independent audit of export- import bank s information ... of exim bank... · years for corrective...

OFFICE OF INSPECTOR GENERAL EXPORT-IMPORT BANK

of the UNITED STATES

Independent Audit of Export-Import Bank’s Information

Security Program Effectiveness for Fiscal Year 2016

March 15, 2017 OIG-AR-17-04

Information about specific vulnerabilities in IT systems has been redacted from the publicly released version of this report. The information withheld was compiled in connection with OIG law enforcement responsibilities and consists of information that, if released publicly, could lead to the circumvention of the law.

Office of Inspector General

811 Vermont Avenue, NW Washington, DC 20571 | Main: 202 565 3908 | Fax: 202 565 3988 exim.gov

To: Howard Spira, Chief Information Officer

From: Terry Settle, Assistant Inspector General for Audits

Subject: Independent Audit of Export-Import Bank’s Information Security Program Effectiveness for Fiscal Year 2016 (OIG-AR-17-04)

Date: March 15, 2017

This memorandum transmits Cotton & Company LLP’s (Cotton & Company) audit report on Export-Import Bank’s (EXIM Bank) Information Security Program for Fiscal Year 2016. Under a contract monitored by this office, we engaged the independent public accounting firm of Cotton & Company to perform the audit. The objective of the audit was to determine whether the EXIM Bank developed and implemented effective information security programs and practices as required by the Federal Information Security Modernization Act of 2014 (FISMA).

Cotton & Company determined that while EXIM Bank has addressed several of the challenges identified during previous FISMA audits, its information security program and practices are not effective overall when assessed against revised Department of Homeland Security (DHS) reporting metrics. EXIM Bank has not effectively implemented a mature information security program. The report contains nine new recommendations and two partially re-issued recommendations from prior years for corrective action. Management concurred with the recommendations and we consider management’s proposed actions to be responsive. The recommendations will be closed upon completion and verification of the proposed actions.

We appreciate the cooperation and courtesies provided to Cotton & Company and this office during the audit. If you have questions, please contact me at (202) 565-3498 or [email protected]. You can obtain additional information about the Export-Import Bank Office of Inspector General and the Inspector General Act of 1978 at www.exim.gov/about/oig.

TLS

cc: C.J. Hall, Acting President and Chairman, Executive Vice President and Chief Operating Officer

Angela Freyre, General Counsel Kenneth Tinsley, Senior Vice President and Chief Risk Officer David Sena, Senior Vice President and Chief Financial Officer Inci Tonguch‐Murray, Deputy Chief Financial Officer John Lowry, Director, Information Technology Security and Systems Assurance George Bills, Partner, Cotton & Company LLP

March 3, 2017

Terry Settle Assistant Inspector General for Audits Export‐Import Bank of the United States 811 Vermont Avenue, NW Washington, DC 20571

Subject: Independent Audit of the Export‐Import Bank’s Information Security Program Effectiveness for Fiscal Year 2016

Dear Ms. Settle:

We are pleased to submit this report in support of audit services provided pursuant to Federal Information Security Modernization Act of 2014 (FISMA) requirements. Cotton & Company LLP conducted an independent performance audit of the Export‐Import Bank of the United States’ (EXIM Bank’s) information security program and practices for the fiscal year ending September 30, 2016. Cotton & Company performed the work from May through December 2016.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS), as amended, promulgated by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This report is intended solely for the information and use of the Export‐Import Bank of the United States, and is not intended to be and should not be used by anyone other than these specified parties.

Please feel free to contact me with any questions.

Sincerely,

COTTON & COMPANY LLP

George E. Bills, CPA, CISSP, CISA, CIPP Partner

i

AUDIT REPORT OIG-AR-17-04

The Export‐Import Bank of the United States (EXIM Bank) is the official export‐credit agency of the United States. EXIM Bank is an independent, self‐sustaining executive agency and a wholly‐owned U.S. government corporation. EXIM Bank’s mission is to support jobs in the United States by facilitating the export of U.S. goods and services. EXIM Bank provides competitive export financing and ensures a level playing field for U.S. exports in the global marketplace.

The Office of Inspector General, an independent office within EXIM Bank, was statutorily created in 2002 and organized in 2007. The mission of the EXIM Bank Office of Inspector General is to conduct and supervise audits, investigations, inspections, and evaluations related to agency programs and operations; provide leadership and coordination as well as recommend policies that will promote economy, efficiency, and effectiveness in such programs and operations; and prevent and detect fraud, waste, abuse, and mismanagement.

ACRONYMSCIO ChiefInformationOfficerCIGIE CouncilofInspectorsGeneralonIntegrityandEfficiencyCRO ChiefRiskOfficerDHS DepartmentofHomelandSecurityEOL EXIMOnlineFIPS FederalInformationProcessingStandardsFISMA FederalInformationSecurityModernizationActof2014FMS‐NG FinancialManagementSystem–NextGenerationFY FiscalYearGAGAS GenerallyAcceptedGovernmentAuditingStandardsGAO GovernmentAccountabilityOfficeGISRA GovernmentInformationSecurityReformActof2000GSS GeneralSupportSystemIG InspectorGeneralIR IncidentResponseIT InformationTechnologyISCM InformationSecurityContinuousMonitoringNIST NationalInstituteofStandardsandTechnologyOIG OfficeofInspectorGeneralOMB OfficeofManagementandBudgetPOA&M PlanofActionandMilestonesPIV PersonalIdentityVerificationROB RulesofBehaviorSP SpecialPublicationSSP SystemSecurityPlan

ii


Why We Did This Audit TheFederalInformationSecurityModernizationActof2014(FISMA)requiresagenciestodevelop,document,andimplementagency‐wideinformationsecurityprogramstoprotecttheirinformationandinformationsystems.FISMAalsorequiresagenciestoundergoanannualindependentevaluationoftheirinformationsecurityprogramsandpracticestodeterminetheireffectiveness.TofulfillitsFISMAresponsibilities,theOfficeoftheInspectorGeneralcontractedwithCotton&CompanyLLPforanannualindependentevaluationoftheExport‐ImportBank’s(EXIMBankortheBank’s)informationsecurityprogramandpractices.

What We Recommended WepartiallyreissuedtworecommendationsandmadeninenewrecommendationsfortheChiefInformationOfficerto(1)implementprocedurestoevaluateandimprovethematurityandeffectivenessoftheBank’sinformationsecurityprogram,(2)updateagreementswiththird‐partyserviceproviders,(3)improvevulnerabilitymanagement,(4)adequatelydocumentandimplementbaselineconfigurationsettingsforITproducts,(5)implementappropriateaccessmanagementpriortograntingusersaccesstosystems,(6)updateandimplementeffectiverole‐basedsecuritytraining,(7)improvecontrolsaroundsharedsystemaccounts,(8)implementappropriateaccountmanagementcontrolsfortheApplicationProcessingSystem(APS)application,and(9)improveproceduresformanagingsoftwarelicenses.

What Cotton & Company LLP Found EXIMBank’sinformationsecurityprogramandpracticesarenoteffectiveoverallwhenassessedagainstrevisedDepartmentofHomelandSecurity(DHS)reportingmetrics.EXIMBankhasaddressedseveralofthechallengesidentifiedduringpreviousFISMAaudits.Duringthepastyear,EXIMBankfullyimplementedPersonalIdentityVerification(PIV)cardusageforlogicalsystemaccess.Additionally,EXIMBankimprovedthecontrolsaroundtheaccountmanagementprocessfortheInfrastructureGeneralSupportSystem(GSS);improvedremoteaccesstimeoutconfigurations;andadequatelydocumentedandupdateditsconfigurationmanagementplansfortheInfrastructureGSSand .However,underDHSmetrics,EXIMBankhasnoteffectivelyimplementedamatureinformationsecurityprogram.Specifically,theBank’scurrentInformationSecurityContinuousMonitoring(ISCM)andIncidentResponse(IR)policies,plans,procedures,andstrategiesarenotconsistentlyimplementedorganization‐wide,impactingthematurityandeffectivenessofitsoverallinformationsecurityprogram.

TheDHSsignificantlyrevisedtheInspectorGeneral(IG)reportingmetricsforagenciesinfiscalyear(FY)2016,whichresultedinmorerigorousevaluationcriteriaandrequirementsthaninpreviousyears.WhenevaluatingEXIMBank’sinformationsecurityprogramagainsttheDHSFY2016IGFISMAmetrics,whichuseafive‐levelmaturitymodelscale,wefoundthatonlyoneofthefiveNationalInstituteofStandardsandTechnology(NIST)CybersecurityFrameworkareas,theRecoverdomain,waseffectivelyimplementedconsistentwithFISMArequirementsandapplicableDHSandNISTguidelines(i.e.,wasatLevel4orhigher).Theremainingframeworkareas–Identify,Protect,Detect,andRespond–werenoteffectivelyimplemented(i.e.,wereatLevel3orbelow).PerDHS’FY2016IGFISMAmetrics,onlyagencyprogramsthatscoredatorabovetheManagedandMeasureablelevel(Level4)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea.EXIMBank’soverallscoreforitsinformationsecurityprogramwasLevel2:Defined,whichdoesnotrepresentaneffectiveprogram.AsummaryoftheresultsfortheDHSFY2016IGFISMAMetricsisinAppendixD.

Wenoted,however,anumberofnewchallengesidentifiedinthisyear’sFISMAaudit.WhiletheBankeffectivelyimplemented11ofthe14NISTSP800‐53,Rev.4controlsthatwetestedfortheApplicationProcessingSystem(APS)andtheInfrastructureGSS,weidentifiedseveralsignificantareasforimprovement.Specifically,Bankmanagement:

Hasnotimplementedappropriatesecuritycontrolsover usedtoaccessEXIMBankdata.(2014prior‐yearfinding)

DidnoteffectivelyremediatePlanofActionandMilestones(POA&M)itemsinatimelymanner.(2015prior‐yearfinding)

Hasnoteffectivelydocumentedsecurityagreementswiththird‐partyserviceproviders.

Hasnoteffectivelyimplementedavulnerabilitymanagementprogram. Hasnoteffectivelyimplementedbaselineconfigurationsanddocumented

deviationsforinformationtechnology(IT)products. HasnoteffectivelyimplementedAccessManagementcontrols. Hasnoteffectivelyimplementedarole‐basedtrainingprogram. Hasnoteffectivelyimplementedcontrolsaroundtheuseofsharedsystem

accounts. HasnoteffectivelyimplementedAccountManagementcontrolsfortheAPS

application. Hasnoteffectivelyimplementedsoftwarelicensemanagementcontrols.

Foradditionalinformation,contacttheOfficeoftheInspectorGeneralat(202)565‐3908orvisitwww.exim.gov/oig.

