DHS OIG, OIG-14-99, Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened (2014)

DHS OIG

Section: Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened

Effective: 6/5/2014

Bluebook Citation: DHS OIG, OIG-14-99, Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened (2014)

Department of Homeland Security 2IÀFHRI,QVSHFWRU*HQHUDO Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened OIG-14-99 June 2014 OFFICE OF INSPECTOR GENERAL Department of Homeland Security June 5, 2014 MEMORANDUM FOR: FROM: SUBJECT: Mark Schwartz Chief Information Officer United States Citizenship and Immigration Services Richard Harsche {)J j ~- Acting Assistant Inspector General Office of Information Technology Audits Radio Frequency Identification Security at USC/5 Is Managed Effectively, But Can Be Strengthened Attached for your information is our final report, Radio Frequency Identification Security at USC/SIs Managed Effectively, But Con Be Strengthened. We incorporated the formal comments from United States Citizenship and Immigration Services in the final report. The report contains three recommendations aimed at improving the effectiveness ofthe radio frequency identification program. Your office concurred with all three recommendations.

As prescribed by the Deportment of Homeland Security Directive 077-01, Follow-Up and Resolutions for Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation. Based on information provided in management's response to the draft report, we consider all three recommendations open and resolved. Once your office has fully implemented the recommendations, please submit a formal closeout letter to us within 30 days so that we may dose the recommendations.

The memorandum should be accompanied by evidence of completion of agreed-upon corrective actions. Please email a signed PDF copy of all responses and closeout requests to [email protected], Consistent with our responsibility under the Inspector General Act, we will provide copies of our report to appropriate congressional committees with oversight and OFFICE OF INSPECTOR GENERAL Department of Homeland Security appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination. Please call me with any questions, or your staff may contact Chiu-Tong Tsang, Director, Information Security Audit Division, at (202) 254-5472.

Attachment www.oig.dhs.gov 2 OIG-14-99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security  TableofContents  ExecutiveSummary.............................................................................................................1  Background........................................................................................................................2  ResultsofAudit...................................................................................................................5  InfrastructureEstablishedToManageRFIDTechnologyEffectively......................5  ImprovementsNeededToStrengthenRFIDManagement....................................6  CPSTRSecurityPatchesWereNotDeployedTimely........................................6 Recommendation.............................................................................................8 ManagementCommentsandOIGAnalysis.....................................................8  AssessmentsofICPSSecurityControlsWereNotPerformedTimely..............8 Recommendation.............................................................................................9 ManagementCommentsandOIGAnalysis.....................................................9  SomeICPSUsersHadNotCompletedAnnualPrivacyAwarenessTraining...10 Recommendation...........................................................................................10 ManagementCommentsandOIGAnalysis...................................................11  Appendixes  AppendixA:Objectives,Scope,andMethodology............................................12 