FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

Independent Evaluation of the FDIC’s Information Security Program-2006 – Footnotes


September 2006
Evaluation Report No. 06-022

Footnote 1:  Responses to Security-Related Questions in OMB’s Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management, dated September 22, 2006 (Report No. 06-019) and Response to Privacy Program Information Request in OMB’s Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management, dated September 22, 2006 (Report No. 06-018).

Footnote 2:  The OMB defines a significant deficiency as a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified, and immediate or near-immediate corrective action must be taken. The OMB defines a material weakness as a significant deficiency that the agency head determines to be significant enough to be reported outside the agency (i.e., included in the annual management control report to the President and the Congress).

Footnote 3:  An EA is an agency-wide blueprint that defines, in both business and technological terms, an organization’s current and target operating environments and the organization’s transition between the two. Among other things, the EA defines principles and goals for, and sets direction on, information technology (IT) security. Although the FDIC is not legally required to develop an EA, the FDIC recognizes the value of having one and is working to implement an EA.

Footnote 4:  FINANCIAL AUDIT Federal Deposit Insurance Corporation Funds 2005 and 2004 Financial Statements, dated March 2006 (Report No. GAO-06-146).

Footnote 5:  The reportable condition in information system controls, although not considered material, represents a significant deficiency in the design or operation of internal control that could adversely affect the FDIC’s ability to meet its internal control objectives.

Footnote 6:  INFORMATION SECURITY Federal Deposit Insurance Corporation Needs to Improve Its Program, dated August 2006 (Report No. GAO-06-620).

Footnote 7:  OMB A-130, Appendix III was last revised on February 8, 1996 and was republished on November 28, 2000. Various provisions of that appendix are legally binding on the FDIC.

Footnote 8:  FISMA authorizes the Secretary of Commerce to make NIST standards compulsory for executive agencies to the extent determined necessary to improve the efficiency and security of federal information systems. The Secretary of Commerce exercises this authority subject to the direction of the President and in coordination with the OMB Director. Whether a NIST publication is legally binding upon the FDIC depends on the nature of the publication and the statutory basis(es) under which the publication was promulgated.

Footnote 9:  NIST issues information security standards as FIPS PUBs and information security guidance as Special Publications (SP). Appendix I provides additional information about FIPS PUBs and SPs, including the applicability of these publications to the FDIC.

Footnote 10:  OMB A-130, Appendix III, defines a general support system as an interconnected set of information resources under the same direct management and that shares common functionality. A system normally includes hardware, software, information, applications, communications, and people.

Footnote 11:  According to the Application Systems Baseline Inventory management report as of July 31, 2006. The August 29, 2006 DIT Information Security Staff (ISS) risk management inventory, used for FISMA reporting, identified 165 FDIC information systems—150 systems from the Application Systems Baseline Inventory, 8 general support systems, and 7 contractor systems not included in the Application Systems Baseline Inventory. According to ISS, the remaining 129 systems in the Application Systems Baseline Inventory were no longer in service, or were tools, utilities, configurations, or other objects that were not application systems and, therefore, were not included in the ISS risk management inventory.

Footnote 12:  OMB A-130, Appendix III, defines a major application as one that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information in the application.

Footnote 13:  COBIT® is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT® enables clear policy development and good practice for IT control throughout organizations.

Footnote 14:  Federal agencies must meet the minimum security requirements defined in FIPS PUB 200 through the use of the controls in SP 800-53. The applicability of these publications to the FDIC has not been determined.

Footnote 15:  The CIO provided the FDIC’s New Financial Environment system with an interim authorization to operate while the FDIC addresses security risks identified during the certification and accreditation process. Information systems are not certified and accredited during the interim authorization period.

Footnote 16:  FISMA requires agencies to report any significant deficiency in a policy, procedure, or practice as a material weakness in reporting under the FMFIA. FMFIA requires agencies to evaluate their internal control systems on an annual basis and to report the results of the evaluation, along with any material weaknesses and plans for corrective actions, to the President and the Congress. These requirements were made applicable to the FDIC by the Chief Financial Officers Act of 1990.

Footnote 17:  Our evaluation did not include an assessment of the System and Communications Protection or the Systems and Services Acquisition control families. Appendix II describes the security control testing we performed within each control family.

