1+ <?xml version =" 1.0" encoding =" UTF-8"
2+ <plan-of-action-and-milestones
3+ uuid =" 714210d2-f8df-448c-be3e-e2213816cf79"
4+ xmlns =" http://csrc.nist.gov/ns/oscal/1.0"
5+ <metadata >
6+ <title >IFA GoodRead Plan of Action and Milestones</title >
7+ <last-modified >2024-02-01T13:57:28.355446-04:00</last-modified >
8+ <version >1.1</version >
9+ <oscal-version >1.1.2</oscal-version >
10+ </metadata >
11+ <import-ssp href =" ../5-authorize/ssp.oscal.xml"
12+ <system-id identifier-type =" http://ietf.org/rfc/rfc4122" system-id >
13+ <observation uuid =" 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf"
14+ <title >Django Framework Examination</title >
15+ <description >
16+ <p >Examine Django Framework for least privilege design and implementation.</p >
17+ </description >
18+ <method >EXAMINE</method >
19+ <type >control-objective</type >
20+ <subject subject-uuid =" 551b9706-d6a4-4d25-8207-f2ccec548b89" type =" component"
21+ <collected >2023-05-19T12:14:16-04:00</collected >
22+ <remarks >
23+ <p >The assessor attempted to access the admin panel while logged into the GoodRead
24+ application as a PAO staff user. They were able to see the admin panel and directly
25+ edit database records for the application using the Django Framework's admin panel.</p >
26+ </remarks >
27+ </observation >
28+ <observation uuid =" 8807eb6e-0c05-43bc-8438-799739615e34"
29+ <title >AwesomeCloud IAM Roles Test - GoodRead System Engineer Role</title >
30+ <description >
31+ <p >Test AwesomeCloud IAM Roles for least privilege design and implementation.</p >
32+ </description >
33+ <method >TEST</method >
34+ <type >finding</type >
35+ <subject subject-uuid =" 551b9706-d6a4-4d25-8207-f2ccec548b89" type =" component"
36+ <collected >2023-06-02T08:31:20-04:00</collected >
37+ <expires >2023-07-01T00:00:00-04:00</expires >
38+ <remarks >
39+ <p >The assessor's security automation platform analyzed all roles specific to the
40+ GoodRead Product Team, not those managed by the Office of Information Technology.
41+ The <code >IFA-GoodRead-SystemEnginer</code > role in their respective AwesomeCloud
42+ account permitted use of the following high-risk actions.</p >
43+ <ul >
44+ <li >awesomecloud:auditlog:DeleteAccountAuditLog</li >
45+ <li >awesomecloud:secmon:AdministerConfigurations</li >
46+ </ul >
47+ <p >Both of these actions are overly permissive and not appropriate for the business
48+ function of the staff member assigned this role.</p >
49+ </remarks >
50+ </observation >
51+ <risk uuid =" 8b8bae66-b28c-4fa5-9a20-b79e7322fc00"
52+ <title >IFA-GOODREAD-RISK-1: PAO Staff Have Over-Privileged Access to GoodRead System</title >
53+ <description >
54+ <p >A user with the privileges of a PAO staff user can exceed the intended privileges for
55+ their related business function and directly edit the database for the GoodRead
56+ application.</p >
57+ </description >
58+ <statement >
59+ <p >An account without proper least privilege design and implementation can be used to
60+ significantly damage links created by the tool for use by public citizens,
61+ potentially causing a national outage. If an outage were to occur, IFA and
62+ Government policy will require the CIO of the agency to notify the Department of
63+ Homeland Security and the public.</p >
64+ <p >Such an event will cause significant financial and reputational risk to IFA's
65+ Administrator, executive staff, and the agency overall.</p >
66+ </statement >
67+ <status >deviation-approved</status >
68+ <characterization >
69+ <origin >
70+ <actor type =" party" actor-uuid =" e7730080-71ce-4b20-bec4-84f33136fd58"
71+ </origin >
72+ <facet name =" likelihood" value =" low" system =" https://ifa.gov/division/ociso/sca"
73+ <facet name =" impact" value =" high" system =" https://ifa.gov/division/ociso/sca"
74+ </characterization >
75+ <mitigating-factor uuid =" 401c15c9-ad6b-4d4a-a591-7d53a3abb3b6"
76+ <description >
77+ <p >The GoodRead application is designed and implemented to only allow access to the
78+ administrative functions for those with PAO staff fole via the VPN via network
79+ configuration between the IFA Enterprise Support Systems and the GoodRead
80+ AwesomeCloud account. Additionally, the load balanacer configuration only allows
81+ access to view shortlinks from the public internet.</p >
82+ </description >
83+ </mitigating-factor >
84+ <deadline >2024-01-01T05:00:00-04:00</deadline >
85+ <response uuid =" d28873f7-0a45-476d-9cd3-1d2ec0b8bca1" lifecycle =" planned"
86+ <title >IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response</title >
87+ <description >
88+ <p >The GoodRead Product Team does not have sufficient personnel and budget to
89+ implement the required changes in their use of the Django Framework and its
90+ configuration in this quarter. With the consultation of the ISSO and the
91+ assessor, the owner of the GoodRead system has decided to accept this risk until
92+ the end of December 2023. From September to December, budget will be available
93+ for the Good Read Product Team's developer and system engineer to completely
94+ disable the functionality that is the source of the risk and its originating
95+ finding.</p >
96+ </description >
97+ <prop name =" type" value =" accept"
98+ <task uuid =" f8b1d4cb-d1a9-4932-9859-2e93b325f287" type =" milestone"
99+ <title >End of Year Project Management Report of Developed Remediations</title >
100+ <description >
101+ <p >The owner, ISSO, and product team of the GoodRead Project intend to complete
102+ the necessary development between September 2023 and December 2023. Whether