AppendixB:ManagementCommentstotheDraftReport...............................13 AppendixC:MajorContributorstoThisReport................................................15 AppendixD:ReportDistribution........................................................................16  Abbreviations  CPSTR DHS FISMA ICPS IT NPS CardPersonalizationSystemTechnologyRefreshment DepartmentofHomelandSecurity FederalInformationSecurityManagementAct IntegratedCardProductionSystem informationtechnology NationalProductionSystem www.oig.dhs.gov  OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security OIT PII RFID USCIS   WHTI OfficeofInformationTechnology personallyidentifiableinformation radiofrequencyidentification UnitedStatesCitizenshipandImmigrationServices WesternHemisphereTravelInitiative www.oig.dhs.gov  OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security ExecutiveSummary  UnitedStatesCitizenshipandImmigrationServices(USCIS)managesthepermanent residentcardprogram.Permanentresidentcards,commonlyknownasgreencards, provideidentificationforcitizensofothercountrieswhohavebeengranted authorizationtoliveandworkintheUnitedStatesonapermanentbasis.The permanentresidentcardscurrentlyproducedbyUSCISuseradiofrequency identificationtechnologyasbothasecurityfeatureandmeansofexpeditingborder crossings.  Radiofrequencyidentificationtechnologyisaformofautomaticidentificationanddata capturetechnologythatuseselectricormagneticfieldsatradiofrequenciestotransmit information.Theuseofradiofrequencyidentificationtechnologyhasintroducednew securityriskstoagencysystems.Theflexibilityandportabilityofradiofrequency identificationtechnologyanddevicesincreasetheneedforsecurity.Withouteffective securitycontrols,unauthorizeduserscanobtainacompatiblereadertoreaddata storedonacardequippedwithradiofrequencyidentificationtechnology;interceptand readdatatransmittedthroughtheair;oraccessdatastoredinthesystemdatabases.  OuroverallobjectivewastodeterminewhetherUSCIShaseffectivelymanagedthe implementationofradiofrequencyidentificationtechnology.WedeterminedthatUSCIS haseffectivelymanagedtheimplementationofradiofrequencyidentification technologybyestablishinganinformationtechnologyinfrastructuretosecurepersonal informationandimplementingsafeguardstominimizetheriskofusingradiofrequency identificationͲenabledpermanentresidentcards.Forexample,USCIShasgrantedits cardproductionsystemtheauthoritytooperate,evaluatedprivacyimplicationsofusing thesystem,andensuredthatnopersonaldataistransmittedbypermanentresident cards.However,USCIShadnotdeployedtimelysecuritypatchesontheserversand workstationsthatsupportradiofrequencyidentificationprocesses,assessedannually theeffectivenessofsecuritycontrolsimplementedonthesystemthatproducesradio frequencyidentificationcards,orensuredemployeesproducingthesecardsreceivethe mandatoryannualprivacyawarenesstraining.  WearemakingthreerecommendationstotheUSCISChiefInformationOfficer.USCIS concurredwithallrecommendationsandhasbeguntotakeactionstoimplementthem. USCIS’responsesaresummarizedandevaluatedinthebodyofthisreportandincluded, intheirentirety,asappendixB.   www.oig.dhs.gov 1 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security Background  USCISoverseeslawfulimmigrationtotheUnitedStates.Itsmissionincludes administeringimmigrationandcitizenshipservices,promotingawarenessand understandingofcitizenship,andensuringtheintegrityoftheNation'simmigration system.Aspartofitsmission,USCISmanagesthepermanentresidentcardprogram. Figure1depictsasamplepermanentresidentcard.  Figure1.PermanentResidentCard   InresponsetotheIntelligenceReformandTerrorismPreventionAct,theDepartmentsof HomelandSecurityandStateimplementedtheWesternHemisphereTravelInitiative (WHTI)onJune1,2009.Thisinitiativeestablisheddocumentrequirementsfortravelby landorseaintotheU.S.fromCanada,Mexico,theCaribbean,andBermuda.1Tocomply withWHTI,traveldocumentsmusthaveradiofrequencyidentification(RFID) capabilitiesforuseatbordercrossings.  