assi
gned
at
the
time
of o
ur t
est
wor
k re
mai
ned
activ
e an
d un
lock
ed a
fter
the
acco
unt
hold
er’s
se
para
tion
from
FEM
A.
�33
ind
ivid
uals
ret
aine
d th
e ab
ility
to
acce
ss t
he
FEM
A
netw
ork
rem
otel
y du
e to
ac
tive
VPN
re
mot
e ac
cess
priv
ilege
s af
ter t
he a
ccou
nt h
olde
r’s
sepa
ratio
n fr
om
FEM
A.
All
33
indi
vidu
als
addi
tiona
lly r
etai
ned
an a
ctiv
e N
AC
S ac
coun
t as
de
scrib
ed a
bove
, thu
s al
low
ing
them
to p
oten
tially
ac
cess
NEM
IS a
s wel
l.
rem
oval
of s
epar
ated
indi
vidu
als f
rom
the
syst
ems.
�En
sure
th
at
proc
edur
es
are
impl
emen
ted
cons
iste
ntly
to
re
mov
e sy
stem
an
d ap
plic
atio
n ac
coun
ts f
or a
ll se
para
ted
user
s im
med
iate
ly u
pon
notif
icat
ion
of
sepa
ratio
n,
in
acco
rdan
ce
with
FE
MA
, DH
S an
d N
IST
guid
ance
.
No
corr
ectiv
e ac
tion
spec
ific
to t
he p
ortio
n of
thi
s fin
ding
re
late
d to
G
&T
IFM
IS
will
be
pr
ovid
ed
beca
use
of th
e de
com
mis
sion
ing
of th
at s
yste
m in
Jun
e 20
10.
FEM
A-
IT-1
0-22
In F
Y 2
010,
we
note
d th
at t
he f
ollo
win
g co
nditi
ons
iden
tifie
d in
FY
200
9 re
late
d to
FEM
A L
AN
acc
ount
s co
ntin
ue to
exi
st:
�Th
e FE
MA
LA
N d
omai
n se
curit
y po
licy
does
not
en
forc
e pa
ssw
ord
requ
irem
ents
in a
ccor
danc
e w
ith
DH
S po
licy.
Spe
cific
ally
:
�Th
e FE
MA
LA
N d
oes
not e
nfor
ce a
pas
swor
d hi
stor
y or
pre
vent
reus
e of
pas
swor
ds.
�Th
e FE
MA
LA
N d
oes
not e
nfor
ce c
ompl
exity
re
quire
men
ts, i
nclu
ding
pas
swor
d le
ngth
or t
he
use
of m
ixed
-cas
e al
phan
umer
ic a
nd s
peci
al
Con
figur
e th
e FE
MA
LA
N to
ens
ure
com
plia
nce
with
D
HS
and
FEM
A p
olic
y re
quire
men
ts f
or p
assw
ords
an
d au
then
ticat
or
cont
rol
requ
irem
ents
, in
clud
ing
expi
ratio
n, re
use,
and
leng
th a
nd c
ompl
exity
.
Iden
tify
and
impl
emen
t ap
prop
riate
m
onito
ring
cont
rols
to e
nsur
e th
at a
ll ac
coun
ts o
n th
e FE
MA
LA
N
are
in
com
plia
nce
with
D
HS
requ
irem
ents
fo
r au
thor
izat
ion.
A
dditi
onal
ly,
ensu
re
that
w
here
ap
prop
riate
po
licie
s an
d pr
oced
ures
ar
e fu
rther
de
velo
ped
and/
or
revi
sed
to
ensu
re
cons
iste
nt
impl
emen
tatio
n an
d in
clud
e re
quire
men
ts
for
all
acco
unts
on
the
FEM
A L
AN
, inc
ludi
ng g
ener
ic, s
hare
d
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
char
acte
rs, t
o en
sure
that
stro
ng p
assw
ords
are
us
ed.
�FE
MA
was
una
ble
to p
rovi
de e
vide
nce
of a
ccou
nt
auth
oriz
atio
n fo
r 10
A
ctiv
e D
irect
ory
(AD
) in
divi
dual
use
r acc
ount
s cre
ated
in F
Y 2
010.
�W
hile
po
licie
s an
d pr
oced
ures
ov
er
the
auth
oriz
atio
n of
gen
eric
, sha
red
grou
p, a
nd s
ervi
ce
acco
unts
on
the
FEM
A L
AN
hav
e be
en f
inal
ized
, ap
prov
al
of
thes
e ac
coun
ts
is
not
cons
iste
ntly
do
cum
ente
d ac
cord
ing
to p
olic
y. S
peci
fical
ly, o
f a
sele
ctio
n of
45
gene
ric,
grou
p, a
nd s
ervi
ce L
AN
ac
coun
ts c
reat
ed d
urin
g FY
201
0:
�2
did
not h
ave
a cl
early
def
ined
bus
ines
s ne
ed
or ju
stifi
catio
n do
cum
ente
d;
�26
did
not
hav
e IT
Sec
urity
or
syst
em o
wne
r ap
prov
al d
ocum
ente
d;
�19
w
ere
crea
ted
prio
r to
su
perv
isor
y ce
rtific
atio
n; a
nd
�2
did
not h
ave
any
auth
oriz
ing
docu
men
tatio
n pr
ovid
ed fo
r our
revi
ew.
�FE
MA
ha
s no
t es
tabl
ishe
d pr
oced
ures
an
d im
plem
ente
d a
proc
ess
over
th
e pe
riodi
c re
certi
ficat
ion
of F
EMA
LA
N a
ccou
nts
to e
nsur
e th
at a
cces
s is
stil
l ne
cess
ary
and
appr
opria
te f
or
each
acc
ount
as
requ
ired
by F
EMA
and
DH
S po
licy.
�W
e co
mpa
red
a lis
ting
of a
ctiv
e FE
MA
LA
N/A
D
acco
unts
ag
ains
t a
list
of
FEM
A
empl
oyee
se
para
tions
tha
t ha
d oc
curr
ed s
ince
Oct
ober
1,
2009
and
det
erm
ined
tha
t 85
acc
ount
s re
mai
ned
activ
e an
d un
lock
ed a
fter
the
acco
unt
hold
er’s
grou
p,
serv
ice,
an
d LA
N
end-
user
ac
coun
ts
not
incl
uded
in th
e N
AC
S.
Dev
elop
an
d im
plem
ent
a fo
rmal
pr
oces
s fo
r pe
rfor
min
g a
perio
dic
rece
rtific
atio
n of
all
FEM
A L
AN
ac
coun
ts w
hich
def
ines
req
uire
men
ts a
nd a
ddre
sses
ac
coun
ts
not
incl
uded
du
ring
the
plan
ned
rece
rtific
atio
n of
NEM
IS a
pplic
atio
n ac
cess
. Ev
alua
te a
nd, i
f app
ropr
iate
, rev
ise
exis
ting
proc
edur
es
over
rem
oval
of
sepa
rate
d us
er a
cces
s to
the
FEM
A
LAN
to
en
sure
th
e tim
ely
rem
oval
of
se
para
ted
indi
vidu
als f
rom
the
netw
ork.
Ensu
re th
at p
roce
dure
s ar
e im
plem
ente
d co
nsis
tent
ly to
re
mov
e FE
MA
LA
N a
ccou
nts
for
all
sepa
rate
d us
ers
imm
edia
tely
up
on
notif
icat
ion
of
sepa
ratio
n,
in
acco
rdan
ce w
ith F
EMA
, DH
S an
d N
IST
guid
ance
.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
sepa
ratio
n fr
om F
EMA
.
FEM
A-
IT-1
0-23
In
FY
2010
, w
e de
term
ined
th
at
whi
le
chan
ge
man
agem
ent
proc
edur
es
have
be
en
deve
lope
d an
d im
plem
ente
d fo
r app
licat
ions
hos
ted
by th
e N
FIP
LAN
, in
clud
ing
Trav
erse
, the
doc
umen
ted
proc
edur
es d
o no
t sp
ecifi
cally
add
ress
pat
ch m
anag
emen
t po
licie
s an
d pr
oced
ures
for t
he N
FIP
LAN
in a
ccor
danc
e w
ith D
HS
requ
irem
ents
. Sp
ecifi
cally
, con
trols
ove
r the
app
rova
l, te
stin
g, a
nd d
eplo
ymen
t of
ope
ratin
g sy
stem
pat
ches
ar
e no
t add
ress
ed.
We
reco
mm
end
that
FE
MA
O
CIO
an
d N
FIP
man
agem
ent
final
ize
and
impl
emen
t co
mpr
ehen
sive
pa
tch
man
agem
ent
polic
ies
and
proc
edur
es f
or t
he
NFI
P LA
N s
uppo
rting
Tra
vers
e, i
n ac
cord
ance
with
D
HS
polic
y.
Add
ition
ally
, FE
MA
an
d N
FIP
man
agem
ent
shou
ld
ensu
re
that
th
ese
proc
edur
es
incl
ude
requ
irem
ents
fo
r au
thor
izin
g,
test
ing,
an
d ap
prov
ing
patc
hes
to b
e im
plem
ente
d in
to p
rodu
ctio
n an
d re
spon
ding
to D
HS
Secu
rity
Ope
ratio
ns C
ente
r and
D
HS
EOC
not
ifica
tions
to e
nsur
e co
mpl
ianc
e w
ith th
e tim
ely
impl
emen
tatio
n of
requ
ired
patc
hes.
X
2
FEM
A-
IT-1
0-24
Dur
ing
FY 2
010,
we
note
d th
at w
eakn
esse
s ov
er t
he
Cer
tific
atio
n an
d A
ccre
dita
tion
(C&
A)
of
NFI
P co
ntin
ue to
exi
st.
Spec
ifica
lly,
�FE
MA
ap
prov
ed
Con
ditio
nal
ATO
s fo
r th
e N
FIP/
LSS
on M
ay 2
2, 2
009
and
Aug
ust 2
0, 2
010
for t
wo
one-
year
per
iods
. H
owev
er, w
e no
ted
that
in
the
abse
nce
of a
ful
l ATO
, DH
S po
licy
allo
ws
“int
erim
” A
TOs
only
for
sys
tem
s th
at a
re e
ither
un
der
deve
lopm
ent
test
ing
or i
n th
e pr
otot
ype
phas
e of
dev
elop
men
t, no
t op
erat
iona
l sy
stem
s su
ch a
s th
e N
FIP/
LSS.
A
dditi
onal
ly,
“int
erim
” A
TOs
cann
ot e
xcee
d tw
o co
nsec
utiv
e si
x-m
onth
pe
riods
.
�D
urin
g th
e in
itial
Con
ditio
nal
ATO
per
iod
that
be
gan
on M
ay 2
2, 2
009,
FEM
A d
id n
ot c
ompl
ete
C&
A e
ffor
ts,
incl
udin
g th
e ris
k as
sess
men
t an
d se
curit
y te
stin
g an
d ev
alua
tion
(ST&
E) n
eede
d to
fu
lly a
sses
s ris
k as
soci
ated
with
the
syst
em, s
o th
at
a fu
ll A
TO c
ould
be
issu
ed.
Con
sequ
ently
, fro
m
May
20
10,
whe
n th
e in
itial
C
ondi
tiona
l A
TO
expi
red,
thr
ough
Aug
ust
2010
whe
n th
e se
cond
C
ondi
tiona
l A
TO
was
ap
prov
ed,
the
syst
em
We
reco
mm
end
that
NFI
P co
ntin
ue t
o w
ork
with
the
FE
MA
O
CIO
to
co
mpl
ete
the
rece
rtific
atio
n an
d ac
cred
itatio
n of
the
NFI
P Le
gacy
Ser
vice
s Sy
stem
(L
SS),
incl
udin
g do
cum
enta
tion
of a
ll re
quire
d ar
tifac
ts
in
acco
rdan
ce
with
ap
plic
able
D
HS
polic
ies
and
Fede
ral g
uida
nce.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
oper
ated
with
out a
ny a
utho
rizat
ion.
�D
urin
g ou
r int
egra
ted
audi
t fie
ldw
ork
perio
d, N
FIP
was
una
ble
to p
rovi
de u
s w
ith e
vide
nce
that
C&
A
activ
ities
req
uire
d to
be
perf
orm
ed f
or a
ful
l ATO
to
be
gran
ted
had
been
com
plet
ed.
FEM
A-
IT-1
0-25
Dur
ing
the
FY 2
010
FEM
A In
tegr
ated
Aud
it, w
e no
ted
that
the
follo
win
g co
nditi
ons
rela
ted
to m
anag
emen
t of
FEM
A V
PN a
ccou
nts c
ontin
ue to
exi
st:
�Th
e V
PN R
ules
of
Beh
avio
r fo
r U
sers
Beh
ind
Cor
pora
te
Fire
wal
ls,
date
d D
ecem
ber
5,
2002
, re
quire
s in
divi
dual
’s
man
ager
ap
prov
al
and
Ente
rpris
e Se
rvic
e D
esk
(ESD
) va
lidat
ion
of a
ll V
PN
Acc
ess
Req
uest
fo
rms
prio
r to
gr
antin
g ac
cess
. H
owev
er, a
ppro
val b
y th
e sy
stem
ow
ner o
r a
desi
gnat
ed re
pres
enta
tive
is n
ot re
quire
d.
�V
PN A
cces
s R
eque
st f
orm
s in
clud
e an
app
rova
l bl
ock
title
d “F
or F
EMA
OC
S U
se O
nly,
” an
d th
e fo
rm st
ates
that
all
VPN
requ
ests
mus
t be
appr
oved
by
the
FEM
A O
ffic
e of
Cyb
er S
ecur
ity (
OC
S).
How
ever
, OC
S do
es n
ot c
urre
ntly
exi
st a
s a F
EMA
D
ivis
ion
due
to
FEM
A’s
re
orga
niza
tion.
C
onse
quen
tly, e
xist
ing
polic
ies
and
proc
edur
es d
o no
t re
flect
th
e cu
rren
t se
curit
y m
anag
emen
t st
ruct
ure
at
FEM
A
nor
do
they
as
sign
re
spon
sibi
lity
to a
cur
rent
ent
ity w
ithin
the
agen
cy.
�A
per
iodi
c re
certi
ficat
ion
of F
EMA
VPN
acc
ess
acco
unts
is n
ot c
urre
ntly
per
form
ed to
ens
ure
that
re
mot
e ac
cess
is s
till n
eces
sary
and
app
ropr
iate
for
each
indi
vidu
al.
�O
f the
sel
ectio
n of
45
VPN
Acc
ess
Req
uest
form
s re
view
ed:
�Tw
o di
d no
t sp
ecify
the
dat
e th
at a
cces
s w
as
�R
evis
e an
d im
plem
ent
curr
ent
polic
ies
and
proc
edur
es
for
docu
men
ting,
re
view
ing,
an
d ap
prov
ing
all r
emot
e ac
cess
acc
ount
s to
the
FEM
A
LAN
in
clud
ing
VPN
an
d iP
ass
acce
ss.
Spec
ifica
lly,
role
s an
d re
spon
sibi
litie
s sh
ould
be
defin
ed t
o en
sure
tha
t su
ffic
ient
res
ourc
es a
re
dedi
cate
d to
app
ropr
iate
ly a
utho
rize
acco
unts
on
beha
lf of
the
syst
em o
wne
r or
a d
esig
nee
prio
r to
gr
antin
g re
mot
e ac
cess
, ac
cord
ing
to F
EMA
and
D
HS
polic
y.
�D
evel
op a
nd im
plem
ent p
olic
ies
and
proc
edur
es to
pe
rfor
m a
per
iodi
c re
certi
ficat
ion
of a
ll re
mot
e us
er
acce
ss a
nd re
tain
aud
itabl
e re
cord
s as e
vide
nce
that
re
certi
ficat
ions
are
con
duct
ed a
nd c
ompl
eted
in
acco
rdan
ce w
ith D
HS
and
FEM
A p
olic
y.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
appr
oved
by
the
requ
esto
r’s s
uper
viso
r.
�Th
ree
wer
e gr
ante
d su
perv
isor
y ap
prov
al a
fter
VPN
acc
ess w
as e
stab
lishe
d fo
r the
use
r.
�Th
e se
ctio
n of
eac
h fo
rm th
at re
quire
d “O
CS”
le
vel r
evie
w a
nd a
ppro
val w
as n
ot c
ompl
eted
.
Add
ition
ally
, w
e co
nduc
ted
furth
er
test
wor
k ov
er
rem
ote
acce
ss g
rant
ed th
roug
h th
e iP
ass
utili
ty, w
hich
is
use
d to
pro
vide
dia
l-up
acce
ss to
the
FEM
A n
etw
ork
via
the
VPN
gat
eway
. Th
is a
cces
s is
man
aged
thro
ugh
a se
para
te a
cces
s au
thor
izat
ion
proc
ess
from
VPN
. D
urin
g ou
r te
stw
ork,
we
note
d th
e fo
llow
ing
new
co
nditi
ons i
n FY
201
0 re
late
d to
man
agem
ent o
f acc
ess
to iP
ass:
�W
hile
iPas
s U
ser A
gree
men
t for
ms
requ
ire S
ectio
n C
hief
(or
equ
ival
ent)
appr
oval
and
IT
certi
ficat
ion
for
iPas
s re
mot
e ac
cess
, req
uest
s ar
e no
t app
rove
d by
th
e sy
stem
ow
ner
or
a de
sign
ated
re
pres
enta
tive,
as
re
quire
d by
D
HS
polic
y.
Add
ition
ally
, pol
icie
s an
d pr
oced
ures
do
not e
xist
re
late
d to
the
gran
ting
and
man
agem
ent o
f use
rs o
f th
e iP
ass r
emot
e di
al-u
p ut
ility
.
�O
f the
sel
ectio
n of
45
iPas
s U
ser A
gree
men
t for
ms
revi
ewed
:
�Th
ree
did
not s
peci
fy th
e da
te th
at a
cces
s w
as
appr
oved
by
the
requ
esto
r’s
sect
ion
chie
f (o
r eq
uiva
lent
).
�O
ne w
as g
rant
ed s
uper
viso
ry a
ppro
val
afte
r V
PN a
cces
s was
est
ablis
hed
for t
he u
ser.
�O
ne w
as g
rant
ed s
uper
viso
ry a
ppro
val
by t
he
sam
e in
divi
dual
th
at
the
requ
este
d V
PN
acco
unt
was
fo
r, in
dica
ting
a vi
olat
ion
of
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 7
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
segr
egat
ion
of
dutie
s in
th
e m
anag
emen
t re
view
and
app
rova
l of
inf
orm
atio
n sy
stem
ac
cess
.
FEM
A-
IT-1
0-26
The
follo
win
g w
eakn
esse
s no
ted
in F
Y 2
009
cont
inue
to
exi
st in
FY
201
0:
�IF
MIS
-Mer
ger
appl
icat
ion
user
acc
ount
s w
ere
not
prop
erly
app
rove
d or
aut
horiz
ed.
Spec
ifica
lly,
of
the
25 a
ctiv
e ap
plic
atio
n us
ers
sele
cted
for r
evie
w,
FEM
A
was
un
able
to
pr
ovid
e do
cum
ente
d ev
iden
ce t
hat
initi
al a
ccou
nt c
reat
ion
or t
he m
ost
rece
nt m
odifi
catio
ns t
o ac
coun
t pr
ivile
ges
for
6 ac
coun
ts w
ere
auth
oriz
ed.
�Po
licie
s an
d pr
oced
ures
ove
r th
e m
anag
emen
t of
ac
coun
ts o
n th
e IF
MIS
-Mer
ger O
racl
e da
taba
se d
o no
t spe
cify
requ
irem
ents
for p
erfo
rmin
g a
perio
dic
rece
rtific
atio
n of
dat
abas
e ac
coun
ts to
val
idat
e th
e co
ntin
ued
appr
opria
tene
ss o
f acc
ess.
�IF
MIS
-Mer
ger O
racl
e da
taba
se u
ser a
ccou
nts
wer
e no
t pro
perly
app
rove
d or
aut
horiz
ed. S
peci
fical
ly,
of t
he e
ight
act
ive
data
base
use
rs s
elec
ted
for
revi
ew,
appr
oval
for
six
use
r ac
coun
ts w
as n
ot
docu
men
ted
prio
r to
cr
eatio
n of
th
e ac
coun
ts.
App
rova
l w
as n
ot d
ocum
ente
d fo
r th
ese
acco
unts
un
til a
fter t
he a
udit
requ
est f
or d
ocum
enta
tion
was
re
ceiv
ed.
�Th
e FY
20
10
rece
rtific
atio
n of
IF
MIS
-Mer
ger
Ora
cle
data
base
us
er
acco
unts
w
as
neith
er
com
plet
ed
cons
iste
ntly
no
r in
ac
cord
ance
w
ith
FEM
A
polic
y.
Spec
ifica
lly,
we
requ
este
d a
sele
ctio
n of
rec
ertif
icat
ion
form
s fo
r 8
IFM
IS-
Mer
ger d
atab
ase
user
acc
ount
s an
d de
term
ined
that
3
wer
e gr
ante
d to
con
tract
ors,
but C
OTR
app
rova
l
�Id
entif
y an
d im
plem
ent
appr
opria
te
mon
itorin
g co
ntro
ls
to
ensu
re
com
plia
nce
with
in
itial
au
thor
izat
ion
and
mod
ifica
tion
requ
irem
ents
for
ac
coun
ts o
n th
e IF
MIS
-Mer
ger a
pplic
atio
n.
�D
ocum
ent
polic
ies
and
proc
edur
es
over
th
e pe
riodi
c re
certi
ficat
ion
of
all
acco
unts
on
th
e IF
MIS
-Mer
ger d
atab
ase.
�
Ded
icat
e re
sour
ces
to f
ully
impl
emen
t FEM
A a
nd
DH
S re
quire
men
ts
for
a re
certi
ficat
ion
of
all
IFM
IS-M
erge
r dat
abas
e ac
coun
ts a
t lea
st a
nnua
lly,
incl
udin
g re
voki
ng a
cces
s fo
r an
y ac
coun
ts n
ot
curr
ently
in
co
mpl
ianc
e w
ith
the
annu
al
rece
rtific
atio
n.
�Id
entif
y an
d im
plem
ent
appr
opria
te
mon
itorin
g co
ntro
ls
to
ensu
re
com
plia
nce
with
in
itial
au
thor
izat
ion,
m
odifi
catio
n,
and
perio
dic
rece
rtific
atio
n re
quire
men
ts f
or a
ccou
nts
on t
he
IFM
IS-M
erge
r dat
abas
e.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
0
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
was
not
doc
umen
ted.
FEM
A-
IT-1
0-27
As
note
d du
ring
the
FY 2
009
audi
t, th
e fo
llow
ing
wea
knes
ses
in
G&
T IF
MIS
O
racl
e da
taba
se
user
ac
coun
t pa
ssw
ord
cont
rols
con
tinue
d to
exi
st i
n FY
20
10:
�W
e de
term
ined
th
at
FEM
A
perf
orm
ed
man
ual
revi
ews
of in
activ
e G
&T
IFM
IS d
atab
ase
acco
unts
on
a m
onth
ly b
asis
to d
isab
le a
ccou
nts
whi
ch h
ad
not b
een
used
in th
e pr
ior 9
0 da
ys.
How
ever
, sin
ce
G&
T IF
MIS
is
ca
tego
rized
as
a
high
im
pact
sy
stem
, re
view
s ar
e re
quire
d to
dis
able
acc
ount
s th
at h
ave
been
ina
ctiv
e fo
r 45
day
s, ac
cord
ing
to
DH
S po
licy.
�Th
e G
&T
IFM
IS d
atab
ase
acco
unt s
ecur
ity p
olic
y di
d no
t en
forc
e pa
ssw
ord
requ
irem
ents
in
ac
cord
ance
with
DH
S po
licy.
Spe
cific
ally
:
�Th
e da
taba
se
did
not
enfo
rce
a pa
ssw
ord
hist
ory
or p
reve
nt re
use
of p
assw
ords
.
�Th
e da
taba
se
did
not
enfo
rce
com
plex
ity
requ
irem
ents
, in
clud
ing
defin
ition
of
a
pass
wor
d ve
rific
atio
n fu
nctio
n to
ens
ure
stro
ng
pass
wor
ds a
re u
sed.
Sp
ecifi
cally
, pa
ssw
ord
leng
th a
nd re
quire
men
ts o
ver t
he u
se o
f mix
ed-
case
, al
phan
umer
ic a
nd s
peci
al c
hara
cter
s to
en
forc
e re
stric
tions
ove
r th
e us
e of
dic
tiona
ry
wor
ds, a
re n
ot d
efin
ed.
�Th
e da
taba
se
did
not
enfo
rce
pass
wor
d ex
pira
tion
afte
r a
pred
eter
min
ed
leng
th
of
time.
�FE
MA
had
not
est
ablis
hed
a fo
rmal
pro
cess
for
ap
prov
ing
emer
genc
y an
d te
mpo
rary
acc
ess
to th
e
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
th
is f
indi
ng b
ecau
se o
f th
e de
com
mis
sion
ing
of G
&T
IFM
IS in
June
201
0.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
G&
T IF
MIS
dat
abas
e th
at is
com
plia
nt w
ith D
HS
requ
irem
ents
. Sp
ecifi
cally
, em
erge
ncy
and
tem
pora
ry a
cces
s to
the
dat
abas
e fo
r in
divi
dual
s w
ith
elev
ated
pr
ivile
ges,
incl
udin
g ac
cess
fo
r co
ntra
ctor
dev
elop
men
t per
sonn
el, i
s ap
prov
ed b
y th
e Fi
nanc
ial S
yste
ms
Sect
ion
(FSS
) C
hief
and
/or
his/
her s
taff
, not
by
the
FEM
A C
ISO
or a
des
igne
e,
as re
quire
d by
DH
S po
licy.
Add
ition
ally
, a fo
rmal
pr
oces
s sp
ecifi
cally
add
ress
ing
proc
edur
es f
or t
he
gran
ting
of t
empo
rary
acc
ess
to t
he d
atab
ase
and
ensu
ring
that
acc
ess
is re
mov
ed in
a ti
mel
y m
anne
r w
as n
ot d
ocum
ente
d w
ithin
exi
stin
g IF
MIS
acc
ess
cont
rol p
olic
ies
and
proc
edur
es.
Furth
erm
ore,
we
dete
rmin
ed t
hat
thro
ugh
this
pro
cess
the
G&
T IF
MIS
Ora
cle
data
base
ac
cess
w
as g
rant
ed
to
cont
ract
ed
deve
lopm
ent
pers
onne
l in
or
der
to
impl
emen
t da
taba
se
chan
ges
to
G&
T IF
MIS
, w
hich
con
tinue
s to
con
flict
with
seg
rega
tion
of
dutie
s prin
cipl
es.
Whi
le w
e no
ted
that
the
mer
ger o
f the
G&
T IF
MIS
and
C
ore
IFM
IS i
nsta
nces
occ
urre
d in
Feb
ruar
y 20
10 a
nd
the
exis
ting
G&
T IF
MIS
O
racl
e da
taba
se
was
de
com
mis
sion
ed i
n Ju
ne 2
010,
the
wea
knes
ses
note
d ex
iste
d fo
r the
maj
ority
of t
he fi
scal
yea
r.
FEM
A-
IT-1
0-28
Wea
knes
ses n
oted
in F
Y 2
009
over
C&
A o
f the
FEM
A
LAN
an
d su
bsys
tem
s th
at
host
in
-sco
pe
finan
cial
ap
plic
atio
ns c
ontin
ue to
exi
st in
FY
201
0. D
urin
g ou
r FY
201
0 au
dit,
we
note
d th
at F
EMA
has
cla
ssifi
ed
regi
onal
LA
Ns a
s sub
syst
ems a
nd in
clud
ed th
em w
ithin
th
e de
fined
sys
tem
bou
ndar
y of
the
FEM
A S
witc
hed
Net
wor
k (F
SN)-
2. W
e no
ted
the
follo
win
g w
eakn
esse
s in
the
C&
A o
f th
e FS
N-2
Gen
eral
Sup
port
Syst
em
(GSS
) tha
t inc
lude
s the
FEM
A L
AN
s:
�Th
e FS
N-2
GSS
C
&A
was
no
t co
mpl
eted
in
�C
ontin
ue
to
fully
id
entif
y an
d de
coup
le
all
com
pone
nts
of
the
FSN
-2
plat
form
, in
clud
ing
regi
onal
LA
Ns
and
Gen
eral
Su
ppor
t Sy
stem
s, w
hich
hos
t or
sup
port
IFM
IS a
nd N
EMIS
, an
d pe
rfor
m a
ll re
quire
d C
ertif
icat
ion
& A
ccre
dita
tion
activ
ities
ove
r ea
ch c
ompo
nent
as
requ
ired
by
DH
S po
licy
and
NIS
T gu
idan
ce.
�Fo
rmal
ly
assi
gn
and
docu
men
t se
curit
y re
spon
sibi
litie
s fo
r al
l co
mpo
nent
s of
the
FSN
-2
plat
form
, in
clud
ing
regi
onal
LA
Ns
and
Gen
eral
Su
ppor
t Sy
stem
s, w
hich
hos
t or
sup
port
IFM
IS
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
com
plia
nce
with
DH
S an
d N
IST
requ
irem
ents
and
ha
s no
t be
en u
pdat
ed t
o ac
cura
tely
ref
lect
the
cu
rren
t GSS
env
ironm
ent.
Spe
cific
ally
:
�Th
e au
thor
izin
g of
ficia
ls a
nd in
divi
dual
s no
ted
as
resp
onsi
ble
for
the
secu
rity
role
s fo
r m
ultip
le r
egio
nal
LAN
s an
d su
bsys
tem
s ar
e no
t acc
urat
ely
refle
cted
in th
e SS
P in
clud
ed in
th
e C
&A
pac
kage
as
empl
oyee
s w
ith s
peci
fied
role
s no
long
er w
ork
for F
EMA
in th
e ca
paci
ty
note
d.
�W
hile
th
e M
aryl
and
Nat
iona
l Pr
oces
sing
Se
rvic
e C
ente
r is
iden
tifie
d as
a s
ubsy
stem
in
the
over
arch
ing
FSN
-2 G
SS C
&A
pac
kage
SS
P, C
&A
act
iviti
es h
ave
not b
een
perf
orm
ed
over
this
subs
yste
m.
�D
HS
polic
y re
quire
s an
nual
te
stin
g of
IT
co
ntin
genc
y pl
ans
for
info
rmat
ion
syst
ems
with
a h
igh
impa
ct a
vaila
bilit
y ca
tego
rizat
ion,
su
ch a
s th
e FS
N-2
GSS
. H
owev
er, t
he m
ost
rece
nt t
est
of t
he F
SN-2
IT
cont
inge
ncy
plan
w
as p
erfo
rmed
and
doc
umen
ted
durin
g FY
20
08.
�D
HS
polic
y re
quire
s th
at r
isk
asse
ssm
ents
be
cond
ucte
d fo
r in
form
atio
n sy
stem
s no
les
s fr
eque
ntly
tha
n ev
ery
thre
e ye
ars.
How
ever
, th
e m
ost r
ecen
t ST&
E w
as d
ocum
ente
d du
ring
FY 2
006.
�Th
e m
ost r
ecen
t ATO
gra
nted
by
the
FEM
A C
IO
expi
red
on J
anua
ry 2
2, 2
010,
and
the
FSN
-2 G
SS
is c
urre
ntly
ope
ratin
g w
ithou
t au
thor
izat
ion
from
FE
MA
man
agem
ent.
�A
lthou
gh t
he C
&A
pac
kage
ref
eren
ces
vario
us
and
NEM
IS.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
subs
yste
ms
supp
ortin
g an
d ho
stin
g IF
MIS
an
d N
EMIS
, FE
MA
m
anag
emen
t w
as
unab
le
to
iden
tify
and
conf
irm
the
FSN
-2
subs
yste
ms
(incl
udin
g re
gion
al L
AN
s) th
at h
ost t
he p
rodu
ctio
n se
rver
s fo
r N
EMIS
an
d IF
MIS
ap
plic
atio
ns.
Con
sequ
ently
, we
wer
e un
able
to
test
the
hos
ting
envi
ronm
ent
supp
ortin
g fin
anci
al a
pplic
atio
ns i
n-sc
ope
for t
he F
Y 2
010
envi
ronm
ent.
FEM
A-
IT-1
0-29
Dur
ing
the
FY 2
009
FEM
A In
tegr
ated
Aud
it, w
e no
ted
that
a C
&A
of
PAR
S ha
d no
t bee
n pe
rfor
med
and
the
syst
em h
ad n
ot r
ecei
ved
an A
TO s
ince
bec
omin
g op
erat
iona
l in
th
e FE
MA
en
viro
nmen
t.
Whi
le
impr
ovem
ents
wer
e no
ted
in t
his
cond
ition
for
FY
20
10,
we
dete
rmin
ed
that
th
e fo
llow
ing
C&
A
wea
knes
ses o
ver P
AR
S co
ntin
ue to
exi
st:
In F
Y 2
010,
the
PA
RS
data
base
was
inc
lude
d w
ithin
th
e ac
cred
itatio
n bo
unda
ry
for
the
IFM
IS-M
erge
r sy
stem
, w
hich
was
gra
nted
an
ATO
in
June
201
0.
How
ever
, prio
r to
that
dat
e, th
e PA
RS
data
base
was
not
ce
rtifie
d an
d ac
cred
ited
and
cons
eque
ntly
, op
erat
ed
with
out a
n A
TO fo
r the
maj
ority
of F
Y 2
010.
�A
ll ot
her
syst
em c
ompo
nent
s of
PA
RS,
incl
udin
g th
e w
eb
and
appl
icat
ion
serv
ers,
cont
inue
d to
op
erat
e w
ithou
t an
ATO
, and
evi
denc
e th
at C
&A
ef
forts
fo
r th
ese
com
pone
nts
of
PAR
S w
ere
com
plet
ed a
nd a
ppro
ved
by F
EMA
man
agem
ent
coul
d no
t be
obt
aine
d fr
om F
EMA
for
rev
iew
du
ring
the
FY 2
010
audi
t.
�A
t th
e tim
e of
our
tes
t pr
oced
ures
, an
ISS
O h
ad
not
been
fo
rmal
ly
desi
gnat
ed
by
FEM
A
man
agem
ent
for
the
PAR
S w
eb
serv
er
and
appl
icat
ion.
Whi
le w
e w
ere
info
rmed
by
FEM
A IT
Se
curit
y M
anag
emen
t tha
t the
PA
RS
data
base
was
ad
min
iste
red
by a
n IS
SO u
nder
the
Cor
e IF
MIS
,
�Fo
rmal
ly d
esig
nate
an
ISSO
for
the
PA
RS
web
se
rver
and
app
licat
ion
envi
ronm
ent.
�C
ertif
y an
d ac
cred
it th
e PA
RS
web
ser
ver
and
appl
icat
ion
envi
ronm
ent,
incl
udin
g do
cum
enta
tion
of
all
requ
ired
artif
acts
in
ac
cord
ance
w
ith
appl
icab
le D
HS
polic
ies a
nd F
eder
al g
uida
nce.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
we
dete
rmin
ed t
hat
no f
orm
al d
esig
natio
n of
thi
s re
spon
sibi
lity
was
ass
igne
d un
til F
Y 2
010
beca
use
the
PAR
S da
taba
se w
as n
ot in
clud
ed in
the
C&
A
boun
dary
fo
r C
ore
IFM
IS
and
no
addi
tiona
l de
sign
atio
n le
tters
wer
e is
sued
. A
s a
resu
lt, t
he
PAR
S da
taba
se d
id n
ot h
ave
a fo
rmal
des
igna
tion
of s
ecur
ity r
espo
nsib
ilitie
s fo
r th
e m
ajor
ity o
f th
e fis
cal y
ear.