Footnote 18:  For the purposes of our evaluation, we consider the FDIC’s Chairman to be the head of the Corporation. Nevertheless, the FDIC’s Board of Directors, by statute, has overall responsibility for managing the Corporation. The Board consists of five members: the Chairman, Vice Chairman, Director, Director of the Office of Thrift Supervision, and Comptroller of the Currency.

Footnote 19:  The FDIC’s Rational Unified Process (RUP®) SDLC methodology includes FDIC-specific security requirements applicable to each phase of the development of an IT project.

Footnote 20:  The Technical Reference Model identifies and describes, among other things, the security services used throughout the agency.

Footnote 21:  The Security Standards Profile identifies the security standards specific to the security services (such as access control and authentication) specified in the agency’s EA.

Footnote 22:  Recent GAO and OIG audits identified internal control weaknesses relating to security policies and standards that had not been adequately incorporated into the design of FDIC information systems.

Footnote 23:  The FDIC is voluntarily implementing (i.e., is not required by statute) a capital planning and investment control process, referred to as the capital planning and investment management (CPIM) process.

Footnote 24:  Such OMB policy and guidance includes, but is not limited to, Circular No. A-11, Preparation, Submission, and Execution of the Budget, and Memoranda M-00-07, Incorporating and Funding Security in Information Systems Investments; and M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments.

Footnote 25:  The CIRC and the CIO Council have responsibilities for reviewing, recommending, and monitoring corporate IT investments.

Footnote 26:  The Board is responsible for recommending cost-effective and efficient corporate solutions by evaluating the degree to which proposed projects align with the target EA.

Footnote 27:  The FDIC generally defines capital investments as projects that have a total investment budget of $3 million or more and other projects deemed to have significant corporate impact. The FDIC prepares a business case containing an aggregate security cost estimate for each capital investment. However, the security cost estimates are used for informational purposes only and are not determined through an analysis of historical costs. At the close of our evaluation, the FDIC was managing three capital investment projects.

Footnote 28:  NIST SP 800-65 defines a major IT investment as, among other things, a system or investment that requires special management attention because of its importance to an agency’s mission or is an integral part of the agency’s EA. The financial justification for one such project at the FDIC, the Deposit Insurance Reform project, did not identify how much of the $9.6 million cost estimate related to information security.

Footnote 29:  PIAs are required under the E-Government Act of 2002 as implemented by OMB’s September 26, 2003 memorandum (M-03-22) entitled, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. PIAs must address the type of information being collected from individuals; why the information is being collected; the intended use of the information; with whom the information will be shared; which notice or opportunities for consent would be provided to individuals regarding the information that is collected and how the information is shared; how the information will be secured; and whether a system of records is being created under the Privacy Act.

Footnote 30:  Common security controls can be applied to one or more information systems.

Footnote 31:  OMB defines “information in an identifiable form” as information in a system or on-line collection that directly identifies an individual (e.g., name, address, Social Security number or other identifying code, telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements.

Footnote 32:  RUP® is a vendor-provided methodology that helps ensure security is considered and implemented throughout the SDLC, which includes multiple check points for security testing.

Footnote 33:  The FDIC’s Security Certification and Accreditation Program, dated February 2006 (Report No. 06-007).

Footnote 34:  An ST&E weakness is a system deficiency identified during a security assessment of the system security controls.

Footnote 35:  OMB’s October 17, 2001 memorandum (M-02-01) entitled, Guidance for Preparing and Submitting Security Plans of Action and Milestones, (and subsequent guidance) states that POA&Ms should reflect consolidation with, or be accompanied by, other agency plans to correct security weaknesses found during any review done by, for, or on behalf of the agency. Such reviews include GAO audits, financial system audits, FISMA reviews, and critical infrastructure vulnerability assessments. The applicability of OMB’s POA&M-related memoranda, including M-02-01, is under consideration by the FDIC.

Footnote 36:  FDIC Circular 2150.1, Pre-Exit Clearance Procedures for FDIC Employees, defines procedures for safeguarding FDIC-owned property and interests when employees leave the Corporation. A key component of these procedures is Form 2150/01, Pre-Exit Clearance Record for Employees, which contains a checklist of items that must be completed as part of the employee’s pre-exit clearance process.

Footnote 37:  In our March 30, 2004 Audit Report No. 04-016 entitled, FDIC’s Personnel Security Program, we recommended, among other things, that the FDIC (a) review employees in moderate-risk level positions to ensure that appropriate background investigations have been performed and (b) re-assess low-risk-level employee positions having access to sensitive data in major applications to ensure that background investigations are completed for these employees commensurate with their access privileges.

