FIDUCIARY OBLIGATIONS COMPLIANCE PLAN JANUARY 6, 2003

The following step will enhance Interior's investment responsibility:

· Contract for 3rd party investment management of IIM pool - 3Q CY2003

(3) CONTROLS - RECEIPTS AND DISBURSEMENTS

(i) Statutory Direction

The Secretary's proper discharge of the trust responsibilities of the United States shall include (but are not limited to) the following: Provid[e] adequate controls over receipts and disbursements. 25 U.S.C. § 162a(d)(2)

(ii) Guidance Regarding Performance

Interior assesses its performance of this statutory obligation by reference to the pertinent sections of the following guidelines:

· 25 CFR 115, "Trust Funds for Tribes and Individual Indians". Part 115 sets forth guidelines for the management and administration of trust assets owed to beneficiaries. In addition, Part 115 identifies specific sources of money that will be accepted for deposit into a trust account. Part 115 also defines authorized disbursement requests and minors' disbursement plans. (See also 25 CFR 117, "Deposit and Expenditure of Individual Funds of Members of the Osage Tribe of Indians Who Do Not Have Certificates of Competency," and 25 CFR 121, "Distribution of Judgment Funds Awarded to the Osage Tribe of Indians in Oklahoma.")

· BIA/OST Interagency Handbook, July 8, 2002. This handbook sets forth the procedures for receipting trust funds, withdrawing money from an unrestricted account, making disbursements from decedents' IIM accounts before probate, withdrawing trust funds for minors and emancipated minors, withdrawing judgment per capita funds, developing supervised and encumbered distribution plans, and making third party disbursements from encumbered "whereabouts unknown" accounts.

· 12 CFR Chapter 1, Part 30, Appendix A, "Interagency Guidelines Establishing Standards for Safety and Soundness", II-A, "Operational and Managerial Standards - Internal Controls and Information Systems". Part 30 states that, "An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope, and risk of its activities...".

(iii) Status of Performance

The conversion to TFAS provided for:

· centralized quality assurance reviews for adherence to policy and documentation requirements;
· centralized encoding of transactions; and,
· centralized verification of the accuracy of the information entered into the system, with the exception of automated interfaces from the BIA legacy system.

Once Interior records receipts, from whatever source, in TFAS accounts, controls inherent in the system ensure that the system provides accountability for the funds. Internal controls in TFAS are subject to annual self-assessment reviews (consistent with the objectives of the Federal Managers' Financial Integrity Act (FMFIA)), an independent financial statement audit, and a Statement of Auditing Standards (SAS) 70 audit conducted by an independent auditor selected by the Trust 3000 user group. The SAS 70 audit assures the user group that system controls are functioning as asserted by the management of the vendor supplying the system.

Each business day Interior invests all funds receipted in TFAS for individual Indian accounts in accordance with 25 U.S.C. § 162a. SDAs may be used only as an exception to the mandate for immediate deposit and distribution of trust funds to individual Indian and tribal account holders (Interagency Handbook, Chapter 12, page 1). Currently, SDAs are created in TFAS to receive funds for which ownership or other information has not been provided. Upon the subsequent receipt of account-specific information from BIA, the funds are transferred to the identified TFAS accounts.

(iv) Steps Necessary to Reach Performance Targets

Interior provides adequate controls over receipts (once recorded in TFAS) and current disbursement activity and will meet Interior's obligation when the following steps are completed:

· Resolve validation of documentation for automatic disbursement authorizations pre-TFAS - 4Q CY2003

(4) RECONCILIATIONS

(i) Statutory Direction

The Secretary's proper discharge of the trust responsibilities of the United States shall include (but are not limited to) the following: Provid[e] periodic, timely reconciliations to assure the accuracy of accounts. 25 U.S.C. § 162a(d)(3)

(ii) Guidance Regarding Performance

Interior assesses its performance of this statutory obligation by reference to the pertinent sections of the following guidelines:

· 12 CFR Chapter 1, Part 30, Appendix A, "Interagency Guidelines Establishing Standards for Safety and Soundness", II-A, "Operational and Managerial Standards - Internal Controls and Information Systems". Part 30 states that, "An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope, and risk of its activities..." Control activities, one of several components comprising a system of internal controls, should include independent checks on whether certain jobs are getting done and certain recorded amounts are accurate. Examples of controls include - but are not limited to - reconciliations, computer-programmed controls, management reviews of reports that summarize account balances, and user reviews of computer-generated reports.