FEM
A-
IT-1
0-30
As
note
d du
ring
the
FY 2
009
audi
t re
late
d to
Cor
e IF
MIS
, w
e de
term
ined
th
at
wea
knes
ses
over
th
e au
thor
izat
ion
of e
mer
genc
y an
d te
mpo
rary
acc
ess
to
the
IFM
IS –
Mer
ger
Ora
cle
data
base
con
tinue
to e
xist
in
FY
201
0. S
peci
fical
ly, F
EMA
has
not
est
ablis
hed
a fo
rmal
pr
oces
s fo
r ap
prov
ing
emer
genc
y an
d te
mpo
rary
acc
ess
to th
e IF
MIS
-Mer
ger d
atab
ase
that
is
com
plia
nt w
ith D
HS
requ
irem
ents
. D
urin
g ou
r FY
20
10
test
ing,
w
e de
term
ined
th
at
emer
genc
y an
d te
mpo
rary
acc
ess
to t
he d
atab
ase
for
indi
vidu
als
with
el
evat
ed p
rivile
ges,
incl
udin
g ac
cess
for
con
tract
or
deve
lopm
ent
pers
onne
l, is
app
rove
d by
the
Fin
anci
al
Syst
ems
Sect
ion
(FSS
) C
hief
and
/or
his/
her
staf
f, no
t by
the
FEM
A C
ISO
or a
des
igne
e, a
s re
quire
d by
DH
S po
licy.
A
dditi
onal
ly,
a fo
rmal
pr
oces
s sp
ecifi
cally
ad
dres
sing
pro
cedu
res
for
the
gran
ting
of t
empo
rary
ac
cess
to
the
data
base
and
ens
urin
g th
at a
cces
s is
re
mov
ed in
a ti
mel
y m
anne
r ha
s no
t bee
n do
cum
ente
d w
ithin
exi
stin
g IF
MIS
-Mer
ger
acce
ss c
ontro
l po
licie
s an
d pr
oced
ures
.
Furth
erm
ore,
we
dete
rmin
ed t
hat
thro
ugh
this
pro
cess
th
e IF
MIS
-Mer
ger O
racl
e da
taba
se a
cces
s is
gra
nted
to
cont
ract
ed
deve
lopm
ent
pers
onne
l in
or
der
to
impl
emen
t da
taba
se c
hang
es t
o IF
MIS
-Mer
ger,
whi
ch
cont
inue
s to
co
nflic
t w
ith
segr
egat
ion
of
dutie
s pr
inci
ples
.
We
reco
mm
end
that
FEM
A d
ocum
ent a
nd im
plem
ent a
fo
rmal
pro
cess
for
gra
ntin
g em
erge
ncy
and
tem
pora
ry
acce
ss t
o th
e IF
MIS
-Mer
ger
data
base
tha
t in
clud
es
guid
ance
ove
r al
l ty
pes
of a
ccou
nts
auth
oriz
ed f
or
tem
pora
ry a
nd e
mer
genc
y ac
cess
, seg
rega
tion
of d
utie
s co
nsid
erat
ions
, an
d ap
prop
riate
app
rova
l fr
om F
EMA
m
anag
emen
t in
acco
rdan
ce w
ith D
HS
polic
y.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
FEM
A-
IT-1
0-31
Dur
ing
our
unan
noun
ced
enha
nced
sec
urity
tes
ting
perf
orm
ed d
urin
g th
e FY
201
0 in
tegr
ated
aud
it, w
e no
ted
that
the
FEM
A S
ecur
ity O
pera
tion
Cen
ter (
SOC
) pr
oact
ivel
y tra
cked
and
rep
orte
d in
cide
nts
rela
ted
to
soci
al
engi
neer
ing
atte
mpt
s pe
rfor
med
at
FE
MA
he
adqu
arte
rs a
nd re
gion
al o
ffic
es th
roug
h im
plem
ente
d ad
hoc
pro
cess
es. H
owev
er, w
eakn
esse
s no
ted
durin
g th
e FY
20
09
inte
grat
ed
audi
t re
late
d to
FE
MA
’s
inci
dent
res
pons
e pr
ogra
m c
ontin
ue t
o ex
ist
in F
Y
2010
.
Spec
ifica
lly,
stan
dard
op
erat
ing
proc
edur
es
for
the
man
agem
ent
of F
EMA
IT
secu
rity
inci
dent
s ha
ve n
ot
been
for
mal
ly a
ppro
ved
and
impl
emen
ted
by F
EMA
m
anag
emen
t. C
onse
quen
tly,
FEM
A
has
not
impl
emen
ted
DH
S po
licy
requ
irem
ents
to
esta
blis
h a
docu
men
ted
and
form
ally
app
rove
d co
mpo
nent
-leve
l in
cide
nt r
espo
nse
fram
ewor
k or
cap
abili
ty,
incl
udin
g ro
les,
resp
onsi
bilit
ies,
and
proc
esse
s re
late
d to
the
id
entif
icat
ion,
eva
luat
ion,
and
reso
lutio
n of
all
secu
rity
inci
dent
s.
We
reco
mm
end
that
FEM
A f
orm
ally
app
rove
and
im
plem
ent p
roce
dure
s fo
r man
agin
g se
curit
y in
cide
nts.
Spec
ifica
lly,
proc
edur
es s
houl
d cl
early
out
line
role
s an
d re
spon
sibi
litie
s re
quire
d to
mai
ntai
n a
cont
inuo
us
inci
dent
re
spon
se
capa
bilit
y an
d de
fine
proc
esse
s re
late
d to
the
iden
tific
atio
n, e
valu
atio
n, a
nd r
esol
utio
n of
all
secu
rity
inci
dent
s, as
req
uire
d by
DH
S an
d FE
MA
pol
icy.
X
3
FEM
A-
IT-1
0-32
In F
Y 2
009,
we
iden
tifie
d w
eakn
esse
s ov
er F
EMA
’s
patc
h m
anag
emen
t pro
gram
as
it re
late
s to
Cor
e IF
MIS
an
d G
&T
IFM
IS.
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
w
e de
term
ined
tha
t w
hile
FEM
A h
as f
inal
ized
and
fo
rmal
ly i
mpl
emen
ted
the
FEM
A O
ffice
of
the
Chi
ef
Info
rmat
ion
Offi
cer
(OC
IO)
Stan
dard
O
pera
ting
Proc
edur
e (S
OP)
for V
ulne
rabi
lity
Patc
h M
anag
emen
t, th
e SO
P w
as
not
appr
oved
un
til
Apr
il 8,
20
10.
Con
sequ
ently
, FE
MA
did
not
hav
e a
form
al p
atch
m
anag
emen
t pr
oced
ure
appl
icab
le
to
the
IFM
IS
envi
ronm
ents
for
a m
ajor
ity o
f th
e fis
cal
year
. Giv
en
the
timin
g of
th
e SO
P’s
appr
oval
, th
e pa
tch
man
agem
ent
proc
edur
es c
ould
not
be
impl
emen
ted
whe
n G
&T
IFM
IS w
as o
pera
tiona
l as
it
was
mer
ged
with
Cor
e IF
MIS
in F
ebru
ary
2010
.
We
reco
mm
end
that
FEM
A f
urth
er d
edic
ate
reso
urce
s to
do
cum
ent
and
fully
im
plem
ent
com
preh
ensi
ve
syst
em-s
peci
fic
patc
h m
anag
emen
t pr
oced
ures
to
en
sure
th
at
IFM
IS-M
erge
r op
erat
ing
syst
em
and
data
base
pat
ches
are
tes
ted
and
depl
oyed
in
a tim
ely
man
ner,
in a
ccor
danc
e w
ith D
HS
and
FEM
A p
olic
y.
No
corr
ectiv
e ac
tion
spec
ific
to t
he p
ortio
n of
thi
s fin
ding
re
late
d to
G
&T
IFM
IS
will
be
pr
ovid
ed
beca
use
of th
e de
com
mis
sion
ing
of th
at s
yste
m in
Jun
e 20
10.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Add
ition
ally
, we
dete
rmin
ed th
at F
EMA
has
not
ful
ly
and
cons
iste
ntly
im
plem
ente
d th
e re
quire
men
ts a
nd
proc
edur
es d
ocum
ente
d in
the
SOP
for
IFM
IS-M
erge
r in
acc
orda
nce
with
FEM
A a
nd D
HS
guid
ance
.
FEM
A-
IT-1
0-33
Wea
knes
ses
note
d in
FY
20
09
over
FE
MA
’s
info
rmat
ion
secu
rity
vuln
erab
ility
m
anag
emen
t pr
ogra
m a
s it
rela
tes
to N
EMIS
con
tinue
to e
xist
in F
Y
2010
. Sp
ecifi
cally
:
�FE
MA
doe
s no
t ha
ve d
ocum
ente
d an
d ap
prov
ed
proc
edur
es
that
es
tabl
ish
form
al
requ
irem
ents
, pr
oces
ses,
and
resp
onsi
bilit
ies
for
perf
orm
ing
regu
lar v
ulne
rabi
lity
scan
s of N
EMIS
.
�Th
e lis
t of N
EMIS
serv
ers c
urre
ntly
scan
ned
by th
e SO
C i
s in
com
plet
e an
d do
es n
ot r
epre
sent
the
cu
rren
t N
EMIS
sys
tem
bou
ndar
y as
def
ined
by
syst
em
owne
rs
and
IT
secu
rity
man
agem
ent.
Add
ition
ally
, N
EMIS
sy
stem
ow
ners
ar
e no
t re
ceiv
ing
listin
gs o
f al
l vu
lner
abili
ties
note
d on
th
eir
syst
em
com
pone
nts
to
ensu
re
corr
ectiv
e ac
tion
is tr
acke
d an
d re
med
iate
d.
�C
orre
ctiv
e ac
tion
over
vul
nera
bilit
ies
iden
tifie
d th
roug
h SO
C in
tern
al s
cans
of
NEM
IS p
rodu
ctio
n se
rver
s is
not
for
mal
ly t
rack
ed v
ia t
he P
lan
of
Act
ions
&
M
ilest
ones
(P
OA
&M
) pr
oces
s, as
re
quire
d by
DH
S po
licy.
�Es
tabl
ish
and
impl
emen
t do
cum
ente
d pr
oced
ures
th
at d
efin
e fo
rmal
req
uire
men
ts,
proc
esse
s, an
d re
spon
sibi
litie
s fo
r pe
rfor
min
g pe
riodi
c vu
lner
abili
ty s
cans
of
NEM
IS p
rodu
ctio
n se
rver
s. A
dditi
onal
ly,
ensu
re
thes
e pr
oced
ures
in
clud
e re
quire
men
ts f
or r
epor
ting
and
track
ing
reso
lutio
n of
wea
knes
ses
iden
tifie
d du
ring
inte
rnal
NEM
IS
vuln
erab
ility
sc
ans
in
acco
rdan
ce
with
D
HS
POA
&M
gui
danc
e.
�R
evis
e lis
ting
of N
EMIS
ser
vers
sca
nned
by
the
FEM
A S
OC
to
ensu
re t
hat
vuln
erab
ility
sca
ns
perf
orm
ed i
nclu
de a
ll N
EMIS
ser
vers
with
in t
he
curr
ent
oper
atin
g en
viro
nmen
t. A
dditi
onal
ly,
deve
lop
and
impl
emen
t pr
oced
ures
to
ensu
re t
hat
this
list
ing
is p
erio
dica
lly re
-eva
luat
ed a
nd u
pdat
ed
as a
ppro
pria
te.
�R
evis
e th
e SO
C d
istri
butio
n lis
ting
of N
EMIS
sy
stem
ow
ners
and
oth
er a
ppro
pria
te I
T se
curit
y m
anag
emen
t to
fu
rther
de
fine
pers
onne
l re
spon
sibl
e fo
r re
med
iatin
g an
d fo
rmal
ly t
rack
ing
all
vuln
erab
ilitie
s id
entif
ied
over
th
e va
rious
N
EMIS
com
pone
nts.
Add
ition
ally
, de
velo
p an
d im
plem
ent p
roce
dure
s to
ens
ure
that
this
list
ing
is
perio
dica
lly
re-e
valu
ated
an
d up
date
d as
ap
prop
riate
.
X
2
FEM
A-
IT-1
0-34
Wea
knes
ses
note
d in
FY
20
09
over
FE
MA
’s
info
rmat
ion
secu
rity
vuln
erab
ility
m
anag
emen
t pr
ogra
m a
s it
rela
tes
to G
&T
IFM
IS a
nd I
FMIS
-M
erge
r con
tinue
to e
xist
in F
Y 2
010.
Spe
cific
ally
:
We
reco
mm
end
that
FEM
A e
stab
lish
and
impl
emen
t do
cum
ente
d pr
oced
ures
th
at
defin
e fo
rmal
re
quire
men
ts,
proc
esse
s, an
d re
spon
sibi
litie
s fo
r pe
rfor
min
g re
gula
r vu
lner
abili
ty
scan
s of
IF
MIS
-M
erge
r. A
dditi
onal
ly,
proc
edur
es
shou
ld
incl
ude
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
�FE
MA
did
not
hav
e do
cum
ente
d an
d ap
prov
ed
proc
edur
es
that
es
tabl
ish
form
al
requ
irem
ents
, pr
oces
ses,
and
resp
onsi
bilit
ies
for
perf
orm
ing
regu
lar
vuln
erab
ility
sca
ns o
f G
&T
IFM
IS a
nd
IFM
IS-M
erge
r.
�Fo
r on
e of
the
thr
ee m
onth
s se
lect
ed f
or t
estin
g,
vuln
erab
ility
sca
ns w
ere
not
perf
orm
ed f
or t
he
G&
T IF
MIS
pro
duct
ion
serv
er.
�Fo
r al
l th
ree
mon
ths
sele
cted
fo
r te
stin
g,
vuln
erab
ilitie
s re
porte
d by
the
FEM
A S
OC
ove
r th
e G
&T
IFM
IS a
nd I
FMIS
-Mer
ger
prod
uctio
n se
rver
s w
ere
not f
orm
ally
trac
ked
via
the
POA
&M
pr
oces
s, as
requ
ired
by D
HS
polic
y.
requ
irem
ents
for
rep
ortin
g an
d tra
ckin
g re
solu
tion
of
wea
knes
ses
iden
tifie
d du
ring
inte
rnal
IFM
IS-M
erge
r vu
lner
abili
ty s
cans
in
acco
rdan
ce w
ith D
HS
POA
&M
gu
idan
ce.
No
corr
ectiv
e ac
tion
spec
ific
to t
he p
ortio
n of
thi
s fin
ding
re
late
d to
G
&T
IFM
IS
will
be
pr
ovid
ed
beca
use
of th
e de
com
mis
sion
ing
of th
at s
yste
m in
Jun
e 20
10.
FEM
A-
IT-1
0-35
In F
Y 2
009,
we
iden
tifie
d w
eakn
esse
s ov
er F
EMA
’s
patc
h m
anag
emen
t pro
gram
rela
ted
to N
EMIS
. D
urin
g th
e FY
201
0 in
tegr
ated
aud
it, w
e de
term
ined
that
whi
le
FEM
A h
as f
inal
ized
and
for
mal
ly i
mpl
emen
ted
the
FEM
A
OC
IO
SOP
for
Vul
nera
bilit
y Pa
tch
Man
agem
ent,
the
SOP
was
not
app
rove
d un
til A
pril
8,
2010
. C
onse
quen
tly,
FEM
A d
id n
ot h
ave
a fo
rmal
pa
tch
man
agem
ent p
roce
dure
app
licab
le to
the
NEM
IS
envi
ronm
ent
for
a m
ajor
ity
of
the
fisca
l ye
ar.
Add
ition
ally
, we
dete
rmin
ed th
at F
EMA
has
not
ful
ly
and
cons
iste
ntly
im
plem
ente
d th
e re
quire
men
ts a
nd
proc
edur
es d
ocum
ente
d in
the
SO
P fo
r al
l N
EMIS
co
mpo
nent
s in
ac
cord
ance
w
ith
FEM
A
and
DH
S gu
idan
ce.
We
reco
mm
end
that
FEM
A fu
rther
doc
umen
t and
fully
im
plem
ent
com
preh
ensi
ve
syst
em-s
peci
fic
patc
h m
anag
emen
t pr
oced
ures
to
en
sure
th
at
NEM
IS
oper
atin
g sy
stem
and
dat
abas
e pa
tche
s ar
e te
sted
and
de
ploy
ed in
a ti
mel
y m
anne
r, in
acc
orda
nce
with
DH
S an
d FE
MA
pol
icy.
Add
ition
ally
, th
ese
polic
ies
and
proc
edur
es
shou
ld
incl
ude
form
al
desi
gnat
ion
of
resp
onsi
bilit
ies
for
over
sigh
t an
d im
plem
enta
tion
of
requ
ired
patc
h m
anag
emen
t ac
tiviti
es f
or a
ll N
EMIS
co
mpo
nent
s to
ensu
re c
ompl
ianc
e at
the
syst
em le
vel.
X
2
FEM
A-
IT-1
0-36
Wea
knes
ses
iden
tifie
d in
FY
200
9 re
late
d to
the
test
ing
of N
EMIS
pro
duct
ion
data
base
bac
kup
tape
s co
ntin
ue
to e
xist
in F
Y 2
010.
Spe
cific
ally
:
�D
urin
g tw
o qu
arte
rs o
f FY
201
0, F
EMA
con
duct
ed
rest
orat
ion
test
s of
bac
kup
tape
s fo
r on
e sp
ecifi
c
�D
evel
op
and
impl
emen
t ba
ckup
po
licie
s an
d pr
oced
ures
to
ensu
re t
hat
all
NEM
IS c
ompo
nent
s ar
e ba
cked
up
an
d ba
ckup
m
edia
is
st
ored
in
/rota
ted
to a
n of
f-si
te fa
cilit
y ac
cord
ing
to F
EMA
an
d D
HS
requ
irem
ents
. �
Rev
ise
or
deve
lop
polic
ies
and
proc
edur
es
to
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
NEM
IS d
atab
ase
whi
le F
EMA
’s S
OP
for
Tape
B
acku
p Te
stin
g do
cum
ents
requ
irem
ents
for
the
te
stin
g of
39
da
taba
ses.
C
onse
quen
tly,
we
dete
rmin
ed
that
FE
MA
di
d no
t re
gula
rly
test
ba
ckup
tap
es c
onta
inin
g al
l N
EMIS
pro
duct
ion
data
base
dat
a du
ring
the
fisca
l yea
r.
�A
dditi
onal
ly,
whi
le w
e no
ted
that
the
Sta
ndar
d O
pera
ting
Proc
edur
e fo
r Ta
pe
Bac
kup
Test
ing
assi
gns
resp
onsi
bilit
y fo
r te
stin
g ba
ckup
tap
es i
n ac
cord
ance
with
a d
efin
ed s
ched
ule
to N
EMIS
IT
secu
rity
man
agem
ent,
adm
inis
trato
rs,
and
syst
em
owne
rs,
the
SOP
was
not
upd
ated
to
refle
ct t
he
requ
ired
sche
dule
for
per
form
ing
tape
res
tora
tion
test
s.
Furth
erm
ore,
we
note
d th
e fo
llow
ing
new
wea
knes
ses
rela
ted
to c
ontro
ls o
ver
the
perf
orm
ance
of
NEM
IS
data
base
bac
kups
:
�FE
MA
has
not
for
mal
ly d
efin
ed a
nd d
ocum
ente
d pr
oced
ures
tha
t ou
tline
pro
cess
es f
or p
erfo
rmin
g ba
ckup
s of
NEM
IS p
rodu
ctio
n da
taba
ses
and
for
rota
ting
and
phys
ical
ly s
ecur
ing
back
up ta
pes
off-
site
.
�FE
MA
w
as
unab
le
to
prov
ide
requ
este
d do
cum
enta
tion
to e
vide
nce
that
any
of
the
39
NEM
IS
prod
uctio
n da
taba
ses
iden
tifie
d in
th
e St
anda
rd O
pera
ting
Proc
edur
e fo
r Ta
pe B
acku
p Te
stin
g ar
e cu
rren
tly b
eing
bac
ked
up.
perio
dica
lly
test
an
d do
cum
ent
test
ing
of
the
NEM
IS b
acku
ps i
n co
mpl
ianc
e w
ith F
EMA
and
D
HS
requ
irem
ents
. In
addi
tion,
ens
ure
that
pol
icie
s an
d pr
oced
ures
ar
e im
plem
ente
d to
pe
rfor
m
perio
dic
rest
orat
ion
test
ing
of
all
NEM
IS
prod
uctio
n da
taba
ses
in
acco
rdan
ce
with
es
tabl
ishe
d re
quire
men
ts.
FEM
A-
IT-1
0-37
Dur
ing
our
soci
al
engi
neer
ing
test
ing,
se
vera
l pe
rson
nel p
rovi
ded
us w
ith u
ser I
Ds a
nd/o
r pas
swor
ds.
It sh
ould
be
note
d th
at s
ever
al p
erso
nnel
tha
t w
e co
ntac
ted
by
phon
e du
ring
our
soci
al
engi
neer
ing
phon
e ca
lls c
halle
nged
our
req
uest
s fo
r us
er a
cces
s
We
reco
mm
end
that
FEM
A m
anag
emen
t re
view
the
ef
fect
iven
ess
of e
xist
ing
secu
rity
awar
enes
s pr
ogra
ms
desi
gned
to
pr
otec
t “n
eed-
to-k
now
” in
form
atio
n,
incl
udin
g IT
sys
tem
acc
ess
cred
entia
ls, a
nd e
nsur
e th
at
indi
vidu
als
are
adeq
uate
ly i
nstru
cted
and
rem
inde
d of
th
eir
role
s in
th
e pr
otec
tion
of
sens
itive
sy
stem
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 8
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
cred
entia
ls b
y lo
okin
g up
our
ass
umed
nam
es i
n th
e FE
MA
di
rect
ory
to
dete
rmin
e if
we
wer
e FE
MA
pe
rson
nel,
requ
estin
g em
ploy
ee I
Ds,
aski
ng f
or h
elp
desk
tic
ket
num
bers
ass
ocia
ted
with
our
cal
ls,
and
repo
rting
our
atte
mpt
s to
supe
rvis
ors.
Whi
le in
divi
dual
s co
ntac
ted
repr
esen
ted
seve
ral o
ffic
es
in m
ultip
le F
EMA
regi
ons
as w
ell a
s H
eadq
uarte
rs, o
ur
sele
ctio
n of
ind
ivid
uals
was
not
sta
tistic
ally
der
ived
. Th
eref
ore,
we
are
unab
le t
o pr
ojec
t th
ese
resu
lts t
o FE
MA
as a
who
le.
info
rmat
ion
from
un
auth
oriz
ed
indi
vidu
als
thro
ugh
form
al,
perio
dic
com
mun
icat
ions
an
d/or
se
curit
y aw
aren
ess t
rain
ing.
FEM
A-
IT-1
0-38
Dur
ing
our
afte
r-ho
urs
phys
ical
se
curit
y te
stin
g co
nduc
ted
on J
uly
20,
2010
, w
e no
ted
inst
ance
s of
im
prop
erly
pro
tect
ed a
uthe
ntic
atio
n cr
eden
tials
, sys
tem
in
form
atio
n, in
form
atio
n te
chno
logy
ass
ets,
and
PII
in
the
faci
litie
s ins
pect
ed.
Som
e of
the
inst
ance
s of
impr
oper
ly s
ecur
ed P
II n
oted
in
th
e ta
ble
abov
e co
nsis
ted
of
larg
e st
acks
of
do
cum
ents
or c
ompi
led
spre
adsh
eets
that
con
tain
ed P
II
for
num
erou
s in
divi
dual
s co
nduc
ting
busi
ness
for
or
with
FE
MA
.
Exce
ptio
ns
cate
goriz
ed
as
“Oth
er’
cons
iste
d of
lapt
ops
and
othe
r IT
ass
ets
not p
hysi
cally
se
cure
d/lo
cked
to w
orks
pace
s, un
secu
red
bank
acc
ount
an
d go
vern
men
t tra
vel
card
inf
orm
atio
n, a
nd t
he l
ack
of a
dequ
ate
lock
ing
mec
hani
sms
on a
ser
ver
room
do
or.
Our
se
lect
ion
of
area
s at
ea
ch
faci
lity
that
w
ere
insp
ecte
d w
as n
ot s
tatis
tical
ly d
eriv
ed,
and
ther
efor
e,
we
are
unab
le to
pro
ject
resu
lts to
FEM
A a
s a w
hole
.
We
reco
mm
end
that
FEM
A m
anag
emen
t re
view
the
ef
fect
iven
ess
of e
xist
ing
secu
rity
awar
enes
s pr
ogra
ms
desi
gned
to
prot
ect
elec
troni
c an
d ph
ysic
al d
ata,
PII
, an
d FO
UO
ag
ency
in
form
atio
n an
d en
sure
th
at
indi
vidu
als
are
adeq
uate
ly i
nstru
cted
and
rem
inde
d of
th
eir
role
s in
the
pro
tect
ion
of b
oth
elec
troni
c an
d ph
ysic
al F
EMA
dat
a an
d ha
rdw
are
thro
ugh
form
al,
perio
dic
com
mun
icat
ions
and
/or
secu
rity
awar
enes
s tra
inin
g.
X
2
FEM
A-
IT-1
0-39
As
note
d du
ring
the
FY
2009
au
dit,
wea
knes
ses
cont
inue
to e
xist
ove
r the
seg
rega
tion
of d
utie
s co
ntro
ls
for
the
mig
ratio
n of
IF
MIS
-Mer
ger
chan
ges
into
pr
oduc
tion.
Spe
cific
ally
:
We
reco
mm
end
that
FEM
A d
ocum
ent a
nd im
plem
ent
polic
ies
and
proc
edur
es
to
limit
IFM
IS-M
erge
r de
velo
per
acce
ss t
o th
e pr
oduc
tion
envi
ronm
ent
to
“rea
d on
ly”
and
segr
egat
e th
e re
spon
sibi
lity
for
depl
oyin
g ap
plic
atio
n co
de c
hang
es i
nto
prod
uctio
n
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
0
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
�Th
e FE
MA
dev
elop
men
t co
ntra
ctor
con
tinue
s to
de
ploy
ch
ange
s in
to
the
UN
IX
prod
uctio
n en
viro
nmen
t th
roug
h th
e us
e of
th
e sh
ared
“i
fmis
cm”
acco
unt.
We
note
d th
at F
EMA
cha
nge
man
agem
ent
pers
onne
l ar
e fo
llow
ing
SOPs
tha
t ou
tline
the
con
trols
int
ende
d to
miti
gate
the
ris
k as
soci
ated
w
ith
the
IFM
IS-M
erge
r de
velo
pers
ha
ving
the
abili
ty to
mig
rate
cha
nges
to th
e IF
MIS
-M
erge
r pro
duct
ion
envi
ronm
ent.
In p
artic
ular
, the
O
ffice
of
the
Chi
ef F
inan
cial
Offi
cer
(OC
FO)
IFM
IS
Syst
em
Cha
nge
Requ
est
(SC
R)
SOP
requ
ires
the
lock
ing
and
unlo
ckin
g of
th
e “i
fmis
cm”
acco
unt
by
syst
em
adm
inis
trato
rs
durin
g th
e im
plem
enta
tion
of s
oftw
are
chan
ges
into
pro
duct
ion.
H
owev
er,
we
dete
rmin
ed t
hat
whi
le
the
SCR
SO
P st
ates
th
at
syst
em
adm
inis
trato
rs w
ill p
erio
dica
lly m
onito
r pro
duct
ion
dire
ctor
ies
to d
etec
t upd
ates
, no
form
al p
roce
dure
s or
pr
oces
ses
are
incl
uded
in
th
e SO
P or
do
cum
ente
d el
sew
here
fo
r de
taili
ng
how
to
m
onito
r th
e di
rect
orie
s or
the
req
uire
men
ts f
or
perf
orm
ing
the
revi
ews
to
verif
y th
at
only
au
thor
ized
cha
nges
to th
e “i
fmis
cm”
dire
ctor
y an
d su
b-di
rect
orie
s are
impl
emen
ted
into
pro
duct
ion
by
the
deve
lope
rs.
�W
e de
term
ined
tha
t al
thou
gh i
nfor
mal
rev
iew
s of
th
e di
rect
orie
s w
ere
perf
orm
ed d
urin
g th
e fis
cal
year
, the
y w
ere
not r
outin
ely
relie
d up
on b
y FE
MA
m
anag
emen
t as
the
y di
d no
t pr
ovid
e th
e le
vel
of
deta
il re
quire
d fo
r ad
equa
te
mon
itorin
g,
and
FEM
A p
erso
nnel
wer
e no
t abl
e to
dis
tingu
ish
the
type
s of
cha
nges
mad
e to
the
sys
tem
fro
m t
he
“ifm
iscm
” ac
coun
t.
from
the
dev
elop
men
t co
ntra
ctor
to
an i
ndep
ende
nt
cont
rol
grou
p.
If
busi
ness
ne
eds
requ
ire
that
th
e se
greg
atio
n of
du
ties
cann
ot
be
imm
edia
tely
im
plem
ente
d, F
EMA
sho
uld
docu
men
t and
impl
emen
t po
licie
s an
d pr
oced
ures
to m
itiga
te th
e ris
k as
soci
ated
w
ith
the
segr
egat
ion
of
dutie
s w
eakn
ess
note
d in
ac
cord
ance
with
DH
S gu
idan
ce, i
nclu
ding
a fo
rmal
ized
pr
oces
s fo
r pe
rfor
min
g an
d do
cum
entin
g re
view
s of
ac
tivity
per
form
ed b
y de
velo
pers
with
in t
he I
FMIS
-M
erge
r env
ironm
ent.
FEM
A-
As
note
d du
ring
the
FY
2009
au
dit,
wea
knes
ses
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
1
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
IT-1
0-40
co
ntin
ued
to
exis
t ov
er
the
segr
egat
ion
of
dutie
s co
ntro
ls fo
r the
mig
ratio
n of
G&
T IF
MIS
cha
nges
into
pr
oduc
tion
durin
g FY
201
0.
Spec
ifica
lly,
the
“ifm
iscm
” ac
coun
t w
as u
sed
by t
he
FEM
A d
evel
opm
ent c
ontra
ctor
to d
eplo
y ch
ange
s in
to
the
UN
IX p
rodu
ctio
n en
viro
nmen
t. P
er o
ur re
view
, we
note
d th
at t
he G
&T
IFM
IS a
pplic
atio
n pr
ogra
mm
ers
resp
onsi
ble
for m
aint
aini
ng a
nd d
evel
opin
g ch
ange
s for
th
e G
&T
IFM
IS a
pplic
atio
n w
ere
also
res
pons
ible
for
m
igra
ting
appl
icat
ion
code
cha
nges
into
the
prod
uctio
n en
viro
nmen
t us
ing
the
“ifm
iscm
” ac
coun
t. W
e w
ere
info
rmed
by
FEM
A p
erso
nnel
tha
t th
e co
ntro
ls o
ver
this
acc
ount
did
not
cha
nge
from
FY
200
9 an
d th
at th
e ac
coun
t re
mai
ned
unlo
cked
whi
le G
&T
IFM
IS w
as
oper
atio
nal b
etw
een
Oct
ober
200
9 an
d Ju
ne 2
010
whe
n th
e sy
stem
was
dec
omm
issi
oned
. W
e w
ere
furth
er
info
rmed
by
FE
MA
pe
rson
nel
that
ac
cess
to
th
e “i
fmis
cm”
acco
unt w
as n
ot li
mite
d or
mon
itore
d on
a
perio
dic
basi
s, al
low
ing
the
deve
lopm
ent
cont
ract
or
unre
stric
ted
acce
ss to
the
prod
uctio
n en
viro
nmen
t.
Add
ition
ally
, w
e no
ted
that
FEM
A h
as d
ocum
ente
d po
licie
s an
d pr
oced
ures
that
requ
ire th
e IF
MIS
-Mer
ger
“ifm
iscm
” ac
coun
t to
be lo
cked
and
use
of t
he a
ccou
nt
to
be
mon
itore
d.
H
owev
er,
we
note
d th
at
no
esta
blis
hed
proc
edur
es o
r co
ntro
ls w
ere
in p
lace
for
G
&T
IFM
IS t
o m
itiga
te t
he r
isk
asso
ciat
ed w
ith t
his
acco
unt.
Con
sequ
ently
, w
e de
term
ined
tha
t w
hile
the
G&
T IF
MIS
app
licat
ion
serv
er w
as d
ecom
mis
sion
ed in
Jun
e 20
10,
the
wea
knes
ses
over
se
greg
atio
n of
du
ties
cont
rols
in th
e G
&T
IFM
IS c
onfig
urat
ion
man
agem
ent
proc
ess
cont
inue
d to
exi
st fo
r the
maj
ority
of F
Y 2
010,
an
d pr
ior y
ear N
FR F
EMA
-IT-
09-5
9 is
reis
sued
.
this
fin
ding
bec
ause
of
the
deco
mm
issi
onin
g of
G&
T IF
MIS
in Ju
ne 2
010.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
2
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
FEM
A-
IT-1
0-41
Pass
wor
d,
patc
h m
anag
emen
t, an
d co
nfig
urat
ion
man
agem
ent
wea
knes
ses
wer
e id
entif
ied
durin
g vu
lner
abili
ty a
sses
smen
t tec
hnic
al te
stin
g.
Not
e: D
ue to
the
natu
re o
f thi
s fin
ding
, see
the
tabl
es
in a
ssoc
iate
d N
FR f
or t
he s
peci
fic d
etai
ls o
f th
e co
nditi
ons.
Impl
emen
t th
e sp
ecifi
c co
rrec
tive
actio
ns li
sted
in th
e N
FR fo
r eac
h te
chni
cal c
ontro
l wea
knes
s ide
ntifi
ed.
X
3
FEM
A-
IT-1
0-42
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
we
note
d th
e fo
llow
ing
wea
knes
ses
over
th
e co
mpl
eten
ess
and
accu
racy
of
certa
in C
&A
arti
fact
s th
at s
uppo
rt th
e A
utho
rizin
g O
ffic
ial’s
dec
isio
n to
gra
nt a
n A
TO fo
r the
IF
MIS
– M
erge
r:
�A
risk
ass
essm
ent f
or IF
MIS
-Mer
ger h
ad n
ot b
een
com
plet
ed o
r do
cum
ente
d pr
ior
to g
rant
ing
an
ATO
, in
ac
cord
ance
w
ith
DH
S an
d N
IST
requ
irem
ents
. A
dditi
onal
ly, F
EMA
doe
s no
t pla
n to
con
duct
and
doc
umen
t a r
isk
asse
ssm
ent o
r th
e re
sults
of t
he re
quire
d ris
k as
sess
men
t act
iviti
es fo
r IF
MIS
-Mer
ger
as
FEM
A
man
agem
ent
has
indi
cate
d th
at it
is n
ot re
quire
d fo
r FY
201
0.
�Th
e A
TO w
as s
igne
d in
Jun
e 20
10,
mor
e th
an
thre
e m
onth
s af
ter
the
IFM
IS-M
erge
r sy
stem
was
op
erat
iona
l in
late
Feb
ruar
y 20
10.
�Pe
r ou
r re
view
of
the
secu
rity
asse
ssm
ent
repo
rt,
the
asse
ssm
ent
perf
orm
ed
over
IF
MIS
-Mer
ger
prio
r to
gran
ting
ATO
did
not
incl
ude
eval
uatio
n of
an
y of
the
cont
rols
iden
tifie
d w
ithin
the
SSP.
The
as
sess
men
t w
as
limite
d to
vu
lner
abili
ty
and
com
plia
nce
scan
s.
�Th
e ST
&E
was
not
pro
perly
con
duct
ed b
ecau
se th
e ba
selin
e co
ntro
ls in
the
Req
uire
men
ts T
race
abili
ty
Mat
rix
wer
e no
t co
nsis
tent
w
ith
DH
S re
quire
men
ts.
�U
pdat
e an
d co
mpl
ete
all
requ
ired
C&
A a
rtifa
cts
for I
FMIS
-Mer
ger i
n ac
cord
ance
with
DH
S po
licy
and
NIS
T gu
idan
ce.
�En
sure
th
at
C&
A
artif
acts
, in
clud
ing
the
risk
asse
ssm
ent
or t
he r
esul
ts o
f th
e re
quire
d ris
k as
sess
men
t act
iviti
es, t
he S
T&E,
and
the
Secu
rity
Ass
essm
ent
Rep
ort
(SA
R)
are
cond
ucte
d an
d do
cum
ente
d in
acc
orda
nce
with
est
ablis
hed
DH
S ba
selin
e co
ntro
ls
acco
rdin
g to
th
e se
curit
y ca
tego
rizat
ion
of th
e sy
stem
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
3
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
FEM
A-
IT-1
0-43
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
we
note
d th
at th
e m
ost
rece
nt A
TO f
or N
EMIS
was
sig
ned
on O
ctob
er
29, 2
009.
