In recent years, high profile accounting and management scandals have given rise to legislative action to improve internal controls over financial reporting. Additional laws and regulations have been passed since outlining requirements for establishing and maintaining internal controls for federal agencies, the most notable of these being the Office of Management and Budget’s (OMB) Circular A-123. OMB updated Circular A-123 with Appendix A to prescribe a strengthened process to assess the effectiveness of the internal controls over financial reporting.
The Department of the Navy reviews its internal control environment, via its Managers’ Internal Control Program (MICP), annually to validate compliance with the requirements, identify control gaps or deficiencies, and define and implement remediation activities based on the findings. These reviews have uncovered a general need to improve internal controls over financial reporting, including organizational, process, and technology/security related controls. These improvements are necessary to enhance the DON’s risk posture, fiduciary responsibility over its assets, as well as to bolster the validity of financial statement assertions.
IT security controls are meant to provide reasonable assurances that the DON’s systems operate as intended, its data is reliable, and complies with applicable laws and regulations. IT security controls can be further aligned to one of two major categories -based on GAO’s Federal Information System Controls Audit Manual (FISCAM):
- Information Technology General Controls (ITGCs): automated and/or manual controls that apply to system components, processes, data, and the overall information technology environment such as applications, operating systems, databases, and supporting IT infrastructure.
- Business Process Application Controls (BPACs): automated and/or manual controls over the completeness, accuracy, validity, confidentiality and availability of transactions and data during application processing.
ITGCs and BPACs, among the DON’s audit priorities, must be designed and operating effectively in order to comply with a number of laws to protect the confidentiality, integrity, and availability of the sensitive information resources that support federal operations and assets, including financial systems and data. These laws and regulations include, the Federal Information Security Management Act of 2002 (FISMA), the Federal Managers’ Financial Integrity Act of 1982 (FMFIA), and the Federal Financial Management Improvement Act of 1996 (FFMIA).
Financial Management Policy and Systems (FMP)-10, within Financial Management and Comptroller, has focused efforts on strengthening internal controls, and its regulatory compliance through its MICP, FM Overlay and continuous monitoring programs. The DON will perform end-to-end process assessments annually for ITGCs and BPACs supporting financially relevant systems.
A high priority DON remediation area is Privileged User Access where individuals with elevated access within a system environment are considered ‘privileged.’ These are normally administrators but a system owner may identify privileged authority to a greater group. IT security controls around their provisioning, recertification and actions must be closely monitored as they can have the highest impact to confidentiality, integrity and availability of data. Privileged User Access individuals should not have the ability to perform business process functions without adequate compensating controls.
As one community, we must consider the following activities to properly safeguard our DON data:
- Provide education to our stakeholders. It is crucial for stakeholders to comprehend the urgency of privileged account and access management security.
- Identify privileged accounts. In order to safeguard something, you have to know where it exists.
- Automate the management and protection of privileged account passwords. Manually tracking privileged account passwords can be a daunting task.
- Adopt and implement security policies. Adopt standards and policies to stay compliant.
In accordance with the Risk Management Framework (RMF) and FM Overlay, the DON approves every information system’s Authorization to Operate (ATO) in its environment through the application of a RMF for federal information systems to confirm business and IT stakeholders have considered risks, threats and vulnerabilities.
The DON continuously monitors risks by applying the Financial Management (FM) Overlay to financially relevant systems which synchronizes the FISCAM methodology with the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, IT security controls catalog for unified security control management and implementation.
The Department of Defense released its version of the FM Overlay, which is mandatory for all information systems that impact financial reporting; however, the DON is conducting a risk-based gap assessment of the IT security controls for an adoptable way forward. Details of the DON and DoD FM Overlay are shown below:
- DON FM Overlay consists of 103 NIST SP 800-53 controls
- Includes interface and reconciliation controls.
- Implemented within the FM enterprise.
- DoD FM Overlay consists of 590 NIST SP 800-53 controls
- Additional assessment procedures and evidence sampling requirements.
- Restrictions on the issuance of authorizations (i.e., Authorization to Operate) based upon the gravity of control findings such as material weakness and deficiency.
In addition, when DON systems are migrated and hosted in a cloud computing environment, the Cloud Service Provider (CSP) will assume more responsibility on implementing IT security controls. The CSP should provide inheritable IT security controls the hosted system will rely upon. Subscription of cloud computing services will not absolve the Program Manager (PM) and Information System Owner (ISO) of accountability in enforcing internal controls, including those of the RMF and FM Overlay. PM, ISO, and Information System Security Managers (ISSM) are encouraged to understand roles and responsibilities of the design and enforcement of IT security controls. It may fall upon the CSP, Navy Echelon II Cloud Broker (CB), and/or system management.
Inheritable controls from the CSP and CB must be part of the System-Level Continuous Monitoring (SLCM) plan. The Service Level Agreement (SLA) and the System and Organization Control (SOC) report will enumerate the inheritable controls from the CSP and CB, which must be monitored periodically.
FMP-10 maintains the DON Enterprise IT Control Standards which require system owners to review these individuals on a quarterly basis to ensure they maintain proper authorization and a need to know. We must take on the difficult task of minimizing risk in our organization earnestly. As the playing field continues to shift, leadership at all levels are required to take ownership for internal and external risks facing the organization. These issues should not be delegated solely to one “IT department” – rather at all levels throughout the organization.
Lastly, we must not rely on external audits to discover deficiencies. We must implement continuous reviews and receive time and attention from senior management.