Executive Summary OIG-AR-17-04Independent Audit of the EXIM Bank’s Information Security Program March 3, 2017 Effectiveness for Fiscal Year 2016

(b) (7)(E)

(b) (7)(E)

iii


Objective ....................................................................................................... 1

Scope and Methodology ................................................................................ 1

Background ................................................................................................... 2

Results: ......................................................................................................... 7

Finding: EXIM Bank Should Improve the Maturity of Its Information Security Program ...................................................................................... 8

Recommendation, Management’s Response, and Evaluation of Management’s Response ........................................................................ 12

Finding: EXIM Bank Should Improve Security Controls over .................................................................................................... 13


Finding: EXIM Bank Should Improve Controls over Its Plan of Action & Milestones Process ................................................................................. 15


Finding: EXIM Bank Should Improve Controls over Agreements with Third-Party Service Providers ................................................................. 17


Finding: EXIM Bank Should Improve Controls over Its Vulnerability Management Program ............................................................................ 19


Finding: EXIM Bank Should Improve Controls over Baseline Configuration Implementation ............................................................... 22


Finding: EXIM Bank Should Improve Controls over Access Management........................................................................................... 23

TABLE OF CONTENTS

(b) (7)(E)

iv



Finding: EXIM Bank Should Improve Controls over Role-Based Training .................................................................................................. 25


Finding: EXIM Bank Should Improve Controls over the Use of Shared Accounts ................................................................................................. 27


Finding: EXIM Bank Should Improve Controls over APS Account Management........................................................................................... 29


Finding: EXIM Bank Should Improve Controls over Software License Management........................................................................................... 30


Appendix A

Federal Laws, Regulations, Policies, and Guidance ................................ 33

Prior Coverage ........................................................................................ 34

Appendix B

Management Comments ......................................................................... 39

Appendix C

Selected Security Controls and Testing Results ..................................... 44

Appendix D

DHS FY 2016 IG FISMA Metrics Results ................................................. 45

1


ThisreportisintendedsolelyfortheinformationanduseoftheExport‐ImportBankoftheUnitedStates,andisnotintendedtobeandshouldnotbeusedbyanyoneotherthanthesespecifiedparties.

Objective

ThisreportpresentstheresultsoftheindependentperformanceauditoftheinformationsecurityprogramoftheExport‐ImportBank(EXIMBankortheBank)forfiscalyear(FY)2016,conductedbyCotton&CompanyLLP.TheobjectivewastodeterminewhetherEXIMBankdevelopedandimplementedeffectiveinformationsecurityprogramsandpracticesasrequiredbytheFederalInformationSecurityModernizationActof2014(FISMA).

Scope and Methodology

TodeterminewhetherEXIMBankdevelopedandimplementedeffectiveinformationsecurityprogramsandpracticesasrequiredbyFISMA,weevaluateditssecurityprogram,plans,policies,andproceduresinplacethroughoutFY2016foreffectivenessasrequiredbyapplicablefederallawsandregulationsandguidanceissuedbytheOfficeofManagementandBudget(OMB)andtheNationalInstituteofStandardsandTechnology(NIST).WeperformedareviewofeachoftheBank’sfourmajorsystems(FinancialManagementSystem–NextGeneration[FMS‐NG],InfrastructureGeneralSupportSystem[GSS],EXIMOnline,and )andperformeddetailedsteps,asoutlinedintheDepartmentofHomelandSecurity(DHS)FY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetricsV1.1.3,toevaluateEXIMBank’spolicies,procedures,andpracticesforkeyareassuchas(i)riskmanagement,(ii)contractorsystem,(iii)configurationmanagement,(iv)identityandaccessmanagement,(v)securityandprivacytraining,(vi)informationsecuritycontinuousmonitoring,(vii)incidentresponse,and(viii)contingencyplanning.

Inaddition,weassessedwhetherEXIMBankhadimplementedselectminimumsecuritycontrolsfromNISTSpecialPublication(SP)800‐53,Revision4,SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations,foritsApplicationProcessingSystem(APS)andInfrastructureGSS,asrequiredbyFISMA.NISTSP800‐53,Rev.4organizessecuritycontrolsinto18securitycontrolfamilies(e.g.,accesscontrols,contingencyplanningcontrols).TheminimumsecuritycontrolstestedforAPSandtheInfrastructureGSSwerejudgmentallychosenfromselectedsecuritycontrolfamiliesthroughacollaborativeeffortbetweentheEXIMBankOIGandCotton&Company.SeeAppendixCforacompletelistofNISTcontrolsevaluated.

WeconductedinterviewswiththeChiefRiskOfficer(CRO),aswellaswithOfficeoftheChiefInformationOfficer(CIO)personnel.Wealsoreviewedpolicies,procedures,andpracticesforeffectivenessasprescribedbyNISTandOMBguidance,reviewedsystemdocumentationandevidence,andconductedtestingonEXIMBank’scontrols.Forboth

INTRODUCTION

(b) (7)(E)

2


tasks,wefullydocumentedourtestingmethodologythroughthecreationofaplanningmemorandumandauditworkprograms.

WeconductedtheauditonsiteatEXIMBankinWashington,DC,aswellasremotelyattheCotton&CompanyofficeinAlexandria,VA,withfieldworkfromMaytoDecember2016.Cotton&CompanyconductedthisperformanceauditinaccordancewithGenerallyAcceptedGovernmentAuditingStandards(GAGAS),asestablishedintheGovernmentAccountabilityOffice’s(GAO’s)GovernmentAuditingStandards,December2011Revision.Thosestandardsrequirethatweplanandperformtheaudittoobtainsufficient,appropriateevidencetoprovideareasonablebasisforourfindingsandconclusionsbasedonourauditobjectives.Webelievethattheevidenceobtainedprovidesareasonablebasisforourfindingsandconclusionsbasedonourauditobjectives.WediscussedourobservationsandconclusionswithmanagementofficialsonJanuary11,2017,andincludedtheircommentswhereappropriate.

SeeAppendixAfordetailsoffederallaws,regulations,policies,andguidance,andforadiscussionofpriorauditcoverage.

Background

TheExport‐ImportBankoftheUnitedStatesisanindependent,self‐sustainingexecutiveagencyandawholly‐ownedUnitedStatesgovernmentcorporation.EXIMBank’scharter,TheExportImportBankActof1945,asamendedthroughPublicLaw114‐94,December4,2015,states:

It is the policy of the United States to foster expansion of exports ofmanufactured goods, agricultural products, and other goods andservices, thereby contributing to the promotion and maintenance ofhigh levels of employment and real income, a commitment toreinvestment and job creation, and the increased development of theproductiveresourcesoftheUnitedStates.

Tofulfillitscharter,EXIMBankassumesthecreditandcountryrisksthattheprivatesectorisunableorunwillingtoaccept.TheBankauthorizesworkingcapitalguarantees,export‐creditinsurance,loanguarantees,anddirectloanstocountertheexportfinancingprovidedbyforeigngovernmentsonbehalfofforeigncompaniesandhelpU.S.exportersremaincompetitive.Themajormission‐criticalsystemssupportingtheseprogramsandtheBank’smissionare:

1. FinancialManagementSystem–NextGeneration(FMS‐NG)

2. InfrastructureGeneralSupportSystem(GSS)

3. EXIMOnline(EOL)

4. (b) (7)(E)

3


EXIMBank’snetworkinfrastructureconsistslargelyofnetworkingdeviceswithvariousserversrunningdifferentoperatingsystemplatforms.Standarddesktoppersonalcomputersandlaptopsrun Thenetworksareprotectedfromexternalthreatsbyarangeofinformationtechnologysecuritydevices,includingdatalosspreventiontoolssuchasfirewalls,intrusiondetectionandpreventionsystems,antivirus,andspam‐filteringsystems.

FederalLaws,Roles,andResponsibilities.OnDecember17,2002,thePresidentsignedintolawtheE‐GovernmentAct(PublicLaw107‐347),whichincludedtheFederalInformationSecurityManagementActof2002.FISMA,asamended,1permanentlyreauthorizedtheframeworkestablishedintheGovernmentInformationSecurityReformActof2000(GISRA),whichexpiredinNovember2002.FISMAcontinuestheannualreviewandreportingrequirementsintroducedinGISRA.Inaddition,FISMAincludesnewprovisionsaimedatfurtherstrengtheningthesecurityofthefederalgovernment’sinformationandinformationsystems,suchasthedevelopmentofminimumstandardsforagencysystems.NISThasbeentaskedtoworkwithfederalagenciesinthedevelopmentofthosestandards.ThestandardsandguidelinesareissuedbyNISTasFederalInformationProcessingStandards(FIPS)andSPs.FIPSprovidetheminimuminformationsecurityrequirementsthatarenecessarytoimprovethesecurityoffederalinformationandinformationsystems,andtheSP800andselected500seriesprovidecomputersecurityguidelinesandrecommendations.Forinstance,FIPSPublication200,MinimumSecurityRequirementsforFederalInformationandInformationSystems,requiresagenciestoadoptandimplementtheminimumsecuritycontrolsdocumentedinNISTSP800‐53.

Federalagenciesarerequiredtodevelop,document,andimplementanagency‐wideinformationsecurityprogramtoprotecttheirinformationandinformationsystems,includingthoseprovidedormanagedbyanotheragency,contractor,orsource.FISMAprovidesacomprehensiveframeworkforestablishingandensuringtheeffectivenessofmanagement,operational,andtechnicalcontrolsoverinformationtechnologythatsupportoperationsandassets.FISMAalsoprovidesamechanismforimprovedoversightoffederalagencyinformationsecurityprograms,asitrequiresagencyheads,incoordinationwiththeirCIOsandSeniorAgencyInformationSecurityOfficers,toreportthesecuritystatusoftheirinformationsystemstoDHSandOMBthroughCyberScope.CyberScope,operatedbyDHSonbehalfofOMB,replacesthelegacypaper‐basedsubmissionprocessandautomatesagencyreporting.Inaddition,OfficesofInspectorsGeneral(OIGs)provideanindependentassessmentofwhethertheagencyisapplyingarisk‐basedapproachtoitsinformationsecurityprogramsandinformationsystems.OIGsmustalsoreporttheirresultstoOMBannuallythroughCyberScope.

1TheFederalInformationSecurityModernizationActof2014amendsFISMA2002to:(1)reestablishtheoversightauthorityoftheDirectorofOMBwithrespecttoagencyinformationsecuritypoliciesandpractices,and(2)setforthauthorityfortheSecretaryofHomelandSecurity(DHS)toadministertheimplementationofsuchpoliciesandpracticesforinformationsystems.

(b) (7)(E)

4


FY2016OIGFISMAMetrics.OnJuly29,2016,DHSissuedFY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetricsV1.1(themetrics).2DHScreatedthemetricsforInspectorsGeneral(IGs)touseinconductingtheirannualindependentevaluationstodeterminetheeffectivenessoftheinformationsecurityprogramandpracticesoftheirrespectiveagency.ThemetricsareorganizedaroundthefiveinformationsecurityfunctionsoutlinedintheNISTCybersecurityFrameworkandareintendedtoprovideagencieswithacommonstructureforidentifyingandmanagingcybersecurityrisksacrosstheenterpriseandprovideIGswithguidanceforassessingthematurityofcontrolstoaddressthoserisks.SeeTable1belowforadescriptionoftheNISTCybersecurityFrameworkSecurityFunctionsandtheassociatedFY2016IGFISMAMetricDomains.

Table1.AligningtheCybersecurityFrameworkSecurityFunctionstotheFY2016IGFISMAMetricDomains

CybersecurityFrameworkSecurityFunctionsFY2016

IGFISMAMetricDomainsIdentify–Theorganization’sabilitytomanageandunderstandcybersecurityrisktosystems,assets,data,andcapabilities.

RiskManagementandContractorSystems

Protect–Theabilitytodevelopandimplementtheappropriatesafeguardstoensuredeliveryofcriticalinfrastructureservices.

ConfigurationManagement,IdentityandAccessManagement,andSecurityandPrivacyTraining

Detect–Theabilitytodevelopandimplementtheappropriateactivitiestoidentifytheoccurrenceofacybersecurityevent.

InformationSecurityContinuousMonitoring

Respond–Theabilitytodevelopandimplementtheappropriateactivitiestotakeactionregardingadetectedcybersecurityevent.

IncidentResponse

Recover–Theabilitytodevelopandimplementtheappropriateactivitiestomaintainplansforresilienceandtorestoreanycapabilitiesorservicesthatwereimpairedduetoacybersecurityevent.