H
owev
er, w
e id
entif
ied
wea
knes
ses
in t
he
com
plet
enes
s an
d ac
cura
cy o
f ce
rtain
C&
A a
rtifa
cts
that
sup
port
the
Aut
horiz
ing
Off
icia
l’s (
AO
) de
cisi
on
to g
rant
the
ATO
for N
EMIS
. Sp
ecifi
cally
, the
NEM
IS
Ris
k A
sses
smen
t, ST
&E,
and
SA
R w
ere
com
plet
ed in
20
06, a
nd th
us o
utda
ted
as D
HS
polic
y re
quire
s C
&A
ar
tifac
ts s
uppo
rting
ATO
s to
be
upda
ted
with
in th
e 13
m
onth
s pr
ior
to g
rant
ing
the
mos
t re
cent
ATO
, an
d N
IST
requ
ires e
ach
to b
e co
nduc
ted
ever
y 3
year
s.
We
reco
mm
end
that
FEM
A u
pdat
e an
d co
mpl
ete
all
requ
ired
C&
A a
rtifa
cts
for N
EMIS
in a
ccor
danc
e w
ith
DH
S po
licy
and
NIS
T gu
idan
ce.
X
3
FEM
A-
IT-1
0-44
Con
ditio
ns n
oted
in
FY 2
009
rela
ted
to w
eakn
esse
s ov
er c
ontro
ls in
pla
ce to
mon
itor a
nd re
stric
t acc
ess
to
high
ly-p
rivile
ged
syst
em a
ccou
nts
with
in t
he U
NIX
en
viro
nmen
t th
at s
uppo
rts I
FMIS
-Mer
ger
and
G&
T IF
MIS
con
tinue
to e
xist
in F
Y 2
010.
Spe
cific
ally
:
�A
cces
s to
th
e “r
oot”
ac
coun
t is
no
t pr
oper
ly
rest
ricte
d an
d sy
stem
adm
inis
trato
r ac
tiviti
es a
re
not
appr
opria
tely
lo
gged
.
Spec
ifica
lly,
the
pass
wor
d to
acc
ess
the
UN
IX “
root
” ad
min
istra
tor
acco
unt
is s
hare
d be
twee
n th
e ad
min
istra
tors
and
re
mot
e ac
cess
to
the
root
acc
ount
is
not
lock
ed
dow
n.
�Sy
stem
adm
inis
trato
r ac
tions
are
not
mon
itore
d an
d at
tribu
tabl
e to
in
divi
dual
ad
min
istra
tors
. Sp
ecifi
cally
, FEM
A h
as n
ot e
nfor
ced
the
use
of th
e “s
udo”
co
mm
and,
w
hich
re
quire
s sy
stem
ad
min
istra
tors
to
logi
n w
ith t
heir
indi
vidu
al u
ser
ID a
nd t
hen
switc
h ov
er t
o th
e ro
ot a
ccou
nt t
o en
sure
who
is a
cces
sing
the
acco
unt i
s lo
gged
and
au
thor
ized
.
�Sy
stem
log
s an
d re
ports
of
adm
inis
trato
r ac
tivity
, in
clud
ing
the
“sud
o” l
og w
hich
mon
itors
act
ions
pe
rfor
med
by
adm
inis
trato
rs w
hile
act
ing
as t
he
We
reco
mm
end
that
FEM
A d
ocum
ent a
nd im
plem
ent
appr
opria
te
tech
nica
l an
d m
anag
emen
t co
ntro
ls
to
rest
rict
and
mon
itor
acce
ss
to
priv
ilege
d sy
stem
ad
min
istra
tor a
ccou
nts
on th
e IF
MIS
-Mer
ger o
pera
ting
syst
em,
incl
udin
g us
e of
th
e “r
oot”
ac
coun
t, in
ac
cord
ance
with
DH
S an
d FE
MA
pol
icy.
Add
ition
ally
, po
licie
s an
d pr
oced
ures
sho
uld
incl
ude
requ
irem
ents
to
ensu
re t
hat
syst
em l
ogs
and
reco
rds
of a
dmin
istra
tor
activ
ity, i
nclu
ding
the
“roo
t” a
ccou
nt, a
re r
etai
ned
and
revi
ewed
by
IT s
ecur
ity m
anag
emen
t in
depe
nden
t of
th
e sy
stem
ad
min
istra
tion
team
, es
peci
ally
w
here
in
divi
dual
trac
eabi
lity
for t
he a
ccou
nt is
not
pos
sibl
e.
Ther
e is
no
reco
mm
ende
d co
rrec
tive
actio
n sp
ecifi
c to
th
e po
rtion
of
this
fin
ding
rel
ated
to
G&
T IF
MIS
be
caus
e of
the
dec
omm
issi
onin
g of
G&
T IF
MIS
in
June
201
0.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
4
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
“roo
t”
acco
unt,
wer
e no
t re
view
ed
by
FEM
A
man
agem
ent p
erso
nnel
inde
pend
ent o
f th
e sy
stem
ad
min
istra
tion
staf
f.
FEM
A-
IT-1
0-45
In F
Y 2
009,
we
note
d w
eakn
esse
s ov
er s
uita
bilit
y de
term
inat
ions
for
fed
eral
em
ploy
ees
and
cont
ract
ors
with
sen
sitiv
e IT
sys
tem
acc
ess
that
con
tinue
d to
exi
st
in F
Y 2
010.
Spe
cific
ally
, of
15
fede
ral
empl
oyee
po
sitio
ns se
lect
ed fo
r tes
ting:
�Th
ree
did
not
have
ev
iden
ce
of
a co
mpl
eted
ba
ckgr
ound
inve
stig
atio
n on
file
that
met
min
imum
in
vest
igat
ive
requ
irem
ents
sp
ecifi
ed
by
DH
S po
licy.
�Fo
r on
e em
ploy
ee, F
EMA
was
una
ble
to p
rovi
de
any
docu
men
tatio
n to
evi
denc
e th
at th
e em
ploy
ee’s
ba
ckgr
ound
in
vest
igat
ion
was
pe
rfor
med
an
d m
aint
aine
d w
ithin
IS
MS,
FE
MA
’s
pers
onne
l su
itabi
lity
and
inve
stig
atio
n re
cord
keep
ing
utili
ty.
�N
ine
that
are
def
ined
as
“hig
h ris
k” a
ccor
ding
to
FEM
A p
olic
y di
d no
t hav
e an
app
ropr
iate
pos
ition
se
nsiti
vity
des
igna
tion
that
ref
lect
ed th
e ris
k le
vel
requ
ired
by D
HS
polic
y.
Dur
ing
our
FY 2
010
test
wor
k ov
er c
ontra
ctor
s, w
e de
term
ined
th
at
no
form
al
proc
edur
es
have
be
en
deve
lope
d or
impl
emen
ted
by F
EMA
to a
ddre
ss D
HS
requ
irem
ents
sur
roun
ding
the
sui
tabi
lity
scre
enin
g of
co
ntra
ctor
s ac
cess
ing
DH
S IT
sys
tem
s. A
dditi
onal
ly,
we
sele
cted
a p
opul
atio
n of
15
cont
ract
ors
with
acc
ess
to
mul
tiple
FE
MA
in
form
atio
n sy
stem
s w
ho
hold
se
nsiti
ve IT
sec
urity
pos
ition
s at F
EMA
such
as s
yste
m
adm
inis
trato
rs,
data
base
adm
inis
trato
rs,
and
syst
ems
deve
lopm
ent
cont
ract
ors
and
dete
rmin
ed t
hat
FEM
A
has
not
appr
opria
tely
co
nduc
ted
suita
bilit
y
�Fu
rther
def
ine
and
refin
e do
cum
ente
d pr
oces
ses
to
ensu
re
that
ba
ckgr
ound
in
vest
igat
ions
fo
r al
l Fe
dera
l em
ploy
ees
are
perf
orm
ed a
nd p
roce
dure
s ar
e im
plem
ente
d in
ac
cord
ance
w
ith
DH
S di
rect
ives
. �
Re-
eval
uate
an
d as
sign
th
e co
rrec
t po
sitio
n se
nsiti
vity
lev
els
to a
ll Fe
dera
l em
ploy
ees
with
ac
cess
to D
HS
info
rmat
ion
syst
ems
in a
ccor
danc
e w
ith D
HS
polic
y.
Add
ition
ally
doc
umen
t an
d/or
re
vise
, an
d fu
lly i
mpl
emen
t pr
oced
ures
to
ensu
re
that
pro
gram
man
ager
s ar
e aw
are
of r
equi
rem
ents
an
d ap
prop
riate
po
sitio
n se
nsiti
vity
le
vels
ar
e de
sign
ated
for
all
sens
itive
IT
posi
tions
in
the
futu
re.
�D
ocum
ent a
nd f
ully
impl
emen
t pro
cedu
res
with
in
FEM
A A
cqui
sitio
ns,
FEM
A P
erso
nnel
Sec
urity
, an
d FE
MA
IT
to e
nsur
e a
mor
e ce
ntra
lized
and
co
ordi
nate
d pr
oces
s fo
r tra
ckin
g an
d co
mpl
etin
g ba
ckgr
ound
in
vest
igat
ions
ov
er
cont
ract
or
pers
onne
l in
acco
rdan
ce w
ith D
HS
polic
y.
�En
sure
th
at
all
syst
em
owne
rs
docu
men
t an
d co
rrec
tly
defin
e th
e ap
prop
riate
se
nsiti
vity
de
sign
atio
ns
for
cont
ract
or
pers
onne
l ne
edin
g ac
cess
to th
eir
info
rmat
ion
syst
ems
in a
ccor
danc
e w
ith
DH
S po
licy.
A
dditi
onal
ly,
ensu
re
that
po
sitio
n se
nsiti
vity
de
sign
atio
ns
are
assi
gned
ba
sed
on th
e ty
pe o
f priv
ilege
s ne
eded
, and
requ
ire
cont
ract
ors
to h
ave
thei
r su
itabi
lity
inve
stig
atio
ns
com
plet
ed p
rior
to b
eing
gra
nted
acc
ess
to t
he
syst
em
in
acco
rdan
ce
with
FE
MA
an
d D
HS
polic
y.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
5
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
inve
stig
atio
ns.
Spec
ifica
lly:
�Fo
r tw
o, F
EMA
was
una
ble
to p
rovi
de a
ny
docu
men
tatio
n to
ev
iden
ce
that
th
e co
ntra
ctor
’s
reco
rd
was
m
aint
aine
d w
ithin
IS
MS,
incl
udin
g th
e st
atus
of a
ny b
ackg
roun
d in
vest
igat
ions
per
form
ed.
�Si
x di
d no
t ha
ve e
vide
nce
of a
com
plet
ed
back
grou
nd i
nves
tigat
ion
on f
ile t
hat
mee
ts
min
imum
inve
stig
ativ
e re
quire
men
ts s
peci
fied
by D
HS
polic
y.
Of
the
six,
two
had
reco
rds
mai
ntai
ned
with
in
ISM
S;
how
ever
, FE
MA
w
as
unab
le
to
prov
ide
evid
ence
th
at
back
grou
nd
inve
stig
atio
ns
for
each
w
ere
perf
orm
ed.
�N
one
had
posi
tion
sens
itivi
ty
desi
gnat
ions
de
fined
by
FEM
A fo
r the
sen
sitiv
e IT
pos
ition
th
ey h
eld
at t
he t
ime
of o
ur t
est
wor
k, a
s re
quire
d by
DH
S po
licy.
FEM
A-
IT-1
0-46
Dur
ing
the
FY
2010
in
tegr
ated
au
dit,
we
note
d w
eakn
esse
s in
co
ntro
ls
over
th
e co
nfig
urat
ion
man
agem
ent o
f ap
plic
atio
n, w
eb, a
nd d
atab
ase
serv
ers
with
in
the
NEM
IS
prod
uctio
n en
viro
nmen
t. Sp
ecifi
cally
:
1.
Acc
ess
to
the
mul
tiple
ap
plic
atio
n,
web
, an
d da
taba
se
serv
ers
that
co
mpr
ise
the
NEM
IS
prod
uctio
n en
viro
nmen
t fo
r de
ploy
ing
appr
oved
co
de c
hang
es is
lim
ited
to IT
Ent
erpr
ise
Ope
ratio
ns
staf
f. H
owev
er,
no
form
aliz
ed
chan
ge
man
agem
ent
proc
edur
es
exis
t fo
r de
ploy
ing
chan
ges
to e
nsur
e th
e m
ovem
ent
of p
rodu
ctio
n co
de f
or t
he N
EMIS
pro
duct
ion
envi
ronm
ent
is
appr
opria
tely
con
trolle
d.
�D
ocum
ent a
nd im
plem
ent a
form
aliz
ed p
roce
ss a
nd
proc
edur
es
for
depl
oyin
g N
EMIS
ch
ange
s to
en
sure
the
mov
emen
t of
pro
duct
ion
code
for
the
N
EMIS
pro
duct
ion
envi
ronm
ent
is a
ppro
pria
tely
co
ntro
lled.
Proc
edur
es
shou
ld
incl
ude
requ
irem
ents
for r
estri
ctin
g an
d, m
onito
ring
acce
ss
and
docu
men
ting
revi
ews
to
the
NEM
IS
prod
uctio
n en
viro
nmen
t to
en
sure
th
at
the
prin
cipl
es o
f le
ast
priv
ilege
and
seg
rega
tion
of
dutie
s ar
e en
forc
ed,
in
acco
rdan
ce
with
D
HS
guid
ance
. �
Ensu
re
that
ad
equa
te
tech
nica
l co
ntro
ls
are
impl
emen
ted
to
enfo
rce
leas
t pr
ivile
ge
and
segr
egat
ion
of
dutie
s re
quire
men
ts
for
the
impl
emen
tatio
n of
sys
tem
cha
nges
. I
f in
divi
dual
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
6
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
2.
Acc
ess
to a
sha
red
serv
ice
acco
unt i
s us
ed f
or th
e de
ploy
men
t of
Lin
ux c
hang
es.
How
ever
, FE
MA
w
as u
nabl
e to
pro
vide
any
sys
tem
doc
umen
tatio
n or
ass
ocia
ted
artif
acts
dem
onst
ratin
g th
at F
EMA
w
as a
ppro
pria
tely
rest
rictin
g an
d co
ntro
lling
acc
ess
to t
he N
EMIS
pro
duct
ion
appl
icat
ion,
web
, an
d da
taba
se se
rver
s.
acco
unts
are
not
pos
sibl
e fo
r de
ploy
ing
chan
ges,
impl
emen
t lo
gica
l ac
cess
co
ntro
ls,
incl
udin
g co
nfig
urat
ion
of s
yste
m a
udit
logs
, on
NEM
IS
prod
uctio
n se
rver
s to
es
tabl
ish
indi
vidu
al
acco
unta
bilit
y fo
r all
FEM
A p
erso
nnel
with
acc
ess
to t
he e
nviro
nmen
t th
roug
h th
e sh
ared
ser
vice
ac
coun
t, in
ac
cord
ance
w
ith
DH
S an
d FE
MA
po
licy.
A
dditi
onal
ly,
for
thes
e sh
ared
ser
vice
ac
coun
ts,
docu
men
t, im
plem
ent,
and
appr
ove
stan
dard
op
erat
ing
proc
edur
es
for
the
impl
emen
tatio
n an
d fo
rmal
re
view
of
N
EMIS
sy
stem
cha
nges
on
prod
uctio
n se
rver
s. FE
MA
-IT
-10-
47
In F
Y 2
009,
we
note
d th
at F
EMA
’s O
CFO
and
NFI
P fin
anci
al s
yste
ms
deve
lopm
ent a
nd a
cqui
sitio
n pr
ojec
ts
wer
e un
derta
ken
and
prog
ress
ed w
ithou
t (1
) pr
oper
ov
ersi
ght
of
and
dire
ctio
n to
co
ntra
ctor
s, (2
) de
velo
pmen
t an
d ap
prov
al
of
requ
ired
proj
ect
docu
men
tatio
n, (
3) t
he c
ontin
ual
invo
lvem
ent
of t
he
OC
IO
to
ensu
re
appr
opria
te
cons
ider
atio
n an
d in
tegr
atio
n of
IT
se
curit
y,
and
(4)
the
join
t co
mm
unic
atio
n an
d de
cisi
on-m
akin
g of
FEM
A O
CFO
, O
CIO
an
d N
FIP
man
agem
ent.
A
s a
resu
lt,
we
reco
mm
ende
d th
at
FEM
A
man
agem
ent
defin
e an
d im
plem
ent
form
al a
nd r
epea
tabl
e pr
oces
ses
to e
nsur
e th
at f
inan
cial
sys
tem
s de
velo
pmen
t an
d ac
quis
ition
pr
ojec
ts a
re c
ondu
cted
in c
ompl
ianc
e w
ith D
HS
SELC
an
d ac
quis
ition
re
quire
men
ts
as
wel
l as
Fe
dera
l gu
idan
ce.
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
we
dete
rmin
ed
that
FE
MA
m
anag
emen
t ha
s no
t im
plem
ente
d co
rrec
tive
actio
ns o
r dev
elop
ed a
cor
rect
ive
actio
n pl
an
to
addr
ess
the
prio
r ye
ar
wea
knes
ses
note
d.
Spec
ifica
lly, e
ntity
leve
l cor
rect
ive
actio
ns to
inte
grat
e an
d de
velo
p su
ffic
ient
an
d ef
fect
ive
met
hods
of
co
mm
unic
atio
n to
ens
ure
that
sig
nific
ant
finan
cial
-
�D
efin
e an
d im
plem
ent f
orm
al a
nd re
peat
able
ent
ity
leve
l co
ntro
l pr
oces
ses
to e
nsur
e th
at f
inan
cial
sy
stem
s de
velo
pmen
t an
d ac
quis
ition
pro
ject
s ar
e co
nduc
ted
in
com
plia
nce
with
D
HS
Syst
em
Engi
neer
ing
Life
Cyc
le (
SELC
) an
d ac
quis
ition
re
quire
men
ts a
s w
ell
as F
eder
al g
uida
nce.
Th
e pr
oces
ses
shou
ld d
efin
e st
eps
to i
nclu
de,
but
are
not l
imite
d to
, for
mal
app
rova
l of
requ
ired
proj
ect
docu
men
tatio
n,
suff
icie
nt
cont
ract
or
over
sigh
t, de
finiti
ons
of p
roje
ct r
oles
and
res
pons
ibili
ties
so
that
de
cisi
on
mak
ing
incl
udes
th
e ap
prop
riate
in
volv
emen
t of
al
l st
akeh
olde
rs
and
rele
vant
FE
MA
man
agem
ent,
esta
blis
hmen
t of
AD
Es a
t ea
ch S
ELC
pha
se,
and
inte
grat
ion
of I
T se
curit
y co
nsid
erat
ions
thro
ugho
ut a
ll pr
ojec
t pha
ses.
�
Iden
tify
and
form
ally
as
sign
st
akeh
olde
rs
asso
ciat
ed
with
th
e re
med
iatio
n ef
forts
ov
er
alig
ning
th
e D
HS
SELC
m
etho
dolo
gy
with
FE
MA
’s
acqu
isiti
on
deve
lopm
ent
proc
ess
to
ensu
re a
ppro
pria
te p
artic
ipat
ion
from
all
requ
ired
orga
niza
tions
w
ithin
FE
MA
in
bo
th
the
deve
lopm
ent
of
polic
ies
and
proc
edur
es
and
inte
grat
ion
of t
he f
inan
cial
sys
tem
s ac
quis
ition
s lif
e cy
cle
stag
es a
s req
uire
d by
DH
S po
licy.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
7
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
rela
ted
syst
em d
evel
opm
ent
and
acqu
isiti
on p
roje
cts
invo
lve
all r
elev
ant s
take
hold
ers,
incl
udin
g th
e O
CFO
, ha
ve
not
been
es
tabl
ishe
d.
A
dditi
onal
ly,
FEM
A
man
agem
ent
has
not
take
n ac
tion
to e
nhan
ce a
nd
furth
er
deve
lop
curr
ent
acqu
isiti
on
man
agem
ent
proc
esse
s to
en
sure
th
at
orga
niza
tion-
spec
ific
requ
irem
ents
exi
st a
nd a
re i
mpl
emen
ted
so t
hat
each
pr
ojec
t m
eets
or
gani
zatio
nal
mis
sion
ne
eds
and
func
tiona
l an
d te
chni
cal
requ
irem
ents
as
requ
ired
by
DH
S an
d N
IST
guid
ance
.
FEM
A-
IT-1
0-48
FEM
A I
T se
curit
y m
anag
emen
t re
spon
sibili
ties
wer
e no
t con
sist
ently
or
adeq
uate
ly a
ssig
ned
and
perf
orm
ed
over
the
FEM
A P
OA
&M
pro
cess
for F
Y 2
009
IT a
udit
findi
ngs,
in
acco
rdan
ce
with
D
HS
guid
ance
. Sp
ecifi
cally
:
�PO
A&
Ms
crea
ted
by
FEM
A
man
agem
ent
in
resp
onse
to
FY 2
009
IT f
inan
cial
sta
tem
ent
audi
t fin
ding
s w
ere
not c
onsi
sten
tly c
ateg
oriz
ed w
ith th
e ap
prop
riate
crit
ical
ity l
evel
in
acco
rdan
ce w
ith
DH
S po
licy.
Sp
ecifi
cally
, fo
r 52
PO
A&
Ms
prov
ided
by
FEM
A o
n M
ay 3
, 201
0, c
ritic
ality
was
ei
ther
und
efin
ed o
r err
oneo
usly
def
ined
as “
Ann
ual
Ass
essm
ent
Find
ing”
rat
her
than
“In
itial
Aud
it Fi
ndin
g” o
r “R
epea
t Aud
it Fi
ndin
g,”
as re
quire
d.
�FE
MA
man
agem
ent d
id n
ot c
onsi
sten
tly d
ocum
ent
deta
iled
corr
ectiv
e ac
tion
plan
s or
ap
prop
riate
m
ilest
ones
, inc
ludi
ng r
equi
red
test
s of
des
ign
and
effe
ctiv
e im
plem
enta
tion
for
finan
cial
sy
stem
PO
A&
Ms.
�FE
MA
man
agem
ent
did
not
cons
iste
ntly
ass
ign
POA
&M
st
akeh
olde
r ow
ners
hip
for
corr
ectiv
e ac
tion
plan
s or r
elat
ed m
ilest
ones
.
�Es
tabl
ish
and
docu
men
t a
form
aliz
ed p
roce
ss t
o pr
ovid
e IT
se
curit
y m
anag
emen
t ov
ersi
ght
to
ensu
re
that
ad
equa
te
perio
dic
revi
ew
and
asse
ssm
ent o
f se
curit
y co
ntro
ls a
re p
erfo
rmed
and
co
rrec
tive
actio
ns a
re a
ppro
pria
tely
ass
igne
d an
d im
plem
ente
d ov
er i
dent
ified
sec
urity
wea
knes
ses
thro
ugh
the
POA
&M
pro
cess
. �
Ded
icat
e re
sour
ces
to
fully
im
plem
ent
DH
S re
quire
men
ts o
ver t
he P
OA
&M
s fo
r aud
it fin
ding
s of
FEM
A f
inan
cial
sys
tem
s, in
clud
ing
the
prop
er
cate
goriz
atio
n of
aud
it fin
ding
s, do
cum
enta
tion
of
all
stak
ehol
ders
with
rem
edia
tion
resp
onsi
bilit
ies,
and
mon
itorin
g of
PO
A&
M a
ctiv
ities
to
valid
ate
that
co
rrec
tive
actio
ns
are
appr
opria
tely
do
cum
ente
d w
ith
asso
ciat
ed
mile
ston
es
and
evid
ence
of r
emed
iatio
n is
dev
elop
ed a
nd re
tain
ed.
�D
evel
op a
nd i
mpl
emen
t a
train
ing
prog
ram
for
pe
rson
nel w
ith IT
sec
urity
resp
onsi
bilit
ies,
such
as
syst
em o
wne
rs a
nd IS
SOs,
to e
nsur
e th
at th
ey fu
lly
unde
rsta
nd
thei
r ro
les
and
resp
onsi
bilit
ies
to
corr
ectly
cat
egor
ize
the
findi
ngs,
form
ally
def
ine
mile
ston
es,
and
valid
ate
the
docu
men
tatio
n an
d te
stin
g of
the
corr
ectiv
e ac
tion
impl
emen
ted.
�
Dev
elop
an
d im
plem
ent
revi
ew
proc
edur
es
to
ensu
re d
evel
oped
PO
A&
Ms
are
deta
iled
enou
gh to
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
8
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
dem
onst
rate
tha
t th
e ro
ot c
ause
of
the
issu
e ha
s be
en
asse
ssed
an
d th
e m
ilest
ones
ad
dres
s th
e ne
cess
ary
step
s to
ful
ly r
emed
iate
the
wea
knes
ses
as re
quire
d by
DH
S po
licy.
FE
MA
-IT
-10-
49
Dur
ing
the
FY
2010
fo
llow
-up
test
wor
k,
we
dete
rmin
ed th
at w
eakn
esse
s no
ted
in F
Y 2
009
cont
inue
to
exi
st.
Spec
ifica
lly, w
e de
term
ined
that
no
addi
tiona
l po
licie
s an
d pr
oced
ures
to
esta
blis
h a
proc
ess
for
impl
emen
ting
chan
ge c
ontro
ls f
or t
he m
aint
enan
ce o
f sy
stem
sec
urity
fun
ctio
ns h
ave
been
dev
elop
ed b
y FE
MA
or
the
IT d
evel
oper
of
IFM
IS-M
erge
r. F
EMA
ha
s no
t ade
quat
ely
ensu
red
that
app
ropr
iate
priv
ilege
s gr
ante
d to
us
ers
are
crea
ted,
do
cum
ente
d,
and
appr
oved
.
We
wer
e in
form
ed b
y FE
MA
per
sonn
el th
at th
e sy
stem
se
curit
y fu
nctio
ns a
re c
reat
ed a
nd m
odifi
ed to
pro
vide
ad
ditio
nal
func
tiona
lity
unde
r sp
ecifi
c m
enus
in
the
IFM
IS-M
erge
r ap
plic
atio
n.
As
a re
sult,
thes
e ch
ange
s to
the
men
u pr
ovid
e ad
ditio
nal
func
tiona
lity
to t
he
user
s w
ith a
cces
s to
tho
se m
enus
. H
owev
er,
curr
ent
docu
men
tatio
n ov
er I
FMIS
-Mer
ger,
incl
udin
g ac
cess
au
thor
izat
ion
form
s, ch
ange
man
agem
ent
plan
s an
d Sy
stem
Sec
urity
Pla
ns, d
o no
t de
fine
how
to
man
age
and
docu
men
t cha
nges
to th
ese
func
tions
to e
nsur
e th
at
appr
oved
ch
ange
s ar
e m
ade
and
appr
opria
te
and
trace
able
acc
ess i
s gra
nted
to IF
MIS
-Mer
ger u
sers
.
Whi
le
FEM
A
has
rece
ived
th
e IF
MIS
Se
curit
y Fu
nctio
ns
Ref
eren
ce
Gui
de
date
d 20
07
from
th
e so
ftwar
e ve
ndor
, we
dete
rmin
ed th
at th
e do
cum
enta
tion
is
a te
chni
cal
refe
renc
e m
anua
l th
at
defin
es
the
capa
bilit
ies
of th
e sy
stem
, usa
ge o
f th
e va
rious
sys
tem
se
curit
y fu
nctio
ns,
men
u op
tions
an
d re
late
d pe
rmis
sion
s fo
r ea
ch f
unct
ion.
H
owev
er,
the
guid
e do
es n
ot a
ddre
ss t
he m
anag
emen
t of
the
se s
yste
m
�D
edic
ate
reso
urce
s to
ass
ess
the
usag
e of
IFM
IS-
Mer
ger
syst
em s
ecur
ity f
unct
ions
aga
inst
DH
S po
licy
requ
irem
ents
and
det
erm
ine
gaps
that
exi
st
with
in e
xist
ing
syst
em d
ocum
enta
tion
over
the
se
curit
y fu
nctio
ns.
�D
evel
op a
nd i
mpl
emen
t po
licie
s an
d pr
oced
ures
do
cum
entin
g th
e pr
oces
s of
add
ing,
del
etin
g, a
nd
mod
ifyin
g IF
MIS
-Mer
ger
syst
em
secu
rity
func
tions
to e
nsur
e th
at p
rope
r con
trols
are
in p
lace
fo
r ap
prov
ing,
te
stin
g an
d do
cum
entin
g th
ese
func
tions
prio
r to
im
plem
enta
tion,
in
acco
rdan
ce
with
DH
S po
licy.
Th
ese
polic
ies
and
proc
edur
es
shou
ld
incl
ude
requ
irem
ents
ov
er
inde
pend
ent
mon
itorin
g of
th
e cr
eatio
n,
mod
ifica
tion
and
dele
tion
of
syst
em
secu
rity
func
tions
, an
d re
quire
men
ts f
or u
pdat
ing
syst
em d
ocum
enta
tion
to re
flect
the
impa
ct o
f the
cha
nges
to u
ser a
ccou
nt
priv
ilege
s. �
Dev
elop
and
impl
emen
t pro
cedu
res
to e
nsur
e th
at
func
tions
upd
ated
thro
ugh
the
chan
ge m
anag
emen
t pr
oces
s ar
e fo
rmal
ly a
ppro
ved
and
docu
men
ted
and
that
app
ropr
iate
sys
tem
doc
umen
tatio
n fo
r IF
MIS
-Mer
ger
syst
em
secu
rity
func
tions
is
up
date
d an
d re
tain
ed,
in a
ccor
danc
e w
ith D
HS
polic
y.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 9
9
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
secu
rity
func
tions
fro
m a
cha
nge
cont
rol
and
acce
ss
cont
rol p
ersp
ectiv
e fo
r FEM
A.
Add
ition
ally
, the
gui
de
does
not
inc
lude
req
uire
men
ts f
or u
pdat
ing
syst
em
docu
men
tatio
n an
d tra
ckin
g th
ese
syst
em
secu
rity
func
tion
chan
ges t
o pr
ivile
ges i
n th
e sy
stem
.
Con
sequ
ently
, ba
sed
on o
ur t
estw
ork,
we
conc
lude
d th
at
a fo
rmal
ized
pr
oces
s fo
r m
odify
ing
spec
ific
IFM
IS-M
erge
r sys
tem
sec
urity
func
tions
to e
nsur
e th
at
appr
opria
te
priv
ilege
s ar
e cr
eate
d,
docu
men
ted,
ap
prov
ed, a
nd m
onito
red
does
not
exi
st.
FEM
A-
IT-1
0-50
Dur
ing
the
FY
2010
FE
MA
in
tegr
ated
au
dit,
we
dete
rmin
ed
that
th
e fo
llow
ing
cond
ition
s re
late
d au
thor
izat
ion
of e
xter
nal
conn
ectio
ns t
o th
e FE
MA
V
PN c
ontin
ue to
exi
st:
�Tw
o-fa
ctor
aut
hent
icat
ion
is n
ot u
sed
for
VPN
ac
cess
, as r
equi
red
by D
HS
polic
y.
�Th
e ex
istin
g do
cum
enta
tion
that
de
fines
th
e pr
oces
s fo
r gr
antin
g an
d m
aint
aini
ng V
PN a
cces
s to
th
e FE
MA
ne
twor
k do
es
not
incl
ude
requ
irem
ents
fo
r ad
min
iste
ring
the
site
su
rvey
pr
oces
s, in
clud
ing
requ
irem
ents
fo
r th
e au
thor
izat
ion
of th
e si
tes
surv
eys,
rece
rtific
atio
n of
si
te
surv
eys,
and
the
secu
rity
requ
irem
ents
as
soci
ated
with
the
vario
us a
spec
ts o
f the
pro
cess
.
�FE
MA
has
not
form
ally
iden
tifie
d an
d do
cum
ente
d th
e ro
les
and
resp
onsi
bilit
ies
nece
ssar
y w
ithin
FE
MA
to p
rope
rly a
utho
rize
and
adm
inis
ter
VPN
ac
cess
to in
divi
dual
s us
ing
non-
DH
S eq
uipm
ent t
o ac
cess
the
FEM
A n
etw
ork.
�A
cces
s fo
r st
ate
emer
genc
y m
anag
emen
t age
ncie
s an
d FE
MA
con
tract
ors
to lo
ad th
e V
PN c
lient
ont
o st
ate
or c
ontra
ctor
ow
ned
equi
pmen
t to
conn
ect t
o
�Im
plem
ent
and
requ
ire t
wo-
fact
or a
uthe
ntic
atio
n fo
r al
l re
mot
e ac
cess
to
the
FEM
A n
etw
ork,
as
requ
ired
by D
HS
polic
y an
d FI
PS 1
40-2
. �
Rev
ise
and
impl
emen
t pol
icie
s an
d pr
oced
ures
for
do
cum
entin
g,
revi
ewin
g,
and
appr
ovin
g th
e se
curit
y co
ntro
ls
in
plac
e ov
er
non-
DH
S eq
uipm
ent
conn
ectin
g to
the
FEM
A n
etw
ork
via
VPN
ac
cess
. Sp
ecifi
cally
, cl
early
de
fine
and
docu
men
t a
form
aliz
ed
proc
ess
for
the
auth
oriz
atio
n, r
evie
w,
and
mai
nten
ance
of
VPN
ac
cess
agr
eem
ents
bet
wee
n FE
MA
and
ext
erna
l en
titie
s. A
dditi
onal
ly,
ensu
re
that
w
ithin
th
e po
licie
s an
d pr
oced
ures
, ap
prop
riate
ro
les
and
resp
onsi
bilit
ies
over
the
pro
cess
are
def
ined
to
incl
ude
auth
oriz
atio
ns
by
the
CIS
O/IS
SM
to
conn
ect t
o no
n-D
HS
equi
pmen
t. �
Ensu
re th
at a
gree
men
ts r
elat
ed to
VPN
acc
ess
are
revi
ewed
and
rec
ertif
ied
whe
n a
maj
or s
yste
m
chan
ge o
ccur
s or
eve
ry th
ree
year
s, in
acc
orda
nce
with
DH
S po
licy.
�
Form
ally
iden
tify
and
docu
men
t app
ropr
iate
rol
es
and
resp
onsi
bilit
ies
rela
ted
to
man
agem
ent
of
rem
ote
acce
ss t
o th
e FE
MA
net
wor
k, i
nclu
ding
iP
ass a
nd V
PN.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
00
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
the
FEM
A
LAN
is
ap
prov
ed
by
the
SOC
. H
owev
er, D
HS
polic
y re
quire
s th
at a
ny n
on-D
HS
equi
pmen
t con
nect
ing
to a
DH
S ne
twor
k m
ust b
e au
thor
ized
by
the
Com
pone
nt C
ISO
/ISSM
.
�FE
MA
’s V
PN R
ules
of B
ehav
ior
for
Use
rs B
ehin
d C
orpo
rate
Fir
ewal
ls,
date
d D
ecem
ber
5, 2
002,
re
quire
s an
Inte
r-A
genc
y V
PN A
gree
men
t bet
wee
n FE
MA
an
d ex
tern
al
orga
niza
tions
be
fore
pe
rmitt
ing
VPN
acc
ess
to t
he F
EMA
net
wor
k th
roug
h no
n-G
over
nmen
t iss
ued
equi
pmen
t suc
h as
co
ntra
ctor
or s
tate
age
ncy
wor
ksta
tions
. H
owev
er,
we
dete
rmin
ed th
at In
ter-
Age
ncy
VPN
Agr
eem
ents
ha
ve
not
been
do
cum
ente
d an
d th
at
this
re
quire
men
t is
in
cons
iste
nt
with
D
HS
polic
y,
whi
ch r
equi
res
ISA
s or
(M
OU
s/M
OA
s pr
ior
to
esta
blis
hing
a V
PN c
onne
ctio
n fr
om e
quip
men
t op
erat
ing
on a
n ex
tern
al n
etw
ork.
�FE
MA
’s
appr
oval
of
re
ques
ts
for
netw
ork
conn
ectio
ns to
ext
erna
l org
aniz
atio
ns th
roug
h V
PN
acce
ss fo
r rem
ote
user
s is b
ased
on
secu
rity
cont
rol
info
rmat
ion
subm
itted
by
the
exte
rnal
ent
ities
via
si
te s
urve
ys.
