Primary tabs

FY 16-17: Agency Priority Goal

Cybersecurity Monitoring

Priority Goal

Continue enhancing the security of OPM's information systems by strengthening authentication and expanding the implementation of continuous monitoring.

OPM will increase the use of multi-factor strong authentication in multiple ways. While OPM enforces Personal Identity Verification (PIV) authentication for its internal users, OPM targets PIV usage for OPM services at 50 percent of Federal users by the end of FY 2016. By the end of FY 2017, OPM will enforce multi-factor authentication for 100 percent of all PIV-enabled users and 80 percent of non-PIV-enabled users.

OPM will increase its security posture by expanding the Information Security Continuous Monitoring (ISCM) capabilities throughout FY 2015. Leveraging the Continuous Diagnostic and Mitigation (CDM) program, OPM will expand continuous diagnostic capabilities by increasing the network sensor capacity, automating sensor collections, and prioritizing risk alerts. By the end of the second quarter of FY 2016, OPM will have acquired, implemented, and refined the four (4) CDM controls including vulnerability management, secure configuration management, hardware asset management, and software asset management. These tools will increase OPM’s ability to identify and respond to security issues. By the end of FY 2016, 95 percent of OPM’s assets will be visible in the CDM dashboard. In FY 2017, OPM will use the benchmarking results to identify and prioritize the implementation of other ISCM controls.

OPM will continue to pursue a number of additional actions as outlined in its Cybersecurity Monitoring goal.

Themes:

General Government

OPM.gov

XML

CSV

Expand All

Performance Indicators

Continuous Diagnostics and Mitigation (CDM) Phase 1

Planned CDM capabilities in phase one include:

HWAM – Hardware Asset Management
SWAM – Software Asset Management
CSM – Configuration Settings Management
VUL – Vulnerability Management

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Actual Value	Explanation of Actual
2016-Q1	December, 2015		0	OPM will complete implementation of this in March 2016.
2016-Q2	March, 2016		71.3	As of 3/31/16, 74 percent of the Legacy environment and 69 percent of the IaaS environment devices are covered by the phase 1 CDM controls.
2016-Q3	June, 2016	95	94.0	As of 6/30/16, 87 percent of the Legacy environment and 69 percent of the IaaS environment devices are covered by phase 1 CDM controls.
2016-Q4	September, 2016	95	100	As of 9/30/16, 100 percent of Hardware Asset Management, 100 percent of Software Asset Management, 100 percent of Configuration Settings Management and 100 percent of Vulnerability Management were covered by phase 1 CDM controls.
2017-Q1	December, 2016	95
2017-Q2	March, 2017	95
2017-Q3	June, 2017	95
2017-Q4	September, 2017	95

Indicator Statement:

Percent of network covered by phase one Continuous Diagnostics and Mitigation (CDM) capabilities

Indicator Overview:

Planned CDM capabilities in phase one include:

HWAM – Hardware Asset Management
SWAM – Software Asset Management
CSM – Configuration Settings Management
VUL – Vulnerability Management

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Multi-Factor Authentication

PIV-enabled users
Non PIV-enabled users

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Explanation of Actual
2016-Q1	December, 2015		OPM will begin reporting on this measure by the end of Q4.
2016-Q2	March, 2016		OPM will begin reporting on this measure by the end of Q4.
2016-Q3	June, 2016	25	OPM completed a process to identify HVA Systems and will modify this measure to focus on only the HVA systems that are public facing. Once these are identified, the agency will provide results. OPM will begin reporting on this measure by the end of Q4.
2016-Q4	September, 2016	50	The Identify Management implementation team will be formulating a strategy for this in Q1 FY 2017 and will be able to provide additional information once the strategy is formulated.
2017-Q1	December, 2016	80
2017-Q2	March, 2017	80
2017-Q3	June, 2017	80
2017-Q4	September, 2017	80

Indicator Statement:

Percent of non-OPM users required to use multi-factor authentication to access OPM High Value Asset (HVA’s) systems.

By the end of FY 2016, 50 percent of non-OPM users accessing HVA systems will be required to authenticate to OPM using multi-factor authentication. By the end of FY 2017, OPM will enforce multi-factor authentication for 80 percent of users accessing HVAs.

Indicator Overview:

PIV-enabled users
Non PIV-enabled users

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Indicator Direction: INCREASING

Percent of High Value Asset (HVA) Databases Encrypted

HVA’s were identified in July 15 review of OPM databases. This indicator will track encryption of data at rest in the HVA defined databases.

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Actual Value	Explanation of Actual
2016-Q1	December, 2015	50	50	OPM has eight of 16 defined HVAs with encryption at rest.
2016-Q2	March, 2016	50	50	OPM has 11 or 22 HVAs with databases encrypted
2016-Q3	June, 2016	50	50	OPM has 11 of 22 HVAs with databases encrypted.
2016-Q4	September, 2016	60	54.5	OPM has 12 of 22 HVAs with databases encrypted.
2017-Q1	December, 2016	90
2017-Q2	March, 2017	90
2017-Q3	June, 2017	90
2017-Q4	September, 2017	90

Indicator Statement:

Percent of High Value Asset (HVA) Databases encrypted

Indicator Overview:

HVA’s were identified in July 15 review of OPM databases. This indicator will track encryption of data at rest in the HVA defined databases.

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Indicator Direction: INCREASING

Migration to New IT Environment

The OPM Business Systems inventory is defined in the Enterprise Architecture Tool. This tool will also track migration to new environment.