RFIDtechnologyisaformofautomaticidentificationanddatacapturetechnologythat usesradiofrequenciestotransmitinformation.AnRFIDsystemcanidentifymanytypes ofobjectstosupportawiderangeofapplications,suchasassetmanagementand accesscontrol.EachobjectrequiringidentificationhasasmalldeviceknownasanRFID tagaffixedtoorembeddedwithinit.Thetaghasauniqueidentifierandmayhold additionalinformationabouttheobject.DevicesknownasRFIDreaderswirelessly communicatewiththetagstoidentifytheobjectandreadorupdateadditional informationstoredonthetag.Asubsystemcomposedofcommoninformation technology(IT)componentssuchasservers,databases,andworkstationsthatcan  1TheIntelligenceReformandTerrorismPreventionActcalledforimplementationofaplantorequirea passportorotherauthorizedtraveldocumentdeemedsufficienttodenoteidentityandcitizenshipforall travelintothecountry,withthegoalofexpeditingtravelforthosewhofrequentlycrossourborders. www.oig.dhs.gov 2 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security benefitfromtypicalITsecuritycontrolsoftensupportsthissystemoftagsandreaders. Figure2depictsthecomponentsofatypicalRFIDsystem.  Figure2.ComponentsofanRFIDSystem  Tagsarecategorizedintofourtypesbasedonthepowersourceforcommunicationand otherfunctionality—passive,active,semiͲactive,andsemiͲpassive.Tagsneedpowerto performfunctionssuchassendingradiosignalstoareader,storingandretrievingdata, andperformingothercomputations(e.g.,thoseneededforsecuritymechanisms). Passivetags,likethoseinpermanentresidentcards,usetheelectromagneticenergy theyreceivefromareader’stransmissiontoreplytothereaderandaretypicallyless expensive,smaller,andlighterthanactivetags.  TheuseofRFIDtechnologyhasintroducednewsecurityriskstoagencysystems.The flexibilityandportabilityofRFIDtechnologyanddevicesincreasetheneedforsecurity. Withouteffectivesecuritycontrols,anycompliantreadercanreaddataonatag; unauthorizeddevicescaninterceptandreaddatatransmittedthroughtheair;and unauthorizeduserscanaccessdatastoredinthesystemdatabases.  USCISbegantoissueRFIDͲenabledpermanentresidentcardsinMay2010.Sincethen, USCIShasutilizedtheIntegratedCardProductionSystem(ICPS)toproduceandissue morethan6.7millionRFIDͲenabledpermanentresidentcards.ICPSiscomposedofthe followingsubsystems:  x ICPSPrintServices–Convertsapplicantdatatoaformappropriateforcard productionandsendscardproductionrequeststotheNationalProduction System(NPS).  x NPS–Actsasamanagementsystemtocentrallymonitorandcontrolcard requests.  www.oig.dhs.gov 3 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security x NPSWeb–Servesasanintranetforcardproductionstaff,adjudicators,and servicecenterpersonneltomonitorsystemperformance,setoperating parameters,producereports,andmanagethecentralNPSapplication.  x SecureMailInitiative–AllowsUSCIScustomerstoobtainthedeliverystatusof secureidentitydocumentsthroughtheUSCISNationalCustomerServiceCenter.  x CardPersonalizationSystemTechnologyRefreshment(CPSTR)–Extractsthe biographicandbiometricdatafromNPSandreturnsproductionresultstoNPS aftercardproduction.USCISerasesallpersonalinformationfromCPSTRwithin 72hoursofcardproduction.  USCISproducespermanentresidentcardsatitsCorbinProductionFacilityinCorbin,KY. Figure3depictsICPSproductionequipmentatthefacility.Weevaluatedsecurity controlsimplementedtosecuretheworkstationsthatoperatethisequipment.  Figure3.ICPSEquipmentattheCorbinProductionFacility    www.oig.dhs.gov 4 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security ResultsofAudit  InfrastructureEstablishedToManageRFIDTechnologyEffectively  USCIShaseffectivelymanagedtheimplementationofRFIDtechnology.Forexample,the componenthasestablishedaninformationtechnologyinfrastructuretosecurepersonal informationandimplementedsafeguardstominimizetheriskofusingRFIDͲenabled permanentresidentcards.TheITinfrastructureincorporatesthesecurityelements requiredbytheDepartmentofHomelandSecurity(DHS),theFederalInformation SecurityManagementAct(FISMA),andtheOfficeofManagementandBudget. Specifically,USCIShastakenthefollowingactionstosecureICPSandthepersonal informationstoredonandprocessedbythesystem:  x AdoptedDHSsecuritypoliciesandproceduresforRFIDusageandadheresto applicableDHSrequirements.       