· Office of the Comptroller, "Comptroller's Handbook: Custody Services," January 2002.
The Handbook states that for off-premises custody, "Custodians should reconcile changes in the depository's position each day that a change in the position occurs, as well as completing a full-position reconcilement at least monthly."

· Volume 1, Treasury Financial Manual, Part 2, Chapter 5100, "Reconciling Fund Balance with Treasury Accounts". This chapter provides policies and procedures for reconciling Interior fund balances with Treasury accounts. Reconciling fund balances with Treasury accounts is a key internal control process. It assures the reliability of the Government's receipt and disbursement data reported by agencies. Therefore, agencies must perform timely reconciliations and implement effective and efficient reconciliation processes.

(iii) Status of Performance

On a daily basis, OTFM reconciles financial transactions posted to TFAS with financial transactions posted at Treasury and identifies and resolves any differences. At the end of each business day, OTFM balances the daily receipt and disbursement activity with the system totals. Any differences are resolved before automated nightly processing begins. On a monthly basis, OTFM reconciles financial transactions reported to Treasury (via the Statement of Transactions Report, SF-224). In addition, OTFM reports and reconciles all Treasury checks issued by the OST disbursing official.

OST holds certain securities at Treasury and has since May 1997 contracted with a financial institution to serve as a custodian for securities not held at Treasury. This contract encompasses the settlement of trades, collection and posting of investment income on payable date, notification of called securities, and daily reconciliation of investment activity. Investment security units held by the two custodians - Treasury and the contracted institution - are reconciled monthly.

Cash and asset reconciliations ensure that trust fund receipts and trust fund disbursements are properly accounted for. The cash and asset reconciliations also serve to confirm that changes to the stated IIM pooled investment account balances are accurate. As Interior previously informed the Court, OST-reported trust fund balances materially exceed Treasury-reported balances. This difference does not impact the earning power of the fund since OST controls investment assets equal to the cash balance shown on its financial statements. OST and the OHTA are working with Treasury to develop options for resolving this difference. In addition, the aggregate of all positive account balances in the IIM detailed subsidiary accounts exceeds the IIM investment pool. This imbalance could have a negative impact on the earning power of the IIM pool. Other accounting discrepancies include the inability to reconcile past clearing and suspense accounts, the inability to collect interest from failed financial institutions, and the former lack of daily reconciliation.

(iv) Steps Necessary to Reach Performance Targets

Interior has adequate reconcilements of current cash and investment activity to meet this obligation. The following steps will address past activity issues:

· Resolve validation of documentation for automatic disbursement authorizations pre-TFAS - 4Q CY2003
· Request legislation to satisfy part of imbalance with Treasury - 3Q CY2003
· Determine options for resolving Treasury differences - 3Q CY2003
· Resolution of Treasury differences - 3Q CY2004

(5) AUDIT

(i) Statutory Direction

ANNUAL AUDIT. - The Secretary shall cause to be conducted an annual audit on a fiscal year basis of all funds held in trust by the United States for the benefit of an Indian tribe or an individual Indian which are deposited or invested pursuant to the Act of June 24, 1938 (25 U.S.C. § 162a), and shall include a letter relating to the audit in the first statement of performance provided under subsection (b) after the completion of the audit. 25 U.S.C. § 4011(c)

(ii) Guidance Regarding Performance

Interior assesses its performance of this statutory obligation by reference to the pertinent sections of the following guidelines:

· Generally Accepted Government Auditing Standards (GAGAS). The Comptroller General of the United States published Government Auditing Standards for audits of government organizations, programs, activities and functions. These standards pertain to the auditor's professional qualifications, the quality of audit effort, and the characteristics of professional and meaningful audit reports.

· The Federal Accounting Standards Advisory Board (FASAB) Statements of Federal Financial Accounting Standards (SFFAS) No. 7, "Accounting for Revenue and Other Financing Sources". FASAB issues Statements of Federal Financial Accounting Concepts to guide its members (including the OMB) as they deliberate and recommend Statements of Federal Financial Accounting Standards, and to guide the OMB as it carries out its statutory responsibilities for specifying who should prepare financial statements and the form and content of those statements. SFFAS No. 7 requires certain federal financial statement disclosures regarding "dedicated collections," including fiduciary funds.