Bas
ed u
pon
our
revi
ew o
f ex
istin
g si
te s
urve
ys a
nd th
e si
te s
urve
y pr
oces
s, w
e no
ted
that
:
�Th
e si
te s
urve
ys d
o no
t co
ntai
n th
e le
vel
of
tech
nica
l gr
anul
arity
des
crib
ing
the
exte
rnal
ne
twor
k se
curit
y co
ntro
ls
requ
ired
to
appr
opria
tely
ap
prov
e a
conn
ectio
n to
th
e FE
MA
LA
N,
and
the
FEM
A S
OC
doe
s no
t in
depe
nden
tly
verif
y th
e ac
cura
cy
of
info
rmat
ion
in t
he s
ite s
urve
ys s
ubm
itted
by
exte
rnal
en
titie
s pr
ior
to
appr
ovin
g th
e co
nnec
tion
and
subs
eque
ntly
gra
ntin
g V
PN
acce
ss to
use
rs.
�D
ocum
ent a
nd im
plem
ent p
olic
ies
and
proc
edur
es
to e
nsur
e th
at fo
rmal
ized
ISA
s, M
OU
s, or
MO
As,
delin
eatin
g se
curit
y re
spon
sibi
litie
s by
FEM
A a
nd
exte
rnal
org
aniz
atio
ns w
hen
conn
ectin
g th
roug
h no
n-D
HS
equi
pmen
t to
the
FEM
A n
etw
ork
via
VPN
acc
ess
are
used
. S
uch
agre
emen
ts s
houl
d in
clud
e ev
iden
ce
of
valid
atio
n by
FE
MA
m
anag
emen
t th
at s
ecur
ity c
ontro
ls i
n pl
ace
on
exte
rnal
ent
ity n
etw
orks
are
app
ropr
iate
and
satis
fy
requ
irem
ents
for
min
imum
sec
urity
con
trols
on
DH
S an
d FE
MA
sys
tem
s pr
ior
to c
onne
ctio
n in
ac
cord
ance
with
DH
S po
licy.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
01
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
�D
HS
guid
ance
indi
cate
s th
at a
sin
gle
ISA
may
be
use
d fo
r mul
tiple
con
nect
ions
pro
vide
d th
at
the
secu
rity
accr
edita
tion
is t
he s
ame
for
all
conn
ectio
ns c
over
ed b
y th
at I
SA.
How
ever
, w
e de
term
ined
tha
t th
e se
curit
y ac
cred
itatio
n of
th
e co
nnec
ting
netw
orks
is
no
t be
ing
eval
uate
d by
th
e FE
MA
SO
C
durin
g th
e re
view
of
site
sur
veys
to
ensu
re t
he s
ecur
ity
requ
irem
ents
are
app
ropr
iate
ly im
plem
ente
d.
FEM
A-
IT-1
0-51
In
FY
2009
, w
e id
entif
ied
wea
knes
ses
over
co
nfig
urat
ion
man
agem
ent
cont
rols
rel
ated
to
NEM
IS
prog
ram
lib
rarie
s an
d di
rect
orie
s w
ithin
th
e TD
L en
viro
nmen
t. D
urin
g th
e FY
201
0 in
tegr
ated
aud
it, w
e de
term
ined
tha
t th
e fo
llow
ing
wea
knes
ses
cont
inue
to
exis
t:
�C
ontro
ls
to
segr
egat
e ac
cess
w
ithin
th
e TD
L en
viro
nmen
t ha
ve
not
been
ap
prop
riate
ly
impl
emen
ted.
Spe
cific
ally
, IT
Syst
ems
Inte
grat
ion
pers
onne
l do
no
t gr
ant
sepa
rate
pr
ivile
ges
to
deve
lopm
ent c
ode,
whi
ch is
mov
ed to
TD
L by
the
syst
ems d
evel
oper
, and
pre
-pro
duct
ion
code
, whi
ch
has
com
plet
ed U
ser
Acc
epta
nce
Test
ing
(UA
T)
and
is
pend
ing
depl
oym
ent
to
the
NEM
IS
prod
uctio
n en
viro
nmen
t. A
s a
resu
lt, d
evel
oper
s ha
ve re
ad, w
rite
and
exec
ute
priv
ilege
s to
all
code
in
the
TDL
envi
ronm
ent.
�C
ode
appr
oved
for
im
plem
enta
tion
is n
ot l
ocke
d do
wn
with
in
the
TDL
envi
ronm
ent
prio
r to
de
ploy
men
t to
prod
uctio
n.
Add
ition
ally
, whi
le a
n ad
-hoc
rev
iew
is p
erfo
rmed
ove
r th
e di
rect
orie
s to
m
onito
r th
e m
odifi
catio
n da
tes
on t
he p
rodu
ctio
n co
de d
irect
orie
s, th
is p
roce
ss i
s no
t pe
rfor
med
co
nsis
tent
ly o
r do
cum
ente
d to
miti
gate
the
ris
k as
soci
ated
w
ith
not
rest
rictin
g ac
cess
to
th
e
�D
ocum
ent a
nd im
plem
ent f
orm
aliz
ed p
olic
ies
and
proc
edur
es fo
r res
trict
ing
and
mon
itorin
g ac
cess
to
the
NEM
IS T
DL
dire
ctor
ies
to e
nsur
e th
at t
he
prin
cipl
es o
f le
ast
priv
ilege
and
seg
rega
tion
of
dutie
s ar
e en
forc
ed,
in
acco
rdan
ce
with
D
HS
guid
ance
. Th
e pr
oces
s sh
ould
in
clud
e re
quire
men
ts
over
pe
riodi
c m
onito
ring
and
docu
men
ted
revi
ews
of N
EMIS
TD
L di
rect
orie
s to
ve
rify
that
no
chan
ges
have
occ
urre
d af
ter
the
appr
oval
of N
EMIS
syst
em c
hang
es.
�Im
plem
ent
tech
nica
l co
ntro
ls w
ithin
the
NEM
IS
TDL
envi
ronm
ent
to l
imit
deve
lope
rs’
acce
ss t
o pr
e-pr
oduc
tion
dire
ctor
ies
cont
aini
ng
“loc
ked”
ap
plic
atio
n co
de
chan
ges
to
“rea
d on
ly”.
If
busi
ness
nee
ds r
equi
re t
hat
the
segr
egat
ion
of
dutie
s can
not b
e im
med
iate
ly im
plem
ente
d, F
EMA
sh
ould
do
cum
ent
and
impl
emen
t po
licie
s an
d pr
oced
ures
to
com
pens
ate
for
the
risk
asso
ciat
ed
with
the
segr
egat
ion
of d
utie
s w
eakn
ess
note
d, in
ac
cord
ance
with
DH
S gu
idan
ce.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
02
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
appr
oved
cod
e.
FEM
A-
IT-1
0-52
Con
ditio
ns n
oted
in
FY 2
009
rela
ted
to w
eakn
esse
s ov
er v
ulne
rabi
lity
asse
ssm
ents
for t
he W
indo
ws
serv
er
envi
ronm
ent
with
in t
he N
FIP
LAN
sup
porti
ng t
he
Trav
erse
app
licat
ion
cont
inue
to
exis
t in
FY
201
0.
Spec
ifica
lly:
�W
hile
pro
cedu
res
have
bee
n de
velo
ped,
the
NFI
P co
ntra
ctor
has
not
ful
ly i
mpl
emen
ted
the
proc
ess
for
cond
uctin
g in
tern
al
vuln
erab
ility
sc
ans
for
info
rmat
ion
syst
ems
and
for
asse
ssin
g, r
epor
ting,
an
d co
rrec
ting
iden
tifie
d w
eakn
esse
s th
roug
h th
e PO
A&
M P
roce
ss i
n ac
cord
ance
with
FEM
A a
nd
DH
S gu
idan
ce.
�FE
MA
doe
s no
t ha
ve d
ocum
ente
d an
d ap
prov
ed
proc
edur
es
that
es
tabl
ish
form
al
requ
irem
ents
, pr
oces
ses,
and
resp
onsi
bilit
ies
for
cond
uctin
g m
onito
ring
and
over
sigh
t of
reg
ular
vul
nera
bilit
y sc
ans
perf
orm
ed
over
th
e N
FIP
LAN
w
hich
su
ppor
ts
Trav
erse
to
m
eet
DH
S vu
lner
abili
ty
asse
ssm
ent r
equi
rem
ents
.
�Fu
rther
mor
e, w
hile
ad
hoc
scan
s w
ere
perf
orm
ed
in p
revi
ous
year
s by
the
con
tract
or,
evid
ence
of
perio
dic
NFI
P ne
twor
k sc
anni
ng c
ondu
cted
in F
Y
2010
cou
ld n
ot b
e ob
tain
ed.
Add
ition
ally
, w
e in
quire
d w
ith F
EMA
and
det
erm
ined
tha
t sc
ans
over
th
e N
FIP
LAN
su
ppor
ting
the
Trav
erse
ap
plic
atio
n w
ere
not
perf
orm
ed b
y th
e FE
MA
SO
C.
�D
ocum
ent
and
impl
emen
t fo
rmal
po
licie
s an
d pr
oced
ures
th
at
outli
ne
the
proc
esse
s an
d re
quire
men
ts f
or p
erfo
rmin
g in
tern
al v
ulne
rabi
lity
scan
s ov
er a
ll N
FIP
info
rmat
ion
syst
ems
as w
ell a
s th
e pr
oces
s fo
r ass
essi
ng, r
epor
ting,
and
cor
rect
ing
wea
knes
ses
iden
tifie
d du
ring
scan
s as
req
uire
d by
FE
MA
and
DH
S po
licy.
�
Ensu
re
that
po
licie
s an
d pr
oced
ures
fo
rmal
ly
desi
gnat
e re
spon
sibi
litie
s of
FE
MA
O
CIO
an
d N
FIP
IT
secu
rity
man
agem
ent
for
the
impl
emen
tatio
n, m
onito
ring,
and
ove
rsig
ht o
f th
e vu
lner
abili
ty s
cann
ing
proc
ess,
so th
at th
e sc
ope
of
vuln
erab
ility
sca
ns c
ondu
cted
inc
lude
all
NFI
P w
orks
tatio
ns a
nd s
erve
rs a
nd in
clud
e re
quire
men
ts
for
form
ally
tra
ckin
g an
d m
onito
ring
the
rem
edia
tion
of v
ulne
rabi
litie
s id
entif
ied
durin
g th
e in
tern
al
scan
s of
th
e N
FIP
LAN
th
roug
h th
e PO
A&
M p
roce
ss, i
n ac
cord
ance
with
DH
S po
licy.
X
2
FEM
A-
IT-1
0-53
Dur
ing
our
FY 2
010
inte
grat
ed a
udit
test
wor
k, w
e no
ted
that
NFI
P ha
s no
t est
ablis
hed
or im
plem
ente
d an
ef
fect
ive
proc
ess
to p
erio
dica
lly r
ecer
tify
user
acc
ess,
incl
udin
g se
rvic
e ac
coun
ts,
on t
he T
RR
P m
ainf
ram
e.
Cur
rent
ly,
NFI
P re
quire
s us
ers
to
sign
se
curit
y
�C
ompl
ete
the
revi
sion
, do
cum
enta
tion,
and
ful
l im
plem
enta
tion
of T
RR
P ac
cess
con
trol
polic
ies
and
proc
edur
es,
and
ensu
re t
hat
they
inc
lude
a
form
aliz
ed p
roce
ss f
or t
he r
ecer
tific
atio
n of
all
acco
unts
on
th
e m
ainf
ram
e,
incl
udin
g se
rvic
e
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
03
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
awar
enes
s an
d tra
inin
g ce
rtific
atio
ns o
n an
ann
ual
basi
s. H
owev
er,
no r
evie
w o
f us
ers’
acc
ess
and
priv
ilege
s is
con
duct
ed b
y m
anag
emen
t on
a p
erio
dic
basi
s to
ens
ure
syst
em a
cces
s re
mai
ns a
ppro
pria
te a
nd
com
men
sura
te w
ith j
ob r
espo
nsib
ilitie
s in
acc
orda
nce
with
DH
S gu
idan
ce.
Add
ition
ally
, we
note
d th
roug
h in
spec
tion
of th
e TR
RP
acce
ss p
roce
dure
s th
at n
o pr
oces
s ha
s be
en e
stab
lishe
d to
for
mal
ly d
ocum
ent
both
the
app
rova
l an
d bu
sine
ss
need
for s
ervi
ce a
ccou
nts.
acco
unts
, on
an
annu
al b
asis
to
dete
rmin
e th
at
acce
ss re
mai
ns a
ppro
pria
te a
nd c
omm
ensu
rate
with
jo
b re
spon
sibi
litie
s in
ac
cord
ance
w
ith
DH
S po
licy.
�
Doc
umen
t and
impl
emen
t pol
icie
s an
d pr
oced
ures
ov
er th
e cr
eatio
n of
ser
vice
acc
ount
s to
ens
ure
that
th
ey a
re a
ppro
pria
tely
aut
horiz
ed a
nd t
hat
a cl
ear
busi
ness
ne
ed
is
esta
blis
hed
and
docu
men
ted
just
ifyin
g th
e cr
eatio
n an
d us
e of
the
se t
ypes
of
acco
unts
in a
ccor
danc
e w
ith D
HS
polic
y.
FEM
A-
IT-1
0-54
Dur
ing
the
FY 2
010
inte
grat
ed a
udit,
we
dete
rmin
ed
that
wea
knes
ses
exis
ted
in th
e im
plem
enta
tion
of D
HS
SELC
req
uire
men
ts o
ver
the
IFM
IS-M
erge
r Pr
ojec
t. Sp
ecifi
cally
, th
roug
hout
the
life
cycl
e of
the
pro
ject
, FE
MA
man
agem
ent
did
not
adeq
uate
ly d
efin
e an
d im
plem
ent
requ
ired
elem
ents
of
th
e D
HS
SELC
pr
oces
s, in
clud
ing:
�A
det
aile
d an
d co
mpr
ehen
sive
Pro
ject
Tai
lorin
g Pl
an t
o de
fine
requ
ired
stag
es, a
ctiv
ities
, arti
fact
s an
d ex
it cr
iteria
for
the
pro
ject
per
DH
S SE
LC
guid
ance
was
not
dev
elop
ed a
nd a
ppro
ved
by
FEM
A m
anag
emen
t.
�A
ppro
vals
fo
r pr
ojec
t cr
itica
l do
cum
enta
tion
dem
onst
ratin
g th
at
all
requ
ired
stak
ehol
ders
re
view
ed
and
appr
oved
th
e re
sults
be
fore
ad
vanc
ing
to s
ubse
quen
t SEL
C s
tage
s co
uld
not b
e pr
ovid
ed.
�FE
MA
cou
ld n
ot p
rovi
de a
Dat
a M
igra
tion
Plan
an
d Te
st S
trate
gy to
dem
onst
rate
that
crit
ical
DH
S SE
LC
requ
irem
ents
w
ere
docu
men
ted
and
appr
oved
pr
ior
to
impl
emen
tatio
n of
th
e da
ta
mig
ratio
n.
We
reco
mm
end
that
FEM
A m
anag
emen
t con
duct
and
do
cum
ent
a le
sson
s le
arne
d re
port
rela
ted
to
the
IFM
IS-M
erge
r pr
ojec
t pe
r D
HS
SELC
gui
danc
e.
By
cond
uctin
g su
ch a
n ac
tivity
, FEM
A m
anag
emen
t w
ill
be a
ble
to m
aint
ain
a re
cord
of l
esso
ns le
arne
d in
ord
er
to
incr
ease
th
e pr
obab
ility
of
su
cces
s fo
r fu
ture
ac
quis
ition
s th
roug
h th
e im
prov
emen
t of
pro
cess
es,
tool
s, an
d ot
her p
roje
ct re
late
d en
titie
s.
Add
ition
ally
, w
e de
term
ined
th
at
the
root
ca
use
asso
ciat
ed w
ith t
he w
eakn
esse
s no
ted
over
the
SEL
C
proc
ess
is r
elat
ed t
o th
e en
tity
leve
l co
ntro
l is
sue
iden
tifie
d in
FE
MA
-IT-
10-4
7,
FEM
A
Man
agem
ent
Nee
ds
to
Impr
ove
Plan
ning
, M
anag
emen
t, an
d C
omm
unic
atio
n R
elat
ed
to
Fina
ncia
l Sy
stem
s D
evel
opm
ent
and
Acq
uisi
tion
Proj
ects
. W
hile
the
IF
MIS
-Mer
ger
proj
ect
has
been
com
plet
ed, c
orre
ctiv
e ac
tion
over
the
est
ablis
hmen
t of
a p
roce
ss t
o pr
ovid
e ov
ersi
ght
to
the
impl
emen
tatio
n of
th
e SE
LC
met
hodo
logy
mus
t be
com
plet
ed.
Ple
ase
see
NFR
FE
MA
-IT-
10-4
7 fo
r re
com
men
datio
ns r
elat
ed t
o th
e es
tabl
ishm
ent o
f thi
s pro
cess
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
04
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
�Sy
stem
sec
urity
req
uire
men
ts a
nd m
ilest
ones
wer
e no
t do
cum
ente
d an
d in
tegr
ated
int
o ke
y pr
ojec
t do
cum
enta
tion,
suc
h as
Bus
ines
s R
equi
rem
ents
do
cum
ents
, pro
ject
sche
dule
s, Pr
ojec
t Man
agem
ent
Plan
s, an
d R
isk
Man
agem
ent P
lans
.
�Pr
ojec
t do
cum
enta
tion
incl
udin
g th
e Pr
ojec
t M
anag
emen
t Pla
n, th
e R
isk
Man
agem
ent P
lan,
and
B
usin
ess
Req
uire
men
ts
docu
men
ts
wer
e no
t up
date
d an
d re
vise
d th
roug
hout
th
e pr
ojec
t du
ratio
n as
requ
ired
by th
e D
HS
SELC
.
�K
ey in
form
atio
n su
ch a
s ro
les
and
resp
onsi
bilit
ies
of
all
stak
ehol
ders
, gu
idel
ines
fo
r de
velo
ping
bu
sine
ss
requ
irem
ents
do
cum
enta
tion,
re
quire
men
ts
for
stag
e re
view
s, an
d ke
y ex
it cr
iteria
bef
ore
mov
ing
to t
he n
ext
stag
e of
the
pr
ojec
t w
ere
not
inte
grat
ed
into
th
e pr
ojec
t sc
hedu
le, P
roje
ct P
lan,
and
Com
mun
icat
ions
Pla
n.
�FE
MA
m
anag
emen
t di
d no
t pr
ovid
e ad
equa
te
over
sigh
t of
th
e co
ntra
ctor
s im
plem
entin
g th
e IF
MIS
-Mer
ger
Proj
ect.
Spec
ifica
lly,
docu
men
ted
evid
ence
sup
porti
ng t
he a
ppro
val,
valid
atio
n, a
nd
rete
ntio
n of
req
uire
d ar
tifac
ts a
ssoc
iate
d w
ith t
he
data
mig
ratio
n an
d ot
her
key
proj
ect m
anag
emen
t do
cum
ents
cou
ld n
ot b
e pr
ovid
ed b
y FE
MA
or
wer
e in
suff
icie
nt b
ased
on
DH
S re
quire
men
ts.
FEM
A-
IT-1
0-55
Dur
ing
our
FY 2
010
inte
grat
ed a
udit
test
wor
k, w
e no
ted
the
follo
win
g w
eakn
esse
s re
late
d to
th
e m
anag
emen
t an
d m
onito
ring
of u
ser
acco
unts
and
ac
tivity
on
the
NFI
P LA
N su
ppor
ting
Trav
erse
:
�N
FIP
has
not e
stab
lishe
d or
impl
emen
ted
a fo
rmal
pr
oces
s to
per
iodi
cally
rec
ertif
y al
l ac
coun
ts w
ith
acce
ss t
o th
e N
FIP
LAN
sup
porti
ng T
rave
rse,
as
�C
ompl
ete
the
revi
sion
, do
cum
enta
tion,
and
ful
l im
plem
enta
tion
of a
cces
s co
ntro
l po
licie
s an
d th
e N
FIP
LAN
sy
stem
ac
coun
t m
anag
emen
t pr
oced
ures
to a
lign
with
DH
S re
quire
men
ts su
ch a
s re
certi
ficat
ion
of a
ccou
nts
and
audi
t lo
g re
view
s. Sp
ecifi
cally
, ens
ure
that
they
incl
ude
a fo
rmal
ized
pr
oces
s for
the
rece
rtific
atio
n of
all
acco
unts
on
the
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
05
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
requ
ired
by D
HS
and
FEM
A p
olic
y. S
peci
fical
ly,
six
syst
em a
nd/o
r se
rvic
e ac
coun
ts o
n th
e FE
MA
LA
N
rem
aine
d ac
tive
abse
nt
an
acce
ptab
le
docu
men
ted
busi
ness
nee
d an
d ju
stifi
catio
n.
We
wer
e in
form
ed b
y N
FIP
man
agem
ent
that
the
se
acco
unts
wer
e no
lon
ger
need
ed,
and
they
wer
e re
mov
ed fr
om th
e sy
stem
dur
ing
test
wor
k.
�A
udit
logs
gen
erat
ed a
nd r
evie
wed
on
the
NFI
P LA
N d
o no
t in
clud
e ch
ange
s to
use
r ac
coun
t pr
ivile
ges a
s req
uire
d by
DH
S an
d FE
MA
pol
icy.
�A
udit
logs
for
the
NFI
P LA
N a
re n
ot r
etai
ned
for
at le
ast 9
0 da
ys, i
n ac
cord
ance
with
DH
S po
licy.
NFI
P LA
N,
incl
udin
g se
rvic
e ac
coun
ts,
on a
n an
nual
ba
sis
to
dete
rmin
e if
acce
ss
rem
ains
ap
prop
riate
an
d co
mm
ensu
rate
w
ith
job
resp
onsi
bilit
ies i
n ac
cord
ance
with
DH
S po
licy.
�
Doc
umen
t and
impl
emen
t pol
icie
s an
d pr
oced
ures
ov
er th
e cr
eatio
n of
ser
vice
acc
ount
s to
ens
ure
that
th
ey a
re a
ppro
pria
tely
aut
horiz
ed a
nd t
hat
a cl
ear
busi
ness
ne
ed
is
esta
blis
hed
and
docu
men
ted
just
ifyin
g th
e cr
eatio
n an
d us
e of
the
se t
ypes
of
acco
unts
in a
ccor
danc
e w
ith D
HS
polic
y.
�C
onfig
ure
the
NFI
P LA
N a
udit
logs
to
incl
ude
chan
ges
to u
ser
acco
unt p
rivile
ges
and
ensu
re th
at
stor
age
capa
city
se
tting
s of
au
dit
logs
ar
e co
nfig
ured
to r
etai
n th
e lo
gs fo
r 90
day
s on
line
as
requ
ired
by D
HS
and
FEM
A p
olic
y.
FEM
A-
IT-1
0-56
Dur
ing
our
FY 2
010
inte
grat
ed a
udit,
we
note
d th
e fo
llow
ing
wea
knes
ses
rela
ted
to th
e m
onito
ring
of u
ser
acco
unts
and
act
ivity
on
the
TRR
P m
ainf
ram
e:
�Se
greg
atio
n of
dut
ies
is n
ot p
rope
rly im
plem
ente
d ov
er t
he r
evie
w a
nd m
aint
enan
ce o
f TR
RP
audi
t lo
gs.
Spec
ifica
lly, t
he T
RR
P sy
stem
adm
inis
trato
r is
res
pons
ible
for
rev
iew
ing
TRR
P au
dit l
ogs,
and
a se
cond
inde
pend
ent r
evie
wer
is n
ot re
quire
d.
�A
udit
logs
gen
erat
ed a
nd r
evie
wed
on
the
TRR
P m
ainf
ram
e do
not
incl
ude
chan
ges
to u
ser a
ccou
nt
priv
ilege
s as r
equi
red
by D
HS
and
FEM
A p
olic
y.
�D
evel
op
and
impl
emen
t TR
RP
audi
t lo
ggin
g po
licie
s an
d pr
oced
ures
tha
t in
clud
e re
quire
men
ts
for a
udit
log
conf
igur
atio
ns a
nd th
e re
view
of l
ogs
by I
T se
curit
y m
anag
emen
t in
depe
nden
t of
the
sy
stem
adm
inis
tratio
n te
am i
n ac
cord
ance
with
D
HS
polic
y.
�C
onfig
ure
the
TRR
P au
dit l
ogs
to in
clud
e ch
ange
s to
use
r acc
ount
priv
ilege
s as
requ
ired
by D
HS
and
FEM
A p
olic
y.
X
2
FEM
A-
IT-1
0-57
Dur
ing
our
FY 2
010
inte
grat
ed a
udit
test
wor
k, w
e no
ted
that
NFI
P ha
s no
t est
ablis
hed
or im
plem
ente
d a
form
al p
roce
ss t
o au
thor
ize
or p
erio
dica
lly r
evie
w
rem
ote
acce
ss
to
the
LAN
ho
stin
g th
e TR
RP
mai
nfra
me
envi
ronm
ent
in a
ccor
danc
e w
ith D
HS
and
NIS
T gu
idan
ce.
�D
evel
op,
docu
men
t, an
d fu
lly i
mpl
emen
t po
licie
s an
d pr
oced
ures
ove
r do
cum
entin
g, r
evie
win
g, a
nd
appr
ovin
g re
mot
e ac
cess
to th
e N
FIP
LAN
hos
ting
the
TRR
P m
ainf
ram
e en
viro
nmen
t in
acc
orda
nce
with
FEM
A a
nd D
HS
requ
irem
ents
. �
Dev
elop
, do
cum
ent,
and
fully
im
plem
ent
polic
ies
and
proc
edur
es
to
perf
orm
a
perio
dic
rece
rtific
atio
n of
all
rem
ote
user
acc
ess
and
reta
in
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
06
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
audi
tabl
e re
cord
s as
evi
denc
e th
at r
ecer
tific
atio
ns
are
cond
ucte
d an
d co
mpl
eted
in
acco
rdan
ce w
ith
DH
S an
d FE
MA
pol
icy.
FE
MA
-IT
-10-
58
Whi
le
impr
ovem
ents
w
ere
note
d ov
er
the
docu
men
tatio
n of
Tr
aver
se
chan
ge
man
agem
ent
proc
edur
es d
urin
g th
e FY
201
0 in
tegr
ated
aud
it te
st
wor
k, w
e de
term
ined
that
cer
tain
wea
knes
ses
iden
tifie
d in
FY
20
09
cont
inue
to
ex
ist
over
th
e Tr
aver
se
conf
igur
atio
n m
anag
emen
t pro
cess
in c
ompr
ehen
sive
ly
addr
essi
ng
FEM
A
and
DH
S ch
ange
m
anag
emen
t po
licy.
For
exa
mpl
e, w
e de
term
ined
that
:
�Es
tabl
ishe
d pr
oced
ures
do
not i
nclu
de g
uida
nce
for
initi
al a
ppro
vals
as w
e w
ere
info
rmed
that
Tra
vers
e cu
rren
tly d
oes
not
fall
unde
r re
view
of
the
NFI
P C
hang
e C
ontro
l Boa
rd (C
CB
).
�R
equi
rem
ents
fo
r m
anag
ing
the
chan
ge
man
agem
ent
prog
ram
hav
e no
t be
en a
dequ
atel
y es
tabl
ishe
d an
d im
plem
ente
d to
ens
ure
that
NFI
P C
CB
and
/or
TRC
app
rova
ls a
re g
rant
ed p
rior
to
impl
emen
ting
chan
ges
into
th
e Tr
aver
se
prod
uctio
n en
viro
nmen
t, as
requ
ired
by F
EMA
and
D
HS
polic
y.
�A
dequ
ate
over
sigh
t and
invo
lvem
ent f
rom
FEM
A
man
agem
ent
is
not
inte
grat
ed
into
th
e co
nfig
urat
ion
man
agem
ent
requ
irem
ents
. Sp
ecifi
cally
, FE
MA
is
not
invo
lved
in
test
ing
and/
or re
view
ing
test
ing
and
appr
ovin
g ch
ange
s to
Tr
aver
se p
rior t
o im
plem
enta
tion.
�Tr
aver
se c
hang
es a
re n
ot re
quire
d to
be
test
ed p
rior
to im
plem
entin
g th
e ch
ange
into
pro
duct
ion
as n
o te
stin
g en
viro
nmen
t exi
sts.
�Li
mite
d te
stin
g re
quire
men
ts
exis
t to
gu
ide
pers
onne
l in
the
dev
elop
men
t of
tes
t pl
ans
and
�En
sure
the
NFI
P co
ntra
ctor
con
tinue
s to
ded
icat
e re
sour
ces
to e
stab
lish
and
impl
emen
t do
cum
ente
d po
licie
s an
d pr
oced
ures
ove
r th
e Tr
aver
se c
hang
e m
anag
emen
t pr
oces
s fo
r no
n-em
erge
ncy
and
emer
genc
y ch
ange
s w
hich
are
in
line
with
DH
S co
nfig
urat
ion
man
agem
ent
requ
irem
ents
. Pa
rticu
lar e
mph
asis
mus
t be
plac
ed o
n ap
prov
al b
y th
e N
FIP
CC
B
and/
or
TRC
, in
itial
ch
ange
ap
prov
als,
test
ing
and
test
ing
requ
irem
ents
, fin
al
appr
oval
s, an
d re
tent
ion
of
requ
ired
chan
ge
man
agem
ent
artif
acts
to
tra
ck
all
chan
ges
thro
ugho
ut t
heir
lifec
ycle
. Th
ese
phas
es s
houl
d al
so
incl
ude
an
inte
grat
ed
proc
ess
to
addr
ess
syst
em
chan
ge
requ
irem
ents
an
d st
akeh
olde
r ch
ange
req
uire
men
ts t
o en
sure
ade
quat
e te
stin
g an
d ap
prov
als
are
com
plet
ed b
y th
e ap
prop
riate
pa
rties
. �
Esta
blis
h an
d im
plem
ent
a fo
rmal
pr
oces
s to
co
nduc
t us
er
acce
ptan
ce
test
ing
in
a te
st
envi
ronm
ent
prio
r to
im
plem
enta
tion
in
prod
uctio
n.
�A
lloca
te q
ualif
ied
NFI
P m
anag
emen
t and
OC
IO IT
se
curit
y re
sour
ces
to p
rovi
de a
dequ
ate
over
sigh
t fo
r th
e co
nfig
urat
ion
man
agem
ent
proc
ess.
Ove
rsig
ht
activ
ities
sh
ould
en
com
pass
re
quire
men
ts
such
as
a
NFI
P Pr
ogra
m
Con
figur
atio
n M
anag
emen
t B
oard
res
pons
ible
for
m
anag
ing
and
parti
cipa
ting
in
the
NFI
P C
CB
an
d/or
TR
C to
ens
ure
that
all
requ
ired
elem
ents
in
the
conf
igur
atio
n m
anag
emen
t pr
oces
s ar
e fo
rmal
ly d
efin
ed a
nd i
mpl
emen
ted
in a
ccor
danc
e w
ith D
HS
and
FEM
A g
uida
nce.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
07
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
guid
ance
ove
r the
test
ing
that
sho
uld
be p
erfo
rmed
an
d do
cum
ente
d.
Add
ition
ally
, ro
les
and
resp
onsi
bilit
ies
over
test
pla
n pr
oced
ures
to e
nsur
e th
at
plan
s ar
e su
ffic
ient
, do
cum
ent
expe
cted
ou
tcom
es, a
nd a
re r
evie
wed
and
app
rove
d pr
ior
to
deve
lopm
ent,
are
not d
ocum
ente
d.
�R
equi
rem
ents
fo
r Tr
aver
se
emer
genc
y ch
ange
s ha
ve n
ot b
een
form
ally
def
ined
.
�D
edic
ate
the
reso
urce
s to
fully
revi
ew a
nd fi
naliz
e ap
prov
al o
f al
l N
FIP
cont
ract
or’s
con
figur
atio
n m
anag
emen
t pol
icie
s an
d pr
oced
ures
to e
nsur
e th
e re
vise
d pr
oced
ures
ar
e co
mpl
iant
w
ith
DH
S re
quire
men
ts.
FEM
A-
IT-1
0-59
Whi
le
impr
ovem
ents
w
ere
note
d ov
er
the
docu
men
tatio
n of
TR
RP
chan
ge
man
agem
ent
proc
edur
es
durin
g th
e FY
20
10
inte
grat
ed
audi
t te
stw
ork,
w
e de
term
ined
th
at
certa
in
wea
knes
ses
iden
tifie
d in
FY
200
9 co
ntin
ue to
exi
st o
ver t
he T
RR
P co
nfig
urat
ion
man
agem
ent p
roce
ss in
com
preh
ensi
vely
ad
dres
sing
FE
MA
an
d D
HS
chan
ge
man
agem
ent
polic
y. F
or e
xam
ple,
we
dete
rmin
ed th
at:
�R
equi
rem
ents
fo
r m
anag
ing
the
chan
ge
man
agem
ent
prog
ram
hav
e no
t be
en a
dequ
atel
y es
tabl
ishe
d an
d im
plem
ente
d to
ens
ure
that
CC
B
and/
or
TRC
ap
prov
als
are
gran
ted
prio
r to
im
plem
entin
g ch
ange
s in
to t
he T
RR
P pr
oduc
tion
envi
ronm
ent,
as r
equi
red
by F
EMA
and
DH
S po
licy.
Spe
cific
ally
:
�W
hile
a C
CB
has
bee
n es
tabl
ishe
d by
NFI
P m
anag
emen
t, ad
equa
te
over
sigh
t an
d in
volv
emen
t fro
m F
EMA
man
agem
ent h
as n
ot
been
in
tegr
ated
in
to
the
conf
igur
atio
n m
anag
emen
t re
quire
men
ts
incl
udin
g m
anda
tory
FEM
A p
artic
ipat
ion
in t
he C
CB
an
d C
CB
app
rova
l of c
hang
es a
fter t
estin
g ha
s oc
curr
ed.
�FE
MA
man
agem
ent,
incl
udin
g IT
sec
urity
and
fin
anci
al p
erso
nnel
, are
not
invo
lved
in te
stin
g
�En
sure
the
NFI
P co
ntra
ctor
con
tinue
s to
ded
icat
e re
sour
ces
to e
stab
lish
and
impl
emen
t do
cum
ente
d po
licie
s an
d pr
oced
ures
ove
r th
e TR
RP
chan
ge
man
agem
ent
proc
ess
for
non-
emer
genc
y an
d em
erge
ncy
chan
ges
whi
ch a
re i
n lin
e w
ith D
HS
conf
igur
atio
n m
anag
emen
t re
quire
men
ts.
Parti
cula
r em
phas
is
mus
t be
pl
aced
on
in
itial
ch
ange
app
rova
ls, t
estin
g an
d te
stin
g re
quire
men
ts,
final
app
rova
ls,
and
rete
ntio
n of
req
uire
d ch
ange
m
anag
emen
t ar
tifac
ts
to
track
al
l ch
ange
s th
roug
hout
the
ir lif
ecyc
le.
Thes
e ph
ases
sho
uld
also
in
clud
e an
in
tegr
ated
pr
oces
s to
ad
dres
s sy
stem
ch
ange
re
quire
men
ts
and
stak
ehol
der
chan
ge r
equi
rem
ents
to
ensu
re a
dequ
ate
test
ing
and
appr
oval
s ar
e co
mpl
eted
by
the
appr
opria
te
parti
es.
�A
lloca
te q
ualif
ied
NFI
P m
anag
emen
t and
OC
IO IT
se
curit
y re
sour
ces
to p
rovi
de a
dequ
ate
over
sigh
t fo
r th
e co
nfig
urat
ion
man
agem
ent
proc
ess.
Ove
rsig
ht
activ
ities
sh
ould
en
com
pass
re
quire
men
ts
such
as
a
NFI
P Pr
ogra
m
Con
figur
atio
n M
anag
emen
t B
oard
res
pons
ible
for
m
anag
ing
and
parti
cipa
ting
in
the
NFI
P C
CB
an
d/or
TR
C to
ens
ure
that
all
requ
ired
elem
ents
in
the
conf
igur
atio
n m
anag
emen
t pr
oces
s ar
e fo
rmal
ly d
efin
ed a
nd i
mpl
emen
ted
in a
ccor
danc
e w
ith D
HS
and
FEM
A g
uida
nce.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
08
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
and/
or
revi
ewin
g te
stin
g an
d ap
prov
ing
chan
ges t
o TR
RP
prio
r to
impl
emen
tatio
n.