103+ or not the necessary development for remedation is complete, the product
104+ team's project manager will submit the final annual report. They will
105+ identify this work item and whether it has been completed.</p >
106+ </description >
107+ <timing >
108+ <within-date-range start =" 2023-09-29T09:00:00-04:00"
109+ end =" 2024-01-01T05:00:00-04:00"
110+ </timing >
111+ </task >
112+ </response >
113+ <related-observation observation-uuid =" 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf"
114+ </risk >
115+ <risk uuid =" 1c65d2d3-7735-47fa-8f68-a236744beab7"
116+ <title >IFA-GOODREAD-RISK-2: GoodRead System Engineers Have Over-Privileged Access to Cloud
117+ Infrastructure Account</title >
118+ <description >
119+ <p >A user in the GoodRead cloud environment with the privileges of a system engineer can
120+ exceed the intended privileges for their related business function. They can delete
121+ all historical audit records and remove important security monitoring functions for
122+ the IFA Security Operations Center staff.</p >
123+ </description >
124+ <statement >
125+ <p >An account without proper least privilege design and implementation can be used to
126+ surreptitiously add, change, or delete cloud infrastructure to the too managing all
127+ links to IFA's communication to public citizens, potentially causing significant
128+ harm with no forensic evidence to recover the system. Regardless of the extent and
129+ duration of a potential incident, such a configuration greatly increases the risk of
130+ an insider threat if there were likely to a potential insider threat in the GoodRead
131+ Product Team.</p >
132+ <p >If such an insider threat existed and acted with this misconfigruatio, the resulting
133+ event could cause significant financial and reputational risk to IFA's
134+ Administrator, executive staff, and the agency overall.</p >
135+ </statement >
136+ <status >open</status >
137+ <characterization >
138+ <origin >
139+ <actor type =" party" actor-uuid =" e7730080-71ce-4b20-bec4-84f33136fd58"
140+ </origin >
141+ <facet name =" likelihood" value =" low" system =" https://ifa.gov/division/ociso/sca"
142+ <facet name =" impact" value =" high" system =" https://ifa.gov/division/ociso/sca"
143+ </characterization >
144+ <deadline >2023-06-23T17:00:00-04:00</deadline >
145+ <response uuid =" 4676b126-ba6d-40cc-9dc8-f2aa677b03ee" lifecycle =" planned"
146+ <title >IFA-GOODREAD-RISK1-RESPONSE: IFA GoodRead Prouct Team Response</title >
147+ <description >
148+ <p >The GoodRead Product Team does not have siginficant mitigations or compensating
149+ controls to counter this risk, even if likelihood is low. The IFA CISO has cited
150+ ongoing guidance that potential insider threat risks be prioritized above
151+ alternative categories of risk for this quarter. Additionally, there is
152+ sufficient budget and unallocated time for the GoodRead and Office of
153+ Information Technology system engineers to modify AwesomeCloud IAM roles on or
154+ before the next continuous monitoring cycle beginning in July 2023. The planned
155+ completion data is June 23, 2023.</p >
156+ </description >
157+ <prop name =" type" value =" mitigate"
158+ <task uuid =" a0bb457d-0d14-4a74-801a-ffc9bc4cd636" type =" milestone"
159+ <title >Completion of GoodRead Sprint Ending June 23, 2023</title >
160+ <description >
161+ <p >The owner, ISSO, and product team of the GoodRead Project intend to complete
162+ the necessary development by June 23. 2023, the last day of the coinciding
163+ sprint. Whether or not the necessary development for mitigation is complete,
164+ the product team's project manager will write a brief at the end of the
165+ sprint to thw owner and ISSO of this system with the final status and
166+ determination of this work item in this sprint.</p >
167+ </description >
168+ <timing >
169+ <within-date-range start =" 2023-06-03T00:00:00-04:00"
170+ end =" 2024-06-23T17:00:00-04:00"
171+ </timing >
172+ </task >
173+ </response >
174+ <related-observation observation-uuid =" 8807eb6e-0c05-43bc-8438-799739615e34"
175+ </risk >
176+ <poam-item uuid =" e174dfb9-0ae3-4a8f-8e7c-081527b84337"
177+ <title >Update Django Framework Configuration to Disable Default Admin Panel</title >
178+ <description >
179+ <p >Budget and technical staff are needed to re-design and re-implement a part of the
180+ GoodRead application's use of a web appplication programming framework to mitigate
181+ the risk of low privilege users directly modifying the database of this application.
182+ This application is a high-visibility service and integral to future operations of
183+ the IFA Office of Public Affairs and its staff.</p >
184+ </description >
185+ <related-observation observation-uuid =" 0c4de4fc-9bde-46af-b6fe-3b5e78194dcf"
186+ <associated-risk risk-uuid =" 401c15c9-ad6b-4d4a-a591-7d53a3abb3b6"
187+ </poam-item >
188+ <poam-item uuid =" 48c8368d-43ff-4736-9b28-64b1b1284c03"
189+ <title >GoodRead System Engineers Have Over-Privileged Access to Cloud Infrastructure Account</title >
190+ <description >
191+ <p >Budget and technical staff allocation are available and designated to fix a
192+ misconfiguration of the IAM roles for members of the GoodRead Product Team in their
193+ AwesomeCloud account to implement least privilege as designed.</p >
194+ </description >
195+ <related-observation observation-uuid =" 8807eb6e-0c05-43bc-8438-799739615e34"
196+ <associated-risk risk-uuid =" 1c65d2d3-7735-47fa-8f68-a236744beab7"
197+ </poam-item >
198+ </plan-of-action-and-milestones >
0 commit comments