· FASAB Interpretation No. 1, "Reporting on Indian Trust Funds in General Purpose Financial Reports of the Department of the Interior and in the Consolidated Financial Statements of the United States Government: An Interpretation of SFFAS No. 7." This Interpretation holds that Indian trust funds are not Federal funds and thus should not be included in Interior's financial statements except by footnote in Interior's annual Accountability Report.
As a result, Interior prepares financial statements for Indian trust funds that are audited and reported separately from Federal funds.

(iii) Status of Performance

A financial statement audit includes an examination of the statement of assets and trust fund balances, the related statement of changes in trust fund balances for the year, an assessment of the accounting principles used, as well as internal controls over financial reporting and compliance with applicable laws and regulations. Since FY 1995, OST has contracted for an independent audit of the financial statements of the trust funds it manages for the benefit of individual Indians, Indian tribes, and others. The FY 1995 audit covered the statement of assets and trust fund balances, internal controls, and compliance with laws and regulations. Audits for fiscal years 1996 through 2002 also included the statement of changes in trust fund balances. Interior's Office of Inspector General oversees the audit and reviews the resulting reports prior to their release to the public. For FY 2002, KPMG LLP performed the audit, which the Office of Inspector General is expected to issue during the second quarter of FY 2003.

In addition, the Trust Funds Accounting System (TFAS) is subjected to a separate annual independent audit. As noted above, the current TFAS is a product known as "Trust 3000", which is used in many large trust departments. The Trust 3000 user group continues to receive a Statement of Auditing Standards (SAS) 70 audit opinion for Trust 3000 confirming that the system controls are functioning as asserted by management of the vendor supplying the system.

Past financial audits have contained qualified opinions from independent auditors. In part, this is due to the fund imbalance with Treasury described in the reconciliation discussion in this section of the report. Interior has not previously sent letters to account holders relating to each annual audit as required by the 1994 Act.

(iv) Steps Necessary to Reach Performance Targets

At this time, Interior conducts a current financial statements audit. To meet the statutory direction the following steps need to be completed:

· Interior will provide notification by letter in coordination with the release of each annual audit beginning with the FY 2002 audit - 2Q CY2003
· Repeat with each annual audit - 2Q each CY
· OST will request an expansion of the FY 2004 annual audit to include all funds held in trust by the United States for the benefit of an Indian tribe or an individual Indian which are deposited or invested pursuant to the Act of June 24, 1938 (25 U.S.C. § 162a) - 3Q CY2003

C. RECORDS MANAGEMENT

1. PERFORMANCE TARGETS

Interior plans to:

· establish a written policy for the retention of IIM-related trust documents, in both paper and electronic form, necessary to render an accurate accounting;
· establish written procedures for the retention of IIM-related trust documents, in both paper and electronic form, necessary to render an accurate accounting;
· identify the types of documents needed to undertake an accurate accounting of all money held in the IIM accounts;
· assess the physical environment where the records are stored to ensure they are being properly maintained and secured, and take action to mitigate situations where the relevant records are not being properly maintained and secured; and
· establish a written policy and procedure for collecting from outside sources missing information necessary to render an accurate accounting.

There are other aspects of records management that Interior will pursue to enhance its ability to effectively preserve documents and to locate and utilize them for accounting purposes.
Interior is also working to respond to issues raised by the Special Master.

2. GUIDANCE REGARDING PERFORMANCE

Interior's basic records management policy and guidance is derived from Federal records management laws and regulations, which are governed by the National Archives and Records Administration (44 U.S.C. Chapters 21, 29, 31, 33). The statutes and implementing regulations require federal agencies to make and preserve records (including electronic records) containing adequate and proper documentation of the organization, functions, policies, decisions, procedures and essential transactions of the agency, and designed to furnish the information necessary to protect the legal rights and financial rights of the Government and of persons directly affected by the agency's activities. See 36 C.F.R. Section 1220.30. Further, Office of Management and Budget Circular A-130 (8a), Management of Federal Information Resources, requires agencies to ensure that records management programs provide adequate and proper documentation of agency activities and that records management programs record, preserve and make accessible sufficient information to ensure the management and accountability of agency programs.

Interior recognizes that in its role as a trustee, it is required to maintain "those documents that are necessary for an accounting." Cobell v. Norton, 240 F.3d at 1106. Thus, in these instances, this requirement supersedes any NARA records disposition schedules that may allow disposal.