Footnote 38:  FDIC Circular 1610.1, FDIC Physical Security Program, states that administrative officers are responsible for approving form FDIC 1620/01 for all new employees, interns, detailees, and others who require an FDIC identification badge. Once completed and approved, the form is forwarded to DOA Corporate Services Branch.

Footnote 39:  Circular 1360.13, DIRM’s [Division of Information Resources Management] Contingency Planning Program Policy, dated November 22, 2004. DIT formerly operated under the title of DIRM.

Footnote 40:  The FDIC did not incorporate the BIA into the overall business continuity documentation for reference purposes in the event of plan activation as recommended by NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. In addition, the mainframe recovery plan did not address NIST recommended security controls related to training, exercise and testing schedules, and plan maintenance.

Footnote 41:  The FDIC implemented Remedy to track requests through system life-cycle stages (i.e., request, approval, implementation, and closure).

Footnote 42:  CA-Endeavor® is a software product providing automated support for change, configuration, or version control.

Footnote 43:  Examples of system software for the mainframe include Multiple Virtual Storage, Virtual Telecommunications Access Method, and Job Entry Subsystems.

Footnote 44:  KPMG, under contract to the FDIC OIG, performed the audit work for this report.

Footnote 45:  FDIC Circulars 1210.18, FDIC Records Management Program; 1210.1, FDIC Records Retention and Disposal Schedule; and 1210.4, Records Disposition.

Footnote 46:  The FDIC has determined that 5 Code of Federal Regulations Part 930, Subpart C, Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems, applies to the Corporation.

Footnote 47:  Circular 1360.16, Mandatory Information Security Awareness Training, requires users of the FDIC’s network to complete an annual Web-based information security awareness orientation. The circular states that new employees shall log on and review the FDIC Information Security Awareness Web site and orientation as soon as their network access is granted. Failure to do so within 5 working days of receiving a network ID may result in revoking employee and contractor access to FDIC systems and applications. The orientation includes information about laws, regulations, and policies related to computer security; rules of behavior for systems and major applications; tips on effective security; and links to additional sources of information.

Footnote 48:  For example, a user might not log on to the network within 5 working days of the creation of the user’s account.

Footnote 49:  NIST released FIPS PUB 201 in response to Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, issued on August 27, 2004. HSPD-12 requires the development and agency implementation of a mandatory, government-wide standard for secure and reliable forms of identification. The FDIC is not required to implement HSPD-12; however, the FDIC has decided to voluntarily comply with HSPD-12.

Footnote 50:  Least privilege refers to the security objective of restricting user access to only those IT resources needed to perform official duties. Applying the principle of least privilege can mitigate damage to system resources resulting from accidents, errors, or unauthorized use.

Footnote 51:  Such policies and procedures include, but are not limited to, Circular 1360.15, Access Control for Automated Information Systems, dated September 24, 2003; Circular 1370.1, Periodic Review of Mainframe Resource Access, dated July 17, 1995; the FDIC’s Access Control Procedures and Guidelines, dated December 2002; and Information Security Manager’s (ISM) Guide, dated August 2005.

Footnote 52:  OIG Audit Report No. 06-012 entitled, Security Controls Over the FDIC’s Wireless Data Communications, dated March 2006.

Footnote 53:  Circular 1360.15, Access Control for Automated Information Systems.

Footnote 54:  On December 21, 2004, OMB revised the circular, which became effective in fiscal year 2006, to strengthen requirements for conducting management’s assessment of internal control over financial reporting and to emphasize the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities. The circular implements the FMFIA. This Act is applicable to the FDIC because of provisions in the Chief Financial Officers Act of 1990 regarding annual reporting by government corporations on their internal accounting and administrative control systems. The FDIC has determined that as long as it develops internal controls that are consistent with the goals of FMFIA, the FDIC will have met its legal obligations under the circular.

Footnote 55:  OMB A-130, Appendix III, establishes minimum controls for federal automated information security programs. The FDIC has determined that portions of the circular apply to the FDIC, while other portions do not apply. The FDIC has also determined that OMB A-130, Appendix III, requires the FDIC to implement and maintain an information security program consistent with government-wide policies, standards, and procedures issued by OMB and the Department of Commerce.