ContingencyPlanning

IntheFY2015InspectorGeneralFederalInformationSecurityModernizationActReportingMetrics,theCounciloftheInspectorsGeneralonIntegrityandEfficiency(CIGIE)developedamaturitymodelforevaluatingagencies’InformationSecurityContinuousMonitoringprogram.Thepurposeofthismaturitymodelwasto(1)summarizethestatusofagencies’informationsecurityprogramsandtheirmaturityonafive‐levelscale;(2)providetransparencytoagencyCIOs,seniormanagementofficials,andotherinterestedreadersofIGFISMAreportsregardingwhathasbeenaccomplishedandwhatstillneedstobe

2DHSreleasedthefinalversionoftheFY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetrics,version1.1.3,onSeptember26,2016.

5


implementedtoimprovetheinformationsecurityprogram;and(3)helpensureconsistencyintheannualIGFISMAevaluations.

InadditiontoupdatingthemetricstobetteralignwiththeCybersecurityFrameworkin2016,DHScontinuedtheeffortbeguninFY2015bydevelopingamaturitymodelfortheIncidentResponsedomain,undertheRespondfunctionoftheCybersecurityFramework.ThismaturitymodelsupplementstheInformationSecurityContinuousMonitoringmaturitymodelintroducedin2015,whichmapstotheDetectfunctionoftheCybersecurityFramework.DHShasnotyetdevelopedmaturitymodelsfortheremainingthreefunctionsoftheCybersecurityFramework(i.e.,Identify,Protect,andRecover);however,ithasdevelopedMaturityModelIndicators(Level1‐5assessments)forthosedomains.Theseindicatorsactasasteppingstone,allowingIGstoreachpreliminaryconclusionssimilartothoseachievablewithafullydevelopedmodel.

Thematuritymodelconceptpresentsacontinuumforagenciestomeasuretheirprogressinbuildinganeffectiveinformationsecurityprogram.Thematuritymodelincludesfivelevels,asdescribedinTable2below.AgencieswithprogramsthatscoreatorabovetheManagedandMeasureablelevel(Level4)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea,inaccordancewiththedefinitionofeffectivenessincludedinNISTSP800‐53,Rev.4.

Table2.CapabilityMaturityModelContinuumMaturityLevel Description

Level1:Ad‐hoc Thefunctionalprogram(identify,protect,detect,respond,orrecover)isnotformalizedandtheorganizationperformsfunctionactivitiesinareactivemanner,resultinginanadhocprogramthatdoesnotmeetLevel2requirementsforadefinedprogram.

Level2:Defined Theorganizationhasformalizeditsfunctionalprogramthroughthedevelopmentofcomprehensivefunctionpolicies,procedures,andstrategiesconsistentwithNISTguidanceandotherregulatoryguidance;however,ithasnotconsistentlyimplementedthefunctionpolicies,procedures,andstrategiesorganization‐wide.

Level3:ConsistentlyImplemented

Inadditiontoformalizinganddefiningitsfunctionalprogram(Level2),theorganizationconsistentlyimplementsthefunctionalprogramacrosstheagency;however,itdoesnotcapturequalitativeandquantitativemeasuresanddataontheeffectivenessofthefunctionalprogramacrosstheorganization,orusethesemeasuresanddatatomakerisk‐baseddecisions.

Level4:ManagedandMeasurable

Inadditiontobeingconsistentlyimplemented(Level3),functionalactivitiesarerepeatable,andtheorganizationusesmetricstomeasureandmanagetheimplementationofthefunctionalprogram,achievesituationalawareness,controlongoingrisk,andperformongoingsystemauthorizations.

6


MaturityLevel DescriptionLevel5:Optimized Inadditiontobeingmanagedandmeasurable(Level4),the

organization’sfunctionalprogramisinstitutionalized,repeatable,self‐regenerating,andupdatedinanearreal‐timebasisbasedonchangesinbusiness/missionrequirementsandachangingthreatandtechnologylandscape.

7


TheobjectiveofthisauditwastodeterminewhetherEXIMBankdevelopedandimplementedeffectiveinformationsecurityprogramsandpracticesasrequiredbyFISMA.WenotedthatEXIMBankaddressedseveralofthechallengesidentifiedduringpreviousFISMAaudits.Specifically,EXIMmanagement:

Fullyimplementedtheuseofpersonalidentityverification(PIV)cardsforlogicalsystemaccess.

ImprovedcontrolsaroundtheaccountmanagementprocessesfortheInfrastructureGSSbyensuringthataccountsdonotremainactiveforindividualswhohavenotloggedinwithin90days;accountsforseparatedindividualsdonotremainactive;andEXIMBankperiodicallyreviewsaccountsforappropriateness.

ImprovedremoteaccesscontrolstoensurethatremoteusersaretimedoutordisconnectedfromtheEXIMBanknetworkafteraperiodofinactivity,inaccordancewithEXIMBankpolicy.

AdequatelydocumentedandupdateditsconfigurationmanagementplansforitsInfrastructureGSSand systems.

Nevertheless,wefoundthatEXIMBank’sinformationsecurityprogramandpracticesarenoteffectiveoverall.

EXIMBankhasnoteffectivelyimplementedamatureinformationsecurityprogram.Specifically,theBank’scurrentInformationSecurityContinuousMonitoring(ISCM)andIncidentResponse(IR)policies,plans,procedures,andstrategiesarenotconsistentlyimplementedorganization‐wide,impactingthematurityandeffectivenessofitsoverallinformationsecurityprogram.

DHSsignificantlyrevisedtheIGreportingmetricsforagenciesinFY2016,whichresultedinmorerigorousevaluationcriteriaandassessmentsthaninpreviousyears.WhenevaluatingEXIMBank’sinformationsecuritymeasurementprogramagainsttheDHSFY2016IGFISMAmetrics,afive‐levelmaturitymodelscale,wefoundthatonlyoneofthefiveNISTCybersecurityFrameworkareas,theRecoverdomain,waseffectivelyimplementedconsistentwithFISMArequirementsandapplicableDHSandNISTguidelines(i.e.,wasatLevel4orhigher).Theremainingframeworkareas–Identify,Protect,Detect,andRespond–werenoteffectivelyimplemented(i.e.,wereatLevel3orbelow).PerDHS’FY2016IGFISMAmetricsguidelines,onlyagencyprogramsthatscoredatorabovetheManagedandMeasureablelevel(Level4)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea.EXIMBank’soverallscoreforitsinformationsecurityprogram

RESULTS

Information about specific vulnerabilities in IT systems has been redacted from the publicly released version of this report. The redacted information is sensitive and its disclosure in a widely distributed report might cause loss to Export-Import Bank of the United States. We have provided that information in a separate report intended solely for the information and use of the Export-Import Bank of the United States.

(b) (7)(E)

8


wasLevel2:Defined,whichdoesnotrepresentaneffectiveprogram.AsummaryoftheresultsfortheDHSFY2016IGFISMAMetricsisinAppendixD.

TheseweaknessesexistbecausemanagementhasnotdevelopedandimplementedmanageableandmeasurablemetricstoconsistentlyevaluateandimprovetheeffectivenessoftheBank’sinformationsecurityprogram.Additionally,managementhasnotperformedanassessmentofthematurityofitsinformationsecurityprogramtodeterminewhatimprovementsarenecessarytoachieveafullymeasurableprogram.Bynothavingamatureandeffectiveinformationsecurityprogram,EXIMBankmanagementisatincreasedriskofoperatingwithoutafullunderstandingofitsriskposture,includingpotentialvulnerabilitiestowhichitsinformationsystemsmaybesusceptible.

Wenotedanumberofnewchallengesidentifiedinthisyear’sFISMAaudit.WhiletheBankeffectivelyimplemented11ofthe14NISTSP800‐53,Rev.4controlsthatwetestedfortheAPSandtheInfrastructureGSS,weidentifiedseveralsignificantareasforimprovement.Specifically,Bankmanagement:

Hasnotimplementedappropriatesecuritycontrolsover usedtoaccessEXIMBankdata.(2014prior‐yearfinding)

DidnoteffectivelyremediatePlanofActionandMilestones(POA&M)itemsinatimelymanner.(2015prior‐yearfinding)

Hasnoteffectivelydocumentedsecurityagreementswiththird‐partyserviceproviders.

Hasnoteffectivelyimplementedavulnerabilitymanagementprogram. Hasnoteffectivelyimplementedbaselineconfigurationsanddocumenteddeviations

forinformationtechnology(IT)products. Hasnoteffectivelyimplementedaccessmanagementcontrols. Hasnoteffectivelyimplementedarole‐basedtrainingprogram. Hasnoteffectivelyimplementedcontrolsaroundtheuseofsharedsystemaccounts. HasnoteffectivelyimplementedaccountmanagementcontrolsfortheAPS

application. Hasnoteffectivelyimplementedsoftwarelicensemanagementcontrols.

Wepartiallyreissuedtwoprior‐yearrecommendationsandmadeninenewrecommendationstoaddresstheaboveissues.Theserecommendations,ifimplemented,shouldstrengthenEXIMBank’sinformationsecurityprogramandpractices.EXIMBankmanagement’sresponsestothefindingsidentifiedinourauditareincludedwithinthereportandinAppendixB.

Finding: EXIM Bank Should Improve the Maturity of Its Information Security Program

EXIMBankhasnoteffectivelyimplementedamatureinformationsecurityprogram.Specifically,theBank’scurrentISCMandIRpolicies,plans,procedures,andstrategiesare

(b) (7)(E)

9


notconsistentlyimplementedorganization‐wide,impactingthematurityandeffectivenessofitsoverallinformationsecurityprogram.

DHSsignificantlyrevisedtheIGreportingmetricsforagenciesinFY2016,whichresultedinmorerigorousevaluationcriteriaandrequirementsthanpreviousyears.WhenevaluatingEXIMBank’sinformationsecurityprogramagainsttheDHSFY2016IGFISMAmetrics,afive‐levelmaturitymodelscale,wefoundthatonlyoneofthefiveNISTCybersecurityFrameworkareas,theRecoverdomain,waseffectivelyimplementedconsistentwithFISMArequirementsandapplicableDHSandNISTguidelines(i.e.,wasatLevel4:ManagedandMeasureableorhigher).Theremainingframeworkareas–Identify,Protect,Detect,andRespond–werenoteffectivelyimplemented(i.e.,wereatLevel3orbelow).

EXIMBank’soverallmaturitylevelforitsinformationsecurityprogramscoredatLevel2:Defined.WenotedseveralareasforimprovementinthematurityoftheDetect(ISCM)andRespond(IR)domains,asdescribedbelow.Additionally,whileweidentifiedweaknesseswithsecuritycontrolswithintheIdentify(RiskManagementandContractorSystems)andProtect(ConfigurationManagement,IdentityandAccessManagement,andSecurityandPrivacyTraining)domains,theseweresecurityweaknessesthatindividuallyimpactedtheeffectivenessoftheBank’sinformationsecurityprogramandrequiredspecificrecommendations.Asaresult,thoseweaknessesareaddressedintheremainingfindingsandrecommendationsofthisreport,andnotaspartofthisfinding.