Internally, Interior issues specific records management policy and guidance via the Departmental Manual system of internal directives, bureau and service manuals, and Information Resource Management (IRM) bulletins. Specific guidance relating to the Indian trust records supplements existing guidance and procedures. Below are Interior's Records Management directives, manuals, and bulletins used for guidance.

Departmental Manual

· 303 DM 2, Indian Trust Responsibilities, 10/31/00. 303 DM provides Interior-wide guidance for carrying out the Secretary's trust responsibility as it pertains to Indian trust assets.

· 380 DM 1, Records Management Program and Responsibilities, 10/7/93. 380 DM 1 delegates to all bureaus and offices the responsibility for establishing and maintaining an active and continuing records management program for their organization, to include developing and implementing records schedules for all records created and received by the Bureau. Due to Interior's diverse missions and decentralized structure, each bureau and the Office of the Secretary maintains and implements its own records retention/disposition schedule.

· 380 DM 2, Adequacy of Documentation, 7/11/94. 380 DM 2 requires Interior to make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency. Proper and adequate documentation identifies what and how much information needs to be created or received to manage the organization and to meet Interior's legal responsibilities. This Chapter provides general information and instructions for ensuring that adequate documentation of agency business is established.

· 380 DM 3, Files Management, 5/9/95. 380 DM 3 establishes Department-wide files management responsibilities and provides standards and guidelines for filing records.

· 380 DM 6, Vital Records Program, 3/11/98. 380 DM 6 provides general policy and procedures to ensure that Interior has an effective Vital Records Program in place. Interior bureaus and offices are delegated the responsibility for establishing their own Vital Records Program to identify and safeguard their vital records.

· 383 DM 1-12, Privacy Act. 383 DM chapters outline Interior's policies for the administration of the Privacy Act of 1974 (5 USC § 552a). Many Indian trust records are protected by the provisions of the Privacy Act. The Privacy Act is applicable to all systems of records containing information about individuals from which information is retrieved by individual name or by an identifying number, symbol or other personal identifier. In particular:

Chapter 2 outlines Interior's general guidance to the bureaus for ensuring the technical and physical safeguards of records.

Chapter 3 advises that each bureau will:
· ensure that specific procedures are in place for the security and confidentiality of records;
· provide training to employees concerning responsibilities for handling Privacy Act documents; and,
· conduct periodic inspection of areas where records subject to the Privacy Act are maintained.

Chapter 8 advises that hard copy records shall be safeguarded in a manner commensurate with the sensitivity of the information contained in the system of records; in addition, electronic records shall be subject to the safeguards based on the recommendations of the National Bureau of Standards contained in "Computer Security Guidelines for Implementing the Privacy Act of 1974."

· 384 DM 1-4, Records Disposition, 5/12/89. 384 DM 1-4 provides general policy and procedures for developing and maintaining an effective records disposition program.

· 382 DM 11, Managing Records in Electronic Form, 12/9/85. 382 DM 11 provides guidelines, and establishes requirements and procedures, for records created, used or maintained in electronic form. It has recently been revised and updated as 380 DM 5, Electronic Records Management. It is currently in draft form and is being prepared for final review and surname. The revised DM will address all aspects of properly managing and securing electronic records.

· 444 DM 01, Physical Protection and Building Security, 7/7/99. 444 DM establishes policies for the Interior physical security program designed to safeguard Interior personnel and facilities, to include buildings, grounds, and property.

· 16 Bureau of Indian Affairs Manual (16 BIAM) Records and Dispositions Handbook, Chapters 1 - 12, 7/12/89. This manual sets forth the records and files disposition for all of the Bureau of Indian Affairs programs.

· IRM Bulletin 96-06, Policy and Guidance for Managing the Creation, Retention and Disposition of Electronic Mail Documents, 7/25/96. This bulletin provides policy and guidance for managing the creation, retention and disposition of electronic mail (e-mail) documents.

3. STATUS OF PERFORMANCE

As Interior has conducted pilot programs and in-depth planning for its Historical Accounting Plan (described in a separate submission to this Court), it has gained a more thorough understanding of how a records management program must relate to accounting functions. In most situations, documents are already under the control of Interior. The resulting records management task is to preserve those documents and to make them accessible for accountant review. This task requires identifying relevant types of records, protecting them from destruction, indexing them in a way that provides the information usable for researchers, and establishing a system for retrieving them and making them available for use. To be most easily available for historical accounting, large numbers of paper documents will need to be digitally imaged (i.e., scanned) and coded. In short, Interior needs to design and implement its records management system to be responsive to anticipated uses.
The same responsiveness to anticipated use is especially significant in dealing with documents Interior should have but does not, and which are instead held by third parties. Many are records of private companies. Accordingly, the federal government's pursuit of these records should not impose unnecessary burdens on the private sector. Interior's records management policies should be targeted to obtaining those documents actually necessary for conducting the historical accounting.