x AuthorizedICPStooperateforaperiodofthreeyearsinJuly2011,asrequired byFISMA. x DevelopedandimplementedacomprehensivesystemsecurityplanforICPS,as requiredbyFISMA.Inaddition,USCISmaintainsanupͲtoͲdateplanofactionand milestonesforknownITsecurityweaknesses.Wedidnotidentifyany deficienciesinthesystemsecurityplanorplanofactionandmilestones. x EnsuredthatICPSusershavereceivedsecurityawarenesstraining,andusers withsignificantsecurityresponsibilitieshavereceivedspecializedtraining. x PerformedaprivacythresholdanalysisforICPSthattheDHSPrivacyOffice approvedFebruary2014.Accordingtotheanalysis,USCISaddressedtheprivacy implicationsofusingICPSinaprivacyimpactassessmentcoveringseveralUSCIS systemsassociatedwithprocessingimmigrationapplicationsandpetitions. x ImplementedproceduresatitsCorbinProductionFacilitytosecurepermanent residentcardsthroughouttheproductionprocessbyrestrictingphysicalaccess tocardsandrecordingthemovementofcardstockfromreceiptatthefacility throughshipmenttocardholders. x MinimizedthedatastoredonRFIDtagsinpermanentresidentcardstoinclude onlyauniqueidentificationnumber,anddeletesCPSTRdatabaserecords containingpersonalinformationwithinthreedaysofcardproduction. www.oig.dhs.gov 5 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security x ProtectedagainstthecloningofRFIDtagsbyprocuringRFIDͲenabledcardswith auniquetagidentifier.  ToevaluatethesecurityofRFIDtagsanddeterminewhetherpersonallyidentifiable informationisstoredonpermanentresidentcards,weusedacommerciallyavailable RFIDtagreadertoaccesstheinformationstoredonsamplecardsprovidedbyUSCIS. Throughourtestingwewereabletoreadthetagsembeddedinpermanentresident cardsatarangeof25feet.However,sincethestrengthofthetagreadercanaffectthe distanceatwhichanindividualcanreadtheRFIDtaginapermanentresidentcard,an attackercanuseamorepowerfulreadertoincreasethisrange.Tomitigatethisthreat, USCISprovidesaprotectivesleevewitheachpermanentresidentcardtoshieldtheRFID tag.Whenplacedwithinoneofthesesleeves,wewereunabletoreadtheRFIDtagofa permanentresidentcardatanyrange.  WewereabletoextracttheRFIDtaginformationfromthesamplepermanentresident cards;however,nopersonallyidentifiableinformation(PII)orsensitiveinformationwas storedontheRFIDtags.TheonlyinformationstoredontheRFIDtagisaunique identifierthatcanbeusedtoretrieveadditionalinformationstoredinaCustomsand BorderProtectiondatabase.Intheeventthatamalicioususermayobtainthisunique identifiertogenerateaduplicatesignalatbordercrossings,thethreatcanbeminimized throughvisualinspectionoftravelersandpermanentresidentcards.Asaresult, exposureoftheuniqueidentifiercontainedintheRFIDtagposesminimalrisk.  ImprovementsNeededToStrengthenRFIDManagement  WhileUSCIShastakenactionstosecurepersonalinformationandimplement safeguardstominimizetheriskofusingRFIDͲenabledpermanentresidentcards,we identifieddeficiencieswithtechnicalsecuritycontrols,annualassessments,andprivacy training.Specifically,USCIShadnotdeployedsecuritypatchesontheCPSTRserversand workstationstimely,assessedtheeffectivenessofsecuritycontrolsimplementedon ICPSannually,orensuredICPSuserscompletetherequiredprivacyawarenesstraining annually.  CPSTRSecurityPatchesWereNotDeployedTimely  USCIShasnotappliedtherequiredsecuritypatchestoCPSTRtimely.2 Additionally,USCISwasunabletodeterminethepatchesinstalledonCPSTR.As  2Securitypatchesaresoftwareupdatesthathelppreventexploitationofapplicationsandoperatingsystemsby mitigatingvulnerabilities. www.oig.dhs.gov 6 OIGͲ14Ͳ99  OFFICE OF INSPECTOR GENERAL Department of Homeland Security partofouraudit,weconductedvulnerabilityassessmentsonCPSTRserversand workstations.Ourassessmentsidentifiedthefollowingvulnerabilities:  x Javapatchesdatingbackto2008weremissingon27ofthe31Windows workstationsreviewed.3FailuretopatchapplicationssuchasJavacould allowanattackertoexploitvulnerabilitiestogainaccessthesystem.  