AreasforimprovementintheDetectdomainincludethefollowing:

o TheBankiscurrentlyintheprocessoffillingtwoITSecuritypositionstoimprovethemanagementandeffectivenessoftheISCMprogram.Thesepositionshaveyettobefilled,limitingtheresources(people,processes,andtechnology)toeffectivelyimplementISCMactivities.ThisalsoappliestotheIRprocessdiscussedbelowintheResponddomainareasforimprovement.

o TheorganizationhasnotdefinedhowitwillintegrateISCMactivitieswithorganizationalrisktolerance,thethreatenvironment,andbusiness/missionrequirements.

o ISCMprocessesarenotconsistentlyperformedacrosstheorganization.

o EXIMBank’squalitativeandquantitativeperformancemeasuresusedtoevaluatetheeffectivenessofitsISCMprogramarenotconsistentlycaptured,analyzed,andusedacrosstheorganizationinaccordancewithestablishedrequirementsfordatacollection,storage,analysis,retrieval,andreporting.

o EXIMBankdoesnothaveformalizedordefinedprocessesforcollectingandconsideringlessonslearnedtoimproveISCMprocesses.

10


o EXIMBankhasnotfullyimplementedtechnologyinautomationareasandcontinuestorelyonmanual/proceduralmethodsininstanceswhereautomationwouldbemoreeffective.Inaddition,whileautomatedtoolsareimplementedtosupportsomeISCMactivities,thetoolsarenotinteroperable.

AreasforimprovementintheResponddomainincludethefollowing:

o TheBankhasnotdefinedhowitwillintegrateIRactivitieswithorganizationalriskmanagement,continuousmonitoring,continuityofoperations,andothermission/businessareas,asappropriate.

o TheBankhasnotdefinedhowitwillcollaboratewithDHSandotherparties,asappropriate,toprovideon‐site,technicalassistance/surgeresources/specialcapabilitiesforquicklyrespondingtoincidents.

o TheBankhasnotidentifiedordefinedthequalitativeandquantitativeperformancemeasuresthatwillbeusedtoassesstheeffectivenessoftheIRprogram,performtrendanalysis,achievesituationalawareness,andcontrolongoingrisk.

o TheBankhasnotdefineditsprocessesforcollectingandconsideringlessonslearnedandincidentdatatoimprovesecuritycontrolsandIRprocesses.

o TheBankhasnotfullyimplementedautomationtechnologiestosupportitsIRprocessesandcontinuestorelyonmanual/proceduralmethodsininstanceswhereautomationwouldbemoreeffective.Inaddition,whileautomatedtoolsareimplementedtosupportsomeIRactivities,thetoolsarenotinteroperabletotheextentpracticable,donotcoverallcomponentsoftheorganization’snetwork,and/orhavenotbeenconfiguredtocollectandretainrelevantandmeaningfuldataconsistentwiththeorganization’sincidentresponsepolicy,plans,andprocedures.

o

o TheBankhasnotestablished,anddoesnotconsistentlymaintain,acomprehensivebaselineofnetworkoperationsandexpecteddataflowsforusersandsystems.

TheseweaknessesexistbecausemanagementhasnotdevelopedandimplementedmanageableandmeasurablemetricstoconsistentlyevaluateandimprovetheeffectivenessoftheBank’sinformationsecurityprogram.Additionally,managementhasnotperformedanassessmentofthematurityofitsinformationsecurityprogramtodeterminewhatimprovementsarenecessarytoachieveafullymeasurableprogram.

(b) (7)(E)

11


Bynothavingamatureandeffectiveinformationsecurityprogram,EXIMBankmanagementisatincreasedriskofoperatingwithoutafullunderstandingofitsriskposture,includingpotentialvulnerabilitiestowhichitsinformationsystemsmaybesusceptible.

Thefollowingguidanceisrelevanttothiscontrolactivity:

OMBM‐17‐05,FiscalYear2016‐2017GuidanceonFederalInformationSecurityandPrivacyManagementRequirements,datedNovember4,2016,states:

InFY2016,theFISMAmetricswerealignedtothefivefunctionsoutlinedintheNationalInstituteofStandardsandTechnology's(NIST)FrameworkforImprovingCriticalInfrastructureCybersecurity:Identify,Protect,Detect,Respond,andRecover.TheNISTCybersecurityFrameworkisarisk‐basedapproachtomanagingcybersecurity,whichisrecognizedbybothgovernmentandindustryandprovidesagencieswithacommonstructureforidentifyingandmanagingcybersecurityrisksacrosstheenterprise.Additionally,OMBworkedwithDHS,theFederalChiefInformationOfficer(CIO)Council,andtheCouncilofInspectorsGeneralonIntegrityandEfficiencytoensureboththeCIOmetricsandInspectorsGeneralmetricsalignwiththeCybersecurityFrameworkandprovidecomplementaryassessmentsoftheeffectivenessofagencies'informationsecurityprograms.

FederalagenciesaretoreportalloftheircybersecurityperformanceinformationthroughDHS'sCyberScopereportingsystem.

NISTSP800‐55,Rev.1,PerformanceMeasurementGuideforInformationSecurity,datedJuly2008,states:

Anumberofexistinglaws,rules,andregulations—includingtheClinger‐CohenAct,theGovernmentPerformanceandResultsAct(GPRA),theGovernmentPaperworkEliminationAct(GPEA),andtheFederalInformationSecurityManagementAct(FISMA)–citeinformationperformancemeasurementingeneral,andinformationsecurityperformancemeasurementinparticular,asarequirement.Inadditiontolegislativecompliance,agenciescanuseperformancemeasuresasmanagementtoolsintheirinternalimprovementeffortsandlinkimplementationoftheirinformationsecurityprogramstoagency‐levelstrategicplanningefforts.

Thefollowingfactorsmustbeconsideredduringdevelopmentandimplementationofaninformationsecuritymeasurementprogram: Measuresmustyieldquantifiableinformation(percentages,averages,and

numbers); Datathatsupportsthemeasuresneedstobereadilyobtainable; Onlyrepeatableinformationsecurityprocessesshouldbeconsideredfor

measurement;and Measuresmustbeusefulfortrackingperformanceanddirectingresources.

12


… Thetypesofmeasuresthatcanrealisticallybeobtained,andthatcanalsobeusefulforperformanceimprovement,dependonthematurityoftheagency’sinformationsecurityprogramandtheinformationsystem’ssecuritycontrolimplementation.Althoughdifferenttypesofmeasurescanbeusedsimultaneously,theprimaryfocusofinformationsecuritymeasuresshiftsastheimplementationofsecuritycontrolsmatures.

Recommendation, Management’s Response, and Evaluation of Management’s Response

Recommendation1:

WerecommendthattheEXIMBankCIO:

a. PerformanassessmentofEXIMBank’scurrentinformationsecurityprogramtoidentifythecost‐effectivesecuritymeasuresrequiredtoachieveafullymatureprogram.

b. ImplementappropriateprocessesandprocedurestoimprovetheinformationsecurityprogramandalignitwithLevel4:ManagedandMeasurableIGmetrics.

Management’sResponse:

TheBankconcurswiththisrecommendation.

TheBank’sOfficeofChiefInformationOfficer(OCIO)willperformanassessmentofEXIMBank’scurrentinformationsecurityprogramtoidentifythecost‐effectivesecuritymeasuresrequiredtoachieveafullymatureprogram.

OCIOwillconductagapanalysisandoncethesegapsareidentified,theywillbetriagedonthosegapsthatareatahigherlevelofprioritythanothersandwillthenestimatethecostandlevelofeffortrequiredtoclosethesegaps.Theimplementationwillbeamulti‐yeareffort.TheBank’sOCIOanticipateshavingapreparedassessmentandinitialplanbySeptember1,2017.

Regardingthesecondpartoftherecommendation,OCIOwilldevelopprocessesandproceduresrequiredtoenhancetheBank’sITsecurityprograminordertoachievelevel4intheMaturityModelacrosstheboard.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankperformsanassessmentofitscurrentinformationsecurityprogramtoidentifysecuritymeasurestoachieveafullymaturesecurityprogram,aswellastoimprovethesecurityprogramtoalignitwithLevel4:ManagedandMeasurableIGmetrics.

13


Finding: EXIM Bank Should Improve Security Controls over

TheFY2014FISMAauditidentifiedthefollowingweaknessesrelatedtothesecurityof:

EXIMBankemployeeswereabletouse toaccesstheirEXIMBankemail,

While weregenerallyprohibitedfromaccessingtheBank’sinternalresources,therewerespecialinstancesinwhich hadbeenconfiguredtodoso.WenotedthatEXIMBankdidnothaveinplacepolicy,procedures,orconfigurationguidancetoensurethatthesespecialinstanceswereapprovedandthat securedbeforeconnecting.

TheBankdidnothavecontrolsinplacetoenforce

FY2016testingnotedthattheBankacquired managementsoftwaretoallowtheCIOtomonitorandenforcesecuritycontrolson

Additionally,EXIMimplementedsecuritycontrolstoprevent fromaccessingtheBank’sinternalresources.Thetestingthereforeconfirmedthatthefirsttwoweaknessesidentifiedin2014weresuccessfullyremediated.

However,the2016auditfoundthattheweaknessoriginallyidentifiedinFY2014relatedtohasnotyet

beencompletelyremediated.FY2016testingfoundthatthe managementsoftwaredeployedbytheBankisable

3

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

14


Withoutpropersecuritycontrolsoverall ,thereisincreasedriskthatdatastored couldbecompromisedoraccessedbyunauthorizedindividuals.


NISTSP ,states:

NISTSP :

NISTSP states:

FIPS states:


Recommendation:

InourFY2014FISMAauditreport,werecommendedthattheEXIMBankCIOdeploycontrolsthat:

a.

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

15


b. Restricttheinstallationofunapprovedormalicioussoftware.

c. Preventunauthorized fromconnectingtointernalEXIMBankresources.

AsofFY2016,RecommendationAremainsopen;wearethereforenotissuinganynewrecommendationsrelatedtothisfinding.SeeAppendixAforacompletelistingofthestatusofprior‐yearFISMAauditfindings.Management’sResponse:

TheBankconcurswiththisrecommendation.OCIOwilladdress#1oftheremainingopenrecommendationto

heBankexpectstohavethiseffortcompletedbyApril1,2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequately

Finding: EXIM Bank Should Improve Controls over Its Plan of Action & Milestones Process

AsinitiallyidentifiedinourFY2015FISMAauditreport,wefoundduringourFY2016testingthatcontrolsremainedinadequatetoensurethatappropriatePOA&Mmanagementcontrolsareinplace.Specifically,wenotedthefollowing:

Forthe theBankhadnotresolved andthescheduledcompletiondatespassedwithnomilestoneupdates.

For ,theBankhadnotstartedaddressing ,andthescheduledcompletiondatepassedwithnomilestoneupdates.

ManagementstatedthattheywereawarethatthePOA&MshadpassedtheirscheduledcompletiondatesbutdidnotwanttochangetheoriginalscheduledcompletiondatesuntiltheBankhaddeterminednewremediationplans.PerEXIMpolicy,notationsforanymodificationstotheoriginalPOA&Mentryormilestonesaretobemadeseparatelyandidentifiedas“changestomilestones”;however,testingnotedthatthesemodificationswerenotbeingdocumentedasrequired.WithoutadequatePOA&Mmanagement,theBankmayremainexposedtoknownvulnerabilitiesthatcouldbeexploitedbyinternalandexternalthreats.

(b) (7)(E)

(b) (7)(E) (b) (7)(E)

(b) (7)(E) (b) (7)(E)

(b) (7)(E)

(b) (7)(E)

16



EXIMPOA&MPolicy,version04,effectiveMarch10,2016states:

6.11Reportingonremediationprogressmustbeaccomplishednotlessfrequentlythanquarterly.

6.12OncethePOA&Mhasbeenreported,changesarenottobemadetotheoriginaldescriptionoftheweakness,keymilestonesandscheduledcompletiondates,orsource.Notationsforanymodificationstotheoriginalentryaretobemadeseparatelyandidentifiedas“ChangestoMilestones.”