�C
CB
rev
iew
s ar
e no
t co
nduc
ted
for
appr
oval
of
fin
al c
hang
es p
rior
to i
mpl
emen
tatio
n in
to
prod
uctio
n as
req
uire
d by
FEM
A a
nd D
HS
guid
ance
.
�Li
mite
d te
stin
g re
quire
men
ts
exis
t to
gu
ide
pers
onne
l in
the
dev
elop
men
t of
tes
t pl
ans
and
guid
ance
ov
er
the
test
ing,
in
clud
ing
user
ac
cept
ance
tes
ting,
tha
t sh
ould
be
perf
orm
ed a
nd
docu
men
ted
prio
r to
app
rova
l and
impl
emen
tatio
n in
to
prod
uctio
n.
Add
ition
ally
, ro
les
and
resp
onsi
bilit
ies
over
test
pla
n pr
oced
ures
to e
nsur
e th
at
plan
s ar
e su
ffic
ient
, do
cum
ent
expe
cted
ou
tcom
es, a
nd a
re r
evie
wed
and
app
rove
d pr
ior
to
deve
lopm
ent,
are
not d
ocum
ente
d.
�R
equi
rem
ents
for
TR
RP
emer
genc
y ch
ange
s ha
ve
not b
een
form
ally
def
ined
in w
ritin
g.
Furth
erm
ore,
we
perf
orm
ed t
estw
ork
over
ini
tial
and
final
app
rova
ls f
or a
sel
ectio
n of
25
TRR
P ch
ange
s m
ade
in F
Y 2
010
and
note
d th
e fo
llow
ing
exce
ptio
ns:
�D
ocum
enta
tion
for
3 of
the
25 c
hang
es c
ould
not
be
pro
vide
d
�17
of
22
ch
ange
s te
sted
di
d no
t ha
ve
initi
al
appr
oval
s do
cum
ente
d pr
ior
to
deve
lopi
ng
the
chan
ge
�9
of 2
2 ch
ange
s te
sted
cha
nges
did
not
hav
e al
l the
re
quire
d ap
prov
als p
rior t
o im
plem
enta
tion
�1
of 2
2 ch
ange
s te
sted
was
im
plem
ente
d pr
ior
to
�D
edic
ate
the
reso
urce
s to
fully
revi
ew a
nd fi
naliz
e ap
prov
al o
f al
l N
FIP
cont
ract
or’s
con
figur
atio
n m
anag
emen
t pol
icie
s an
d pr
oced
ures
to e
nsur
e th
e re
vise
d pr
oced
ures
ar
e co
mpl
iant
w
ith
DH
S re
quire
men
ts.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
09
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
chan
ge d
ocum
enta
tion
bein
g co
mpl
eted
FEM
A-
IT-1
0-60
Wea
knes
ses i
dent
ified
in F
Y 2
009
rela
ted
to c
ontro
ls to
re
stric
t ac
cess
an
d co
ntro
l m
ovem
ent
of
Trav
erse
pr
ogra
m l
ibra
ries
and
data
con
tinue
to
exis
t in
FY
20
10.
Spec
ifica
lly:
�Im
plem
enta
tion
proc
edur
es o
ver
Trav
erse
cha
nges
ha
ve n
ot b
een
esta
blis
hed,
and
cur
rent
pro
cess
es d
o no
t inc
orpo
rate
seg
rega
tion
of d
utie
s re
quire
men
ts.
Spec
ifica
lly,
NFI
P IT
co
ntra
ctor
s us
e th
eir
indi
vidu
ally
as
sign
ed
syst
em
adm
inis
trato
r ac
coun
ts t
o lo
gon
and
crea
te s
essi
ons
to a
llow
a
third
-par
ty d
evel
opm
ent v
endo
r to
inst
all T
rave
rse
syst
em c
hang
es.
�N
FIP
does
no
t ha
ve
a fo
rmal
pr
oces
s fo
r m
onito
ring
chan
ges
that
th
e ve
ndor
m
akes
in
Tr
aver
se w
hile
logg
ed in
as a
n ad
min
istra
tor.
�In
acc
orda
nce
with
pol
icy,
enf
orce
req
uire
men
ts
over
ind
ivid
ual
user
acc
ount
s by
not
allo
win
g ve
ndor
s to
a u
se a
sys
tem
adm
inis
trato
r’s
acco
unt
to a
cces
s th
e sy
stem
and
dep
loy
chan
ges
into
pr
oduc
tion.
�
Doc
umen
t and
impl
emen
t pol
icie
s an
d pr
oced
ures
to
lim
it Tr
aver
se d
evel
oper
and
app
licat
ion
supp
ort
vend
or a
cces
s to
the
NFI
P pr
oduc
tion
envi
ronm
ent
to “
read
onl
y” t
hrou
gh a
n as
sign
ed u
ser
acco
unt
and
segr
egat
e th
e re
spon
sibi
lity
for
depl
oyin
g ap
plic
atio
n co
de c
hang
es in
to p
rodu
ctio
n fr
om th
e de
velo
pmen
t/sup
port
vend
or
to
an
inde
pend
ent
cont
rol
grou
p.
Add
ition
ally
, pr
oced
ures
sho
uld
incl
ude
impl
emen
tatio
n pr
oces
s re
quire
men
ts f
or
cont
rolli
ng a
cces
s to
pro
duct
ion
dire
ctor
ies.
If
busi
ness
nee
ds r
equi
re t
hat
the
segr
egat
ion
of
dutie
s ca
nnot
be
imm
edia
tely
impl
emen
ted,
FEM
A
shou
ld
docu
men
t an
d im
plem
ent
polic
ies
and
proc
edur
es to
miti
gate
the
risk
asso
ciat
ed w
ith th
e se
greg
atio
n of
du
ties
wea
knes
s no
ted
in
acco
rdan
ce
with
D
HS
guid
ance
, in
clud
ing
a fo
rmal
ized
pr
oces
s fo
r pe
rfor
min
g an
d do
cum
entin
g re
view
s of
act
ivity
per
form
ed b
y th
ird-p
arty
ve
ndor
s w
ithin
th
e Tr
aver
se
envi
ronm
ent.
X
2
FEM
A-
IT-1
0-61
As
note
d du
ring
the
FY 2
009
audi
t, w
eakn
esse
s ov
er
cont
inge
ncy
plan
ning
for
bot
h th
e Tr
aver
se a
nd T
RR
P sy
stem
s con
tinue
to e
xist
in F
Y 2
010.
Spe
cific
ally
:
�W
hile
th
e N
FIP
Lega
cy
Syst
em
Serv
ices
(N
FIP/
LSS)
Con
tinge
ncy
Plan
, w
hich
per
tain
s to
th
e co
ntin
genc
y pl
anni
ng a
roun
d Tr
aver
se a
nd th
e N
FIP
LAN
, ha
s be
en u
pdat
ed f
or F
Y 2
010,
the
fo
llow
ing
elem
ents
are
not
in
com
plia
nce
with
�D
evel
op,
docu
men
t, an
d fu
lly i
mpl
emen
t an
IT
Con
tinge
ncy
Plan
for N
FIP
com
pone
nts,
incl
udin
g TR
RP
and
Trav
erse
. A
dditi
onal
ly,
ensu
re t
hat
cont
inge
ncy
plan
ning
do
cum
enta
tion
incl
udes
de
taile
d in
stru
ctio
ns fo
r res
torin
g op
erat
ing
syst
em
softw
are
and
criti
cal a
pplic
atio
ns in
the
even
t of
a di
sast
er,
cont
inge
ncy,
or
disr
uptio
n of
ser
vice
in
acco
rdan
ce
with
D
HS
and
NIS
T po
licy
requ
irem
ents
for
sys
tem
s ca
tego
rized
at
the
high
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
10
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
DH
S an
d N
IST
requ
irem
ents
:
�Th
e N
FIP/
LSS
IT C
ontin
genc
y Pl
an d
oes
not
docu
men
t de
taile
d in
stru
ctio
ns f
or r
esto
ring
oper
atin
g sy
stem
s an
d cr
itica
l ap
plic
atio
ns i
n th
e ev
ent
of
a di
sast
er,
cont
inge
ncy,
or
di
srup
tion
of se
rvic
e.
�Th
e N
FIP/
LSS
IT C
ontin
genc
y Pl
an d
oes
not
desi
gnat
e th
e cu
rren
t al
tern
ate
proc
essi
ng
faci
lity
for t
he o
pera
ting
envi
ronm
ent.
�Te
stin
g of
the
NFI
P/LS
S IT
Con
tinge
ncy
Plan
ha
s no
t be
en p
erfo
rmed
in
the
12 m
onth
s, as
re
quire
d by
DH
S po
licy.
�FE
MA
an
d N
FIP
man
agem
ent
have
no
t do
cum
ente
d or
app
rove
d a
curr
ent I
T C
ontin
genc
y Pl
an fo
r the
mai
nfra
me
envi
ronm
ent s
uppo
rting
the
TRR
P sy
stem
in a
ccor
danc
e w
ith F
EMA
and
DH
S re
quire
men
ts.
�C
ontin
genc
y te
stin
g ov
er
TRR
P w
as
not
suff
icie
ntly
con
duct
ed i
n ac
cord
ance
with
DH
S an
d N
IST
requ
irem
ents
. W
hile
a l
imite
d di
sast
er
reco
very
test
of t
he N
FIP
mai
nfra
me
envi
ronm
ent,
incl
udin
g TR
RP,
was
per
form
ed i
n O
ctob
er 2
009
to te
st r
esto
ratio
n of
dat
a, a
ll el
emen
ts r
equi
red
to
be t
este
d un
der
the
DH
S re
quire
men
ts f
or a
n IT
C
ontin
genc
y Pl
an w
ere
not
suff
icie
ntly
add
ress
ed
and
coul
d no
t be
used
to v
alid
ate
the
effe
ctiv
enes
s of
th
e or
gani
zatio
n’s
cont
inge
ncy
plan
ning
co
ntro
ls.
�Th
e N
FIP
cont
ract
or’s
Con
tinui
ty o
f O
pera
tion
Plan
(CO
OP)
for T
rave
rse
and
TRR
P co
uld
not b
e pr
ovid
ed fo
r aud
itor r
evie
w.
impa
ct a
vaila
bilit
y ob
ject
ive.
�
Con
duct
and
doc
umen
t an
nual
tes
ts o
f th
e TR
RP
and
Trav
erse
IT
Con
tinge
ncy
Plan
(s)
that
add
ress
al
l cr
itica
l ph
ases
of
th
e pl
an(s
), an
d up
date
co
ntin
genc
y pl
anni
ng d
ocum
enta
tion
with
les
sons
le
arne
d, a
s ne
cess
ary
and
in a
ccor
danc
e w
ith D
HS
and
NIS
T re
quire
men
ts.
�D
edic
ate
reso
urce
s to
est
ablis
h an
d im
plem
ent
an
alte
rnat
e pr
oces
sing
site
for
the
NFI
P sy
stem
s in
ac
cord
ance
with
DH
S po
licy
requ
irem
ents
. �
Unt
il an
alte
rnat
e pr
oces
sing
site
is
esta
blis
hed,
de
velo
p an
d su
bmit
an e
xcep
tion
for
appr
oval
in
acco
rdan
ce
with
D
HS
polic
y,
and
ensu
re
that
co
mpe
nsat
ing
cont
rols
ove
r the
lack
of a
n al
tern
ate
proc
essi
ng s
ite h
ave
been
im
plem
ente
d an
d ar
e ef
fect
ive,
and
doc
umen
tatio
n of
thei
r eff
ectiv
enes
s is
mai
ntai
ned
as a
udita
ble
reco
rds.
�D
ocum
ent,
impl
emen
t, an
d m
aint
ain
the
NFI
P C
OO
P to
ens
ure
requ
ired
elem
ents
for
Tra
vers
e an
d TR
RP
are
incl
uded
in
acco
rdan
ce w
ith D
HS
guid
ance
for h
igh
impa
ct sy
stem
s.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
11
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
FEM
A-
IT-1
0-62
Con
ditio
ns n
oted
in
FY 2
009
rela
ted
to w
eakn
esse
s ov
er t
he N
EMIS
con
figur
atio
n m
anag
emen
t pr
oces
s co
ntin
ue to
exi
st in
FY
201
0.
Bas
ed o
n ou
r te
stw
ork,
w
e co
nclu
ded
that
NEM
IS c
onfig
urat
ion
man
agem
ent
is n
ot a
dequ
atel
y an
d ce
ntra
lly c
ontro
lled,
doc
umen
ted,
or
man
aged
thr
ough
out
the
lifec
ycle
of
the
FEM
A
conf
igur
atio
n m
anag
emen
t pr
oces
s. S
peci
fical
ly,
we
iden
tifie
d th
e fo
llow
ing
wea
knes
ses:
�N
EMIS
co
nfig
urat
ion
man
agem
ent
polic
y an
d pr
oced
ures
whi
ch o
utlin
e FE
MA
’s r
espo
nsib
ilitie
s an
d pr
oces
ses
for
initi
atin
g, m
onito
ring,
tes
ting,
an
d ap
prov
ing
NEM
IS
non-
emer
genc
y an
d em
erge
ncy
chan
ges
that
are
dev
elop
ed u
nder
the
va
rious
de
velo
pmen
t co
ntra
cts
have
no
t be
en
docu
men
ted
and
appr
oved
by
FEM
A m
anag
emen
t, in
acc
orda
nce
with
DH
S an
d FE
MA
pol
icy.
�FE
MA
do
es
not
have
a
cent
raliz
ed
prog
ram
m
anag
emen
t fu
nctio
n or
pro
cess
to
mon
itor
and
track
NEM
IS S
oftw
are
Cha
nge
Req
uest
s (S
CR
s)
thro
ugho
ut
the
conf
igur
atio
n m
anag
emen
t lif
ecyc
le,
from
in
itial
ap
prov
al
thro
ugh
impl
emen
tatio
n in
to th
e pr
oduc
tion
envi
ronm
ent.
�D
ocum
ent
and
esta
blis
h a
cent
raliz
ed
and
inte
grat
ed
chan
ge
man
agem
ent
proc
ess
over
N
EMIS
to
en
sure
th
at
adeq
uate
co
ntro
ls
are
impl
emen
ted
thro
ugho
ut
the
lifec
ycle
of
th
e co
nfig
urat
ion
man
agem
ent p
roce
ss, i
n ac
cord
ance
w
ith D
HS
and
FEM
A p
olic
y.
�Fo
rmal
ly
desi
gnat
e FE
MA
m
anag
emen
t re
spon
sibi
litie
s fo
r ov
ersi
ght
and
impl
emen
tatio
n of
con
trols
for
ini
tiatin
g, m
onito
ring,
tes
ting,
and
ap
prov
ing
all
NEM
IS
non-
emer
genc
y an
d em
erge
ncy
chan
ges;
�
Esta
blis
h a
cent
raliz
ed, f
orm
al p
roce
ss to
mon
itor,
docu
men
t, an
d tra
ck N
EMIS
sof
twar
e ch
ange
s th
roug
hout
th
e co
nfig
urat
ion
man
agem
ent
lifec
ycle
, fr
om
initi
al
appr
oval
th
roug
h im
plem
enta
tion
into
the
prod
uctio
n en
viro
nmen
t.
X
3
FEM
A-
IT-1
0-63
Dur
ing
the
FY
2010
in
tegr
ated
au
dit,
we
note
d w
eakn
esse
s ov
er
the
IFM
IS-M
erge
r C
onfig
urat
ion
Man
agem
ent
Plan
.
Bas
ed
on
our
test
wor
k,
we
conc
lude
d th
at t
he I
FMIS
con
figur
atio
n m
anag
emen
t pr
oces
s do
es
not
mee
t co
mpr
ehen
sive
ch
ange
m
anag
emen
t pr
oces
s re
quire
men
ts a
nd p
roce
dure
s as
re
quire
d by
DH
S an
d N
IST
guid
ance
bec
ause
it is
not
ad
equa
tely
doc
umen
ted.
Fo
r ex
ampl
e, w
e id
entif
ied
the
follo
win
g w
eakn
esse
s:
�Th
e IF
MIS
CM
P pr
ovid
ed in
Jul
y 20
10 is
in d
raft
and
has n
ot b
een
upda
ted
to re
flect
the
new
IFM
IS-
�R
evis
e,
docu
men
t an
d fu
lly
impl
emen
t a
com
preh
ensi
ve
conf
igur
atio
n m
anag
emen
t pr
ogra
m
that
in
clud
es
a C
onfig
urat
ion
Man
agem
ent P
lan
for I
FMIS
-Mer
ger,
whi
ch a
ligns
w
ith a
ll ap
plic
able
DH
S an
d FE
MA
req
uire
men
ts
and
refle
cts
the
curr
ent
IFM
IS-M
erge
r op
erat
ing
envi
ronm
ent a
nd a
ll ap
plic
able
IT c
ompo
nent
s. �
Incl
ude
in
polic
ies
and
proc
edur
es
(a)
clea
rly
defin
ed a
nd f
orm
aliz
ed r
espo
nsib
ilitie
s fo
r ch
ange
m
anag
emen
t ov
ersi
ght
bodi
es
incl
udin
g a
Con
figur
atio
n/C
hang
e C
ontro
l B
oard
an
d (b
) su
ffic
ient
ly
deta
iled
resp
onsi
bilit
ies
and
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
12
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
Mer
ger
oper
atin
g en
viro
nmen
t. S
peci
fical
ly,
the
plan
inc
lude
s C
ore
IFM
IS a
nd G
&T
IFM
IS,
but
does
not
add
ress
the
IFM
IS-M
erge
r in
stan
ce t
hat
bega
n op
erat
ions
in F
ebru
ary
2010
.
�In
fras
truct
ure
info
rmat
ion
for
the
in-s
cope
ap
plic
atio
ns
does
no
t in
clud
e th
e se
rver
in
form
atio
n fo
r G
&T
IFM
IS,
whi
ch
was
op
erat
iona
l w
hen
the
plan
was
las
t re
vise
d in
N
ovem
ber 2
009.
�Th
e C
CB
ha
s no
t be
en
form
ally
an
d fu
lly
inte
grat
ed i
nto
the
FEM
A c
hang
e m
anag
emen
t pr
oces
s. W
hile
we
wer
e in
form
ed th
at a
CC
B f
or
IFM
IS w
as e
stab
lishe
d on
Mar
ch 2
2, 2
010,
we
dete
rmin
ed th
at th
e re
quire
men
ts o
ver t
he ro
les a
nd
resp
onsi
bilit
ies
as w
ell
as t
he m
embe
rshi
p of
the
C
CB
wer
e no
t cl
early
def
ined
, im
plem
ente
d, a
nd
docu
men
ted
to e
nsur
e th
at D
HS
requ
irem
ents
are
m
et.
�M
embe
rshi
p of
th
e “S
CR
R
evie
w
Team
” re
spon
sibl
e fo
r ini
tial a
ppro
val f
or d
evel
opm
ent o
f an
y ch
ange
s to
the
app
licat
ion
is n
ot f
orm
ally
de
fined
.
�R
equi
rem
ents
th
at
secu
rity
impa
ct
anal
yses
be
pe
rfor
med
prio
r to
impl
emen
tatio
n of
cha
nges
hav
e no
t bee
n do
cum
ente
d.
�Li
mite
d te
stin
g re
quire
men
ts e
xist
to g
uide
FEM
A
pers
onne
l in
the
dev
elop
men
t of
tes
t pl
ans
and
guid
ance
ove
r the
test
ing
that
sho
uld
be p
erfo
rmed
an
d do
cum
ente
d.
Add
ition
ally
, ro
les
and
resp
onsi
bilit
ies
over
test
pla
n pr
oced
ures
to e
nsur
e th
at
plan
s ar
e su
ffic
ient
, do
cum
ent
expe
cted
ou
tcom
es, a
nd a
re r
evie
wed
and
app
rove
d pr
ior
to
requ
irem
ents
for s
ecur
ity im
pact
ana
lyse
s, te
st p
lan
deve
lopm
ent,
and
appr
oval
for n
on-e
mer
genc
y an
d em
erge
ncy
chan
ge p
roce
dure
s.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
13
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e R
isk
Rat
ing
deve
lopm
ent,
are
not d
ocum
ente
d.
�R
equi
rem
ents
ove
r em
erge
ncy
chan
ges
have
not
be
en d
efin
ed in
writ
ing.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
14
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
� Federal Law Enforcement Training Center
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 115
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Fede
ral L
aw E
nfor
cem
ent a
nd T
rain
ing
Cen
ter
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
FLET
C-
IT-1
0-01
D
urin
g ou
r FY
201
0 re
view
of F
LETC
’s c
onfig
urat
ion
man
agem
ent
polic
ies
and
proc
edur
es,
we
note
d th
at
FLET
C d
oes n
ot c
ondu
ct th
e fo
llow
ing:
�
Mom
entu
m a
nd G
lync
o A
rea
Net
wor
k (G
AN
) ch
ange
s ar
e no
t bei
ng d
ocum
ente
d th
roug
hout
the
chan
ge c
ontro
l pro
cess
from
the
test
ing
of c
hang
es
to t
he f
inal
app
rova
l of
the
cha
nges
prio
r to
im
plem
enta
tion,
and
; �
Dis
tribu
tion
and
impl
emen
tatio
n of
Mom
entu
m
and
GA
N c
hang
es a
re n
ot b
eing
con
trolle
d.
The
FLET
C m
anag
emen
t will
upd
ate
and
enfo
rce
curr
ent
proc
edur
es t
o en
sure
cha
nges
are
ful
ly
docu
men
ted
thro
ugho
ut th
e ch
ange
con
trol p
roce
ss
to in
clud
e th
e re
sults
of t
estin
g th
e ch
ange
, rev
iew
of
the
cha
nge
test
res
ults
, an
d fin
al a
ppro
val
to
proc
eed
with
the
impl
emen
tatio
n.
X
2
FLET
C-
IT-1
0-02
D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t au
dit,
we
note
d se
vera
l w
eakn
esse
s w
ith
the
logi
cal
acce
ss
cont
rols
fo
r th
e G
lync
o A
dmin
istra
tive
Net
wor
k (G
AN
).
Dur
ing
our
revi
ew i
n FY
201
0, w
e re
view
ed t
he
logi
cal a
cces
s co
ntro
ls o
ver t
he G
AN
. Pe
r our
revi
ew,
we
note
d th
at F
LETC
has
rem
edia
ted
all o
f the
logi
cal
acce
ss c
ontro
ls o
ver t
he G
AN
; how
ever
, KPM
G n
oted
th
at t
he G
AN
was
con
figur
ed t
o re
set
the
lock
out
coun
ter a
fter 2
0 m
inut
es.
This
doe
s no
t mee
t the
DH
S 43
00A
req
uire
men
t of
24
hour
s. U
pon
notif
icat
ion,
FL
ETC
im
med
iate
ly
rem
edia
ted
the
conf
igur
atio
n is
sue.
How
ever
, the
con
figur
atio
n w
as in
appr
opria
tely
co
nfig
ured
for t
he m
ajor
ity o
f the
fisc
al y
ear.
Due
to re
med
iatio
n of
this
find
ing
with
in th
e fis
cal
year
, no
reco
mm
enda
tion
is re
quire
d.
X
3
FLET
C-
IT-1
0-03
In
FY
20
09,
KPM
G
cond
ucte
d A
fter-
Hou
rs
wal
kthr
ough
te
stin
g to
co
mpl
emen
t ou
r IT
au
dit
test
ing
effo
rts a
s pa
rt of
the
FY 2
010
DH
S Fi
nanc
ial
Stat
emen
t A
udit
and
Aud
it of
Int
erna
l C
ontro
l ov
er
Fina
ncia
l R
epor
ting.
W
e al
so p
erfo
rmed
afte
r-ho
urs
Fina
nce
Div
isio
n, B
uild
ing
66 S
afeg
uard
ing
of P
II
and
Cre
dit
Car
d da
ta:
Mod
ifica
tions
to
Bui
ldin
g 66
hav
e re
cent
ly b
een
com
plet
ed w
hich
pro
vide
se
cure
file
sto
rage
room
s an
d en
try c
ontro
ls fo
r all
acce
ss p
oint
s in
the
bui
ldin
g.
An
SOP
will
be
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
16
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
phys
ical
sec
urity
tes
ting
to i
dent
ify r
isks
rel
ated
to
non-
tech
nica
l as
pect
s of
IT
secu
rity.
Th
ese
non-
tech
nica
l IT
secu
rity
aspe
cts i
nclu
de p
hysi
cal a
cces
s to
equi
pmen
t tha
t hou
ses
finan
cial
dat
a an
d in
form
atio
n re
sidi
ng o
n th
e de
sks
of F
LETC
per
sonn
el,
whi
ch
coul
d be
use
d by
oth
ers
to i
napp
ropr
iate
ly a
cces
s fin
anci
al in
form
atio
n.
For
our
revi
ew i
n FY
201
0 fo
llow
up
test
wor
k w
as
perf
orm
ed a
t var
ious
FLE
TC b
uild
ings
in th
e G
lync
o,
Geo
rgia
com
plex
. Th
e de
sign
ated
FLE
TC T
echn
ical
Po
int
of C
onta
ct a
nd r
epre
sent
ativ
es f
rom
the
DH
S O
ffic
e of
In
spec
tor
Gen
eral
, th
e D
HS
Off
ice
of
Info
rmat
ion
Secu
rity,
an
d th
e FL
ETC
O
ffic
e of
Ph
ysic
al S
ecur
ity a
ccom
pani
ed K
PMG
to
mon
itor
test
ing
and
valid
ate
the
resu
lts.
Afte
r ga
inin
g ac
cess
to
the
fac
ilitie
s, w
e in
spec
ted
a ra
ndom
sel
ectio
n of
de
sks
and
offic
es, l
ooki
ng f
or it
ems
such
as
impr
oper
pr
otec
tion
of
syst
em
pass
wor
ds,
unse
cure
d in
form
atio
n sy
stem
har
dwar
e, d
ocum
enta
tion
mar
ked
FOU
O, a
nd u
nloc
ked
netw
ork
sess
ions
. O
ur s
elec
tion
of d
esks
and
off
ices
was
not
sta
tistic
ally
der
ived
, and
th
eref
ore
we
are
unab
le t
o pr
ojec
t re
sults
to
the
com
pone
nt o
r de
partm
ent
as a
who
le.
We
revi
ewed
ov
er 9
0 de
sks a
nd c
ubic
les w
ithin
the
four
loca
tions
.
draf
ted
to a
ddre
ss S
afeg
uard
ing
of P
II a
nd C
redi
t C
ard
data
in th
e Fi
nanc
e D
ivis
ion,
impl
emen
t use
of
the
secu
re fi
le s
tora
ge ro
oms,
and
addr
ess
entry
co
ntro
ls f
or a
cces
s po
ints
in
the
build
ing.
Th
is
will
be
deve
lope
d an
d im
plem
ente
d by
Nov
embe
r 15
, 201
0.
Add
ition
ally
, spe
cific
req
uire
men
ts f
or
Safe
guar
ding
of
PII
and
Cre
dit
Car
d da
ta w
ill b
e ad
ded
to e
ach
Fina
nce
Div
isio
n em
ploy
ee’s
FY
20
11 (a
nd fu
ture
) Ann
ual P
erfo
rman
ce W
ork
Plan
to
ens
ure
ther
e is
no
mis
unde
rsta
ndin
g re
gard
ing
each
em
ploy
ee’s
resp
onsi
bilit
ies i
n th
is a
rea.
Fina
nce
Off
ice,
B
uild
ing
66
Use
r N
ame
and
Pass
wor
ds:
Rem
edia
l tra
inin
g w
ill b
e co
nduc
ted
rega
rdin
g sa
fegu
ardi
ng U
ser N
ame
and
Pass
wor
ds.
Add
ition
ally
, sp
ecifi
c re
quire
men
ts
for
safe
guar
ding
Use
r N
ame
and
Pass
wor
ds w
ill b
e ad
ded
to e
ach
Fina
nce
Div
isio
n em
ploy
ee’s
FY
20
11 (a
nd fu
ture
) Ann
ual P
erfo
rman
ce W
ork
Plan
to
ens
ure
ther
e is
no
mis
unde
rsta
ndin
g re
gard
ing
each
em
ploy
ee’s
resp
onsi
bilit
ies i
n th
is a
rea.
For
the
CIO
Ope
ratio
ns a
nd S
uppo
rt D
ivis
ion
(OSD
) in
Bld
g 68
1, r
emed
ial
train
ing
will
be
cond
ucte
d to
ens
ure
empl
oyee
s an
d co
ntra
ctor
s lo
ck
thei
r do
ors
and
safe
guar
d se
nsiti
ve
info
rmat
ion.
O
SD w
ill e
nsur
e th
e w
orks
tatio
n sc
reen
save
r fea
ture
is e
nabl
ed o
n its
wor
ksta
tions
.
FLET
C-
IT-1
0-04
D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t aud
it, K
PMG
de
term
ined
that
logs
of a
udita
ble
even
ts in
the
Gyl
nco
Adm
inis
trativ
e N
etw
ork
(GA
N)
are
not
bein
g re
view
ed to
iden
tify
pote
ntia
l inc
iden
ts.
Dur
ing
our
FY 2
010
revi
ew, K
PMG
det
erm
ined
tha
t FL
ETC
has
im
plem
ente
d th
e Se
curit
y In
form
atio
n
FLET
C’s
cu
rren
t SI
M
solu
tion
prov
ides
no
ca
pabi
lity
to c
orre
late
or
aggr
egat
e au
dit
logs
w
hich
res
ults
in
an a
rduo
us,
un-tr
acka
ble
and
unm
anag
eabl
e au
dit
log
revi
ew
proc
ess
whe
n ha
ndlin
g m
illio
ns o
f re
cord
s ea
ch d
ay.
FLET
C is
cu
rren
tly i
n th
e pr
oces
s of
pro
curin
g A
rcSi
ght
ESM
as
a re
plac
emen
t SI
M s
olut
ion
to a
ddre
ss
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
17
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
Man
agem
ent
Syst
em
(SIM
) w
ith
capa
bilit
ies
to
man
age
and
stor
e lo
gs o
f au
dita
ble
even
ts.
How
ever
, w
e de
term
ined
tha
t m
anag
emen
t do
es n
ot h
ave
a fo
rmal
pro
cess
for
rev
iew
ing
the
audi
t lo
gs o
n a
perio
dic
basi
s.
thes
e an
d ot
her
shor
tcom
ings
with
the
cur
rent
so
lutio
n. A
rcSi
ght E
SM a
llow
s for
bot
h si
mpl
ified
an
d ex
cept
iona
lly c
ompl
ex e
vent
cor
rela
tion
rule
au
thor
ship
.
FLET
C w
ill d
eplo
y th
e A
rcSi
ght
ESM
sol
utio
n du
ring
FY 2
011.
Use
rs,
such
as
ISSO
s, w
ill b
e pr
ovid
ed
focu
sed
dash
boar
ds
with
co
rrel
ated
in
form
atio
n pe
rtine
nt
to
thei
r ar
eas
of
resp
onsi
bilit
y.
Aud
it lo
gs w
ill b
e re
view
ed a
s co
rrel
ated
and
agg
rega
ted
data
and
can
be
drill
ed
dow
n to
in d
etai
l and
revi
ewed
whe
n su
spic
ious
or
anom
alou
s re
cord
s ar
e fo
und.
Cus
tom
ized
repo
rts
and
auto
mat
ed a
lerts
will
be
conf
igur
ed f
or e
ach
syst
em a
nd t
ailo
red
for
the
audi
t lo
g re
view
er.
Aud
it lo
gs o
f acc
ess
to th
e SI
M it
self
will
als
o be
ge
nera
ted
and
revi
ewed
to
ensu
re u
sers
suc
h as
IS
SO’s
and
the
SOC
are
util
izin
g th
e sy
stem
and
re
view
ing
audi
t re
cord
s an
d re
spon
ding
to
the
conf
igur
ed a
utom
ated
ale
rts in
a ti
mel
y m
anne
r.
FLET
C-
IT-1
0-05
D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t aud
it, K
PMG
de
term
ined
tha
t ac
cess
con
trol
wea
knes
ses
exis
ted
over
M
omen
tum
ac
cess
au
thor
izat
ions
fo
r us
er’s
pr
ofile
s cre
ated
or m
odifi
ed d
urin
g th
e fis
cal y
ear.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent a
udit,
KPM
G
dete
rmin
ed th
at a
cces
s co
ntro
l wea
knes
ses
still
exi
sted
ov
er
Mom
entu
m
acce
ss
auth
oriz
atio
ns
for
user
’s
prof
iles
crea
ted
or m
odifi
ed d
urin
g th
e fis
cal
year
. Sp
ecifi
cally
, w
e le
arne
d th
at n
ew u
sers
and
pro
file
chan
ges a
re n
ot b
eing
trac
ked
by F
LETC
.
FLET
C
has
impl
emen
ted
prof
ile
logg
ing,
ho
wev
er,
due
to t
he o
verw
helm
ing
volu
me
of
even
ts lo
gged
by
the
syst
em, t
his
has
prov
en to
be
unus
able
in te
rms
of id
entif
ying
rel
evan
t act
ivity
. FL
ETC
is
wor
king
to
bette
r an
alyz
e an
d m
anag
e th
e pr
ofile
log
ging
rep
orts
. A
n SO
P w
ill b
e dr
afte
d to
im
plem
ent
man
agem
ent
over
sigh
t fo
r M
omen
tum
ac
cess
au
thor
izat
ions
fo
r us
er’s
pr
ofile
s cr
eate
d or
mod
ified
dur
ing
the
fisca
l yea
r. Th
is p
roce
ss w
ill b
e de
velo
ped
and
impl
emen
ted
by N
ovem
ber 3
0, 2
010.
X
3
FLET
C-
IT-1
0-06
D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t au
dit,
we
note
d se
vera
l w
eakn
esse
s ar
ound
acc
ess
cont
rols
for
th
e St
uden
t Inf
orm
atio
n Sy
stem
(SIS
) inc
ludi
ng:
The
FLET
C
will
up
date
th
e ex
istin
g R
isk
Acc
epta
nce
to i
nclu
de t
he p
assw
ord
exce
ptio
ns
note
d in
the
cond
ition
abo
ve.
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
18
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
�SI
S is
con
figur
ed to
hav
e a
pass
wor
d hi
stor
y of
two
pass
wor
ds st
ored
. �
SIS
is n
ot c
onfig
ured
to re
set t
he a
ccou
nt
faile
d lo
gon
coun
ter
�U
sers
wer
e no
t loc
ked
out a
fter t
hree
inva
lid
acce
ss a
ttem
pts.
�SI
S sy
stem
adm
inis
trato
rs sh
are
a ‘r
oot’
user
nam
e an
d pa
ssw
ord
to p
erfo
rm
adm
inis
trativ
e re
spon
sibi
litie
s. �
A sa
mpl
e of
aud
it lo
gs th
at tr
ack
chan
ges t
o sy
stem
dat
a co
uld
not b
e pr
ovid
ed.
�U
ser p
rofil
e cr
eatio
n is
not
trac
ked
and
a lis
ting
of p
rofil
e cr
eatio
n da
tes c
ould
not
be
prov
ided
. �
Evid
ence
of p
erio
dic
revi
ew o
f use
r acc
ount
s co
uld
not b
e pr
ovid
ed.
In F
Y 2
010,
we
inqu
ired
with
FLE
TC a
nd n
oted
that
al
thou
gh s
ome
corr
ectiv
e ac
tions
hav
e ta
ken
plac
e, th
e fo
llow
ing
has n
ot y
et b
een
impl
emen
ted.
�
Use
rs a
re n
ot b
eing
lock
ed o
ut a
fter 3
inva
lid
atte
mpt
s. �
SIS
pass
wor
d le
ngth
min
imum
is c
onfig
ured
a
min
imum
of s
ix.
�SI
S do
es n
ot re
quire
a c
ombi
natio
n of
al
phab
etic
, num
eric
, and
spec
ial c
hara
cter
s. �
Aud
it lo
gs th
at tr
ack
chan
ges t
o sy
stem
dat
a ar
e no
t bei
ng re
view
ed.