RECORDS UNDER THE CONTROL OF INTERIOR

In FY2002, the Deputy Secretary instituted another records management freeze on the movement and destruction of any and all records involving IIM without prior notice to the Court. In a memorandum the Deputy Secretary directed that "...routine document disposal schedules remain suspended for all ACTIVE and INACTIVE Indian trust records. Furthermore, all INACTIVE records placed in storage (whether in Federal or commercial records centers), that are normally eligible for disposal in accordance with the established bureau/office records disposition schedules, cannot be disposed of until further notice. This suspension of disposal schedules currently applies to all stored accessions in the following records groups: 22, 48, 49, 57, 70, 75, 79, 115, 253, 312, 320, 368, 380, 471, 473, and 515." Memorandum from the Deputy Secretary, "Clarification of Indian Trust Records Management and Records Freeze," dated December 4, 2002, p. 2.

Interior also awarded a contract to Zantaz in October 2002 to provide real-time e-mail capture that, when implemented, will ensure trust-related e-mail records are retained.

In July 2002, Interior began an intensive effort to revitalize the Office of Trust Records (OTR). A comprehensive work plan for OTR was developed and issued on December 19, 2002. An integral part of the work plan is the development of policies and procedures for record keeping activities of the BIA and the OST. The work plan provides for development of programs that will provide guidance to record custodians and managers of the programs with responsibilities for trust programs.

OTR has developed a draft trust definition matrix for the existing 16 BIAM. This matrix will be modified upon the approval of a revised 16 BIAM and new record retention schedules for the OST. This matrix will facilitate the identification of trust records based on a series of simple yes or no answers. In addition, it contains a list of all currently approved record series that pertain to trust records.

High priority policies and procedures have been drafted by OTR and include the following:

FINAL - Files and Disposition Plan
DRAFT - OST/BIA Physical Security and Safety
DRAFT - Procedures for Research at OTR Records Centers
DRAFT - Policies and Procedures for Contracted and Compacted Tribal Trust Program Records
DRAFT - Guidelines for a Vital Records Plan
DRAFT - Electronic Records Management Policy
DRAFT - Document Production Request Procedures

These drafts are scheduled to be published by 2Q CY2003. In addition, OTR plans to have a detailed list of, and a project plan for, the remaining policies and procedures.

The 4000 series of the 16 BIAM, which includes realty, forestry, fish and wildlife, irrigation, safety of dams, agriculture, environmental, water rights, minerals and mining, and range management, has been completed under OTR leadership and submitted to BIA for review and approval, and to NARA for a courtesy review. The final drafts of the following electronic records schedules are complete and ready to be submitted by OTR to BIA for approval, after which they will be submitted to NARA: IRMS Lease, IRMS Lease Distribute, IRMS Lease/Range, IRMS Owner, IRMS Individual Indian Monies, IRMS People, IRMS Royalty Distribution Reporting System and the Osage Annuity System.

OTR is developing a move plan to continue the centralization of OST financial trust records in Albuquerque, NM. Other move plans will be developed to eliminate records storage issues at BIA field locations. Further, OTR is actively drafting a records retention schedule for OTFM with their cooperation.

OTR has entered into an agreement with Labat-Anderson Inc. to develop one index of all Indian records (trust and non-trust) located in Albuquerque and Lee's Summit, MO, under OTR control. This index will facilitate access to these records for all legitimate purposes, including historical accounting, litigation and research. The project was initiated in October and the indexing began in December 2002.

Beyond OTR's activities, BIA identified approximately 950 different types of documents, of which approximately 50 were related to IIM accounts. In 1998, BIA and OST signed a memorandum of agreement which transferred the record management responsibility for these IIM account records to OST. BIA established the BIA Vital Records Policy on October 1, 1998; established the BIA Records Management Adequacy of Documentation policy on October 1, 1998; and established the BIA Field Inspection policy based on NARA and other guidance.