NISTSP800‐53,Rev.4,CA‐5,PlanofAction&Milestones,states:

Control:Theorganization:a.Developsaplanofactionandmilestonesfortheinformationsystemtodocumenttheorganization’splannedremedialactionstocorrectweaknessesordeficienciesnotedduringtheassessmentofthesecuritycontrolsandtoreduceoreliminateknownvulnerabilitiesinthesystem;andb.Updatesexistingplanofactionandmilestones[Assignment:organization‐definedfrequency]basedonthefindingsfromsecuritycontrolsassessments,securityimpactanalyses,andcontinuousmonitoringactivities.

NISTSP800‐53,Rev.4,PM‐4,PlanofAction&MilestonesProcess,states:

Control:Theorganization:a.Implementsaprocessforensuringthatplansofactionandmilestonesforthesecurityprogramandassociatedorganizationalinformationsystems:

1.Aredevelopedandmaintained;2.Documenttheremedialinformationsecurityactionstoadequatelyrespondtorisktoorganizationaloperationsandassets,individuals,otherorganizations,andtheNation;and3.ArereportedinaccordancewithOMBFISMAreportingrequirements.

b.Reviewsplansofactionandmilestonesforconsistencywiththeorganizationalriskmanagementstrategyandorganization‐wideprioritiesforriskresponseactions.


Recommendation:

InourFY2015FISMAauditreport,werecommendedthattheEXIMBankCIOimplementaprocesstoensurethattheBankreviewsallsystemPOA&Msatanorganization‐definedfrequency,andthatitupdatesmilestonestoreflectactionstakentoremediatePOA&Mitems.

17


AsofFY2016,therecommendationnotedremainsopen;wearethereforenotissuinganynewrecommendationsrelatedtothisfinding.SeeAppendixAforacompletelistingofthestatusofprior‐yearFISMAauditfindings.


TheBankconcurswiththisrecommendation.TheBank’sOCIOwillimplementaprocesstoreviewandupdatesystemPOA&MsbyaddinganewcolumntoourPOA&Mtrackingspreadsheettoprovideup‐to‐dateinformationregardingopenPOA&Mswhichareatriskofnotmeetingtheirscheduledcompletiondatesandforwhichanapprovedremediationplandoesnotyetexist.ThiswillpermitmanagementtomakethePOA&Mprocessconsistent,whilemakingittransparentwhenaremediationisnotcompletedwhenplanned.ThenewinformationcolumninthePOA&MspreadsheetwillbeaddedandinusebyMarch15,2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankreviewsallsystemPOA&Msatanorganization‐definedfrequency,andthatitupdatesmilestonestoreflectactionstakentoremediatePOA&Mitems.

Finding: EXIM Bank Should Improve Controls over Agreements with Third-Party Service Providers

ControlsarenotadequatetoensurethatEXIMBank’sagreementsspecifyhowinformationsecurityperformanceismeasured,reported,andmonitoredoncontractororotherentity‐operatedsystems,asappropriate.Specifically,wenotedthatEXIMBankcurrentlyhasaMemorandumofUnderstandingwiththeGeneralServicesAdministration(GSA)forseveralHumanResources(HR)andpayroll‐relatedservices.However,theexistingagreementsdonotidentifyhowinformationsecurityperformanceshouldbemeasured,reported,andmonitored.EXIMmanagementstatedthatGSAisoneofalimitednumberofagenciesthatprovidetheseservices,whichEXIMBankisrequiredtouse,andthattheBankhaslimitedleverageregardingtheinformationdocumentedintheagreement.EXIMmanagementalsostatedthatitperiodicallyreviewstheGSAsystemsecurityplanforthesystemtogainassurancethatGSAisappropriatelyimplementingasecurityprogramconsistentwithFISMArequirements;however,theBankdoesnotperformthisreviewinaccordancewithadefinedfrequency.Withoutdocumentingrequirementsrelatedtosecurityperformancemeasurement,reporting,andmonitoringwithintheestablishedagreement,thereisanincreasedriskthatEXIMBankmaybeunawareofthesecurityrisksoveritsdata.Thefollowingguidanceisrelevanttothiscontrolactivity:

18


EXIMInfrastructureGSSSSP,SA‐9,ExternalInformationSystemServices,states:

TheBank:a. Requiresthatprovidersofexternalinformationsystemservices(ExchangeOnline)

complywithorganizationalinformationsecurityrequirementsandemploysapplicableFedRAMPand800‐53rev4ModeratelevelcontrolsinaccordancewithapplicableFISMA,OMBExecutiveOrders,directives,Ex‐ImBankpolicies,regulations,CISandUSGCBstandards,andNISTguidance;

b. incorporatessecurityrequirementsintocontracts,interagencyserviceagreements(ISA),andmemorandumsofunderstanding(MOU),anddocumentsintheserviceagreement,thegovernmentoversightanduserrolesandresponsibilitieswithregardtoexternalinformationsystemservices;

c. Employsorganization‐definedContinuousMonitoringprocessesmethods,andtechniquesdefinedintheCMPolicytomonitorsecuritycontrolcompliancebyexternalserviceprovidersonanongoingbasis.3rdPartyServiceProvidersarerequiredtopermitEx‐ImBanktheabilitytomonitorthecontractor’ssecuritycompliance,includingaccessrequiredtoauditandperformvulnerabilitytestingwithincontractorfacilitiesemployedunderthecontractandanysubcontracts.Ex‐ImBankmonitorssecuritycontrolsinaccordancewithrequirementdefinedinthisSSP.SecuritycontrolcomplianceismonitoredaspartoftheBank’scontinuousmonitoringactivities.

NISTSP800‐35,GuidetoInformationTechnologySecurityServices,section4.5.1,MonitorServiceProviderPerformance,states:

Thetargetssetforthintheserviceagreementshouldbecomparedwiththemetricsgathered.Althoughmetricswillprovideservice‐leveltargets,theorganizationmayalsowanttouseenduserevaluationsorcustomersatisfactionlevelsurveystoevaluateperformance.TheITsecuritymanagerswillhavetoworkwithotheroperationalmanagers(suchascustomerservicemanagers)toensurethattheserviceproviderismeetingservicetargets.TheITsecuritymanagersalsoneedtoensureserviceprovidersarecomplyingwithITsecuritypolicyandprocesses,aswellasapplicablelawsandregulations.ITsecuritymanagersmustensureduringtheoperationsphasethattheserviceproviderdoesnotcompromiseprivate,confidential,personal,ormission‐sensitivedata.Compliancereportswillhelpwiththiseffort.Theserviceagreementshouldhaveincludedclausesthatspecifypenaltiesand/orremediesfornoncomplianceandmanagementshouldemploythesewhentheserviceproviderdoesnotperformasthecontractdictates.


Recommendation2:

19


WerecommendthattheEXIMBankCIOreviewandupdateallagreementswiththird‐partyserviceproviderstoensurethattheagreementsspecifyhowinformationsecurityperformanceismeasured,reported,andmonitored.



TheBank’sOCIOhasreviewedtheagreementswithallthird‐partyserviceprovidersandhasfoundtheHumanResourcesandPayrollProcessingagreementwiththeGeneralServicesAdministrationistheonlysuchagreementmissingthelanguagerequestedwithintheOIG’srecommendation.Further,theBankisintheprocessofreviewingthedocumentationanddraftagreementswiththeInteriorBusinessCenterwhichwillreplacetheagreementwiththeGSA.TheBank’sOCIOwillensurethatthenewagreementwillspecifyhowinformationsecurityperformancewillbemeasured,reported,andmonitored.ThiseffortwillbecompletedbythedateofchangeovertotheIBCHRandpayrollprocessingsystem,anticipatedtobeJune2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankupdatesallagreementswiththird‐partyserviceproviderstoensurethattheyspecifyhowinformationsecurityperformanceismeasured,reported,andmonitored.

Finding: EXIM Bank Should Improve Controls over Its Vulnerability Management Program

ControlsarenotadequatetoensurethatEXIMBankremediatesknownconfiguration‐relatedvulnerabilitiesinatimelymanner.

.Asaresult,EXIMBank’soperationofthe

EXIMBankmanagementstatedthattheBankintendstodecommissionall

bytheendof2016,butwererequiredtocontinueoperatingthemuntilthenduetocurrentbusinessneeds.Bankmanagementalsoinformedusthatitwasnotprioritizingremediationof duetoanupcomingFY2017migrationto asthe wouldberemediatedbytheupcomingupgrade.

Operatinganenvironmentinwhich Inparticular,running

presentsriskfrombothasecurityandanoperationalperspective.(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E) (b) (7)(E)

(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E) (b) (7)(E)

(b) (7)(E)

20



EXIMBankVulnerabilityManagementProgram,datedJuly8,2016,states:

I.VulnerabilityScanningWecurrentlyuse forvulnerabilityscanning.

II.IdentificationandprioritizationofVulnerabilitiesIdentificationandprioritizationofpotentialvulnerabilitiesidentifiedinthescanningreportsisatimeandlaborintensivemanualprocess.ITsecurityspecialistsrevieweachreportforcritical,highandmoderatevulnerabilities;verifythattheyarenotfalsepositives;andselectconfirmedvulnerabilitiesforremediationand/orriskacceptance.Wehaverefinedthisprocesssothatwecanatleastavoidanalyzingrecurringvulnerabilitiesfoundbysubsequentscansbyrecordingrecurrentfindingsaseither“FalsePositive”or“authorizedexceptions”(whichappliestopotentialvulnerabilitiesforwhicharemediationdoesnotexistorforwhichtherecommendedremediationcannotbedeployedforsomebusinessorperformancereason).Authorizedexceptionsareauthorizedforaperiodoftime(uptooneyear),sothattheycannotbecomepermanentlyauthorized.III.Remediation

NISTSP800‐53,Rev.4,RA‐5,VulnerabilityScanning,states:

Theorganization:a.Scansforvulnerabilitiesintheinformationsystemandhostedapplications[Assignment:organization‐definedfrequencyand/orrandomlyinaccordancewithorganization‐definedprocess]andwhennewvulnerabilitiespotentiallyaffectingthesystem/applicationsareidentifiedandreported;b.Employsvulnerabilityscanningtoolsandtechniquesthatfacilitateinteroperabilityamongtoolsandautomatepartsofthevulnerabilitymanagementprocessbyusingstandardsfor:1.Enumeratingplatforms,softwareflaws,andimproperconfigurations;2.Formattingchecklistsandtestprocedures;and

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

21


3.Measuringvulnerabilityimpact;c.Analyzesvulnerabilityscanreportsandresultsfromsecuritycontrolassessments;d.Remediateslegitimatevulnerabilities[Assignment:organization‐definedresponsetimes]inaccordancewithanorganizationalassessmentofrisk;ande.Sharesinformationobtainedfromthevulnerabilityscanningprocessandsecuritycontrolassessmentswith[Assignment:organization‐definedpersonnelorroles]tohelpeliminatesimilarvulnerabilitiesinotherinformationsystems(i.e.,systemicweaknessesordeficiencies).

NISTSP800‐53,Rev.4,SI‐2,FlawRemediation,states:

Theorganization:a.Identifies,reports,andcorrectsinformationsystemflaws;b.Testssoftwareandfirmwareupdatesrelatedtoflawremediationforeffectivenessandpotentialsideeffectsbeforeinstallation;c.Installssecurity‐relevantsoftwareandfirmwareupdateswithin[Assignment:organization‐definedtimeperiod]ofthereleaseoftheupdates;andd.Incorporatesflawremediationintotheorganizationalconfigurationmanagementprocess.