x Asecuritypatchthatpreventsanattackerfromremotelyexecuting arbitrarycodewasmissingonbothoftheCPSTRWindowsservers. Arbitrarycodeexecutionmayallowanattackertogainfullaccesstothe affectedserversalongwiththedatatheyprocessandstore. x TwentyͲtwocriticalpatchupdatesweremissingonserversrunningan Oracledatabase.Oraclecriticalpatchupdatesareacollectionofsecurity fixesforOracleproductsreleasedquarterly.  DHS4300ASensitiveSystemsHandbookrequirescomponentstomitigatesystem vulnerabilitiesbypromptlyinstallingsecurityandsoftwarepatches.TheDHS SecurityOperationsCenterpublishesInformationSecurityVulnerability Managementmessagesthatdictatethetimeframeinwhichcomponentsmust installthesepatches.Additionally,NationalInstituteofStandardsand TechnologySpecialPublication800Ͳ53Revision4:SecurityandPrivacyControls forFederalInformationSystemsandOrganizationsrequiresthatagencies promptlyinstallsecurityͲrelevantsoftwareupdates.  USCISusescentralizedandautomatedpatchdeploymentsoftwaretoidentify andinstallupdatestotheworkstationsandserversthatconnecttoitsnetwork. However,afirewallthatsegregatesCPSTRfromtherestoftheUSCISnetwork preventsOfficeofInformationTechnology(OIT)personnelfromdeterminingif theyhadinstalledthepatchesontheCPSTRnetwork.Tomitigatethislimitation, OITmailsadisccontainingpatchestopersonnelattheCorbinProductionFacility quarterly.Personnelatthisfacilitytheninstalltheprovidedpatchestoeach CPSTRserverorworkstationindividually.However,sinceOITcannotaccurately determineiftheyhadinstalledthepatches,manypatchesarenotaddedtothe discandinstalledasneeded.AccordingtoOIT,itplanstofullyintegrateCPSTR withtheUSCISnetworkbythesecondquarteroffiscalyear2015,whichwill allowOITtoautomaticallydeploysecuritypatchesdirectlytoCPSTR.   3Javaisacomputerprogramminglanguageusedtodevelopapplications. www.oig.dhs.gov 7 OIGͲ14Ͳ99  OFFICE OF INSPECTOR GENERAL Department of Homeland Security CPSTRserversandworkstationsremainvulnerableuntilOITidentifiesand appliesthemissingcriticalandhighͲriskpatches.Failuretodeploysoftware patchestimelymayexposeUSCIStounnecessaryriskssuchasthetheftofPII. EnsuringCPSTRserversandworkstationsareupͲtoͲdatewithsecuritypatches minimizesthisrisk,andprotectsCPSTRcomputersandthesensitiveinformation theyprocessandstore.  Recommendation WerecommendthattheChiefInformationOfficer:  Recommendation#1:  ExpediteCPSTR’sintegrationintotheUSCISnetworktofacilitatethetimely identificationanddeploymentofsecuritypatchestoprotectthesensitive informationprocessedandstoredbythesystem.  ManagementCommentsandOIGAnalysis  USCISconcurredwithrecommendation1.TheintegrationofCPSTRintothe USCISnetworkisalreadyinprogressandOITplanstocompletethisprocessby August2014.  WeagreethatthestepsUSCISistaking,andplanstotake,begintosatisfythis recommendation.Thisrecommendationwillremainopenandresolveduntil USCISprovidessupportingdocumentationthatallplannedcorrectiveactionsare completed.  AssessmentsofICPSSecurityControlsWereNotPerformedTimely  USCISdidnotperformannualassessmentstoevaluatetheeffectivenessof securitycontrolsimplementedonthesystemscomprisingICPS.OITinstead conductedmonthlyvulnerabilityscanstoidentifymissingpatches.However,OIT cannotassesstheeffectivenessofcertainsecuritycontrolsthroughvulnerability scanning,suchascontingencyplantesting,restrictionofphysicalaccessto systems,orincidentreporting.Further,ourreviewoftheresultsofOIT’s September2013vulnerabilityscanofCPSTRrevealedthatOITscannedlessthan 10percentofCPSTRcomputers.Inaddition,theOITscansfailedtoidentifymany ofthevulnerabilitiesthatweidentifiedduringourevaluation.  www.oig.dhs.gov 8 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security FISMArequiresthatagenciesperformperiodictestingandevaluationofthe effectivenessofinformationsecuritypolicies,procedures,andpractices,atleast annually.Thismustincludetestingofmanagement,operational,andtechnical controls.  