�
Prof
ile c
reat
ion
and
chan
ges a
re n
ot b
eing
tra
cked
and
a li
stin
g of
pro
file
upda
tes c
ould
no
t be
prov
ided
. �
Perio
dic
revi
ew o
f use
r acc
ount
s is n
ot b
eing
co
nduc
ted.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
19
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
� Immigration and Customs Enforcement
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 120
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Imm
igra
tion
and
Cus
tom
s Enf
orce
men
t
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
ICE-
IT-
10-0
1 D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t aud
it, K
PMG
pe
rfor
med
an
insp
ectio
n of
a s
ampl
e of
per
sonn
el th
at
had
term
inat
ed/tr
ansf
erre
d fr
om
thei
r em
ploy
men
t w
ith I
CE
durin
g th
e fis
cal
year
. K
PMG
req
uest
ed
evid
ence
that
exi
t cle
aran
ce fo
rms
wer
e co
mpl
eted
for
each
em
ploy
ee
to
dete
rmin
e IC
E m
anag
emen
t’s
com
plia
nce
with
exi
t cle
aran
ce p
roce
dure
s. O
f the
25
term
inat
ed/tr
ansf
erre
d IC
E pe
rson
nel
sam
pled
, ev
iden
ce o
f com
plia
nce
with
exi
t cle
aran
ce p
roce
dure
s co
uld
not b
e pr
ovid
ed fo
r 12
empl
oyee
s.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent a
udit,
KPM
G
was
info
rmed
that
a p
olic
y an
d pr
oced
ure
has
not b
een
deve
lope
d fo
r th
e Pe
rson
nel
Exiti
ng P
roce
ss.
IC
E m
anag
emen
t sta
ted
that
the
Off
ice
of H
uman
Cap
ital
(OH
C)
has
impl
emen
ted
a m
ulti-
year
mis
sion
act
ion
plan
to a
ddre
ss th
is a
nd v
ario
us o
ther
issu
es, b
ut th
ere
has b
een
no c
orre
ctiv
e ac
tion
take
n at
this
tim
e.
ICE
shou
ld
esta
blis
h an
d im
plem
ent
a po
licy
gove
rnin
g th
e ex
it cl
eara
nce
proc
ess,
iden
tifyi
ng
the
proc
edur
es
sepa
ratin
g em
ploy
ees
and
cont
ract
ors
mus
t ta
ke t
o en
sure
the
ret
urn
and\
or
safe
guar
ding
of
gove
rnm
ent
prop
erty
, eq
uipm
ent,
and
syst
ems;
and
the
role
s an
d re
spon
sibi
litie
s of
IC
E of
fices
invo
lved
in th
e ex
it cl
eara
nce
proc
ess.
X
3
ICE-
IT-
10-0
2 D
urin
g th
e FY
200
9 au
dit,
KPM
G i
nqui
red
of I
CE
OC
IO p
erso
nnel
abo
ut F
FMS
pass
wor
d se
tting
s. W
e de
term
ined
tha
t th
e FF
MS
pass
wor
d se
tting
s re
quire
th
e us
e of
an
unde
rsco
re a
nd d
oes
not a
llow
the
use
of
any
othe
r spe
cial
cha
ract
ers s
uch
as !,
@, #
, $, %
, or *
, w
hich
is
not
com
plia
nt w
ith D
HS
polic
y.
The
DH
S po
licy
requ
ires
that
pas
swor
ds c
onta
in a
com
bina
tion
of a
lpha
betic
, num
eric
, and
spec
ial c
hara
cter
s.
Dur
ing
the
FY 2
010
audi
t, w
e pe
rfor
med
fol
low
-up
inqu
iry t
o de
term
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
th
e FF
MS
pass
wor
d se
tting
co
ntro
l w
eakn
ess
has
not b
een
rem
edia
ted.
IC
E m
anag
emen
t
ICE
shou
ld
upda
te
the
FFM
S pa
ssw
ord
conf
igur
atio
n se
tting
s to
ens
ure
that
the
y ar
e in
co
mpl
ianc
e w
ith D
HS
4300
A p
olic
ies.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
21
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
stat
ed th
at a
cha
nge
to th
e sy
stem
has
bee
n re
ques
ted
to i
nclu
de t
wo
addi
tiona
l ch
arac
ters
in
the
pass
wor
d co
mpl
exity
. Th
e sp
ecia
l cha
ract
ers
that
will
be
adde
d on
ce t
he c
hang
e is
im
plem
ente
d ar
e th
e #,
$,
and
unde
rsco
re.
K
PMG
no
ted
that
O
racl
e us
es
the
follo
win
g ch
arac
ters
(!,
@,
%,
^, &
, *)
as
func
tion
key,
th
eref
ore,
th
ey
cann
ot
be
incl
uded
in
th
e pa
ssw
ord
com
plex
ity.
The
rem
edia
tion
com
plet
ion
date
is sc
hedu
led
for N
ovem
ber 2
010.
ICE-
IT-
10-0
3 D
urin
g th
e FY
200
9 au
dit,
KPM
G i
nqui
red
of I
CE
OC
IO p
erso
nnel
abo
ut t
he p
roce
ss f
or r
ecer
tifyi
ng
FFM
S us
er a
cces
s (r
evie
w o
f ac
cess
priv
ilege
s) a
nd
foun
d th
at t
his
proc
ess
is n
ot f
orm
ally
doc
umen
ted.
Fu
rther
mor
e, K
PMG
fou
nd t
hat
the
revi
ew f
or t
he
acce
ss
priv
ilege
s fo
r ea
ch
FFM
S ac
coun
t is
no
t ad
equa
tely
rec
orde
d an
d no
aud
it tra
il is
ava
ilabl
e to
su
ppor
t tha
t a re
certi
ficat
ion
was
com
plet
ed.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e pe
rfor
med
follo
w-u
p in
quiry
to d
eter
min
e th
e st
atus
of
this
wea
knes
s an
d le
arne
d th
at p
roce
dure
s ha
ve b
een
docu
men
ted
and
impl
emen
ted
for
the
FFM
S re
certi
ficat
ion
proc
ess,
how
ever
, a
form
al p
olic
y ha
s no
t be
en
docu
men
ted.
KPM
G
foun
d th
at
user
s’
logi
cal a
cces
s pr
ivile
ges
wer
e re
view
ed, r
ecor
ded,
and
m
aint
aine
d, t
here
fore
thi
s po
rtion
of
the
PY N
FR a
s be
en r
emed
iate
d.
How
ever
, pe
r in
quiry
with
IC
E m
anag
emen
t, K
PMG
fou
nd t
hat
a fo
rmal
pol
icy
still
do
es
not
exis
t fo
r th
e re
certi
ficat
ion
of
FFM
S ac
coun
ts.
ICE
man
agem
ent
shou
ld e
stab
lish
and
impl
emen
t po
licie
s an
d pr
oced
ures
to f
orm
ally
doc
umen
t the
re
certi
ficat
ion
of
FFM
S us
er
priv
ilege
s. Th
is
activ
ity is
the
resp
onsi
bilit
y of
OFM
and
the
ISSO
. Th
is p
roce
ss s
houl
d in
clud
e a
met
hod
to d
ocum
ent
user
re
certi
ficat
ion
and
a pr
oces
s to
m
aint
ain
evid
ence
of t
he re
view
s.
X
ICE-
IT-
10-0
4 D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t aud
it, K
PMG
pe
rfor
med
an
insp
ectio
n of
a l
istin
g of
FFM
S us
ers
and
thei
r as
sign
ed
role
s/re
spon
sibi
litie
s an
d de
term
ined
th
at
six
user
s ha
d O
rigin
ator
, Fu
nds
Cer
tific
atio
n O
ffic
ial,
and
App
rovi
ng O
ffic
ial p
rofil
es
ICE
shou
ld e
nfor
ce p
olic
ies
and
proc
edur
es t
o en
sure
tha
t as
sign
ed r
oles
and
res
pons
ibili
ties
are
com
men
sura
te w
ith p
erso
nnel
job
func
tions
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
22
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
that
wer
e in
vio
latio
n of
FFM
S se
greg
atio
n of
dut
ies
polic
ies.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e pe
rfor
med
follo
w-u
p in
quiry
to d
eter
min
e th
e st
atus
of
this
wea
knes
s and
lear
ned
that
dra
ft FF
MS
segr
egat
ion
of d
uty
polic
y is
in p
lace
, but
, is
not b
eing
fol
low
ed.
In a
dditi
on, K
PMG
insp
ecte
d a
listin
g of
FFM
S us
ers
and
thei
r as
sign
ed
role
s/re
spon
sibi
litie
s an
d de
term
ined
th
at
one
use
r ha
d O
rigin
ator
, Fu
nds
Cer
tific
atio
n O
ffic
ial,
and
a A
ppro
ving
O
ffic
ial
prof
ile, w
hich
is a
vio
latio
n of
the
FFM
S se
greg
atio
n of
dut
ies p
olic
y.
ICE-
IT-
10-0
5 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t aud
it, K
PMG
de
term
ined
tha
t FF
MS
audi
t lo
gs w
ere
not
gene
rate
d or
rev
iew
ed d
urin
g th
e pe
riod
Oct
ober
200
9 th
roug
h Fe
brua
ry 2
010.
A
s of
Mar
ch 2
010,
the
log
s w
ere
gene
rate
d an
d re
view
ed,
how
ever
, no
su
ppor
ting
evid
ence
co
uld
be
prov
ided
.
Add
ition
ally
, w
e de
term
ined
that
aud
it lo
g po
licy
and
proc
edur
es h
ave
been
dra
fted,
how
ever
, th
ey h
ave
not
been
fin
aliz
ed,
appr
oved
, and
impl
emen
ted.
ICE
Off
ice
of F
inan
cial
Man
agem
ent (
OFM
) w
ill
final
ize,
see
k ap
prov
al,
and
form
ally
im
plem
ent
the
draf
t pol
icy
and
proc
edur
es.
In th
e m
eant
ime,
th
e dr
aft p
olic
y w
ill b
e us
ed to
pro
vide
an
accu
rate
au
dit l
og.
X
3
ICE-
IT-
10-0
6 D
urin
g th
e FY
200
9 fin
anci
al s
tate
men
t aud
it, K
PMG
de
term
ined
that
wea
knes
ses
exis
t ove
r A
DEX
acc
ess.
Spec
ifica
lly, K
PMG
fou
nd th
at 1
4 us
ers,
whi
ch w
ere
sepa
rate
d fr
om I
CE,
stil
l ha
d ac
tive
AD
EX a
ccou
nts
that
wer
e no
t rem
oved
upo
n th
eir t
erm
inat
ion/
trans
fer.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e pe
rfor
med
follo
w-u
p in
quiry
to d
eter
min
e th
e st
atus
of
this
wea
knes
s an
d le
arne
d th
at IC
E ha
s im
plem
ente
d a
com
pens
atin
g co
ntro
l th
at w
ill d
isab
le u
sers
acc
ount
af
ter
45 d
ays
of i
nact
ivity
to
miti
gate
the
con
trol
wea
knes
s. H
owev
er,
KPM
G f
ound
tha
t a
sepa
rate
d
Ensu
re im
plem
enta
tion
of th
e IC
E Ex
it C
lear
ance
D
irect
ive
whi
ch w
ill e
stab
lish
the
proc
ess
for
sepa
ratin
g em
ploy
ees,
both
Fe
dera
l an
d co
ntra
ctor
s, an
d fo
rmal
ize
a pr
oces
s to
ens
ure
that
se
para
ting
empl
oyee
s ha
ve th
eir
acce
ss to
all
ICE
info
rmat
ion
tech
nolo
gy sy
stem
s rem
oved
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
23
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
empl
oyee
’s a
ccou
nt w
as n
ot d
isab
led
in a
tim
ely
man
ner
as
the
acco
unt
was
ac
cess
ed
afte
r th
e em
ploy
ee’s
ter
min
atio
n da
te.
The
refo
re,
the
45-d
ay
win
dow
was
inap
prop
riate
ly d
elay
ed. I
n ad
ditio
n, w
e de
term
ined
that
DH
S ac
cess
con
trols
pol
icie
s ar
e no
t be
ing
follo
wed
as
user
s ar
e no
t pro
perly
iden
tifie
d an
d au
then
ticat
ed.
Bas
ed o
n IC
E m
anag
emen
t’s r
espo
nse
to th
is w
eakn
ess
“eith
er a
noth
er u
ser l
ogge
d on
as
the
term
inat
ed
user
or
In
form
atio
n Te
chno
logy
Fi
eld
Off
icer
(I
TFO
) lo
gged
in
us
ing
the
term
inat
ed
empl
oyee
’s c
rede
ntia
ls.”
IC
E-IT
-10
-07
Dur
ing
the
FY 2
010
finan
cial
stat
emen
t aud
it, K
PMG
de
term
ined
that
seve
ral p
hysi
cal a
nd e
nviro
nmen
tal
cont
rols
exi
st w
ithin
the
OC
S D
atac
ente
r. Sp
ecifi
cally
, w
e no
ted
the
follo
win
g:
�O
CS
Dat
a C
ente
r Ris
k A
sses
smen
t is n
ot
docu
men
ted.
�
Re-
entry
pro
cedu
res f
or p
erso
nnel
afte
r an
emer
genc
y ev
acua
tion
are
not d
ocum
ente
d.
�Fi
re su
ppre
ssio
n te
stin
g do
cum
enta
tion
is n
ot
mai
ntai
ned.
�
Wat
er d
amag
e w
as v
isib
le o
n th
e da
ta c
ente
r w
all w
here
FFM
S se
rver
s are
hou
sed
with
no
inci
dent
repo
rt of
the
even
t. �
UPS
test
ing
docu
men
tatio
n is
not
mai
ntai
ned.
As
of J
uly
2010
FFM
S ha
s be
en m
oved
fro
m th
e D
epar
tmen
t of
Com
mer
ce O
CS
to D
ata
Cen
ter
2 (D
C2)
. D
C2
will
be
revi
ewed
and
mon
itore
d to
en
sure
co
mpl
ianc
e w
ith
all
phys
ical
an
d da
ta
secu
rity
requ
irem
ents
.
X
2
ICE-
IT-
10-0
8 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
dete
rmin
ed th
at th
e en
viro
nmen
tal c
ontro
ls in
the
PCN
co
mpu
ter
room
nee
d im
prov
emen
t. Sp
ecifi
cally
, w
e fo
und
that
en
viro
nmen
tal
test
re
sults
ar
e no
t do
cum
ente
d an
d m
aint
aine
d fo
r the
follo
win
g de
vice
s:
AC
un
its,
fire
extin
guis
hers
, an
d ba
ck-u
p po
wer
su
pply
.
Ensu
re
that
en
viro
nmen
tal
syst
ems
(Hea
t V
entil
atio
n A
ir C
ondi
tione
r, fir
e ex
tingu
ishe
rs,
and
Uni
vers
al P
ower
Sup
ply)
are
tes
ted
annu
ally
w
ith te
st re
sults
mad
e av
aila
ble
for r
evie
w.
X
2
ICE-
IT-
10-0
9 So
cial
eng
inee
ring
is d
efin
ed a
s th
e ac
t of a
ttem
ptin
g to
man
ipul
ate
or d
ecei
ve p
eopl
e in
to t
akin
g ac
tion
that
is
in
cons
iste
nt
with
D
HS
polic
ies,
such
as
di
vulg
ing
sens
itive
info
rmat
ion
or a
llow
ing/
enab
ling
Soci
al
Engi
neer
ing
is
cove
red
in
the
Ann
ual
Info
rmat
ion
Ass
uran
ce
Aw
aren
ess
Trai
ning
(I
AA
T) –
whi
ch i
s a
requ
irem
ent
for
all
ICE
empl
oyee
s. T
he I
AA
T sh
ould
con
tinue
to
stre
ss
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
24
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
com
pute
r sy
stem
acc
ess.
The
term
typi
cally
app
lies
to
trick
ery
or
dece
ptio
n fo
r th
e pu
rpos
e of
in
form
atio
n ga
ther
ing,
or c
ompu
ter s
yste
m a
cces
s.
Dur
ing
the
cour
se o
f our
soci
al e
ngin
eerin
g te
st w
ork,
th
e ob
ject
ive
was
prim
arily
foc
used
on
atte
mpt
ing
to
iden
tify
user
ID
s an
d pa
ssw
ords
. P
osin
g as
DH
S te
chni
cal s
uppo
rt em
ploy
ees,
atte
mpt
s w
ere
mad
e to
ob
tain
this
type
of a
ccou
nt in
form
atio
n by
con
tact
ing
rand
omly
sel
ecte
d em
ploy
ees
by te
leph
one.
A s
crip
t w
as u
sed
to a
sk f
or a
ssis
tanc
e fr
om th
e IC
E us
er in
re
solv
ing
a ne
twor
k is
sue
in t
he c
ompo
nent
. F
or
each
per
son
we
atte
mpt
ed to
cal
l, w
e no
ted
whe
ther
th
e in
divi
dual
was
rea
ched
and
whe
ther
we
obta
ined
an
y in
form
atio
n fr
om th
em th
at s
houl
d no
t hav
e be
en
shar
ed w
ith u
s ac
cord
ing
to
DH
S po
licy.
Our
se
lect
ion
of d
esks
and
off
ices
was
not
sta
tistic
ally
de
rived
, and
ther
efor
e w
e ar
e un
able
to p
roje
ct re
sults
to
the
com
pone
nt o
r dep
artm
ent a
s a w
hole
.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e le
arne
d th
at
ICE
cont
inue
s to
pr
omot
e se
curit
y aw
aren
ess
train
ing
by d
istri
butin
g a
wee
kly
new
slet
ter
to
empl
oyee
s an
d co
ntra
ctor
s ab
out
secu
rity
awar
enes
s. H
owev
er, K
PMG
foun
d th
at th
e pr
ior y
ear
secu
rity
wea
knes
s stil
l exi
sts.
soci
al
engi
neer
ing
risks
an
d gr
eate
r ou
treac
h sh
ould
be
achi
eved
.
ICE-
IT-
10-1
0 W
e pe
rfor
med
afte
r-ho
urs
phys
ical
sec
urity
test
ing
to
iden
tify
risks
rel
ated
to
non-
tech
nica
l as
pect
s of
IT
secu
rity.
Th
ese
non-
tech
nica
l IT
sec
urity
asp
ects
in
clud
e ph
ysic
al
acce
ss
to
equi
pmen
t th
at
hous
es
finan
cial
dat
a an
d in
form
atio
n re
sidi
ng o
n an
IC
E em
ploy
ee’s
des
k w
hich
cou
ld b
e us
ed b
y ot
hers
to
inap
prop
riate
ly
acce
ss
finan
cial
in
form
atio
n.
The
test
ing
was
per
form
ed a
t va
rious
IC
E lo
catio
ns t
hat
proc
ess
and/
or m
aint
ain
com
pone
nt f
inan
cial
dat
a.
Afte
r ga
inin
g ac
cess
to
the
faci
litie
s vi
a an
IC
E
Secu
rity
Aw
aren
ess
is
cove
red
in
the
Ann
ual
IAA
T –
whi
ch
is
a re
quire
men
t fo
r al
l IC
E em
ploy
ees.
The
IA
AT
shou
ld c
ontin
ue t
o st
ress
se
curit
y aw
aren
ess
risks
an
d gr
eate
r ou
treac
h sh
ould
be
achi
eved
.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
25
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
empl
oyee
des
igna
ted
to a
ssis
t w
ith a
nd m
onito
r ou
r te
stw
ork,
we
insp
ecte
d a
rand
om s
elec
tion
of d
esks
an
d of
fices
lo
okin
g fo
r ite
ms
such
as
im
prop
er
prot
ectio
n of
sy
stem
us
er
nam
es
and
pass
wor
ds,
unse
cure
d in
form
atio
n sy
stem
ha
rdw
are,
do
cum
enta
tion
cont
aini
ng P
II o
r m
arke
d FO
UO
, and
un
lock
ed n
etw
ork
sess
ions
. O
ur s
elec
tion
of d
esks
an
d of
fices
was
not
sta
tistic
ally
der
ived
, and
ther
efor
e w
e ar
e un
able
to
proj
ect
resu
lts t
o th
e co
mpo
nent
or
depa
rtmen
t as
a w
hole
. Fo
r ea
ch lo
catio
n vi
site
d, w
e no
ted
the
type
of
unse
cure
d in
form
atio
n or
pro
perty
w
e id
entif
ied
and
incl
uded
the
tota
l exc
eptio
ns n
oted
by
loc
atio
n, a
s w
ell
as b
y ty
pe o
f in
form
atio
n or
pr
oper
ty id
entif
ied.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e le
arne
d th
at
ICE
cont
inue
s to
pr
omot
e se
curit
y aw
aren
ess
train
ing
and
dist
ribut
es a
wee
kly
new
slet
ter
to
empl
oyee
s an
d co
ntra
ctor
s ab
out
secu
rity
awar
enes
s. H
owev
er,
KPM
G f
ound
tha
t se
curit
y w
eakn
esse
s stil
l exi
st.
ICE-
IT-
10-1
1 In
FY
200
9, w
e fo
und
that
IC
E la
cked
pol
icie
s an
d pr
oced
ures
requ
iring
com
plet
ion
of a
trai
ning
pro
gram
by
per
sonn
el in
IT se
curit
y po
sitio
ns.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e le
arne
d th
at to
cor
rect
the
prio
r yea
r NFR
, IC
E fo
llow
s D
HS
4300
A
polic
y fo
r tra
inin
g pe
rson
nel
in
IT
secu
rity
posi
tions
, the
refo
re, t
his
porti
on o
f the
NFR
is
clos
ed.
How
ever
, dur
ing
our t
estw
ork
we
dete
rmin
ed
that
wea
knes
ses
still
exi
st o
ver
train
ing
pers
onne
l in
IT
sec
urity
pos
ition
s. S
peci
fical
ly, w
e de
term
ined
that
27
out
of 4
5 IT
sec
urity
per
sonn
el h
ave
not c
ompl
eted
sp
ecia
lized
trai
ning
.
OC
IO w
ill p
rovi
de m
anag
emen
t ov
ersi
ght
and
guid
ance
for
tra
inin
g pe
rson
nel
with
sig
nific
ant
resp
onsi
bilit
ies f
or in
form
atio
n se
curit
y.
X
2
ICE-
IT-
10-1
2 D
urin
g th
e FY
201
0 fin
anci
al st
atem
ent a
udit,
KPM
G
dete
rmin
ed th
at p
hysi
cal s
afeg
uard
wea
knes
ses e
xist
at
ICE
shou
ld e
nsur
e th
at r
e-en
try p
roce
dure
s ar
e pr
oper
ly d
ocum
ente
d at
the
Cla
rksv
ille
data
cen
ter
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
26
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
the
DC
2 da
tace
nter
. Sp
ecifi
cally
, we
dete
rmin
ed th
e fo
llow
ing:
�
Re-
entry
pro
cedu
res a
fter a
n em
erge
ncy
have
be
en im
plem
ente
d, h
owev
er, t
he p
roce
dure
s ar
e no
t doc
umen
ted.
�
FFM
S se
rver
is in
appr
opria
tely
mar
ked
with
a
labe
l tha
t ide
ntifi
es th
e ap
plic
atio
n/da
ta o
n th
e se
rver
.
and
mak
e ce
rtain
th
at
serv
ers
are
not
inap
prop
riate
ly id
entif
ied.
ICE-
IT-
10-1
3 D
urin
g K
PMG
’s
inte
rnal
vu
lner
abili
ty
asse
ssm
ent
effo
rts o
f IC
E’s
FFM
S ne
twor
k, s
erve
rs a
nd d
atab
ases
pe
rfor
med
in
Aug
ust
2010
, KPM
G i
dent
ified
sev
eral
H
igh/
M
ediu
m
Ris
k vu
lner
abili
ties,
rela
ted
to
conf
igur
atio
n m
anag
emen
t suc
h as
: �
Hot
St
andb
y R
oute
r Pr
otoc
ol
(HSR
P)
defa
ult
inst
alla
tion
on C
isco
rout
ers a
nd sw
itche
s �
Def
ault
“Ora
cle
List
ener
Pr
ogra
m
(tnsl
snr)
” se
rvic
e pa
ssw
ord
on se
rver
inst
alla
tion
�O
utda
ted
Mic
roso
ft O
pera
ting
Syst
ems
�B
onjo
ur (
also
kno
wn
as Z
eroC
onf
or m
DN
S)
liste
ning
pro
toco
l �
Rem
ote
web
ser
ver
HTM
L fo
rm f
ield
s tra
nsm
its
data
in c
lear
text
ICE
shou
ld t
ake
the
nece
ssar
y st
eps
to b
egin
ex
amin
ing
the
defa
ult
conf
igur
atio
n in
stal
latio
ns
and
syst
em s
ervi
ces
inst
alle
d on
FFM
S de
vice
s an
d de
term
ine
if th
e de
faul
t con
figur
atio
ns c
an b
e se
t to
incr
ease
FFM
S’s
secu
rity
or, i
n th
e ca
se o
f un
nece
ssar
y sy
stem
ser
vice
s, de
lete
d to
red
uce
FFM
S vu
lner
abili
ty to
atta
ck.
X
3
ICE-
IT-
10-1
4 D
urin
g K
PMG
’s
inte
rnal
vu
lner
abili
ty
asse
ssm
ent
effo
rts o
f IC
E’s
FFM
S ne
twor
k se
rver
s an
d da
taba
ses
perf
orm
ed i
n A
ugus
t 20
10, K
PMG
ide
ntifi
ed s
ever
al
Hig
h/ M
ediu
m R
isk
vuln
erab
ilitie
s, re
late
d to
sev
eral
co
nfig
urat
ion
and
patc
h m
anag
emen
t w
eakn
esse
s w
ithin
the
con
figur
atio
n of
the
FFM
S IC
E an
d C
IS
Ora
cle
data
base
inst
ance
s suc
h as
: �
Cle
ar te
xt p
assw
ords
stor
ed in
dat
abas
e �
Out
date
d pa
tche
s �
Tabl
e se
curit
y co
nfig
urat
ions
�
Use
r acc
ount
priv
ilege
s
ICE
shou
ld t
ake
the
nece
ssar
y st
eps
to b
egin
ap
plyi
ng t
he a
ppro
pria
te F
FMS
data
base
pat
ches
to
ens
ure
patc
h co
mpl
ianc
e.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
27
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
�Pa
ssw
ord
setti
ngs f
or u
sers
and
dat
abas
e
ICE-
IT-
10-1
5 D
urin
g K
PMG
’s
inte
rnal
vu
lner
abili
ty
asse
ssm
ent
effo
rts o
f IC
E’s
FFM
S ne
twor
k se
rver
s an
d da
taba
ses
perf
orm
ed i
n A
ugus
t 20
10, K
PMG
ide
ntifi
ed s
ever
al
Hig
h/ M
ediu
m R
isk
vuln
erab
ilitie
s, re
late
d to
mis
sing
or
inad
equa
te p
atch
es su
ch a
s:
�M
icro
soft
Patc
hes
�A
dobe
Rea
der
�A
pach
e To
mca
t �
Java
Run
time
Envi
ronm
ent (
JRE)
�
Ora
cle
Dat
abas
e (s
erve
r ins
talla
tion)
�
HP
Syst
em M
anag
emen
t �
Inte
rnet
Exp
lore
r �
MyS
QL
data
base
ICE
shou
ld t
ake
the
nece
ssar
y st
eps
to b
egin
ap
plyi
ng t
he a
ppro
pria
te F
FMS
patc
hes
to t
he
FFM
S ne
twor
k se
rver
s an
d da
taba
ses
to e
nsur
e pa
tch
com
plia
nce.
X
3
ICE-
IT-
10-1
6 D
urin
g K
PMG
’s
inte
rnal
vu
lner
abili
ty
asse
ssm
ent
effo
rts o
f IC
E’s
AD
EX n
etw
ork
serv
ers
and
devi
ces
perf
orm
ed in
Aug
ust 2
010,
KPM
G id
entif
ied
a de
faul
t in
stal
latio
n an
d co
nfig
urat
ions
for
the
HSR
P on
the
C
isco
rout
ers.
ICE
shou
ld e
nsur
e th
at p
assw
ord
conf
igur
atio
n se
tting
s are
pro
perly
and
eff
ectiv
ely
appl
ied.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
28
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
� Office of Financial Management � Office of Chief Information Officer
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 129
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Off
ice
of F
inan
cial
Man
agem
ent
Off
ice
of C
hief
Info
rmat
ion
Off
icer
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CO
NS-
IT-1
0-01
D
urin
g ou
r fo
llow
-up
on t
his
prio
r ye
ar i
ssue
, w
e no
ted
that
the
fol
low
ing
pass
wor
d co
nfig
urat
ions
for
th
e D
HS
Inte
rnet
dom
ain,
whi
ch c
ontro
ls a
cces
s to
the
DH
STIE
R a
nd C
FO V
isio
n, a
re n
ot i
n co
mpl
ianc
e w
ith D
HS
4300
A re
quire
men
ts:
�Th
e ac
coun
t loc
kout
cou
nter
is c
onfig
ured
to re
set
afte
r 30
min
utes
rath
er th
an (2
4 ho
urs
as re
quire
d by
DH
S po
licy;
and
�
Wor
ksta
tion
idle
se
ssio
ns
term
inat
ion
is
conf
igur
ed t
o lo
ck w
orks
tatio
ns a
fter
15 m
inut
es
of i
nact
ivity
rat
her
than
5 a
s re
quire
d by
DH
S po
licy.
We
reco
mm
end
that
D
HSN
ET
logi
cal
acce
ss
conf
igur
atio
n be
al
igne
d w
ith
DH
S 43
00A
re
quire
men
ts
conc
erni
ng
acco
unt
lock
out
and
wor
ksta
tion
idle
sess
ion
term
inat
ion.
X
1
OC
IO-
IT-1
0-01
D
HS
is i
n th
e pr
oces
s of
bec
omin
g fu
lly c
ompl
iant
w
ith th
e Fe
dera
l Des
ktop
Cor
e C
onfig
urat
ion
(FD
CC
) se
curit
y co
nfig
urat
ions
. Ea
ch D
HS
com
pone
nt a
genc
y ha
s be
gun
test
ing
or im
plem
entin
g th
e FD
CC
sec
urity
co
nfig
urat
ions
; how
ever
, ful
l com
plia
nce
with
FD
CC
se
curit
y co
nfig
urat
ions
for a
ll D
HS
com
pone
nts
is n
ot
plan
ned
to b
e co
mpl
eted
unt
il th
e en
d of
FY
201
1.
We
reco
mm
end
that
the
DH
S O
CIO
: �
Fina
lize
the
DH
S H
arde
ning
G
uide
s fo
r W
indo
ws
desk
top
oper
atin
g sy
stem
s an
d di
strib
ute
them
to a
ll D
HS
com
pone
nt a
genc
ies.
�C
ontin
ue
with
th
e fu
ll im
plem
enta
tion
of
FDC
C s
ecur
ity c
onfig
urat
ions
acr
oss
all
DH
S co
mpo
nent
age
ncie
s.
X
2
OC
IO-
IT-1
0-02
D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t, w
e no
ted
two
wea
knes
ses
with
in D
HS
polic
ies
that
req
uire
fur
ther
ev
alua
tion
and
clar
ifica
tion.
Th
e fo
llow
ing
obse
rvat
ions
w
ere
note
d fo
r m
anag
emen
t co
nsid
erat
ion
over
acc
ess
to P
II a
nd S
egre
gatio
n of
D
utie
s prin
cipl
es:
�D
HS
Sens
itive
Sys
tem
s Po
licy
(DH
S M
D 4
300A
Se
ctio
n 3.
14.1
) re
fers
to
the
DH
S H
andb
ook
for
Safe
guar
ding
Sen
sitiv
e PI
I. W
e fo
und
that
sect
ion
2.4.
4 is
too
broa
d w
hen
asse
ssin
g th
at w
hen
PII i
s
DH
S sh
ould
re
vise
th
e D
HS
Han
dboo
k fo
r Sa
fegu
ardi
ng S
ensi
tive
PII t
o cl
arify
that
acc
ess
to
PII b
e re
stric
ted
to th
ose
with
a n
eed
to k
now
.
DH
S sh
ould
re
vise
D
HS
4300
A
Polic
y an
d H
andb
ook,
7.1
.1, S
ectio
n 5.
3 A
uditi
ng, t
o cl
arify
th
at t
he r
evie
w o
f lo
gs s
houl
d be
ind
epen
dent
ad
herin
g to
segr
egat
ion
of d
utie
s prin
cipl
es.
X
1
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
30
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
phys
ical
ly s
ecur
e; a
ll st
aff
with
acc
ess
to t
he
wor
kspa
ce h
ave
a “n
eed
to k
now
” an
d ca
n ac
cess
th
e PI
I. �
A v
iola
tion
of s
egre
gatio
n of
dut
ies
exis
ts w
ithin
th
e D
HS
4300
A S
ectio
n V
ersi
on 7
.1.1
, Se
ctio
n 5.
3 A
uditi
ng.
The
polic
y al
low
s th
e sy
stem
ad
min
istra
tor
to
revi
ew
the
audi
t re
cord
s fo
r fin
anci
al
syst
ems
or
for
syst
ems
host
ing
or
proc
essi
ng P
II o
n a
mon
thly
bas
is.
The
revi
ew o
f th
e au
dit l
ogs
shou
ld b
e in
depe
nden
t (e.
g., s
yste
m
adm
inis
trato
r of
a s
epar
ate
appl
icat
ion,
sec
urity
ad
min
istra
tor)
si
nce
the
syst
em
adm
inis
trato
r ty
pica
lly h
as fu
ll ac
cess
righ
ts a
nd th
e au
thor
ity to
m
ake
chan
ges
to
the
syst
em
that
m
ay
go
unno
ticed
.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
31
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology - Notice of Findings and
Recommendations – Detail
� Transportation Security Administration
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 132
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Tra
nspo
rtat
ion
Secu
rity
Adm
inis
trat
ion
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
TSA
-IT-
10-0
1 To
com
plem
ent o
ur I
T au
dit t
estin
g ef
forts
as
part
of th
e FY
20
10
DH
S In
tegr
ated
A
udit,
w
e al
so
perf
orm
ed
soci
al
engi
neer
ing
and
afte
r ho
urs
phys
ical
sec
urity
test
ing
Dur
ing
our t
estin
g w
e id
entif
ied
the
follo
win
g
Dur
ing
our a
fter-
hour
s ph
ysic
al s
ecur
ity te
stin
g, w
e id
entif
ied
one
inst
ance
of a
n un
secu
red
lapt
op c
ompu
ter;
Dur
ing
our s
ocia
l eng
inee
ring
test
ing,
we
wer
e pr
ovid
ed w
ith
thre
e us
er’s
pas
swor
ds.
We
reco
mm
end
TSA
in th
e ar
ea o
f phy
sica
l Se
curit
y to
: �
Con
tinue
to
ex
ecut
e th
e IT
Se
curit
y A
war
enes
s Tra
inin
g pr
ogra
m;
�C
ondu
ct
inte
rnal
Ph
ysic
al
Secu
rity
wal
kthr
ough
on
a bi
-ann
ual b
asis
; �
Con
duct
one
-on-
one
train
ing
with
ind
ivid
uals
fa
iling
phy
sica
l sec
urity
afte
r-ho
urs t
estin
g;
�Ta
ke a
dmin
istra
tive
actio
ns,
if ne
eded
, on
a
case
-by-
case
bas
is; a
nd
�TS
A w
ill c
ondu
ct a
com
mun
icat
ions
cam
paig
n to
add
ress
the
effe
cts
of im
prop
er h
andl
ing
of
Phys
ical
Sec
urity
.
We
reco
mm
end
TSA
in
th
e ar
ea
of
soci
al
engi
neer
ing
to:
�C
ontin
ue
to
exec
ute
the
IT
Secu
rity
Aw
aren
ess T
rain
ing
prog
ram
; �
Con
duct
inte
rnal
Soc
ial E
ngin
eerin
g te
stin
g on
a
quar
terly
bas
is;
�C
ondu
ct o
ne-o
n-on
e tra
inin
g w
ith i
ndiv
idua
ls
faili
ng so
cial
eng
inee
ring
atte
mpt
s. �
TSA
w
ill
take
ad
min
istra
tive
actio
ns,
if ne
eded
, on
a ca
se-b
y-ca
se b
asis
. �
TSA
will
con
duct
a c
omm
unic
atio
ns c
ampa
ign
via
broa
dcas
t w
arni
ng
agai
nst
soci
al
engi
neer
ing.