Recommendation3:


a. Continuewiththeireffortsto toreducetheirexposuretovulnerabilitiesthatcannotberemediated.

b. thatexistacrossalloperatingplatformsintheBank’snetworkenvironment.



InOctober2016,theBank’sOCIOcompletedtheir byremovingthe

.Additionally,theBank’sOCIOwill

ontheBank'snetwork.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeableto

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

22


adequatelyensurethattheBank

Finding: EXIM Bank Should Improve Controls over Baseline Configuration Implementation

ControlsarenotadequatetoensurethatEXIMBankimplementsbaselineconfigurationsforITsystemsinaccordancewithdocumentedprocedures,oridentifiesanddocumentsdeviationsfromconfigurationsettings.Specifically,weidentified thateachhad deviationsfromthedocumentedconfigurationsettings.EXIMmanagementwasunabletojustifythesedeviations.Inaddition,EXIMBankstilluses

EXIMmanagementstatedthatitisintheprocessofupgradingall andall andthatitwill

BankmanagementstatedthattheBankhadabusinessneedforeachbaselinedeviation;however,ithadnotcompletelydocumentedthesedeviationsforthe becausetheBankwasintheprocessofmigratingto inFY2017,whichwillfullyre‐baselinethesystems.

Withoutimplementingappropriatebaselineconfigurationsettingsorappropriatemanagementapprovalwheredeviationsarenecessary,EXIMisatincreasedriskofhavinginsecuresettings,whichcouldleadtoexploitsofknownvulnerabilities.


NISTSP800‐53,Rev.4,CM‐6,ConfigurationSettings,states:

Control:Theorganization:a. Establishesanddocumentsconfigurationsettingsforinformationtechnology

productsemployedwithintheinformationsystemusing[Assignment:organization‐definedsecurityconfigurationchecklists]thatreflectthemostrestrictivemodeconsistentwithoperationalrequirements;

b. Implementstheconfigurationsettings;c. Identifies,documents,andapprovesanydeviationsfromestablishedconfiguration

settingsfor[Assignment:organization‐definedinformationsystemcomponents]basedon[Assignment:organization‐definedoperationalrequirements];and

d. Monitorsandcontrolschangestotheconfigurationsettingsinaccordancewithorganizationalpoliciesandprocedures.

(b) (7)(E)(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E) (b) (7)(E)

(b) (7)(E)

(b) (7)(E) (b) (7)(E)

(b) (7)(E)

(b) (7)(E)

23



Recommendation4:


a. DocumentandimplementbaselineconfigurationsettingsforallinformationtechnologyproductsdeployedwithintheBank.

b. DocumentjustificationsorcompensatingcontrolsforanydeviationsfromestablishedbaselineconfigurationsettingsforeachoftheinformationtechnologyproductsdeployedwithintheBank.



InFY2016,theBank’sOCIOdevelopedandimplementedpolicyandproceduresforchangeandconfigurationmanagementforallITsystems.InFY2017,theBank’sOCIOwilldevelopandimplementanindependentverificationprocesstoensurethatbaselineconfigurationswithapproveddeviationsarecompliedwith.Anynewdeviationswillproceedthroughareviewandapprovalprocess.TheBankexpectstohavethiseffortcompletedbyAugust1,2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankdocumentsandimplementsbaselineconfigurationsettingsforallinformationtechnologyproductsdeployedanddocumentsdeviationsfromestablishedbaselines.

Finding: EXIM Bank Should Improve Controls over Access Management

ControlsarenotadequatetoensurethatindividualsrequiringaccesstoEXIMinformationandinformationsystemssignappropriateaccessagreementspriortoobtainingaccess.Specifically,wenotedthroughtheauditon‐boardingprocessthatEXIMBankdidnotrequiretheauditorstosigntheEXIMRulesofBehavior(RoB)documentpriortoobtainingnetworkaccess.

ThisweaknessexistsbecauseEXIMBankincorporatessigningtheRoBintotheirsecurityawarenesstraining,andtheBank’spolicystatesthatemployeeshavea10‐daygraceperiodtocompletethistraining.ThispolicyisnotincompliancewithFISMAandDHSrequirements,whichstatethatindividualsmustprovideasignedacknowledgementoftheirunderstandingandagreementtoabidebytheRoBpriortogainingaccesstofederal

24


information.Inaddition,EXIMBankdoesnotfollowuponorenforceitsinternal10‐daygraceperiod,anduserscancontinuetoaccessthenetworkafterthisperiodwithoutcompletingthetrainingorsigningtheRoB.

WithoutappropriatecontrolsinplaceforensuringthatemployeessignaRoBpriortoobtainingaccesstotheBank’snetworks,thereisanincreasedriskofindividualsperforminginappropriateorunauthorizedactivities,whichcouldleadtounintentionaluse,access,andexposureofsensitivedata.

Thefollowingguidanceisrelevantforthiscontrolactivity:

NISTSP800‐53,Rev.4,PL‐4,RulesofBehavior,states:

Control:Theorganization:a.Establishesandmakesreadilyavailabletoindividualsrequiringaccesstotheinformationsystem,therulesthatdescribetheirresponsibilitiesandexpectedbehaviorwithregardtoinformationandinformationsystemusage;b.Receivesasignedacknowledgmentfromsuchindividuals,indicatingthattheyhaveread,understand,andagreetoabidebytherulesofbehavior,beforeauthorizingaccesstoinformationandtheinformationsystem;

NISTSP800‐53,Rev.4,PS‐6,AccessAgreements,states:

Control:Theorganization:a.Developsanddocumentsaccessagreementsfororganizationalinformationsystems;b.Reviewsandupdatestheaccessagreements[Assignment:organization‐definedfrequency];andc.Ensuresthatindividualsrequiringaccesstoorganizationalinformationandinformationsystems:

1.Signappropriateaccessagreementspriortobeinggrantedaccess;and2.Re‐signaccessagreementstomaintainaccesstoorganizationalinformationsystemswhenaccessagreementshavebeenupdatedor[Assignment:organization‐definedfrequency].

25



Recommendation5:


a. Updatetheiron‐boardingprocesstoseparatetheacknowledgementoftheRoBfromthesecurityawarenesstrainingandrequireuserstoacknowledgeandsigntheRoBpriortoobtainingnetworkaccess,orimprovetheirexistingsecuritytrainingprocedurestoensurethatallpersonnelreceivesecuritytrainingandsigntheBank’sRoBagreementpriortoobtainingaccesstotheBank’sdata.

b. Implementprocedurestoformallytrackcompliancewiththeupdatedprocess.Management’sResponse:


TheBank’sOCIOwilldevelopandimplementanon‐boardingprocesswhichrequiresallusers(employees,contractors,temps,andinterns)toexecuteasignedRulesofBehaviorAgreementwiththeBankpriortobeinggrantedanynetworkorsystemaccess.TheBankexpectstohavethiseffortcompletedbyApri12017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankrequiresallpersonneltosigntheBank’sRoBagreementbeforeobtainingaccesstotheBank’sdata.

Finding: EXIM Bank Should Improve Controls over Role-Based Training

ControlsarenotadequatetoensurethatEXIMBankidentifiesandtracksthestatusofspecializedsecurityandprivacytrainingforallpersonnel(toincludeemployees,contractors,andotherorganizationusers)thathavesignificantinformationsecurityandprivacyresponsibilitiesrequiringsuchtraining.Specifically,wenotedthattheBankhasidentifiedonlyfourrolesthathavespecializedsecurityresponsibilitiesandarerequiredtotakerole‐basedsecuritytraining,including:

• CIO• Director,ITSecurityandSystemAssurance• Director,InfrastructureOperations• InformationSystemSecurityOfficer

26


NISTSP800‐53,Rev.4states,“Organizationsprovideenterprisearchitects,informationsystemdevelopers,softwaredevelopers,acquisition/procurementofficials,informationsystemmanagers,system/networkadministrators,personnelconductingconfigurationmanagementandauditingactivities,personnelperformingindependentverificationandvalidationactivities,securitycontrolassessors,andotherpersonnelhavingaccesstosystem‐levelsoftware,adequatesecurity‐relatedtechnicaltrainingspecificallytailoredfortheirassignedduties.”WenotedthatEXIMBankhasnotidentifiedthemajorityoftherecommendedrolesasrequiringspecializedsecuritytrainingandhasnotrequiredemployeesintheserolestotakesuchtraining.

Thisweaknessexistsbecausemanagementhasfocusedonmanagement‐levelroles,giventhetimeandcostassociatedwithtrackingtrainingforasignificantlylargercohortofpersonnel.Withoutappropriatesecurity‐relatedtrainingforthoseinvolvedinsecurityactivities,thelikelihoodthatemployeeswillincorrectlyconfigureormanagesystemsisincreased,whichinturnincreasestheoverallvulnerabilityrisktotheBank’ssystemsanddata.


NISTSP800‐53,Rev.4,AT‐3,Role‐BasedSecurityTraining,states:

Control:Theorganizationprovidesrole‐basedsecuritytrainingtopersonnelwithassignedsecurityrolesandresponsibilities:a.Beforeauthorizingaccesstotheinformationsystemorperformingassignedduties;b.Whenrequiredbyinformationsystemchanges;andc.[Assignment:organization‐definedfrequency]thereafter.SupplementalGuidance:Organizationsdeterminetheappropriatecontentofsecuritytrainingbasedontheassignedrolesandresponsibilitiesofindividualsandthespecificsecurityrequirementsoforganizationsandtheinformationsystemstowhichpersonnelhaveauthorizedaccess.Inaddition,organizationsprovideenterprisearchitects,informationsystemdevelopers,softwaredevelopers,acquisition/procurementofficials,informationsystemmanagers,system/networkadministrators,personnelconductingconfigurationmanagementandauditingactivities,personnelperformingindependentverificationandvalidationactivities,securitycontrolassessors,andotherpersonnelhavingaccesstosystem‐levelsoftware,adequatesecurity‐relatedtechnicaltrainingspecificallytailoredfortheirassignedduties.Comprehensiverole‐basedtrainingaddressesmanagement,operational,andtechnicalrolesandresponsibilitiescoveringphysical,personnel,andtechnicalsafeguardsandcountermeasures.Suchtrainingcanincludeforexample,policies,procedures,tools,andartifactsfortheorganizationalsecurityrolesdefined.Organizationsalsoprovidethetrainingnecessaryforindividualstocarryouttheirresponsibilitiesrelatedtooperationsandsupplychainsecuritywithinthecontextoforganizationalinformationsecurityprograms.Role‐ basedsecuritytrainingalsoappliestocontractorsprovidingservicestofederalagencies.

27



Recommendation6:


a. Identifyanddocumentacomprehensivelistofallroleswithinformationsecurityresponsibilities.

b. Documentandimplementprocedurestoensurethatalloftheidentifiedroles

receiveannualrole‐basedsecuritytraining.Management’sResponse:


TheBank’sOCIOwilldefinethoseroleswhichpossessspecializedsecurityresponsibilitiesandidentifyallstaffthatfittotheseroles.TheOCIOwilldevelopprocedurestoensurethatallpersonnelwithspecializedsecurityresponsibilitiesrevisedrolebasedtrainingannually.Implementationoftheseprocedureswillbedocumentedwithtrainingmaterials,attendancerosters,andcompletiondates.TheBankexpectstohavethiseffortcompletedbyJuly1,2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankidentifiesacomprehensivelistofallrolesrequiringspecializedsecuritytraining,andthattheseindividualsreceiverole‐basedtrainingannually.