RECORDS NOT CURRENTLY UNDER THE CONTROL OF INTERIOR

Regarding the collection of back-up records held by third parties that could replace missing information in Interior files, Interior has completed a draft of the policy and procedures that is undergoing review within Interior.
The draft policy and procedures 72 FIDUCIARY OBLIGATIONS COMPLIANCE PLAN JANUARY 6, 2003 state that it is Interior's policy to collect information from third parties and that to do so Interior will: · Alert potential third party custodians of Interior's efforts to locate and secure possible missing trust-related information and request that they retain this information; · Identify information that is missing that is needed to conduct a complete historical accounting during the historical accounting process; · Identify and locate records held by third-party custodians; and · Obtain or copy third-party records. Once Interior completes its review of the draft policy and procedures, the document will be finalized and included in the Departmental Manual. Implementation activities pursuant to this requirement have already begun and have been reported to the Court. See Eleventh Report. This project was originally assigned to the Office of the Special Trustee for American Indians and was later reassigned to the OHTA. OHTA has identified broad categories of relevant third parties, e.g., oil and gas producers, foresters and governmental entities, likely to have IIM documents in their possession. As part of its efforts regarding the research and examination of third party records, OHTA plans to complete, by the end of the next reporting quarter, a policy and procedures plan for collection of such records. 73 FIDUCIARY OBLIGATIONS COMPLIANCE PLAN JANUARY 6, 2003 As a result ora Federal Register notice (February 6, 2002, Vol. 67, No. 25, pp 5607-8), three energy companies contacted OHTA and indicated that they may have records pertaining to allotted lands. On August 6 and 7, 2002, OHTA staff conducted an on-site overview of records at one of these companies and concluded a small percentage of the records may be useful as "fill-the-gap" data. The company has agreed to retain custody of the records until further notice. OHTA is in discussions with the other two companies. 
In September 2002, Interior submitted an additional information collection request to the Office of Management and Budget (OMB). OMB approved the request on October 15, 2002, which will allow OHTA to continue to seek Indian trust-related information from third parties under the original Federal Register notice. Another possible records source is the American Heritage Center at the University of Wyoming. The Center houses the Anaconda Geological Documents Collection, a large and significant body of economic geologic data. In September 2002, OHTA secured a membership to the Center and is planning to inspect records maintained by the Center following its submission of the Court-ordered Historical Accounting Plan. In June 2002, Gustavson Associates (Gustavson) completed a pilot study to search and identify oil and gas records on allotted lands and submitted a report with its findings. The study successfillly demonstrated a methodology for collecting records from third parties, particularly oil and gas companies, but noted that specific solutions for records 74 FIDUCIARY OBLIGATIONS COMPLIANCE PLAN JANUARY 6, 2003 collection will depend on unique problems and conditions. Gustavson briefed Interior on its findings on July 23, 2002. In discussions with representatives of the oil and gas industry, Gustavson concluded there is no standard policy for records retention in the petroleum industry. The cost of maintaining large volumes of records, frequent buying and selling of oil and gas resources, and ongoing industry consolidation were cited as primary reasons for the lack of an industry-wide standard. Gustavson recommended that OHTA work with the Council of Petroleum Accounting Societies (COPAS) to survey its membership about records retention practices. COPAS is an industry trade group and many of its members are chief financial officers, controllers and chief accountants for petroleum companies. 
On October 23, 2002, OHTA made a presentation to the COPAS fall conference asking for assistance in identifying potential sources of relevant records within the oil and gas industry.
OHTA has also contracted with Historical Research Associates (HRA) to research the historical involvement of the U.S. Forest Service on allotted lands. Although anecdotal evidence suggests the Forest Service had little, if any, involvement on allotted lands, OHTA intends to present HRA's findings to the Forest Service for further discussions regarding potentially relevant records. A final report from HRA was received in October 2002.
(4) STEPS NECESSARY TO REACH PERFORMANCE TARGETS
· Complete the identification of IIM-related documents necessary to render an accurate accounting. Q1/CY2003
· Establish and implement revised records retention schedules for non-electronic records for the BIA and OST. Q4/CY2003
· Establish and implement electronic records retention schedules for the BIA and OST. Q1/CY2004
· Review records retention schedules of other Interior agencies to ensure that IIM-related documents necessary to render an accurate accounting are properly retained. Q3/CY2003
· Establish and implement training programs for records custodians on the usage of the new schedules (on a continual basis beginning with current schedules). Q1/CY2003
· Index identified documents under OTR control necessary to perform an accurate accounting of all IIM trust funds held in trust by the United States. Q2/CY2004