AccordingtoOITpersonnel,theynolongerperformannualassessmentsof securitycontrolsbecausetheDHSOfficeofChiefInformationOfficerhasnot issuedrequirementsforperformingtheassessmentssincefiscalyear2011. Further,OITpersonnelsaidthattheirmonthlyvulnerabilityscanningadheresto theguidancetheyhavereceivedfromDHSindicatingthatthereshouldbemore focusoncontinuousmonitoringfortechnicalcontrols.However,until continuousmonitoringisfullyimplemented,annualmonitoringisnecessaryto ensuretheperiodicevaluationofallcontrols.  Further,whilecontinuousmonitoringefforts,suchasvulnerabilityscans,can helptoevaluateasampleoftechnicalsecuritycontrols,annualassessments provideadditionalevaluationofmanagementandoperationalcontrols.Annual evaluationsalsoservetoinformtheauthorizingofficialofchangesthatmay affectthesecurityofthesystem.Withoutresultsfromannualassessments,OIT maynotadequatelyinformmanagementoftheoperatingstatusofalltypesof securitycontrols.  Recommendation  WerecommendthattheChiefInformationOfficer:  Recommendation#2:  Performtherequiredassessmentsperiodicallytoevaluatetheeffectivenessof management,operational,andtechnicalsecuritycontrolsimplementedonICPS anddocumenttheassessmentresults. ManagementCommentsandOIGAnalysis  USCISconcurredwithrecommendation2.AspartoftheICPSreauthorization effort,USCISrecentlycompletedasecuritycontrolassessmenttoevaluatethe effectivenessoftheimplementedmanagement,operational,andtechnical securitycontrols.BySeptember2014,USCISplanstoincorporateICPSintothe USCISOngoingAuthorizationprogramwhichwillresultintheassessmentof securitycontrolsonacontinualbasis.   www.oig.dhs.gov 9 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security WeagreethatthestepsUSCISistaking,andplanstotake,begintosatisfythis recommendation.Thisrecommendationwillremainopenandresolveduntil USCISprovidessupportingdocumentationthatallplannedcorrectiveactionsare completed.  SomeICPSUsersHadNotCompletedAnnualPrivacyAwarenessTraining  SomeICPSusershadnotcompletedthemandatoryannualprivacyawareness training.Ofthe615userswithactiveICPSaccounts,12didnotcompletethe trainingwithintherequiredtimeframe.WhilethistrainingisrequiredofallDHS employees,itisofparticularimportancetothosewithaccesstoICPSasPIIis storedinthissystemandusedtoproducepermanentresidentcards.We determinedthatsomeICPSusershadnotcompletedprivacyawarenesstraining withinthepastyearbecausemanagementhasnotenforcedthetraining requirement.  TheOfficeofManagementandBudgetandDHSrequirethatemployees completeprivacyandawarenesstrainingbeforepermittingtheiraccessto agencyinformationandinformationsystems.Afterinitialtraining,employees mustcompleteonlineprivacyrefreshertrainingannually.  SafeguardingandpreventinginadvertentexposureofPIIstoredinandprocessed bytheRFIDsystemisessentialtoprotecttheprivacyofapplicantsandensure USCISretainspublictrust.Throughitspermanentresidentcardprogram,USCIS usersofICPShaveaccesstopersonalinformationofmillionsofpermanent residentsintheUnitedStates.Betterenforcementoftherequirementto completeprivacyawarenesstrainingannuallywillhelpensurethisinformationis secure.  Recommendation  WerecommendthattheChiefInformationOfficer:  Recommendation#3:  ImplementprocedurestoensureandverifythatICPSusersreceivetherequired privacytrainingannually.    www.oig.dhs.gov 10 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security ManagementCommentsandOIGAnalysis  USCISconcurredwithrecommendation3.USCIS’OfficeofPrivacyhas determinedwhichFederalandcontractorICPSusershavenotcompletedthe requiredannualprivacyawarenesstraining,andisactivelycommunicatingwith theseICPSusersandleadershiptoensuretherequiredtrainingiscompletedby theendofMay2014.Inaddition,theOfficeofPrivacywillcontinuetotrackand monitorICPSusers’completionofthisannualcoursethroughmonthlyreportsto USCISleadership.  WeagreethatthestepsUSCISistaking,andplanstotake,begintosatisfythis recommendation.Thisrecommendationwillremainopenandresolveduntil USCISprovidessupportingdocumentationthatallplannedcorrectiveactionsare completed.   