Finding: EXIM Bank Should Improve Controls over the Use of

EXIMBankhasnotimplementedappropriatecontrolsoverthefrequencyofreviewsandupdatesto .Specifically,wenotedthatEXIMusesa

Thisfrequencydoesnotcomplywiththedocumentedpolicyandincreasestheriskthatindividualsnolongerwiththeagencycouldstillhaveknowledgeanduseof .Additionally,whileBank

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E) (b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E) (b) (7)(E)(b) (7)(E)

(b) (7)(E)

28


Uponreceivingnotificationofthisfinding,EXIMmanagementacknowledgedtheerrorandstatedthattheBankwouldconsiderestablishinganewpolicytochangethepasswordmorefrequently.


NISTSP800‐53,Rev.4,AC‐2,AccountManagement,states:

Control:Theorganization:… f.Creates,enables,modifies,disables,andremovesinformationsystemaccountsinaccordancewith[Assignment:organization‐definedproceduresorconditions];g.Monitorstheuseof,informationsystemaccounts;…k.Establishesaprocessforreissuingshared/groupaccountcredentials(ifdeployed)whenindividualsareremovedfromthegroup.


Recommendation7:

WerecommendthattheEXIMBankCIOimplementareviewandupdateof onafrequencythatiscompliantwithEXIMBank’sdocumentedpolicies

andprocedures.

(b) (7)(E) (b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

29




TheBank’sOCIOwillreviewtheirproceduresfor forall andreviseourpolicyorproceduresasneededtoensurethat

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankreviewsand inaccordancewithestablishedBankpolicy.

Finding: EXIM Bank Should Improve Controls over APS Account Management

ControlsarenotadequatetoensurethatEXIMBankdisablesAPSaccountsforindividualsthathavenotloggedintotheapplicationformorethan90days.Specifically,weidentified129activeAPSaccountsforindividualsthathavenotloggedinformorethan90days,whichviolatesEXIMBankpolicy.

EXIMBankmanagementstatedthattheAPSapplicationreliesontheInfrastructureGSSforsinglesign‐onauthenticationandthereforereliesonthedisablingofnetworkaccountstosatisfythiscontrolrequirement.However,byrelyingontheGSSratherthanimplementingapplication‐levelcontrols,thereisincreasedriskthatindividualsthathaveanactivenetworkaccountbutthatnolongerrequireaccesstotheAPSapplicationcouldhaveunnecessaryorexcessiveprivilegeswithinAPS.


APSSSP,AC‐2,AccountManagement,states:

ControlisPartiallyInheritedasaCommonControl.SeeInfrastructureSSP/SCMforcontrolimplementationdescriptions.

TheInfrastructureGSSSSP/SCM,AC‐2(1),AccountManagement,states:

ForNetworkaccess,theBank,employsautomatedmechanismstosupportthemanagementofnetworkaccountsbydeactivatingdormantaccountsafter90daysofinactivity.

(b) (7)(E) (b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

30


NISTSP800‐53,Rev.4,AC‐2,AccountManagement,states:

Control:Theorganization:… f.Creates,enables,modifies,disables,andremovesinformationsystemaccountsinaccordancewith[Assignment:organization‐definedproceduresorconditions];g.Monitorstheuseof,informationsystemaccounts;…h.Notifiesaccountmanagers:1.Whenaccountsarenolongerrequired;2.Whenusersareterminatedortransferred;and3.Whenindividualinformationsystemusageorneed‐to‐knowchanges;

…j.Reviewsaccountsforcompliancewithaccountmanagementrequirements[Assignment:organization‐definedfrequency];


Recommendation8:

WerecommendthattheEXIMBankCIOdocumentandimplementprocedurestoperiodicallyreviewanddisableAPSaccountsthathavenotbeenusedformorethan90days.Management’sResponse:


TheBank’sOCIOcurrentlyconductsmonthlyapplicationaccountreviewsandwillamendtheirAPSuseraccountmanagementprocedurestodisableallAPSuseraccountsafter90daysofnotbeingaccessed.TheBankexpectstohavethiseffortcompletedbyJune1,2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankdisablesallAPSaccountsafter90daysofinactivity.

Finding: EXIM Bank Should Improve Controls over Software License Management

ControlsarenotadequatetoensurethatEXIMBankappropriatelyusessoftwareinaccordancewithcontractagreementsandcopyrightlaws.Specifically,wenotedthatasof

31


October30,2016,theBankwasusing33 and licensesinexcessofitspurchasedlicenseamounts.

BankmanagementstatedtheBank’ssoftwareneedsfluctuate,andtheBankroutinelyexceedsitspurchasedlicenseamountsinordertomeetstakeholderneeds.

agreementallowstheBanktoexceedthepurchasedlicenseamounts.Accordingtothisagreement,attheendofthefiscalyear,theBankisrequiredto“true‐up”itslicensesbyreconcilingtheactivelicensesandeitherpurchasinganyexcesslicensesrequired,orremovingthem.WhileBankmanagementreconcileditssoftwarelicensesattheendofFY2016,itdidnotfollowthroughwithpurchasingorremovingtheexcesslicensesthatexistedasofSeptember30,2016.Asaresult,theBankenteredFY2017withexcesslicenses.

Bynotpurchasingorremovingtheexcesslicenses,theBankisatincreasedriskofnon‐compliancewithestablishedvendoragreements.


OMBM‐16‐12,CategoryManagementPolicy16‐1:ImprovingtheAcquisitionandManagementofCommonInformationTechnology:SoftwareLicensing,datedJune2,2016,states:

FITARAprovidesnewauthoritiesandresponsibilitiesthatChiefInformationOfficers(CIOs)canusetoimprovetheiragencies’ITmanagementpoliciesandpractices.Toimprovecoveredagencies’softwaremanagementpractices,CIOs,incoordinationwithChiefAcquisitionOfficers(CAOs)andChiefFinancialOfficers(CFOs),musttakethefollowingsteps:…

2)Maintainacontinualagency‐wideinventoryofsoftwarelicenses,includingalllicensespurchased,deployed,andinuse,aswellasspendingonsubscriptionservices(toincludeprovisional(i.e.cloud)softwareasaserviceagreement(SaaS)).Agenciesmustbetterunderstandthetrueusageofcertaintypesofsoftware.

3)Analyzeinventorydatatoensurecompliancewithsoftwarelicenseagreements,consolidateredundantapplications,andidentifyothercost‐savingopportunities.

NISTSP800‐53,Rev.4,CM‐10,SoftwareUsageRestrictions,states:

Control:Theorganization:a.Usessoftwareandassociateddocumentationinaccordancewithcontractagreementsandcopyrightlaws;b.Trackstheuseofsoftwareandassociateddocumentationprotectedbyquantitylicensestocontrolcopyinganddistribution;andc.Controlsanddocumentstheuseofpeer‐to‐peerfilesharingtechnologytoensurethatthiscapabilityisnotusedfortheunauthorizeddistribution,display,performance,orreproductionofcopyrightedwork.

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

32



Recommendation9:


a. Removeallinstancesof softwarethathavenotbeenproperlylicensedorauthorizedbythevendor,ormakearrangementswith topurchasethecurrentexcessamount.

b. DocumentandimplementprocedurestoperiodicallyreviewandreconcilethenumberofsoftwarelicensesusedforallsoftwareproductstoensurethattheBankisincompliancewithitsvendoragreements.



TheBankisnowinfullcompliancewiththequantitiesof softwarecurrentlyownedbytheBank.Further,theOCIOwilldevelopwrittenprocedurestoimplementtheprocesscurrentlyusedtoreviewcompliancewithoursoftwarelicensequantities.TheBankexpectstohavethiseffortcompletedbyApril1,2017.

EvaluationofManagement’sResponse:Ifimplementedproperly,webelievethattheprocessmanagementhasdefinedaboveforremediatingthisissuewillbeabletoadequatelyensurethattheBankremovesallinstancesofsoftwarethathavenotbeenproperlylicensed,andthatitimplementsdocumentedproceduresforperiodicallyreviewingandreconcilinglicensequantities.

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

33


Federal Laws, Regulations, Policies, and Guidance

Aspartofourtestsofinternalcontrols,wereviewedEXIMBank’sinformationsecurityprogramtodetermineitseffectiveness,asprescribedbyapplicablefederallawsandregulationsrelatedtoinformationsecurity,includingbutnotlimitedto:

FederalInformationSecurityModernizationActof2014

FY2016InspectorGeneralFederalInformationSecurityModernizationActReportingMetricsV1.1.3

NISTSPsandFIPS,particularly:

o SP800‐53,Rev.4,SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations

o SP800‐53A,Rev.4,AssessingSecurityandPrivacyControlsinFederalInformationSystemsandOrganizations:BuildingEffectiveAssessmentPlans

o SP800‐34,Rev.1,ContingencyPlanningGuideforFederalInformationSystems

o SP800‐37,Rev.1,GuideforApplyingtheRiskManagementFrameworktoFederalInformationSystems

o SP800‐30Rev.1,GuideforConductingRiskAssessments

o SP800‐60,Rev.1,VolumeIRevision1:GuideforMappingTypesofInformationandInformationSystemstoSecurityCategories

o SP800‐61,Rev.2,ComputerSecurityIncidentHandlingGuide

o FIPSPublication199,StandardsforSecurityCategorizationofFederalInformationandInformationSystems

APPENDIX A

34


Prior Coverage

Thefollowingtableshowsthestatusofallprior‐yearauditfindingsandrecommendations,includingtheyearofinitialdiscoveryandthecurrentstatus.Allre‐issueditemsareaddressedindetailinthe“Results”sectionofthereport.

Finding RecommendationFY

IdentifiedFY2016Status

DuringourFY2011testing,wefoundthatEXIMBankhadnotdevelopedanddocumentedaplanfortheimplementationofPIVcardsasthecommonmeansofauthenticationforaccesstotheagency’sfacilities,networks,andinformationsystems,asdirectedinOMB‐M‐11‐11.Inaddition,EXIMBankwasnotemployingPIVmultifactorauthenticationmechanismsforusersconnectingtotheBank’snetworksinternally.TheCIOstatedthatactionhadnotbeentakentoimplementPIVaccesstoEXIMBank’sinternalnetworkduetootherpriorities.GiventhataplanhadnotbeendevelopedforPIVimplementation,thedateforupgradingthenetwork’sacceptanceforitsusewasunknown.DuringourFY2013testing,wenotedthatEXIMBankhaddevelopedaplanfortheimplementationanduseofPIVcardstoachievemultifactorauthenticationforaccesstotheEXIMBanknetworkandhadrolledoutapilotprogramtobegintheimplementation.However,thisprogramwasstillinthetestingphaseandhadnotbeendeployedthroughouttheagency.ForFY2015,wefoundthattheBankhadcompletedPIVimplementationforlogicalaccessforBankemployees;however,thiswasnotfullyrolledoutuntiltheendofthefiscalyear,inSeptember2015.WealsofoundthattheBankhadnotyetfullyimplementedPIVaccessforallcontractorsaccessingtheBank’s

WerecommendthattheCIOfullyimplementtheuseofPIVcardstoachievemultifactorauthenticationtotheEXIMBanknetworkforallaccess,asrequiredbyOMBM‐11‐11.

2012 Closed

35




networks.UntilEXIMBankhasfullyimplementedtheuseofPIVcards,itwillnotbeincompliancewithOMBrequirementsandwillhaveanincreasedriskofunauthorizedaccess.

ControlsarenotadequatetoensurethatEXIMBankhasimplementedeffectiveaccountmanagementprocessesfortheInfrastructureGSS.