X
1
TSA
-IT-
10-0
2 C
ore
Acco
untin
g Sy
stem
(C
AS)
& F
inan
cial
Pro
cure
men
t D
eskt
op (F
PD)
Dur
ing
our
FY 2
010
IT t
est
wor
k, w
e de
term
ined
tha
t TS
A
had
crea
ted
an In
tern
al S
tand
ard
Ope
ratin
g Pr
oced
ure
(ISO
P)
We
reco
mm
end
TSA
to
ta
ke
the
follo
win
g co
rrec
tive
actio
ns:
CA
S/FP
D:
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
33
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
to d
etai
l how
qua
rterly
acc
ess
revi
ews
wer
e to
be
perf
orm
ed.
We
com
pare
d a
listin
g of
TSA
CA
S an
d FP
D u
sers
to
the
mas
ter l
istin
g of
use
rs w
ho n
eede
d m
odifi
catio
ns o
r del
etio
ns
for t
hree
qua
rters
(Q1,
Q2,
and
Q3)
. W
e di
d no
t ide
ntify
any
ex
cept
ions
for
Q1
and
Q2;
how
ever
, for
the
3rd q
uarte
r, on
e C
AS
user
was
not
del
eted
or m
odifi
ed w
ithin
50
days
afte
r the
en
d of
the
com
plet
ion
of t
he 3
rd q
uarte
r. I
n ad
ditio
n, w
e no
ted
115
FPD
use
rs w
ere
not d
elet
ed o
r mod
ified
with
in 5
1 da
ys a
fter t
he c
ompl
etio
n of
the
3rd
quar
ter.
Sunf
low
er
Dur
ing
our F
Y 2
010
test
wor
k, w
e de
term
ined
that
the
Off
ice
of P
rope
rty M
anag
emen
t (O
PM)
perf
orm
s m
onth
ly a
cces
s re
view
s ov
er S
unflo
wer
use
r ac
coun
ts.
OPM
run
s th
ree
Sunf
low
er r
epor
ts e
ach
mon
th,
and
the
Dep
uty
Prop
erty
M
anag
emen
t O
ffic
ials
(D
PMO
s) a
nd O
PM A
cces
s M
anag
er
revi
ew th
e re
ports
and
pro
vide
dat
es a
nd in
itial
s by
eac
h us
er
revi
ewed
. H
owev
er,
for
the
thre
e m
onth
s sa
mpl
ed,
we
dete
rmin
ed
that
th
ree
Sunf
low
er
user
s, w
ho
had
upda
te
priv
ilege
s, ha
d no
t ha
d th
eir
acce
ss r
emov
ed i
n a
timel
y m
anne
r. A
ll us
ers
wer
e re
view
ed i
n Ja
nuar
y, b
ut t
wo
wer
e no
t rem
oved
unt
il Ju
ly, a
nd th
e ot
her
user
was
not
rem
oved
un
til A
ugus
t.
�H
ave
FIN
CEN
upd
ate
its h
elpd
esk
proc
edur
es
to p
rovi
de t
he c
orre
ct g
uide
lines
so
that
its
he
lpde
sk s
taff
will
no
long
er g
rant
add
ition
al
Stan
dard
FPD
role
s th
at w
ere
not r
eque
sted
on
Acc
ount
Acc
ess
Req
uest
(A
AR
). TS
A s
houl
d cl
osel
y m
onito
r th
e re
ques
ts i
mpl
emen
ted
by
FIN
CEN
to e
nsur
e th
at th
e up
date
d pr
oced
ures
ar
e be
ing
follo
wed
. �
TSA
sho
uld
impr
ove
the
timel
ine
and
proc
ess
of i
ts Q
uarte
rly R
evie
w.
TSA
sho
uld
upda
te
its
proc
edur
es
to
mon
itor
the
timel
ines
s, ac
cura
cy a
nd q
ualit
y of
the
Qua
lity
Rev
iew
pr
oces
s.
a.
Upd
ate
Qua
rterly
Rev
iew
ISO
P to
ad
d th
e ex
pect
ed
timel
ine
to
com
plet
e th
e qu
arte
rly re
view
. b.
C
ondu
ct
timel
y fo
llow
-up
and
revi
ew
of
the
actu
al
FIN
CEN
im
plem
enta
tion
of t
he A
AR
s to
en
sure
th
at
the
AA
Rs
wer
e im
plem
ente
d as
requ
este
d.
�TS
A s
houl
d w
ork
with
FIN
CEN
to
iden
tify
and
impl
emen
t the
bes
t sol
utio
n to
rem
ove
the
one
Sunf
low
er ro
le fr
om th
e us
er’s
pro
file.
�
TSA
sho
uld
wor
k w
ith F
INC
EN t
o re
sear
ch
and
iden
tify
optio
ns to
enh
ance
the
auto
mat
ed
AA
R p
roce
ss.
Sunf
low
er:
�TS
A w
ill p
rovi
de m
ore
train
ing
and
over
sigh
t fo
r an
y ne
w a
cces
s m
anag
er t
o en
sure
the
pr
oces
s is t
horo
ughl
y fo
llow
ed.
�TS
A w
ill c
lose
ly m
onito
r an
d fo
llow
-up
with
FI
NC
EN t
o en
sure
req
uest
s ar
e im
plem
ente
d tim
ely
and
corr
ectly
.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
34
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
�TS
A
will
re
view
an
d id
entif
y al
tern
ate
repo
rting
pr
oces
ses
in
case
s of
te
chni
cal
diff
icul
ties
whe
re s
uper
viso
rs c
anno
t ac
cess
th
e m
aste
r file
s on
Shar
ePoi
nt.
TSA
-IT-
10-0
3 D
urin
g ou
r FY
201
0 au
dit t
est w
ork,
we
sele
cted
a s
ampl
e of
th
e fo
llow
ing
form
s re
quire
d by
the
TSA
dire
ctiv
e an
d de
term
ined
the
follo
win
g:
�Fo
rm 1
403
Com
pute
r A
cces
s A
gree
men
t: Pe
r th
e TS
A
IT
Secu
rity
Polic
y H
andb
ook,
al
l TS
A
pers
onne
l, in
clud
ing
cont
ract
ors,
are
requ
ired
to r
evie
w a
nd s
ign
Form
14
03:
Com
pute
r A
cces
s A
gree
men
t up
on
com
men
cem
ent
of w
orki
ng f
or t
he a
genc
y.
Our
tes
ting
note
d th
at o
f th
e fiv
e fo
rms
sam
pled
, on
e fo
rm w
as
com
plet
ed o
ne m
onth
afte
r the
use
r was
gra
nted
acc
ess
to
a TS
A sy
stem
.
We
reco
mm
end
that
TS
A
take
th
e fo
llow
ing
corr
ectiv
e ac
tion:
Su
perv
isor
s an
d C
ontra
ctin
g O
ffic
er’s
Tec
hnic
al
Rep
rese
ntat
ives
w
ithin
ea
ch
prog
ram
of
fice
in
TSA
sho
uld
ensu
re, a
s re
quire
d by
the
IT S
ecur
ity
Polic
y H
andb
ook,
that
evi
denc
e be
mai
ntai
ned
on
file
for
each
TSA
em
ploy
ee a
nd c
ontra
ctor
the
C
ompu
ter A
cces
s A
gree
men
t for
m, s
igne
d pr
ior t
o an
y fin
anci
al sy
stem
acc
ess i
s gra
nted
.
X
1
TSA
-IT-
10-0
4 D
urin
g th
e FY
201
0 IT
aud
it, w
e de
term
ined
tha
t TS
A h
as
fully
im
plem
ente
d th
e TS
A I
SOP:
Pro
cess
for
Val
idat
ion
of
Con
trols
ove
r the
USC
G S
crip
t Pro
cess
to m
onito
r scr
ipts
run
at F
INC
EN.
Spec
ifica
lly,
we
note
d th
at
TSA
ha
s im
plem
ente
d an
ex
tens
ive
revi
ew o
f the
scr
ipts
that
impa
ct T
SA o
n a
wee
kly,
m
onth
ly, q
uarte
rly a
nd a
d ho
c ba
sis.
Add
ition
ally
, a b
asel
ine
revi
ew w
as p
erfo
rmed
to e
nsur
e th
at a
ll sc
ripts
that
wer
e ru
n in
pro
duct
ion
prio
r to
4/1
/201
0, t
his
was
app
roxi
mat
ely
160
scrip
ts a
nd th
at th
ey w
ere
revi
ewed
for
thei
r pu
rpos
e an
d th
e fin
anci
al im
pact
of t
he s
crip
ts w
ere
unde
rsto
od b
y th
e va
rious
st
akeh
olde
rs in
the
scrip
t rev
iew
pro
cess
, whi
ch in
clud
ed th
e Sc
ript
Tech
nica
l Le
ad,
Scrip
t M
odul
e Le
ads
(SM
Ls),
and
Subj
ect
Mat
ter
Expe
rts (
SMEs
). A
ny s
crip
t th
at w
as n
ot
incl
uded
in th
e ba
selin
e re
view
was
con
side
red
new
and
was
in
clud
ed in
the
wee
kly,
mon
thly
, qua
rterly
and
ad
hoc
revi
ew
proc
ess.
The
rev
iew
s co
nduc
ted
by T
SA in
clud
ed v
alid
atio
n an
d ve
rific
atio
n st
eps
to e
nsur
e th
at t
he C
oast
Gua
rd i
s pr
oper
ly t
rack
ing
the
TSA
scr
ipts
and
tha
t th
ose
scrip
ts g
o th
roug
h th
e pr
oper
con
figur
atio
n m
anag
emen
t pro
cess
es.
We
reco
mm
end
that
TSA
wor
k w
ith t
he D
HS
Chi
ef
Fina
ncia
l O
ffic
er
and
the
DH
S C
hief
In
form
atio
n O
ffic
er t
o en
sure
tha
t C
oast
Gua
rd
Hea
dqua
rters
' com
plet
es, i
n a
timel
y m
anne
r, th
e pl
anne
d co
rrec
tive
actio
ns to
: �
Upd
ate
the
scrip
ting
polic
ies
and
proc
edur
es
to i
nclu
de a
dditi
onal
and
mor
e de
taile
d te
st
docu
men
tatio
n;
�D
evel
op tr
aini
ng th
at a
ddre
sses
all
aspe
cts
of
scrip
t tes
ting
(incl
udin
g do
cum
enta
tion
of te
st
docu
men
ts)
and
prov
ide
train
ing
to
appr
opria
te C
M st
aff;
�D
evel
op a
n R
P w
ith a
ssoc
iate
d su
ppor
ting
busi
ness
cas
e(s)
to a
ddre
ss th
e da
taba
se a
udit
logg
ing
requ
irem
ents
; �
Dev
elop
pr
oced
ures
an
d pe
rfor
m
regu
lar
acco
unt
reva
lidat
ion
for
Sere
na
to
ensu
re
priv
ilege
s rem
ain
appr
opria
te; a
nd
�C
ondu
ct
an
asse
ssm
ent
over
th
e IC
FOR
pr
oces
s re
late
d to
ide
ntify
ing
and
eval
uatin
g
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
35
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
We
note
d no
exc
eptio
ns d
urin
g ou
r tes
ting
of th
e TS
A S
crip
t C
onfig
urat
ion
Man
agem
ent O
vers
ight
Pro
cess
.
Con
figur
atio
n M
anag
emen
t C
ontro
ls O
ver
the
Coa
st G
uard
Sc
riptin
g Pr
oces
s
The
anal
ysis
co
nduc
ted
over
th
e C
oast
G
uard
sc
ript
conf
igur
atio
n m
anag
emen
t pro
cess
ref
lect
s th
e as
sess
men
t of
the
cont
rol
envi
ronm
ent
for
the
entir
e fis
cal
year
. W
eakn
esse
s id
entif
ied
over
the
proc
ess
are
risks
that
exi
sted
in
the
env
ironm
ent
from
Oct
ober
200
9 to
Sep
tem
ber
2010
un
less
oth
erw
ise
note
d.
�B
ased
upo
n fo
llow
-up
test
wor
k pe
rfor
med
in F
Y 2
010,
w
e de
term
ined
tha
t so
me
prev
ious
ly n
oted
wea
knes
ses
wer
e re
med
iate
d (p
artic
ular
ly i
n th
e se
cond
hal
f of
FY
20
10),
whi
le o
ther
con
trol d
efic
ienc
ies
cont
inue
d to
exi
st.
The
rem
aini
ng c
ontro
l de
ficie
ncie
s th
at w
ere
pres
ent
thro
ugho
ut F
Y 2
010
vary
in s
igni
fican
ce, h
owev
er th
ree
key
area
s th
at i
mpa
ct t
he C
oast
Gua
rd S
crip
t co
ntro
l en
viro
nmen
t ar
e:
1) S
crip
t Te
stin
g R
equi
rem
ents
, 2)
Sc
ript T
estin
g En
viro
nmen
t, an
d 3)
Scr
ipt A
udit
Logg
ing
Proc
ess.
-Sc
ript
Test
ing
Req
uire
men
ts:
Lim
ited
test
ing
requ
irem
ents
exi
st t
o gu
ide
FIN
CEN
sta
ff i
n th
e de
velo
pmen
t of
tes
t pl
ans
and
guid
ance
ove
r th
e fu
nctio
nal
test
ing
that
sh
ould
be
pe
rfor
med
. A
dditi
onal
ly,
we
dete
rmin
ed
that
th
ere
are
no
deta
iled
requ
irem
ents
ove
r th
e re
view
and
test
ing
of
func
tiona
l cha
nges
to th
e da
ta.
FIN
CEN
onl
y tra
cks
and
docu
men
ts t
he n
umbe
r of
tra
nsac
tions
upd
ated
on
scr
ipts
tha
t ha
ve a
fin
anci
al i
mpa
ct a
nd n
ot t
he
deta
iled
dolla
r am
ount
s as
soci
ated
with
the
finan
cial
im
pact
tran
sact
ions
.
scrip
ts th
at h
ave
a fin
anci
al s
tate
men
t im
pact
. Th
is
asse
ssm
ent
can
be
incl
uded
in
th
e C
onfig
urat
ion
Man
agem
ent O
vers
ight
Pro
cess
as
par
t of
Coa
st G
uard
’s a
nnua
l A-1
23 e
ffor
ts
or
perf
orm
ed
inde
pend
ent
of
the
A-1
23
proc
ess.
We
reco
mm
end
that
this
ass
essm
ent
(1) b
e pe
rfor
med
ear
ly in
the
FY 2
011,
in ti
me
to re
med
iate
def
icie
ncie
s be
fore
the
end
of th
e th
ird
quar
ter,
and
(2)
invo
lve
proc
ess
docu
men
tatio
n an
d su
ffic
ient
tes
ting
to f
ully
as
sess
bot
h de
sign
and
ope
ratin
g ef
fect
iven
ess
of c
ontro
ls.
The
obj
ectiv
e be
ing
to h
ave
a re
liabl
e pr
oces
s an
d in
tern
al c
ontro
ls in
pla
ce
that
allo
w th
e au
dito
r to
test
, and
rely
on
thos
e co
ntro
ls, d
urin
g th
e fo
urth
qua
rter o
f FY
201
1.
TSA
Spe
cific
Rec
omm
enda
tion:
Con
tinue
to
co
nduc
t an
as
sess
men
t ov
er
the
ICFO
R
proc
ess
rela
ted
to
iden
tifyi
ng
and
eval
uatin
g sc
ripts
tha
t ha
ve a
fin
anci
al s
tate
men
t im
pact
.
Find
ings
w
ill
be
com
mun
icat
ed
and
coor
dina
ted
with
USC
G,
as a
ppro
pria
te.
Thi
s as
sess
men
t ca
n be
inc
lude
d in
the
tes
ting
of t
he
TSA
Scr
ipt C
onfig
urat
ion
Man
agem
ent O
vers
ight
Pr
oces
s as
par
t of
TSA
’s a
nnua
l A
-123
eff
orts
. Fu
rther
, we
reco
mm
end
that
this
ass
essm
ent (
1) b
e pe
rfor
med
ea
rly
in
the
FY
2011
, in
tim
e to
re
med
iate
def
icie
ncie
s be
fore
the
end
of th
e th
ird
quar
ter,
and
(2)
invo
lve
proc
ess
docu
men
tatio
n an
d su
ffic
ient
tes
ting
to f
ully
ass
ess
both
des
ign
and
oper
atin
g ef
fect
iven
ess
of
cont
rols
.
The
obje
ctiv
e be
ing
to h
ave
a re
liabl
e pr
oces
s an
d in
tern
al c
ontro
ls in
pla
ce th
at a
llow
the
audi
tor
to
test
, and
rel
y on
thos
e co
ntro
ls, d
urin
g th
e fo
urth
qu
arte
r of F
Y 2
011.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
36
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
-Sc
ript T
estin
g En
viro
nmen
t: N
ot a
ll sc
ript c
hang
es
wer
e te
sted
in
th
e ap
prop
riate
C
AS
Suite
te
st
envi
ronm
ents
as
requ
ired.
FI
NC
EN m
anag
emen
t in
form
ed u
s th
at th
e te
stin
g en
viro
nmen
ts, C
AS4
and
LU
FSFQ
T3, w
ere
offli
ne fo
r the
se e
xcep
tions
due
to
a re
fres
h of
the
data
base
s an
d th
at te
ster
s us
ed C
AS3
an
d A
lpha
as
alte
rnat
e te
stin
g en
viro
nmen
ts in
stea
d.
How
ever
, FI
NC
EN m
anag
emen
t in
form
ed K
PMG
th
at
thes
e en
viro
nmen
ts
are
refr
eshe
d on
an
as
ne
eded
bas
is a
nd n
o fu
rther
inf
orm
atio
n co
uld
be
prov
ided
ove
r ho
w f
requ
ently
the
CA
S3 a
nd A
lpha
da
taba
ses
wer
e re
fres
hed
to v
erify
tha
t th
e sc
ripts
w
ere
adeq
uate
ly
test
ed
in
the
appr
opria
te
envi
ronm
ent.
Fu
rther
mor
e,
we
dete
rmin
ed
that
gu
idan
ce i
s no
t pr
ovid
ed o
ver
the
use
of a
ltern
ate
test
ing
envi
ronm
ents
for
the
tes
ting
of s
crip
ts t
o en
sure
they
are
ade
quat
ely
test
ed.
-Sc
ript A
udit
Logg
ing
Proc
ess:
The
CA
S, F
PD, a
nd
Sunf
low
er d
atab
ases
are
logg
ing
chan
ges
to ta
bles
as
wel
l as
su
cces
sful
an
d un
succ
essf
ul
logi
ns.
How
ever
, no
rec
onci
liatio
n be
twee
n th
e sc
ripts
run
an
d th
e ch
ange
s m
ade
to th
e da
taba
se ta
bles
is b
eing
pe
rfor
med
to m
onito
r the
scr
ipt a
ctiv
ities
and
ens
ure
that
all
scrip
ts r
un h
ave
been
app
rove
d th
roug
h ch
ange
m
anag
emen
t sc
ript
syst
em
(CM
SS)
or
Sere
na.
In a
dditi
on, w
e no
ted
that
FIN
CEN
has
not
es
tabl
ishe
d a
form
al p
roce
ss t
o m
onito
r an
d re
view
ch
ange
s m
ade
to t
he S
unflo
wer
dat
abas
e in
clud
ing
the
tabl
es a
nd a
ctiv
ities
mod
ified
by
the
data
base
ad
min
istra
tors
.
Inte
rnal
C
ontro
l O
ver
Fina
ncia
l R
epor
ting
– Fi
nanc
ial
Stat
emen
t Im
pact
.
The
USC
G h
as e
stab
lishe
d ce
rtain
pro
cess
es t
o id
entif
y an
d as
sess
the
val
idity
of
scrip
ts t
hat
may
hav
e a
finan
cial
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
37
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
stat
emen
t im
pact
[o
n bo
th
USC
G
and
TSA
fin
anci
al
stat
emen
ts].
Thi
s pr
oces
s is
per
form
ed b
y on
e pr
imar
y in
divi
dual
, an
d tw
o id
entif
ied
back
up
pers
onne
l, w
ho
perf
orm
s a
revi
ew o
f th
e sc
ript
for
accu
racy
and
pro
prie
ty,
prov
ides
fee
dbac
k to
the
sour
ce, a
nd u
ltim
atel
y ap
prov
es th
e ap
plic
atio
n. T
his
proc
ess
has
certa
in c
ontro
l def
icie
ncie
s th
at
have
bee
n co
mm
unic
ated
to
USC
G (
see
NFR
# C
G-I
T-10
-05
), w
hich
hav
e le
ad,
in p
art,
to T
SA’s
ado
ptio
n of
cer
tain
re
dund
ant
cont
rols
to
re
view
TS
A
scrip
ts
for
prop
riety
. Fu
rther
mor
e, t
he r
atio
nale
doc
umen
ting
the
impa
ct o
f th
e sc
ript,
whe
ther
dee
med
as
havi
ng f
inan
cial
impa
ct o
r no
t, is
no
t do
cum
ente
d an
d re
tain
ed.
In
addi
tion,
with
in t
he C
AS
Suite
env
ironm
ent,
ther
e ar
e ov
er 2
00 s
crip
ts ru
n on
a w
eekl
y ba
sis.
Dur
ing
FY 2
010,
thr
ough
thi
s re
view
TSA
has
di
scov
ered
var
ious
err
ors
that
USC
G w
as re
quire
d to
cor
rect
. Th
e ex
cept
ions
not
ed b
y TS
A a
re in
dica
tive
of w
eakn
esse
s in
th
e U
SCG
pro
cess
.
We
also
co
nsid
er
this
co
ntro
l as
pect
to
be
pr
inci
pally
im
porta
nt
for
TSA
to
m
onito
r C
oast
G
uard
’s
corr
ectiv
e ac
tions
tak
en.
In a
dditi
on, T
SA s
houl
d co
nsid
er, a
s pa
rt of
th
eir
annu
al A
-123
eff
orts
, ad
ding
the
ir ow
n A
-123
tes
ting
proc
edur
es in
iden
tifyi
ng a
nd e
valu
atin
g th
e fin
anci
al im
pact
of
TSA
scrip
ting
at th
e C
oast
Gua
rd.
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
38
Appendix B
Department of Homeland Security Information Technology Management Letter
September 30, 2010
Department of Homeland Security FY 2010 Information Technology
Notification of Findings and Recommendations – Detail
� United States Citizenship and Immigration Services
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 139
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
Not
ice
of F
indi
ngs a
nd R
ecom
men
datio
ns –
Det
ail
Uni
ted
Stat
es C
itize
nshi
p an
d Im
mig
ratio
n Se
rvic
es
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
CIS
-IT-
10-0
1 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
the
acce
ss r
oles
at t
he
Nat
iona
l B
enef
its C
ente
r (N
BC
) fo
r C
LAIM
S3 L
AN
ha
ve n
ot b
e de
fined
and
doc
umen
ted.
U
SCIS
has
be
gun
som
e co
rrec
tive
actio
n; h
owev
er,
thes
e is
sues
ha
ve n
ot b
een
fully
rem
edia
ted.
The
USC
IS O
ffic
e of
Info
rmat
ion
Tech
nolo
gy w
ill
final
ize
the
CLA
IMS
3 LA
N
Acc
ount
M
anag
emen
t Pr
oced
ures
th
at
addr
ess
acco
unt
iden
tific
atio
n,
set-u
p,
rece
rtific
atio
n,
and
term
inat
ion
and
acce
ss r
eque
st f
orm
mai
nten
ance
. Th
ese
proc
edur
es re
flect
how
all
CLA
IMS
3 LA
N
acco
unts
will
be
man
aged
at
each
fac
ility
tha
t ut
ilize
s the
CLA
IMS
3 LA
N.
X
3
CIS
-IT-
10-0
2 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
the
wea
knes
s ha
s no
t be
en r
emed
iate
d fo
r C
LAIM
S3 L
AN
per
iodi
c us
er
acce
ss r
evie
ws.
USC
IS h
as b
egun
som
e co
rrec
tive
actio
n; h
owev
er,
thes
e is
sues
hav
e no
t be
en f
ully
re
med
iate
d.
The
USC
IS O
IT w
ill c
ontin
ue to
revi
ew C
LAIM
S 3
LAN
acc
ount
s fo
r th
ose
that
hav
e be
en in
activ
e fo
r 45
day
s m
anua
lly a
nd t
o re
mov
e us
er’s
tha
t ap
pear
on
th
e O
ffic
e of
H
uman
C
apita
l an
d Tr
aini
ng (
HC
T) a
ttriti
on b
i-wee
kly
list.
OIT
will
fin
aliz
e th
e C
LAIM
S 3
LAN
A
ccou
nt
Man
agem
ent
Proc
edur
es
that
ad
dres
s ac
coun
t id
entif
icat
ion,
se
t-up,
re
certi
ficat
ion,
an
d te
rmin
atio
n an
d ac
cess
req
uest
form
mai
nten
ance
. O
IT w
ill c
ontin
ue to
wor
k w
ith th
e O
IT A
ccou
nt
Man
agem
ent
Gro
up,
the
IT P
roje
ct M
anag
er a
nd
each
inst
alla
tion
site
to r
ecer
tify
CLA
IMS
3 LA
N
acco
unts
and
ens
ure
a cu
rren
t an
d va
lid a
cces
s re
ques
t for
m i
s fil
ed.
OIT
will
con
tinue
to w
ork
with
HC
T to
ens
ure
thei
r ex
it cl
eara
nce
proc
ess
incl
udes
pro
cedu
res
to p
rom
ptly
not
ify O
IT w
hen
empl
oyee
s le
ave
or tr
ansf
er.
OIT
will
als
o fin
aliz
e th
e U
SCIS
Acc
ount
Man
agem
ent,
Man
agem
ent
Dire
ctiv
e (A
genc
y Po
licy)
.
X
3
CIS
-IT-
10-0
3 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
e pr
ior y
ear N
FR a
nd le
arne
d th
at th
e w
eakn
ess
still
ex
ist
for
inco
mpl
ete
or i
nade
quat
e ac
cess
req
uest
fo
rms
for
CLA
IMS
3 LA
N a
nd C
LAIM
S 4.
U
SCIS
The
USC
IS O
IT w
ill fi
naliz
e th
e C
LAIM
S 3
LAN
an
d C
LAIM
S 4
Acc
ount
Man
agem
ent P
roce
dure
s th
at
addr
ess
acco
unt
iden
tific
atio
n,
set-u
p,
rece
rtific
atio
n, a
nd te
rmin
atio
n an
d ac
cess
req
uest
fo
rm m
aint
enan
ce.
OIT
will
con
tinue
to
wor
k
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
40
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
has
begu
n so
me
corr
ectiv
e ac
tion;
how
ever
, th
ese
issu
es h
ave
not b
een
fully
rem
edia
ted.
w
ith th
e O
IT A
ccou
nt M
anag
emen
t Gro
up, t
he IT
Pr
ojec
t M
anag
er
and
each
in
stal
latio
n si
te
to
rece
rtify
C
LAIM
S 3
LAN
an
d C
LAIM
S 4
acco
unts
and
ens
ure
a cu
rren
t an
d va
lid a
cces
s re
ques
t for
m is
file
d.
CIS
-IT-
10-0
4 In
FY
200
9, K
PMG
per
form
ed a
n in
spec
tion
of a
sa
mpl
e of
per
sonn
el t
hat
had
term
inat
ed/tr
ansf
erre
d fr
om th
eir
empl
oym
ent w
ith U
SCIS
dur
ing
the
fisca
l ye
ar.
KPM
G r
eque
sted
evi
denc
e th
at e
xit
clea
ranc
e fo
rms
wer
e co
mpl
eted
for e
ach
empl
oyee
to d
eter
min
e U
SCIS
m
anag
emen
t’s
com
plia
nce
with
te
rmin
atio
n/tra
nsfe
r pr
oced
ures
.
Of
the
28
term
inat
ed/tr
ansf
erre
d U
SCIS
pe
rson
nel
sam
pled
, ev
iden
ce o
f com
plia
nce
with
exi
t cle
aran
ce p
roce
dure
s co
uld
not b
e pr
ovid
ed fo
r 19
empl
oyee
s.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e le
arne
d th
at U
SCIS
Hum
an R
esou
rce
Div
isio
n re
vise
d th
e ex
istin
g te
rmin
ated
/tran
sfer
red
proc
edur
es f
or e
xit
proc
essi
ng;
how
ever
, th
e pr
oced
ures
hav
e no
t be
en
appr
oved
nor
impl
emen
ted.
We
reco
mm
end
USC
IS m
anag
emen
t is
sue
and
adhe
re to
exi
t cle
aran
ce p
olic
ies
and
proc
edur
es to
be
follo
wed
in th
e ev
ent o
f tra
nsfe
r, te
rmin
atio
n or
se
para
tion
of
fede
ral
and
cont
ract
pe
rson
nel.
Res
ourc
es
shou
ld
be
mad
e av
aila
ble
to
com
mun
icat
e th
e up
date
d pr
oced
ures
to p
erso
nnel
, tra
in m
issi
on s
uppo
rt st
aff w
ho h
ave
a cr
itica
l rol
e in
the
upd
ated
pro
cess
, an
d en
forc
e an
d m
onito
r co
mpl
ianc
e w
ith th
e ex
it pr
oced
ures
and
pol
icie
s.
X
2
CIS
-IT-
10-0
5 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
equ
ipm
ent
and
med
ia
polic
ies
and
proc
edur
es a
re n
ot c
urre
nt.
USC
IS h
as
begu
n so
me
corr
ectiv
e ac
tion;
how
ever
, th
ese
issu
es
have
not
bee
n fu
lly re
med
iate
d.
The
USC
IS O
IT w
ill f
inal
ize
the
USC
IS M
edia
Pr
otec
tion
Man
agem
ent
Dire
ctiv
e an
d th
e U
SCIS
M
edia
Pro
tect
ion
Proc
edur
es a
nd e
nsur
e th
ey a
re
read
ily a
vaila
ble
to U
SCIS
per
sonn
el.
OIT
will
co
ntin
ue to
wor
k w
ith th
e O
ffic
e of
Adm
inis
tratio
n to
ens
ure
ther
e is
a s
tand
ardi
ze p
roce
ss t
o la
bel,
track
, sa
nitiz
e, r
efur
bish
, an
d/or
des
troy
USC
IS
med
ia u
sing
app
rove
d eq
uipm
ent a
nd so
ftwar
e.
X
1
CIS
-IT-
10-0
6 D
urin
g K
PMG
’s i
nter
nal
vuln
erab
ility
ass
essm
ent
of
FFM
S pe
rfor
med
in
Aug
ust
2010
, K
PMG
ide
ntifi
ed
seve
ral H
igh/
Med
ium
Ris
k vu
lner
abili
ties,
rela
ted
to
the
follo
win
g:
�FF
MS
mai
nfra
me
prod
uctio
n
data
base
s w
ere
inst
alle
d an
d co
nfig
ured
with
out b
asel
ine
secu
rity
USC
IS w
ill m
onito
r th
e M
issi
on A
ctio
n Pl
ans
(MA
P) o
f the
ass
ocia
ted
ICE
NFR
s: IT
-10-
12, I
T-10
-13,
IT-
10-1
4, I
T-10
-15
and
requ
est
perio
dic
stat
us u
pdat
es.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
41
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
conf
igur
atio
ns,
incl
udin
g th
e U
SCIS
O
racl
e in
stan
ce
�FF
MS
serv
ers h
ave
mis
sing
or i
nade
quat
e pa
tche
s
In a
dditi
on, w
e fo
und
phys
ical
saf
egua
rd w
eakn
esse
s at
the
DH
S D
C2
data
cen
ter,
whi
ch i
mpa
ct U
SCIS
op
erat
ions
. Sp
ecifi
cally
, we
dete
rmin
ed th
e fo
llow
ing:
�
Re-
entry
pro
cedu
res
afte
r an
em
erge
ncy
have
be
en i
mpl
emen
ted;
how
ever
, th
e pr
oced
ures
are
no
t doc
umen
ted.
�
FFM
S se
rver
is
inap
prop
riate
ly m
arke
d w
ith a
la
bel
that
ide
ntifi
es t
he a
pplic
atio
n/da
ta o
n th
e se
rver
. C
IS-I
T-10
-07
Dur
ing
the
FY 2
009
finan
cial
sta
tem
ent a
udit,
KPM
G
perf
orm
ed i
nspe
ctio
n of
the
CLA
IMS
4 pa
ssw
ord
conf
igur
atio
n se
tting
s. Pe
r ou
r in
spec
tion,
KPM
G
dete
rmin
ed t
hat
CLA
IMS
4 ha
s be
en c
onfig
ured
to
proh
ibit
pass
wor
d re
use
for 6
gen
erat
ions
, whi
ch d
oes
not m
eet t
he D
HS
4300
A r
equi
rem
ent o
f 8
pass
wor
d ge
nera
tions
. D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed i
nqui
ry f
ollo
w-u
p to
det
erm
ine
the
stat
us
of
this
w
eakn
ess
and
lear
ned
that
th
e w
eakn
ess
has
not
been
rem
edia
ted
for
CLA
IMS4
pa
ssw
ord
conf
igur
atio
n.
USC
IS h
as b
egun
som
e co
rrec
tive
actio
n; h
owev
er, t
hese
issu
es h
ave
not b
een
fully
rem
edia
ted.
The
USC
IS O
IT w
ill c
ontin
ue to
eva
luat
e th
e ris
k im
pose
d on
th
e C
LAIM
S 4
syst
em
by
not
chan
ging
the
pass
wor
d hi
stor
y fr
om 6
to 8
. If i
t is
deem
ed t
hat
the
risk
is l
ow,
OIT
will
sub
mit
a W
aive
rs a
nd E
xcep
tions
Req
uest
For
m to
the
DH
S C
ISO
. If
the
risk
is d
eem
ed m
ediu
m o
r hig
h, O
IT
will
con
tinue
to im
plem
ent t
he p
assw
ord
chan
ges
as o
utlin
ed in
the
FY 2
009
USC
IS O
IT M
AP.
X
2
CIS
-IT-
10-0
8 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
ine
ffec
tive
safe
guar
ds
still
exi
st o
ver
phys
ical
acc
ess
to s
ensi
tive
faci
litie
s an
d re
sour
ces.
USC
IS h
as b
egun
som
e co
rrec
tive
actio
n; h
owev
er,
thes
e is
sues
hav
e no
t be
en f
ully
re
med
iate
d.
The
USC
IS O
IT w
ill c
ontin
ue t
o fin
aliz
e th
e M
edia
Pr
otec
tion
Proc
edur
es
for
the
Ver
mon
t Se
rvic
e C
ente
r. O
IT w
ill te
st V
SC’s
OIT
Vis
itor
Polic
y an
d Pr
oced
ures
to
ensu
re t
hey
addr
ess
the
phys
ical
sec
urity
con
cern
s lis
ted
in t
he c
ondi
tion
stat
emen
t.
X
1
CIS
-IT-
10-0
9 In
FY
200
9, w
e de
term
ined
tha
t th
e U
SCIS
lac
ks
polic
ies
and
proc
edur
es
over
au
dit
logg
ing
of
appl
icat
ion
and
serv
er a
udit
logs
for C
LAIM
S 3
LAN
OIT
will
con
tinue
to fi
naliz
e th
e U
SCIS
Aud
it an
d A
ccou
ntab
ility
M
anag
emen
t D
irect
ive
and
impl
emen
t ent
erpr
ise
audi
t log
ging
sof
twar
e. O
IT
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
42
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
and
CLA
IMS
4 sy
stem
. Sp
ecifi
cally
, we
lear
ned
that
C
LAIM
S3 L
AN
gen
erat
es a
udit
logs
; ho
wev
er,
the
USC
IS d
oes
not r
equi
re th
at th
e lo
gs a
re r
evie
wed
or
mai
ntai
ned.