www.oig.dhs.gov 11 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security AppendixA Objectives,Scope,andMethodology  TheDepartmentofHomelandSecurityOfficeofInspectorGeneralwasestablishedby theHomelandSecurityActof2002(PublicLaw107Ͳ296)byamendmenttotheInspector GeneralActof1978.Thisisoneofaseriesofaudit,inspection,andspecialreports preparedaspartofouroversightresponsibilitiestopromoteeconomy,efficiency,and effectivenesswithintheDepartment.  TheobjectiveofourauditwastodeterminewhetherUSCIShaseffectivelymanagedthe implementationofRFIDtechnology.Specifically,wedeterminedwhetherUSCIShas (1)developedproperpoliciesandprocedurestoensuretheconfidentiality,availability, andintegrityofdataonRFIDtags,readers,anddatabases;(2)implementedeffective securitycontrolsonitsRFIDdevicestoprotectthedatacollected,processed,and generated;and(3)developedeffectivepoliciesandprocedurestoprotectthePII collectedbyandstoredontheRFIDsystem.Also,wedeterminedwhetherUSCIS systemsusingRFIDtechnologywereincompliancewithFISMArequirements.  OurauditfocusedonrequirementsspecifiedintheDHSSensitiveSystemsHandbook 4300A,UnitedStatesGovernmentConfigurationBaseline,andFISMA.Weinterviewed selectedpersonnelandmanagementofficialsfromtheOfficeofInformation Technology,OfficeofIntakeandDocumentProduction,andDHSOfficeofPrivacy.We performedfieldworkatUSCISofficesinWashington,DC,andtheCorbinProduction FacilityinCorbin,KY.WereviewedDHSpoliciesandproceduresforusingRFID equipment,securingserversandworkstations,completingITsecurityandprivacy training,andreportingprivacyincidents.Inaddition,weperformedvulnerabilityand configurationscansusingAppDetectiveandNessuson33CPSTRserversand workstationsattheCorbinProductionFacility.  WeconductedthisperformanceauditbetweenNovember2013andFebruary2014 pursuanttotheInspectorGeneralActof1978,asamended,andaccordingtogenerally acceptedgovernmentauditingstandards.Thosestandardsrequirethatweplanand performtheaudittoobtainsufficient,appropriateevidencetoprovideareasonable basisforourfindingsandconclusionsbaseduponourauditobjectives.Webelievethat theevidenceobtainedprovidesareasonablebasisforourfindingsandconclusions baseduponourauditobjectives.   www.oig.dhs.gov 12 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security AppendixB ManagementCommentstotheDraftReport  U.S. Department of Homda:od Sc:turlty U.S. Citizenship llrd Immigration Strvices Office ojlftc Direclor (MS 2000) Washington, DC 20529~2000 ,~t U.S. Citlzenship 1 ~7 ~t and ~mmigration ~-~ SerVIces Memorandum MAV- 8 2Dl4 TO: Richard Harsche Acting Assistant Inspector Gtmeral , Office of Information Technology Audits FRO!v}~ Lori Scialabba~~ /l ~ Acting Director J .,....._., SUBJECT: U.S. Citizenship and Immigration Services Response to the Draft Report "Radio Frequency Identification Security at USCJS is Managed Effectively, But Can Be Strengthened" For Official Use Only (OJG- 1 3-165-ITA-USCIS) Thank you for the opportunity to review and comment on the subject Office of the Inspector General (OIG) draft report. [n addition to this response, U.S. Citizenship and Immigration Services (US CIS) has separately provided technical and sensitivity comments related to the subject draft report. The draft report positively notes USCTS's implementation of safeguards and establishment of an information technology infrastructure to secure personal information and minimize risk with radio frequency identifkation technology. The report further identifies measures use1s can take to enhance the radio frequency identification program's overall effectiveness. Specifically, the OIG recommends that use rs 's Chief Information Officer take the following steps: Recommendation 1: Expedite Card Personalization System Technology Refreshment (CPSTR) integration into the users network to facilitate the timely identification and deployment of security patches to protect the sensitive information processed and stored by the system.