1. Ensurethattheaccountreviewprocessisconductedinaccordancewithorganizationalpoliciesandprocedures.

2. Ensurethatinactive

accountsaredisabledafteraperiodof90days,inaccordancewithorganizationalpolicyandprocedures.

3. Ensurethataccounts

forterminatedindividualsareremovedimmediatelyuponseparation.

2013 Closed

InourFY2014FISMAauditreport,wefoundthatcontrolswerenotadequatetoensurethatremoteusersaretimedoutordisconnectedfromtheEXIMBanknetworkinaccordancewithEXIMBankpolicy.Specifically,wefound:

Remoteconnectionsthroughthevirtualprivatenetwork(VPN)didnottimeout.EXIMBankpolicyrequiresremoteconnectionstotimeoutafter30minutesofinactivity.

Remoteconnectionsdisconnectedafter8hours.EXIMBankpolicy


1. Ensurethatremoteaccesspoliciesandsettingsareappropriatelyconfiguredandimplemented.

2. TestallNISTSP800‐53,Rev.4securitycontrolstoensurethattheyareappropriatelyoperatingasintended.

2014 Closed

36




requiresremoteconnectionstodisconnectafter6hours.

Remotedesktopconnectionsettingsweresettotimeoutafter1hourratherthantherequired30minutes.

DuringourFY2015testing,wenotedthat,whiletheaboveweaknesseswereremediated,controlsoverremoteaccessstillneedimprovement.Specifically,wenotedthatremoteusersarerequiredtousetwo‐factorauthenticationtologintoEXIMBank’snetwork.AfterloggingontotheVPN ,usersnotusinganEXIMBankmachinemustthenremotedesktop(RDP)intoaBankmachineinordertoaccessBankresources.However,wefoundthatthesystemdoesnotforceuserstologontoRDPtoaccessthenetwork.Non‐BankmachinescanbeconfiguredtoskipovertheRDPstepaftersuccessfullyconnectingtotheVPN,insteaddirectlyaccessingEXIMresources,whichviolatesBankpolicy.

ControlsarenotadequatetoensurethatEXIMBankdataaccessiblefrom

isadequatelyprotected.InFY2015,wenotedthattheBankhasacquiredsoftwarethatwillenableittoenforcesecuritycontrolson

.Thissoftwarehasbeenconfiguredandimplementedfor

.

WerecommendthattheEXIMBankCIOdeploy securitycontrolsthat:

1.

2. Restricttheinstallation

ofunapprovedormalicioussoftware.

3. Prevent

fromconnectingtointernalEXIMBankresources.

2014 Reissued

Numbers2and3closed;Number

1remainsopen

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

37




ControlsarenotadequatetoensurethatallEXIMBanksystemsecurityplans(SSPs)areappropriatelydocumentedtoaddressallapplicableNIST800‐53,Rev.4controls.Specifically,wenotedthattheFMS‐NGSSPdidnotaddressNIST800‐53,Rev.4privacycontrols.

WerecommendthattheEXIMBankCIOupdatetheFMS‐NGSSPtoidentifyanddocumentallapplicableNISTSP800‐53,Rev.4controls.

2015 Closed

ControlsarenotadequatetoensurethatEXIMBankhasdocumentedconfigurationmanagementplansthataddressconfigurationmanagementrequirementsforallofitssystems.Specifically,wenotedthatEXIMBankdidnotprovideconfigurationmanagementplansfortheInfrastructureGSSand systems.TheBankstatedthatplansdidexist;however,theplanswerenotconsistentlyupdatedorwereoutdated.Asaresult,theBankwouldnotprovidetheplanstotheauditors.Withoutappropriateconfigurationmanagementplansthataddresshowtomovechangesthroughchangemanagementprocesses;howtoupdateconfigurationsettingsandbaselines;howtomaintaininformationsystemcomponentinventories;howtocontroldevelopment,test,andoperationalenvironments;andhowtodevelop,release,andupdatekeydocuments,theBankmaybesusceptibletounauthorizedandmalicioussystemchanges.

WerecommendthattheEXIMBankCIOdocumentconfigurationmanagementplansfortheInfrastructureGSSand systemsthat:

a. Addressroles,

responsibilities,andconfigurationmanagementprocessesandprocedures.

b. Establishaprocessforidentifyingconfigurationitemsthroughoutthesystemdevelopmentlifecycleandformanagingtheconfigurationoftheconfigurationitems.

c. Definetheconfiguration

itemsfortheinformationsystemandplacetheconfigurationitemsunderconfigurationmanagement.

d. Protecttheconfiguration

managementplanfromunauthorizeddisclosureandmodification.

2015 Closed

ControlsarenotadequatetoensurethattheBankperformedappropriate

WerecommendthattheEXIMBankCIOensurethattestingof

2015 Closed

(b) (7)(E)

(b) (7)(E)

38




contingencyplanningactivitiesinFY2015.Specifically,wefoundthatinFY2015,theBankdidnotperformitsannualcontinuityofoperationsplan(COOP)exercisethatvalidatestheBank’sabilitytocontinueoperationsintheeventofadisaster.TheBankstatedthatduetoalapseinitsauthority,resourceconstraintsandre‐prioritizationpreventeditfromcoordinatingandexecutingtheplan.WithoutvalidationofCOOPcapabilities,theBankmaynotbeawareoftheplan’seffectivenessorpotentialweaknessesthatrequireremediation.Inaddition,thereisanincreasedriskthattheBankwillbeunabletoperformitsmissionintheeventthatsystemsareunavailableforextendedperiodsoftime.

theCOOPplanisperformedonanannualbasistoensurethattheBankispreparedtocontinueoperationsandappropriatelyrespondtopotentialdisasters.

ControlsarenotadequatetoensurethatappropriatePOA&Mmanagementcontrolsareinplace.Specifically,wenotedthefollowing:

Forthe ,theBankhadnotstartedaddressingPOA&Ms

ndthescheduledcompletiondatespassedwithnomilestoneupdates.

Forthe ,theBankhadnotstartedaddressingPOA&M

,andthescheduledcompletiondatepassedwithnomilestoneupdates.

WerecommendthattheEXIMBankCIOimplementaprocesstoensurethatallsystemPOA&Msarereviewedonanorganization‐definedfrequencyandthatmilestonesareupdatedtoreflectactionstakentoremediatePOA&Mitems.

2015 Reissued

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

39


Management Comments

APPENDIX B

(b) (7)(E)

40


(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

41


(b) (7)(E)

42


(b) (7)(E)

(b) (7)(E)(b) (7)(E) (b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E) (b) (7)(E)(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

43


(b) (7)(E)(b) (7)(E) (b) (7)(E)(b) (7)(E)(b) (7)(E)(b) (7)(E)

(b) (7)(E)

(b) (7)(E)

44


Selected Security Controls and Testing Results

800‐53Control

ControlTitle System Results

AC‐2 AccountManagement APS Controlsarenoteffective

AU‐2 AuditEvents APS Controlsareeffective

AU‐6 AuditReview,Analysis,andReporting APS Controlsareeffective

CM‐2 BaselineConfiguration APS Controlsareeffective

CM‐3 ConfigurationChangeControl APS Controlsareeffective

CM‐6 ConfigurationSettings APS Controlsarenoteffective

IA‐2 IdentificationandAuthentication APS Controlsareeffective

CM‐8 InformationSystemComponentInventory

GSS Controlsareeffective

CM‐10 SoftwareUsageRestrictions GSS Controlsarenoteffective

CM‐11 User‐InstalledSoftware GSS Controlsareeffective

MP‐1 MediaProtectionPolicyandProcedures GSS Controlsareeffective

MP‐2 MediaAccess GSS Controlsareeffective

MP‐4 MediaStorage GSS Controlsareeffective

MP‐5 MediaTransport GSS Controlsareeffective

APPENDIX C

45


DHS FY 2016 IG FISMA Metrics Results

ThefollowingtablesrepresenteachoftheNISTCybersecurityFrameworkdomainsthatwereviewedtorespondtotheFY2016IGFISMAMetrics.Eachofthefivedomainareas(Identify,Protect,Detect,Respond,andRecover)hadspecificcontrolobjectivesthatweevaluated,andeachobjectivewasassociatedwithamaturitylevel.ThetablesbelowrepresentthenumberofobjectivesthatweevaluatedforeachCybersecurityFramework,theirassociatedmaturitylevel,andwhetherthecontrolobjectivewas“met”or“notmet.”Thenumberofcontrolobjectives“met”foreachlevelwithintherespectivedomainsdeterminedtheoverallscoreforthatdomain.PerDHS’FY2016IGFISMAmetrics,onlyagencyprogramsthatscoreatoraboveLevel4:ManagedandMeasureable(13points)foraNISTFrameworkFunctionhaveeffectiveprogramswithinthatarea.

Furthermore,thepointallotmentforeachlevelofmaturityisdeterminedbymeetingalloftherequirementsinthepreviouslevel(s),andhalformoreofthelevelcurrentlyunderassessment.Forexample,anagencyisconsideredtobeatlevel3ifithasmetallofthelevel1andlevel2requirementsandhalformoreofthelevel3requirements.

Identify

Level Met Not Met % Points Possible

Level 1: Ad‐hoc 0 0 100% 3 3

Level 2: Defined 2 2 50% 4 4

Level 3: Consistently Implemented 9 2 82% 6

Level 4: Managed and Measureable 5 1 83% 5

Level 5: Optimized Achieve 100% of Level 4 Capabilities 2

Level 2: Defined Effective No 7 20

Protect


Level 1: Ad‐hoc 0 0 100% 3 3

Level 2: Defined 2 3 40% 4



Level 5: Optimized Achieve 100% of Level 4 Capabilities 2

Level 1: Ad‐hoc Effective No 3 20

Detect


Level 1: Ad‐hoc 10 0 100% 3 3



APPENDIX D

46



Level 5: Optimized 0 7 0% 2


Respond


Level 1: Ad‐hoc 12 0 100% 3 3




Level 5: Optimized 0 8 0% 2


Recover


Level 1: Ad‐hoc 0 0 100% 3 3


Level 3: Consistently Implemented 6 0 100% 6 6

Level 4: Managed and Measureable 3 0 100% 5 5

Level 5: Optimized Achieve 100% of Level 4 Capabilities 2 2

Level 5: Optimized Effective Yes 20 20

Area Level Points Possible Effective

Identify Level 2: Defined 7 20 No

Protect Level 1: Ad‐hoc 3 20 No

Detect Level 2: Defined 7 20 No

Respond Level 2: Defined 7 20 No

Recover Level 5: Optimized 20 20 Yes

Total 44 100

Effective No

47


To Report Fraud, Waste, or Abuse, Please Contact:

Email: [email protected]

Telephone: 1‐888‐OIG‐EXIM(1‐888‐644‐3946)

Fax: (202)565‐3988

Address: OfficeofInspectorGeneral Export‐ImportBankoftheUnitedStates 811VermontAvenue,NW Suite138 Washington,DC20571

Comments and Suggestions

Ifyouwishtocommentonthequalityorusefulnessofthisreportorsuggestideasforfutureaudits,pleasecontactTerrySettle,AssistantInspectorGeneralforAudits,[email protected](202)565‐3498.Comments,suggestions,andrequestscanalsobemailedtotheattentionoftheAssistantInspectorGeneralforAuditsattheaddresslistedabove.

Office of Inspector General Export-Import Bank of the United States 811 Vermont Avenue, NW Washington, DC 20571 202-565-3908 www.exim.gov/about/oig

independent audit of export- import bank s information ... of exim bank... · years for corrective...

Documents