Footnote 56:  GAO Executive Guide, Information Security Management: Learning From Leading Organizations; OMB A-130, Appendix III; SP 800-14; SP 800-12; and SP 800-53.

Footnote 57:  FISMA, codified in pertinent part in titles 40 and 44, United States Code (U.S.C.), is similar to Title X of the Homeland Security Act of 2002 (Pub. L. No. 107-296), which also bears the name Federal Information Security Management Act of 2002. In signing the E-Government Act of 2002 into law, the President stated that the executive branch will construe the E-Government Act of 2002 as permanently superseding the Homeland Security Act of 2002 in those instances where both Acts prescribe different amendments to the same provisions of the U.S.C. Also, see 44 U.S.C. § 3549 regarding the effect of the E-Government Act on existing law.

Footnote 58:  The FDIC has determined that portions of the Circular apply to the FDIC.

Footnote 59:  The FDIC has determined that this statute, Title III of which contains FISMA, is legally binding on the FDIC.

Footnote 60:  The FDIC has determined that portions of the FMFIA are applicable to the FDIC by reference in the Chief Financial Officers Act. In general, the goals of FMFIA are that agency obligations and costs comply with applicable law; assets are guarded against waste, loss, etc.; and revenue and expenditures are properly accounted for, so that reliable financial statements can be prepared.

Footnote 61:  The FDIC has determined that the Clinger-Cohen Act does not apply to the FDIC. The Clinger-Cohen Act imposes obligations and responsibilities on “executive agencies” as defined in the Office of Federal Procurement Policy Act, which does not include the FDIC. However, the FDIC has indicated that it intends to follow the spirit of the Act.

Footnote 62:  The Act requires most federal agencies, including the FDIC, to develop a strategic plan that broadly defines the agency's mission and vision, an annual performance plan that translates the vision and goals of the strategic plan into measurable objectives, and an annual performance report that compares actual results against planned goals.

Footnote 63:  The FDIC has determined that the portions of this Act that are applicable to government corporations are also applicable to the FDIC.

Footnote 64:  The Act, which is applicable to the FDIC, requires agencies to have appropriate administrative, technical, and physical safeguards over the security and confidentiality of agency records.

Footnote 65:  The FDIC has determined that this provision applies to the FDIC.

Footnote 66:  The FDIC has determined that HSPD-7 applies to the Corporation.

Footnote 67:  According to OMB guidance for implementing HSPD-12, government corporations are encouraged to comply with the directive. The FDIC is voluntarily complying with this directive.

Footnote 68:  This circular governs the federal budgeting process and contains requirements for identifying and tracking various agency costs. The FDIC prepares budgetary data for OMB’s review but not approval.

Footnote 69:  The FDIC has determined that this circular is applicable to the FDIC; specifically, as long as the FDIC’s internal controls are consistent with the goals of the FMFIA, the FDIC will have met its obligations under this circular.

Footnote 70:  The FDIC determined that this memorandum, which implements OMB Circular Nos. A-130 and A-11, was not applicable to the FDIC.

Footnote 71:  The FDIC is reviewing this memorandum to determine its applicability to the FDIC.

Footnote 72:  This memorandum implements section 208 of the E-Government Act, which applies to the FDIC.

Footnote 73:  The applicability of this memorandum has not been determined; however, the FDIC has taken steps to implement it.

Footnote 74:  The applicability of this memorandum, which deals with protecting information remotely accessed, has not been determined, but the FDIC has taken steps to implement it.

Footnote 75:  This memorandum requires agencies to report computer incidents to a central federal incident-reporting center. Although legal applicability has not been determined, the FDIC has taken steps to implement this memorandum.

Footnote 76:  Because the FDIC is not an executive agency for purposes of the publication, this publication is not legally applicable to the FDIC, but the FDIC follows its principles.

Footnote 77:  The applicability of this publication has not been determined, but the FDIC intends to voluntarily comply with it.

Footnote 78:  The FDIC is voluntarily complying with FIPS PUB 201.

Footnote 79:  The manual provides guidance for reviewing information system controls that affect the integrity, confidentiality, and availability of computerized data.

Footnote 80:  In general, these NIST SPs are, by their own terms, guidelines (rather than mandatory requirements) for agencies in implementing their IT operations. However, the current applicability of SP 800-53 to the FDIC has not been determined.

Last updated 10/18/2006