Respon se: users concurs with this recommendation. The integration of CPSTR into the USCIS network is already in progress and the Office of Information Technology is scheduled to complete this process by August 2014. Recommendation 2: Perform the required assessments periodically to evaluate the effectiveness of management, operational, and technical security controls implemented on Integrated Card Production System (rCPS) and document the assessment results. Response: USCIS concw·s with thi~ recommendation.

As part of the !CPS reauthorization effort, users recently completed a security control assessment to evaluate the effectiveness of the implemented management, operational and technical security controls. By September 2014, ICPS will be adopted in the USCIS Ongoing Authorization program and the security controls will be assessed on a continual basis. www.oig.dhs.gov 13 www.ascis.gov  OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security  U.S. Citizenship and Immigration Services Response to the Draft Report ''Radio Frequency Identification Security at USCIS is Managed Effectively, But Can Be Strengthened" For Official Use Only (OIG-13-1 65-ITA-USCIS) Recommendation 3: Implement procedures to ensure and verify that ICPS users receive the required pri vacy training annually. Response: USCIS concurs' with this recommendation. USCIS's Office ofPrivncy has determined which federal and contractor ICPS users have not completed the required annual Privacy Awareness training, and is actively communicating with these ICPS users and leadership to ensure the required training is complekti hy the end of May 2014.

In addition, the Office of Privacy will continue to track and monitor !CPS users' completion of this aruma] course through monthly reports to USCTS leadership.    www.oig.dhs.gov 14 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security AppendixC MajorContributorstoThisReport  ChiuͲTongTsang,Director MikeHorton,ITOfficer BridgetGlazier,LeadITAuditor DavidBunning,ITSpecialist SheldonLiggins,ITAuditor AnthonyNicholson,Referencer www.oig.dhs.gov 15 OIGͲ14Ͳ99 OFFICE OF INSPECTOR GENERAL Department of Homeland Security AppendixD ReportDistribution  DepartmentofHomelandSecurity  Secretary DeputySecretary ChiefofStaff DeputyChiefofStaff GeneralCounsel ExecutiveSecretary Director,GAO/OIGLiaisonOffice AssistantSecretaryforOfficeofPolicy AssistantSecretaryforOfficeofPublicAffairs AssistantSecretaryforOfficeofLegislativeAffairs Director,USCIS DHSComponentLiaison ChiefPrivacyOfficer ChiefInformationOfficer,USCIS ChiefPrivacyOfficer,USCIS Chief,OfficeofIntakeandDocumentProduction,USCIS ChiefInformationSecurityOfficer,USCIS AuditLiaisonTeamLead,USCIS  OfficeofManagementandBudget  Chief,HomelandSecurityBranch DHSOIGBudgetExaminer  Congress  CongressionalOversightandAppropriationsCommittees,asappropriate  www.oig.dhs.gov 16 OIGͲ14Ͳ99 ADDITIONAL INFORMATION To view this and any of our other reports, please visit our website at: www.oig.dhs.gov. For further information or questions, please contact Office of Inspector General (OIG) Office of Public Affairs at: [email protected], or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG. Should you be unable to access our website, you may submit your complaint in writing to: Department of Homeland Security Office of Inspector General, Mail Stop 0305 Attention: Office of Investigations Hotline 245 Murray Drive, SW Washington, DC 20528-0305 You may also call 1(800) 323-8603 or fax the complaint directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.

Chat with this agency guidance using AI

Ask CiteLaw's AI Navigator anything about this agency guidance, verify citations, and research related authorities. Sign up for CiteLaw free today to get started.