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Actual Value	Explanation of Actual
2016-Q1	December, 2015	0	0	No systems have been migrated to IaaS yet. No system can be migrated to IaaS receives Full Operational Capabilities, which is expected by the end of Q3 FY2016.
2016-Q2	March, 2016	0	0	No systems have been migrated to IaaS yet. No system can be migrated until IaaS receives Full Operational Capabilities, which is expected by the end of Q3 FY2016.
2016-Q3	June, 2016	0	0	No systems have been migrated to IaaS yet. No system can be migrated until IaaS receives Full Operational Capabilities, which is now expected in Q4 FY2016.
2016-Q4	September, 2016	60	0	OPM continues to plan for the migration of its systems during the data center consolidation initiative.
2017-Q1	December, 2016	80
2017-Q2	March, 2017	80
2017-Q3	June, 2017	80
2017-Q4	September, 2017	80

Indicator Statement:

Percent of OPM Business Systems migrated to new network infrastructure environment

Indicator Overview:

The OPM Business Systems inventory is defined in the Enterprise Architecture Tool. This tool will also track migration to new environment.

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Indicator Direction: INCREASING

Federal Information Security Management Act (FISMA) Compliance - SDLC

Business Systems and required artifacts tracked in the OPM Enterprise Architecture (EA) tool. Indicator will take average for all Business Systems in the EA tool.

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Actual Value	Explanation of Actual
2016-Q1	December, 2015	50	37	As of the end of Q1, 17 of the 46 systems had active Authorities to Operate.
2016-Q2	March, 2016	50	67.4	As of the end of Q2, 31 of 46 OPM systems had active Authority To Operate.
2016-Q3	June, 2016	50	56.5	As of the end of Q3, 26 of the 46 systems had active Authorities to Operate. A number of ATOs expired, resulting in a decrease in active ATOs. OPM awarded a contract in July to perform the assessment for all of OPM’s systems with expired or expiring ATOs, and expects the percentage of systems with active ATOs to increase over the next few quarters.
2016-Q4	September, 2016	50	67.4	As of the end of Q4, 31 of 46 systems had active Authority To Operate.
2017-Q1	December, 2016	80
2017-Q2	March, 2017	80
2017-Q3	June, 2017	80
2017-Q4	September, 2017	80

Indicator Statement:

Percent of OPM IT Systems compliant with FISMA required documentation.

Indicator Overview:

Business Systems and required artifacts tracked in the OPM Enterprise Architecture (EA) tool. Indicator will take average for all Business Systems in the EA tool.

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Indicator Direction: INCREASING

Federal Information Security Management Act (FISMA) Compliance – POAM’s

This indicator will track the percent of FISMA audit findings since 2007 that have been mitigated.

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Actual Value	Explanation of Actual
2016-Q1	December, 2015	80	70.6	As of January 7, 2016, OPM has closed 154 of 218 findings since 2007.
2016-Q2	March, 2016	80		OPM is revising the Q2 result
2016-Q3	June, 2016	80	72.9	OPM closed 159 of 218 findings
2016-Q4	September, 2016	80	75.6	OPM closed 165 of 218 findings.
2017-Q1	December, 2016	90
2017-Q2	March, 2017	90
2017-Q3	June, 2017	90
2017-Q4	September, 2017	90

Indicator Statement:

Percent of FISMA audit findings mitigated

Indicator Overview:

This indicator will track the percent of FISMA audit findings since 2007 that have been mitigated.

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Indicator Direction: INCREASING

Continuous Diagnostics and Mitigation (CDM) Phase 2

Planned phase two CDM capabilities include:

Least Privilege and Infrastructure Integrity

TRUST –Access Control Management (Trust in People Granted Access)
BEHV – Security-Related Behavior Management
CRED – Credentials and Authentication Management
PRIV – Privileges

Indicator target and actual value information
Fiscal Year Quarter	Period Ending (Month, Year)	Target Value	Actual Value	Explanation of Actual
2016-Q1	December, 2015	0	0	Phase two will not begin until FY 2017.
2016-Q2	March, 2016	0	0	Phase two will not begin until FY 2017.
2016-Q3	June, 2016	0	0	Phase two will not begin until FY 2017.
2016-Q4	September, 2016	0	0	Phase two will not begin until FY 2017
2017-Q1	December, 2016	95
2017-Q2	March, 2017	95
2017-Q3	June, 2017	95
2017-Q4	September, 2017	95

Indicator Statement:

Percent of network covered by phase two Continuous Diagnostics and Mitigation (CDM) capabilities

Indicator Overview:

Planned phase two CDM capabilities include:

Least Privilege and Infrastructure Integrity

TRUST –Access Control Management (Trust in People Granted Access)
BEHV – Security-Related Behavior Management
CRED – Credentials and Authentication Management
PRIV – Privileges

Unit Of Measurement: Percentage

Indicator Reporting Frequency: Quarterly

Primary tabs

Cybersecurity Monitoring

Priority Goal

Goal Overview

Strategies

Progress Update

Next Steps

Performance Indicators

Continuous Diagnostics and Mitigation (CDM) Phase 1

Multi-Factor Authentication

Percent of High Value Asset (HVA) Databases Encrypted

Migration to New IT Environment

Federal Information Security Management Act (FISMA) Compliance - SDLC

Federal Information Security Management Act (FISMA) Compliance – POAM’s

Continuous Diagnostics and Mitigation (CDM) Phase 2

Contributing Programs & Other Factors