In
add
ition
, w
e de
term
ined
tha
t th
e U
SCIS
doe
s no
t hav
e po
licie
s or
pro
cedu
res
in p
lace
fo
r m
aint
aini
ng a
nd r
evie
win
g th
e au
dit
logs
. F
or
CLA
IMS4
, w
e no
ted
that
C
ompu
ter
Serv
ice
Cor
pora
tion
(CSC
) con
tract
ors
capt
ure
and
revi
ew th
e lo
gs o
f use
r acc
ess
to C
LAIM
S4; h
owev
er, n
o re
view
s of
sig
nific
ant c
hang
es in
the
appl
icat
ion
or to
sys
tem
fil
es a
re c
ondu
cted
. A
dditi
onal
ly,
no p
olic
ies
or
proc
edur
es h
ave
been
est
ablis
hed
for
cond
uctin
g an
d m
onito
ring
the
audi
t log
revi
ews.
Dur
ing
the
FY 2
010
finan
cial
sta
tem
ent
audi
t, w
e le
arne
d th
at U
SCIS
has
beg
un s
ome
corr
ectiv
e ac
tion;
ho
wev
er, t
hese
issu
es h
ave
not b
een
fully
rem
edia
ted.
Th
eref
ore,
this
find
ing
is b
eing
reis
sued
.
will
ens
ure
CLA
IMS
3 LA
N a
nd C
LAIM
S 4
audi
t lo
gs a
re p
rovi
ded
to t
he e
nter
pris
e au
dit
logg
ing
softw
are
for
anal
ysis
. O
nce
the
inte
grat
ion
of
CLA
IMS
3 LA
N
and
CLA
IMS
4 an
d th
e en
terp
rise
audi
t lo
ggin
g so
ftwar
e is
co
mpl
ete,
de
velo
p C
LAIM
S 3
LAN
and
CLA
IMS
4 au
dit
and
acco
unta
bilit
y pr
oced
ures
.
CIS
-IT-
10-1
0 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
wea
k lo
gica
l ac
cess
co
ntro
ls s
till e
xist
ove
r CLA
IMS
4. U
SCIS
has
beg
un
som
e co
rrec
tive
actio
n; h
owev
er, t
hese
issu
es h
ave
not
been
fully
rem
edia
ted.
The
USC
IS O
ffic
e of
Inf
orm
atio
n Te
chno
logy
(O
IT)
will
fin
aliz
e th
e C
LAIM
S 4
Acc
ount
M
anag
emen
t Pr
oced
ures
th
at
addr
ess
acco
unt
iden
tific
atio
n,
set-u
p,
rece
rtific
atio
n,
and
term
inat
ion
and
acce
ss r
eque
st f
orm
mai
nten
ance
. O
IT w
ill c
ontin
ue to
wor
k w
ith th
e O
IT A
ccou
nt
Man
agem
ent
Gro
up,
the
IT P
roje
ct M
anag
er a
nd
each
in
stal
latio
n si
te
to
rece
rtify
C
LAIM
S 4
acco
unts
and
ens
ure
a cu
rren
t an
d va
lid a
cces
s re
ques
t fo
rm i
s fil
ed.
OIT
will
als
o fin
aliz
e th
e U
SCIS
A
ccou
nt
Man
agem
ent,
Man
agem
ent
Dire
ctiv
e (A
genc
y Po
licy)
.
OIT
will
con
tinue
to r
evie
w C
LAIM
S 4
acco
unts
fo
r th
ose
that
hav
e be
en i
nact
ive
for
45 d
ays
man
ually
and
to
rem
ove
user
s th
at a
ppea
r on
the
O
ffic
e of
HC
T at
tritio
n bi
-wee
kly
list.
OIT
will
co
ntin
ue t
o w
ork
with
HC
T to
ens
ure
thei
r ex
it
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
43
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
clea
ranc
e pr
oces
s in
clud
es p
roce
dure
s to
pro
mpt
ly
notif
y O
IT w
hen
empl
oyee
s lea
ve o
r tra
nsfe
r.
The
HC
T m
ust
final
ize
Exit
Cle
aran
ce P
roce
ss
polic
ies
and
proc
edur
es
and
ensu
re
that
th
ese
docu
men
ts
are
diss
emin
ated
ag
ency
-wid
e.
Spec
ifica
lly,
ensu
re
that
co
ntra
ctin
g of
ficer
s, co
ntac
ting
offic
ers’
te
chni
cal
repr
esen
tativ
es,
man
ager
s and
supe
rvis
ors a
re in
form
ed a
bout
thes
e do
cum
ents
and
und
erst
and
thei
r im
porta
nce.
CIS
-IT-
10-1
1 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
perf
orm
ed in
quiry
follo
w-u
p to
det
erm
ine
the
stat
us o
f th
is w
eakn
ess
and
lear
ned
that
CLA
IMS3
LA
N s
till
lack
s po
licy
and
proc
edur
es f
or s
epar
ated
em
ploy
ees.
USC
IS h
as b
egun
som
e co
rrec
tive
actio
n; h
owev
er,
thes
e is
sues
hav
e no
t bee
n fu
lly re
med
iate
d.
The
USC
IS O
IT w
ill c
ontin
ue to
revi
ew C
LAIM
S 3
LAN
acc
ount
s fo
r th
ose
that
hav
e be
en in
activ
e fo
r 45
day
s m
anua
lly a
nd t
o re
mov
e us
er’s
tha
t ap
pear
on
the
Off
ice
of H
CT
attri
tion
bi-w
eekl
y lis
t. O
IT
will
fin
aliz
e th
e C
LAIM
S 3
LAN
A
ccou
nt
Man
agem
ent
Proc
edur
es
that
ad
dres
s ac
coun
t id
entif
icat
ion,
set
-up,
rec
ertif
icat
ion,
and
te
rmin
atio
n an
d ac
cess
req
uest
for
m m
aint
enan
ce.
OIT
will
con
tinue
to
wor
k w
ith H
CT
to e
nsur
e th
eir e
xit c
lear
ance
pro
cess
incl
udes
pro
cedu
res
to
prom
ptly
not
ify O
IT w
hen
empl
oyee
s le
ave
or
trans
fer.
OIT
w
ill
also
fin
aliz
e th
e U
SCIS
A
ccou
nt M
anag
emen
t Dire
ctiv
e (A
genc
y Po
licy)
.
The
HC
T m
ust
final
ize
Exit
Cle
aran
ce P
roce
ss
polic
ies
and
proc
edur
es
and
ensu
re
that
th
ese
docu
men
ts
are
diss
emin
ated
ag
ency
-wid
e.
Spec
ifica
lly,
ensu
re
that
co
ntra
ctin
g of
ficer
s, co
ntac
ting
offic
ers’
te
chni
cal
repr
esen
tativ
es,
man
ager
s and
supe
rvis
ors a
re in
form
ed a
bout
thes
e do
cum
ents
and
und
erst
and
thei
r im
porta
nce.
X
2
CIS
-IT-
10-1
2 D
urin
g th
e FY
201
0 fin
anci
al s
tate
men
t au
dit,
we
lear
ned
that
th
e IT
se
curit
y aw
aren
ess
train
ing
wea
knes
s ha
s no
t be
en r
emed
iate
d, t
here
fore
, th
is
findi
ng w
as re
issu
ed.
For i
nitia
l inf
orm
atio
n se
curit
y aw
aren
ess
train
ing,
O
IT w
ill c
ontin
ue t
o up
date
and
pro
vide
tra
inin
g m
ater
ials
for
the
Off
ice
of H
CT
New
Em
ploy
ee
Orie
ntat
ion
Prog
ram
(N
EOP)
. T
he H
CT
shou
ld
X
2
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
44
App
endi
x B
D
epar
tmen
t of H
omel
and
Secu
rity
In
form
atio
n Te
chno
logy
Man
agem
ent L
ette
r Se
ptem
ber 3
0, 2
010
NFR
#N
o C
ondi
tion
Rec
omm
enda
tion
New
Is
sue
Rep
eat
Issu
e Se
veri
ty
Rat
ing
cont
inue
to
impl
emen
t th
e N
EOP
agen
cy-w
ide.
H
CT
mus
t pr
ovid
e O
IT a
mon
thly
rep
ort
of a
ll ne
w h
ires
and
the
date
the
y co
mpl
eted
ini
tial
info
rmat
ion
secu
rity
awar
enes
s tra
inin
g du
ring
NEO
P.
For
annu
al
info
rmat
ion
secu
rity
awar
enes
s re
fres
her
train
ing,
OIT
will
con
tinue
to
use
the
Dep
artm
ent
of S
tatu
s (D
OS)
Com
pute
r Se
curit
y A
war
enes
s Tr
aini
ng
(CSA
T)
tool
to
pr
ovid
e in
form
atio
n se
curit
y aw
aren
ess
train
ing
to
all
USC
IS
empl
oyee
s w
ith
acce
ss
to
agen
cy
info
rmat
ion
syst
ems.
CIS
-IT-
10-1
3 D
urin
g ro
ll fo
rwar
d te
stin
g fo
r th
e FY
201
0 fin
anci
al
stat
emen
t au
dit,
KPM
G
perf
orm
ed
insp
ectio
n of
A
ctiv
e D
irect
ory
and
Exch
ange
(A
DEX
) ac
cess
re
ques
t for
ms.
Per
our
insp
ectio
n, K
PMG
det
erm
ined
th
at o
ne o
ut o
f th
e fo
rty-f
ive
acce
ss f
orm
s re
ques
ted
was
not
pro
vide
d. A
dditi
onal
ly, t
hree
out
of t
he fo
rty-
five
acce
ss f
orm
s re
ques
ted
wer
e cr
eate
d on
the
sam
e da
y of
the
requ
est.
The
Off
ice
of
Info
rmat
ion
Tech
nolo
gy
will
fin
aliz
e an
d is
sue
the
USC
IS M
D o
n In
form
atio
n Sy
stem
Acc
ount
Man
agem
ent.
The
MD
stip
ulat
es
polic
es o
n re
cord
s m
anag
emen
t of
acce
ss r
eque
sts
and
stan
dard
izes
th
e U
SCIS
N
etw
ork
Acc
ess
Req
uest
For
m.
X
2
CIS
-IT-
10-1
4 IC
E -
Dur
ing
KPM
G’s
in
tern
al
vuln
erab
ility
as
sess
men
t ef
forts
of
ICE’
s A
DEX
net
wor
k se
rver
s an
d de
vice
s pe
rfor
med
in
A
ugus
t 20
10,
KPM
G
iden
tifie
d a
defa
ult i
nsta
llatio
n an
d co
nfig
urat
ions
for
th
e H
SRP
on th
e C
isco
rout
ers.
USC
IS
- A
lthou
gh
USC
IS
does
no
t ha
ve
dire
ct
resp
onsi
bilit
y fo
r th
e co
ntro
ls o
ver
AD
EX a
nd I
CE
finan
cial
ap
plic
atio
ns,
USC
IS
does
ha
ve
a re
spon
sibi
lity
to
proa
ctiv
ely
man
age
its
serv
ice
prov
ider
rela
tions
hip
with
ICE.
USC
IS s
houl
d re
quire
IC
E to
pro
vide
a d
etai
led
Cor
rect
ive
Act
ion
Plan
(C
AP)
co
ntai
ning
th
e pl
anne
d re
med
iatio
n of
th
e se
curit
y vu
lner
abili
ties a
ffec
ting
USC
IS d
ata
inte
grity
.
USC
IS w
ill m
onito
r th
e M
AP
of t
he a
ssoc
iate
d N
FR#
ICE-
IT-1
0-16
and
req
uest
per
iodi
c st
atus
up
date
s.
X
3
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
45
A
ppen
dix
B
Dep
artm
ent o
f Hom
elan
d Se
curi
ty
Info
rmat
ion
Tech
nolo
gy M
anag
emen
t Let
ter
Sept
embe
r 30,
201
0
Info
rmat
ion
Tec
hnol
ogy
Man
agem
ent L
ette
r fo
r th
e FY
201
0 Fi
nanc
ial S
tate
men
t Aud
it Pa
ge 1
46
Appendix C
Department of Homeland Security Information Technology Management Letter
September 30, 2010
APPENDIX C
Status of Prior Year Notices of Findings and Recommendations and Comparison to
Current Year Notices of Findings and Recommendations at DHS
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 147
Disposition
NFR No. Description Closed Repeat
CBP-IT-09-03 Contractor Tracking Deficiencies X CBP-IT-09-12 Install 10-11CBP-IT-09-13 Complete List of CBP Workstations 10-11 CBP-IT-09-21 Review of Changes to Security Profiles in ACS 10-14 CBP-IT-09-27 Administrator Access Authorization Weaknesses X CBP-IT-09-29 Completion of CF-241 Forms for Terminated Employees 10-09 CBP-IT-09-34 Installation of Anti-Virus Protection 10-11 CBP-IT-09-41 Weaknesses in the Process of Separating CBP Contractors 10-08 CBP-IT-09-44 Completion of Non Disclosure Agreements for US CBP 10-10
ContractorsCBP-IT-09-45 Log configuration weakness for System. X CBP-IT-09-48 Lack of Effective ACS Access Change Log Review Procedures 10-19 CBP-IT-09-56 ACE Audit Log Reviews 10-03 CBP-IT-09-57 NDC LAN Audit Logs X CBP-IT-09-58 Novell Password Settings X CBP-IT-09-59 Formal Procedures for Mainframe System Utility Logs X CBP-IT-09-60 Configuration for Mainframe Security Violation Control Option 10-20 CBP-IT-09-61 Completion of Initial Background Investigations and Periodic 10-21
Background Reinvestigations for CBP Employees and ContractorsCBP-IT-09-62 Rules of Behavior Not Consistently Signed by CBP Employees X
and Contractors CBP-IT-09-63 ACE does not disable accounts after 45 days X CBP-IT-09-64 ACS PGA ISAs Not Completely Documented 10-16 CBP-IT-09-65 Documentation of ACE Access Change Requests 10-06 CBP-IT-09-66 Separated Employees on ACE Access Listing 10-01 CBP-IT-09-67 Inadequate Documentation of ACS Access Change Requests 10-17 CBP-IT-09-68 Vulnerabilities in Configuration and Patch Management X CBP-IT-09-69 Inadequate SAP Profile Change Review X CBP-IT-09-70 Overuse of ACS Emergency/Temporary Access Roles X CBP-IT-09-71 Inadequate Documentation of SAP Emergency/Temporary X
Access Requests CBP-IT-09-72 ACE Segregation of Duties Controls are Not In Place 10-02 CBP-IT-09-73 Inadequate Documentation of ACE SCO Access Requests and X
Approvals CBP-IT-09-74 Inadequate Protection of CBP Information and Property 10-05
10-07
CG-IT-09-10 Contractor Background Investigation Weakness 10-02 Weaknesses with Specialized Role-based Training for 10-10
CG-IT-09-14 Individuals with Significant Security Responsibilities CG-IT-09-23 Shore Asset Management (SAM) Audit Log Review Weakness 10- 22 CG-IT-09-25 WINS Access Controls Need Strengthening X CG-IT-09-31 Weaknesses Exist in the Configuration Management Controls 10-05
Appendix C Department of Homeland Security
Information Technology Management Letter September 30, 2010
Current Year Notices of Findings and Recommendations
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 148
Appendix C Department of Homeland Security
Information Technology Management Letter September 30, 2010
Over the Scripting Process CG-IT-09-32 Lack of Documented Contractor Tracking System Reconciliation
Procedures X
CG-IT-09-33 Lack of a Consistent Contractor, Civilian, and Military Account Termination Process for Coast Guard Systems
10-01
CG-IT-09-34 WINS Change Control Weakness X CG-IT-09-40 Civilian Background Investigation Weakness 10-03 CG-IT-09-42 Non-Compliance with Federal Financial Management
Improvement Act (FFMIA) – Information Technology 10-24
CG-IT-09-43 Recertification Weakness within the User Management System (UMS)
X
CG-IT-09-45 FINCEN data center access is not restricted to appropriately authorized personnel
X
CG-IT-09-46 Configuration and Patch Management - Vulnerability Assessment
X
CG-IT-09-49 JUMPS Audit Log Review Weakness X CG-IT-09-50 Audit Trail Weaknesses within the Direct Access Application 10-28 CG-IT-09-51 Audit Trail Weaknesses within the Global Pay Application X CG-IT-09-52 Recertification Weakness within the Direct Access Application 10-12 CG-IT-09-53 Security Awareness Issues Associated with the Protection of
Sensitive Information 10-06
CIS-IT-09-01 Inefficient definition and documentation of access roles at the National Benefits Center for CLAIMS3 LAN
10-01
CIS-IT-09-02 Periodic user access reviews are not performed for CLAIMS3 LAN users.
10-02
CIS-IT-09-03 Incomplete or inadequate access request forms for CLAIMS3 LAN and CLAIMS4 system users.
10-03
CIS-IT-09-04 Periodic Active Directory (ADEX) system administrator access reviews are not performed at USCIS.
X
CIS-IT-09-06 Weak data center access controls exist X CIS-IT-09-07 Equipment and media policies and procedures are not current. 10-05 CIS-IT-09-08 Weak access controls for security software exist within the
Password Issuance and Control System (PICS). X
CIS-IT-09-09 Weak access controls exist in CLAIMS3 LAN. X CIS-IT-09-10 Weak password configuration controls around CLAIMS4. 10-07 CIS-IT-09-11 Background investigations are not conducted in a timely manner. X CIS-IT-09-12 Procedures for transferred/terminated personnel exit processing
are not finalized 10-04
CIS-IT-09-13 Ineffective safeguards over physical access to sensitive facilities and resources
10-08
CIS-IT-09-14 Weak access controls exist within FFMS X CIS-IT-09-15 Lack of policies and procedures for CLAIMS 3 LAN and
CLAIMS 4 audit logs 10-09
CIS-IT-09-16 Weak logical access controls exist over CLAIMS 4 10-10 CIS-IT-09-17 Training for IT security personnel is not mandatory X CIS-IT-09-18 Lack of policies and procedures for separated CLAIMS3 LAN
accounts 10-11
CIS-IT-09-19 IT Security Awareness Training compliance is not monitored 10-12
CIS-IT-09-20 Default installation and configuration of Cisco routers on ICE 10-14
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 149
Appendix C Department of Homeland Security
Information Technology Management Letter September 30, 2010
Network Impact USCIS Operations.
CONS-IT-09-13 Evidence of Security Management Review of DHSTIER’s Oracle Activity Audit Reports is Not Retained
X
CONS-IT-09-14 CFO Vision Password Parameters are Not Configured in Accordance with DHS Policy
10-01
CONS-IT-09-15 Operating System Patch Management Procedures for DHSTIER and CFO Vision Not Documented.
X
CONS-IT-09-16 Periodic Review of DHS Stennis Data Center Access Privileges is Not Performed
X
FEMA-IT-09-02 Configuration Management Weaknesses on IFMIS, NEMIS, and Key Support Servers (vulnerability assessment finding)
10-41
FEMA-IT-09-03 Weaknesses Exist over Recertification of Access to IFMIS 10-14 FEMA-IT-09-06 Documentation Supporting the IFMIS User Functions Does Not
Exist 10-49
FEMA-IT-09-12 NEMIS Access Controls Need Improvement 10-01 FEMA-IT-09-13 Employee Termination Process for Removing System Access
Should be More Proactive 10-21
FEMA-IT-09-17 System Programmers Have the Ability to Migrate Code into the IFMIS Production Environment
10-39
FEMA-IT-09-19 Monitoring of NEMIS System Software Needs Improvement 10-04 FEMA-IT-09-22 Alternate Processing Site for NEMIS Has Not Been Established 10-02 FEMA-IT-09-24 NEMIS Backups Are Not Tested in Accordance with Policy 10-36 FEMA-IT-09-25 The NEMIS Contingency Plan Is Not Tested 10-20 FEMA-IT-09-28 NEMIS Configuration Management Process for Non-Emergency
Changes Needs Improvement 10-62
FEMA-IT-09-29 NEMIS Emergency Change Process Needs Improvement 10-62
FEMA-IT-09-38 Segregation of Duties Not Enforced for Traverse X FEMA-IT-09-39 Traverse Contingency Plan Not Tested and NFIP Disaster
Recovery and COOP Needs Improvement 10-61
FEMA-IT-09-45 IFMIS User Access is not Managed in Accordance with Account Management Procedures
10-26
FEMA-IT-09-46 IFMIS System Interconnections Agreements Have Not Been Reauthorized
X
FEMA-IT-09-48 Corrective Action over NEMIS Vulnerabilities is Not Formally Documented
10-33
FEMA-IT-09-50 Weaknesses Exist over IFMIS Application and Database Audit Logging
10-11
FEMA-IT-09-51 NEMIS Oracle Audit Logging is Not Tracked 10-09 FEMA-IT-09-52 Existing NEMIS Patch Management Guidance Needs to be
Implemented 10-35
FEMA-IT-09-38 Segregation of Duties Not Enforced for Traverse X FEMA-IT-09-39 Traverse Contingency Plan Not Tested and NFIP Disaster
Recovery and COOP Needs Improvement 10-61
FEMA-IT-09-45 IFMIS User Access is not Managed in Accordance with Account Management Procedures
10-26
FEMA-IT-09-46 IFMIS System Interconnections Agreements Have Not Been Reauthorized
X
FEMA-IT-09-48 Corrective Action over NEMIS Vulnerabilities is Not Formally Documented
10-33
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 150
Appendix C Department of Homeland Security
Information Technology Management Letter September 30, 2010
FEMA-IT-09-50 Weaknesses Exist over IFMIS Application and Database Audit Logging
10-11
FEMA-IT-09-51 NEMIS Oracle Audit Logging is Not Tracked 10-09 FEMA-IT-09-52 Existing NEMIS Patch Management Guidance Needs to be
Implemented 10-35
FEMA-IT-09-77 FEMA and NFIP Planning, Management and Communication Related to Financial Systems Development and Acquisition Projects Needs to be Improved
10-47
FEMA-IT-09-78 Weaknesses Exist in the NEMIS Configuration Management Process under the EADIS contract
10-62
FEMA-IT-09-79 Weaknesses Exist over Management of FEMA LAN Accounts 10-22 FEMA-IT-09-80 Vulnerability Assessments of the NFIP LAN is Inadequate 10-52 FEMA-IT-09-81 Improvements are Needed in Core and G&T IFMIS Internal
Scanning Procedures and Processes 10-34
FEMA-IT-09-82 Core and G&T IFMIS Patch Management Weaknesses 10-32 FEMA-IT-09-83 EADIS NEMIS Access Restrictions to Program Directories
Needs Improvement 10-51
FEMA-IT-09-84 PARS Database Security Controls are Not Appropriately Established 10-05
FEMA-IT-09-85 TRRP Password Configurations have not been Configured in Accordance with DHS Policy
X
FEMA-IT-09-86 Weaknesses Exist over the Implementation of Traverse System Changes 10-60
FEMA-IT-09-87 Weaknesses Exist in FEMA’s Incident Response Program 10-31 FEMA-IT-09-88 Weaknesses exist over access authorizations for TRRP 10-53 FEMA-IT-09-89 Weaknesses exist over FEMA Background Investigations for
Federal Employees and Contractors 10-45
FEMA-IT-09-90 FEMA LAN Certification and Accreditation Package is not Adequate 10-28
FEMA-IT-09-91 FEMA Contractor Tracking Program is Inadequate 10-10
FLETC-IT-09-03 Momentum System Software is Not Logged or Reviewed X FLETC-IT-09-26 System Engineering Lifecycle (SELC) is not finalized X FLETC-IT-09-31 Configuration Management Weaknesses on the Procurement
Desktop, Momentum, and GSS. X
FLETC-IT-09-33 Momentum Audit Logs are not Reviewed 10-04 FLETC-IT-09-34 GAN audit logs are not reviewed 10-05 FLECT-IT-09-35 Weak access controls around Momentum 10-02 FLETC-IT-09-36 Ineffective logical access controls over the Glynco
Administrative Network 10-03
FLETC-IT-09-37 Physical Security and Security Awareness Issues Identified during Enhanced Security Testing
10-06
FLETC-IT-09-38 Ineffective logical access controls over SIS X
ICE-IT-09-11 Ineffective physical security controls at facility entrances X ICE-IT-09-12 Ineffective/non-compliant account lockout counter settings X ICE-IT-09-13 Ineffective password settings in FFMS 10-02 ICE-IT-09-14 Ineffective ADEX user access recertification process X ICE-IT-09-15 Ineffective FFMS access recertification process 10-03 ICE-IT-09-16 Terminated/transferred personnel are not removed from ADEX
in a timely manner 10-06
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 151
Appendix C Department of Homeland Security
Information Technology Management Letter September 30, 2010
ICE-IT-09-17 Segregation of duty policies are not enforced in FFMS 10-04 ICE-IT-09-18 Background reinvestigations are not conducted in a timely
manner for contractors. X
ICE-IT-09-19 Procedures for transferred/terminated personnel exit processing are not allowed.
X 10-01
ICE-IT-09-20 Training for IT security personnel is not mandatory 10-11 ICE-IT-09-21 Vulnerability Assessment - Network devices were installed with
default configuration settings and protocols; inadequate patches; and weak/ generic passwords.
10-13 through 10-16
ICE-IT-09-22 Physical Security and Security Awareness Issues Identified during Enhanced Security Testing
10-09
ICE-IT-09-23 IT Security Awareness Training requirements are not enforced X
OCIO-IT-09-03 DHS has not fully implemented the FDCC security configurations requirements.
10-01
TSA-IT-10-20 TSA Computer Access Agreement Process TSA-IT-10-03
TSA-IT-10-23 Configuration Management Controls Over the Coast Guard Scripting Process (Included a specific TSA condition)
X
TSA-IT-10-28 Physical Security and Security Awareness Issues Identified during Enhanced Security Testing
TSA-IT-10-01
TSA-IT-10-29 CAS, FPD, and Sunflower Access Recertification TSA-IT-10-02
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 152
1 ".I)'-Il;l.tllltni ·,fll,,""I"n.I .... llrlh\\ ,L'hill~l"n. 1)( ~115:!X
HomelandSecurity
\lEMORAi\l>l'MI'OR: Fr,1Jlk DeJ"ll-1Assistant !nspl.';.:tor (il'ncra!InljlrllWlio!l I ~dlllnJogy :\udil"
FROM: I'C""' Slwrn!\ciin" Chid I111t:llH.:ml
f~~ . r_ .. r
. <-Ricl1.ml Spin.:~ ~('hier In rornVHion ()I lied
Robcrt \\'e,,1 \:~ .... _ '""-Chicr' Illl: ml1.11inn Su;urity ()!Ti(Tl"
Slll.JLCT: lJrart i\udll I{,,'porl . IIJ(imll(/{iui1 1(chn%gvlfut/agl..'JIIl'iIlI t'ller /fw f-T JIJf{) IJI/S Financiol ,\'Ialenwnl (Ilidif J'(J1"
Official { ',e ( JUI.1· (( lfe .. PmiL'u ,\"0. (ll( ;-11·03 :-11:. /.\f(;,\.((;
\\ l,,' 11;1\"e I\;\'i""\'cd thi,; OITi1.:e Drih...: 11lSPI.'(ltIf (j~ncri.ll·..; (O!O) dlJ.1L audil l'l'Jwn.h7/rJl"/iliI!wll lechno!of.!..\' A.Jullagen/c/'J! LCf{l'l' r/TAJI.)/(u'I''j" 20/fj /)//S Fimll/L'wf.)"I((h'1IiL'111 "/Ildit. d.lled fkt:...:lllhcr t) .20}11. We I..'(JJlL'ur \\ ilh tho: '·irWllcilll ... ~ 'll:m..S~nlnt~ fimlill).!,S \.'tll,t ..linl:d "iLlllll ~ \Illr ~Illdi( l"':pl In.
<I'h~ 1)11;'; ('hi~'f Illl'lrtl1<Hillll ()lliL:.:r \Cl(}) ,Int! ChIcI' Fin,llH;ial Of!icer (CH)1 uIlllinuc 10
work l\lil1il~ in "':lb\lrlng thl' lillld~ rcmedl;ll i,lll of financial ~) sh~lll Seellrll)" \\'~<1l..lle'sst:s
i.md :iII'Chgtlll-,)ing tlh: I)t::parlll\t:lll' s in!()J'Jllal ion :;yslCtrl:=; ct)ntfC>l::' (I)'i/if()nmcni. i\lajl'Wi1cti\'ilics illl:IIlJ~':
• ls";Ul.'t1I!l.,!'T ](}f(j 11/fc/"Ho{ COl/lmf I'II/\'hook ,lfwuw:('I11{'!1f A.\'.'/ll"tIi/u flmn'.D(;/Ii",' \\1Jicb indud~:, IJII;,\' apprpudlill J\Il'llllh':lllillg ami h::-;tillg !.Ill' tksignL'J !.:c!ivl.:tll.'sS 01 iilWKi;11 !'.~ S!I.-'Ill 1111; If/ll,nion I...·chll"lllg~ (i..'II..:r:r! ('Illllro!., (/"f o('s).
o I ·l,d,lk'...! lh~' ( H I [)(',i~n,lll'd ~~'h..'lll' I.i:;t Il.l!" j. Y ~oln as a n:stl!t 1I1'lh... 1"1 t.tl A·I" ~ ,1 ... 't..""f11l,'nl' jlL'rli.llllh:d ill I, Y .2009 'I hl'ji",'pl..'L:ilics lhl.' lil1<.llh,:i:d s~ .,1l.:111"; lll:l!
rL'ql1lr\' ;lddlliol1,1! l11;lll;I~l..'lI1l'lll :lI.:t:01l1llahilil) hi ellsure el"fcclive cOl1lrols I'xiSI overlil1,ll1L'tall\:P\l!1in~.
() Ik\ I,:h'pl,:d ;md illlplcllll.'llh.:d 1ll1ldifil".Hillll~ to thl,,' St:lllll' of A~ 123 ass\.'ssmClll:-; fur I· Y201111\1 pcrfnrlll \"l'rilrl.:.ltillll ,llld \alidathltl rrnl:l'ourcs III ensurc Plan" 01" I\diull and\ \ik,,!llllL';o;. t PC l. \8: \ I, I .lddn..:;..,.., n Illi C~llsesor Jinancial system "l'l..'uril~ l.:lllllrll]
ddit:iclH:iL'~ idl'lHilicd from thl." lill,1llci~d ,tatclllcni audils and Fcdl.:r~d Illlornmlil1!lSl'curtty .\1unagl'll1tlll ;'\l:l (FISi\·lt\) Ulll111ai as:"~""smcnts. V<1lidatioll and n:rificntiol1(V&VI pru(:cdllrcs \\"cr..: p(,.~rfonllcd al till.: folliH"ing COlllpOnCtlts·---U,S, Cili/,(,:llship
Appendix D Department of Homeland Security
Information Technology Management Letter September 30, 2010
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 153
.U1J Immigr~lli,lll Servi(l's, IlTlllllgnHiull and l'u~I(1rns I~llrorel'lncnt. Customs ,mel~;"'d";:'l':',lt~-:tloll, h"x!l:r;ll LI','. hHim::cm~nl 'I r;linillc Center. lh~ 01 IS \ (:m:lI2.I.'IllClU
l-'trccWI';l!l..' ;11hl I ·.S. S(:l.:r~t Sc\"\'il:!.:. 'I h.... V & V dYolls I:Ol1si."ll.'d 1)1 ,1 tJm,,:c·ph:I."'I..'da:'SCSSlllcnt apIll'tlac11:
I. Assess currl'lll :-,wt••: bascLllln IT \',,!iljl':ltipll~ of Finding::. ,Ull!
RI,,·l.'UllIlIll.'lll!alions I~ I· Rs i ,11ld 0,\ IB ('irclIbr A- J 2':; aSst:Ss1l1cnt gi1PS~
Ciai 11 ulltll.'r<.;l:lnd ilit' t 1\' 1\.'fHl.:di,lti .. In ;1i..·1 i \ j I iL'S ;\Jll! , llot caus~ '1lll.l1~ .,;.,. <lDl;
.l, TC,,1 ..k-<.;lgll ,1I11.l opl..'I"ll ill~ 1..·t"lI..'l.:li, I.:ll.:...." 01' 1\:Il1Cdlitkd COlli I \lh.
• IsslIcd 1111..' I Y ~OIO 1>1 I~ Inlimllalid!l Sl.'..:uril~ 1\:rlill'lll:IIlI.:C 1)I;ln \.-vhidl indudcs theII..'qllil'i,,:l1ll.'nts III \."I1:.Ufl.· h'~ lin'Ill\.·i,,1 ..,~,..,L ... m sl.'ull'iL~ \"IlIlLroh ure h"..,h:d ;l1lrtuall~ andqu:dit.\ PI), \8.. ~ Is an,: tlI.:H:lop;,:d ;llld l:01l1pk'll'd limd~.
• l',llllillLh,,:d Ir;II..''';II;= oj' .\- f'::~ 11 (i{' \\I..'<'l"lh:S'l.'~ Ihl"llllgh lhl.· \\l'<1kl1l:ss l'cmcdi,lIi\)\lm~Ll'ic 011 tIKI' 1;-. \ 1;\ S..,:oree'lrd.
• l'rm idL'd 1'( ),\&i\·I training wllil.:h ilH:lul!l::, nlOt cause analysis 11"3illing to PI IS('ompllllClll'i.
• IIlIPfl1\l.'d pr\lL:l"'\S li}r tr:lCkll1g 1·1 audil rn:olllillcnd,tlioll:-i ItH dil~~iji(,'d systems tl)I..'IlSurC Ir;Il.:~ahiliL~ to PI )"&~,ls in Clu..,,,ifieu 1.\1'.
Addill\Ill"III~ In I \- ~l)l J. I)ll~ kl'; L:Undlll.:lI."d individual rlS,", 8:'iSCSsmcnts nnd r~qLJircd
dd,likd hri\.,tin!-,s Frolll fill dllll{Jl.llll.:nh 1.'l1/111ihuling ((I tIll.' Ill<llr.:ria! \\l,<tkncss condilillJ1 at,hI..' Ikp,II'tl1h.'IH. 'J h":l'rinnry gnab II["lh.... sl..' Ilh.:: ...'lillgS Wo..:ll.' 10 dl.'kl'll1inl.: "utili r..:adill';~"....·vllltt~ll\.' thl.: d"h:l.:li\\:n...:s:-; \,)1' llll'l,;ol'rl.'l;li\·I.' ;lI.:llLHIS. and Ill..-lIlify <tp.:as wll ... I'\.· additillilalrclLl.H.:.... Gill h... r!;II..· ...d '111 .1IIh~ll1i1k\1 C\lI\lfllb
TltL: 1)1·1~ {TO and ('II.> r\."J1):llll rllll~ Ctlllllllilll'd 10 wod'llIg Ingdl1cf 10 SlUll'\.' DI ISlin<lm.:iat ...~ <.;tt:lllS alld l.:\llllillllC 10 rais~ 11K' sli.mdmds 11.11' II (;( "s I~ll' :->I.'l.:uring <Ill I)I!",fill<llH.:l,tl ,y<.;tl.'llI:- inlfXIlli.lllllll.
[1 ~'llt h.I\\.' ~lll.\ lIU\"stions \)1" "'uuld like uddiliunal Infi)lmatil)ll. ph.'il:'>t' cont<\ct Ellll.'''~
Csulai.., 1"0, Campli;IIKe Dir\.'l:IIJr at CW.2) 3S7-61 13 or Mkhael \\.·L:l1\I,)\\. OCTO.Dircc!llr !\lLem"l ('o11I,d Progr<tlll i'v1<lna.~:;;mcnl () nicc ElL (~02) 44"-51 06.
Appendix D Department of Homeland Security
Information Technology Management Letter September 30, 2010
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 154
Appendix E Department of Homeland Security
Information Technology Management Letter September 30, 2010
Report Distribution
Department of Homeland Security
Secretary Deputy Secretary General Counsel Chief of Staff Deputy Chief of Staff Executive Secretariat Under Secretary, Management Chief Information Officer Chief Financial Officer Chief Information Security Officer Assistant Secretary for Office of Policy Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs DHS GAO OIG Audit Liaison Chief Information Officer, Audit Liaison
Office of Management and Budget
Chief, Homeland Security Branch DHS OIG Budget Examiner
Congress
Congressional Oversight and Appropriations Committees, as appropriate
Information Technology Management Letter for the FY 2010 Financial Statement Audit Page 155
ADDITIONAL INFORMATION AND COPIES To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. OIG HOTLINE To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations: • Call our Hotline at 1-800-323-8603; • Fax the complaint directly to us at (202) 254-4292; • Email us at [email protected]; or • Write to us at:
DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.
The OIG seeks to protect the identity of each writer and caller.