Doc: M-09-29 Attachment, IG Questions
Annual FISMA Reporting Inspector General Questions
Question 1: System Inventory
Identify the number of agency and contractor systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your agency but owned by another federal agency (e.g., ePayroll) by component and FIPS 199 impact level.
Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing
For the Total Number of Systems identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory
The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
Does the agency have policies for oversight of contractors? Yes/No
If the answer above is Yes, is the policy implemented?
The agency has a materially correct inventory of major information systems (including national security systems) operated by or under the control of such agency. Yes/No
Does the agency maintain an inventory of interfaces between the agency systems and all other systems, such as those not operated by or under the control of the agency? Yes/No
Does the agency require agreements for interfaces between systems it owns or operates and other systems not operated by or under the control of the agency? Yes/No
The IG generally agrees with the CIO on the number of agency-owned systems. Yes/No
The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes/No
The agency inventory is maintained and updated at least annually. Yes/No
If the IG does not indicate that the agency has a materially correct inventory, please identify any known missing major systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the systems as presented in the FY 2009 Exhibit 300 (if known), and indicate if the system is an agency or contractor system.
Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process
Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided.
Has the Agency developed and documented an adequate policy that establishes a POA&M process for reporting IT security deficiencies and tracking the status of remediation efforts? Yes/No
Has the Agency fully implemented the policy? Yes/No
Is the Agency currently managing and operating a POA&M process?
Is the agency's POA&M process an agency-wide process, incorporating all known IT security weaknesses, including IG/external audit findings associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency? Yes/No
Does the POA&M process prioritize IT security weaknesses to help ensure significant IT security weaknesses are corrected in a timely manner and receive appropriate resources? Yes/No
When an IT security weakness is identified, do program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s)? Yes/No
For Systems Reviewed:
- a. Are deficiencies tracked and remediated in a timely manner? Yes/No
- b. Are the remediation plans effective for correcting the security weaknesses? Yes/No
- c. Are the estimated dates for remediation reasonable and adhered to? Yes/No
Do Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly)? Yes/No
Does the Agency CIO centrally track, maintain, and independently review/validate POA&M activities on at least a quarterly basis? Yes/No
Question 5: IG Assessment of the Certification and Accreditation Process
Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004) for certification and accreditation work initiated after May 2004. This includes use of the FIPS 199 (February 2004), Standards for Security Categorization of Federal Information and Information Systems, to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Provide explanatory detail in the area provided.
Has the Agency developed and documented an adequate policy for establishing a certification and accreditation process that follows the NIST framework? Yes/No
Is the Agency currently managing and operating a C&A process in compliance with its policies? Yes/No
For systems reviewed, does the C&A process adequately provide: (check all that apply)
- Appropriate risk categories
- Adequate risk assessments
- Selection of appropriate controls
- Adequate testing of controls
- Regular monitoring of system risks and the adequacy of controls
For systems reviewed, is the Authorizing Official presented with complete and reliable C&A information to facilitate an informed system Authorization to Operate decision based on risks and controls implemented? Yes/No
Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process
Provide a qualitative assessment of the agency's process, as discussed in Section D, for protecting privacy-related information, including adherence to existing policy, guidance and standards. Provide explanatory information in the area provided.
Has the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for safeguarding privacy-related information? Yes/No
Is the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies? Yes/No
Has the Agency developed and documented an adequate policy for Privacy Impact Assessments? Yes/No/NA
Has the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate privacy impact assessments? Yes/No/NA
Question 7: Configuration Management
Is there an agency-wide security configuration policy? Yes/No
What tools and techniques is your agency using for monitoring compliance?
Indicate the status of the implementation of FDCC at your agency:
Agency has documented deviations from FDCC standard configuration. Yes/No
New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes/No
Question 8: Incident Reporting
How often does the agency comply with documented policies and procedures for identifying and reporting incidents internally? Answer will be a percentage range
How often does the agency comply with documented policies and procedures for timely reporting of incidents to US-CERT? Answer will be a percentage range
How often does the agency comply with documented policy and procedures for reporting to law enforcement? Answer will be a percentage range
Question 9: Security Awareness Training
Has the agency ensured IT security awareness training of all users with log in privileges, including contractors and those employees with significant IT security responsibilities? Provide explanatory detail in the space provided.
Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log in privileges, and providing them with suitable IT security awareness training? Yes/No/NA
Report the following for your agency:
- Total number of people with log in privileges to agency systems
- Number of people with log in privileges to agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (October 2003).
- Total number of employees with significant information security responsibilities.
- Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (April 1998).
Question 11: Peer-to-Peer File Sharing
Does the agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes/No