· Draft policies and procedures regarding retrieval of records and implement them. Q1/CY2003
· Complete Departmental review of policy and procedures for collection of missing information from third parties. Q1/CY2003
· Collect the identified needed IIM-related trust documents from sources within or outside Interior and provide the retrieved documents to the parties undertaking the accounting. With respect to oil and gas records necessary for undertaking an accounting, require lessees and other royalty payors to produce records less than six years old and those over six years old that are still in their possession. Ongoing
· Conduct site assessments of the physical environment where records are stored to ensure they are being properly maintained and secured, and implement corrective actions, if necessary. Ongoing
· Establish and implement a Privacy Act program to ensure compliance with Federal and Departmental Privacy Act regulations and directives. Provide training to all employees concerning responsibilities for handling Privacy Act documents. Conduct periodic inspections of areas where records subject to the Privacy Act are maintained. Q1/CY2004
The work plan for development of appropriate policies and procedures for retention of IIM-related records gives the detail on the process whereby these policies and procedures are planned to be completed and when. Until such policies and procedures are in place, Interior has, as noted above, a specific directive to all personnel involved with Indian trust activities to retain all documents relating to trust activities whether in paper or electronic format.
A. STAFFING OF TRUST ORGANIZATIONS: WORKFORCE PLANNING
(1) Statutory Direction
The Secretary's proper discharge of the trust responsibilities of the United States shall include (but are not limited to) the following: (7) Provid[e] adequate staffing, supervision, and training for trust fund management and accounting. 25 U.S.C. § 162a (d)(7)
Workforce planning is a comprehensive process that provides managers with a framework for making staffing decisions based on an organization's mission, strategic plan, budgetary resources, and the associated skills needed to accomplish mission tasks now and in the future. Indian trust management workforce planning is underway in Interior and involves a comprehensive process of assessing current workload, current program efficiencies and gaps, and future work and skill gaps, together with options for addressing future workforce needs. This planning process is a large undertaking that requires both significant top-down leadership and involvement of field activity level personnel who know firsthand about the work being performed. Trust organizations are being asked to combine budget, program performance, and workforce priorities into a cohesive strategy that is useful for human resources planning as well as for budget justifications.
(1) Staffing Performance Targets
Interior will be in compliance with its staffing and workforce planning obligations when it:
· Establishes written policy and procedures for the staffing of trust management functions necessary to render an accurate accounting;
· Establishes an annual written workforce plan to identify the strategies to achieve trust management staffing requirements that are necessary to render an accurate accounting;
· Completes its reorganization plan and identifies required staffing;
· Fills positions called for in the Interior trust management plan with qualified, suitable personnel;
· Releases workforce plans for all trust locations;
· Establishes a trust training program for all trust personnel; and,
· Manages employee development needs. Each employee with trust responsibilities has an individual development plan.
(2) Guidance Regarding Performance
Although there are numerous statutes governing Federal employment matters, only the 1994 Trust Reform Act discusses a trust-specific requirement. It requires "adequate" staffing, supervision and training. 25 U.S.C. § 162a (d)(7). The statute requiring Indian preference hiring in BIA has unique implications for Interior's trust activities. 25 U.S.C. § 472.
The following Interior documents are the procedures and policies Interior has established for its employees and programs in order to improve workforce performance.
· Departmental Workforce Planning Policy, dated October 30, 2001. The policy requires that Interior bureaus and offices have workforce plans in place by September 30, 2003, and provides procedural guidance with step-by-step instructions.
· Personnel Bulletin No. 02-3, Workforce, Staffing, and Individual Development Planning for Trust Management Activities, was put into place on October 31, 2001. Among other things, this bulletin sets forth the Interior policies and procedures for developing workforce plans for all positions with trust management responsibilities.
· 441 Departmental Manual 3, Position Sensitivity and Risk Level Designation Criteria. Trust positions must be appropriately designated for the risk associated with their duties, and employees screened in conjunction with the designation.
(3) Status of Performance
Interior established written policies and procedures for the staffing of trust management functions in October 2001. These are set forth in the three documents listed above. In these documents Interior has established requirements to address the various components of workforce planning. Interior directed its offices and bureaus to develop workforce plans by September 30, 2003, for FY 2004-2008 that will be updated annually. Currently, offices and bureaus are developing these workforce plans.
Interior has undertaken a significant analysis of workforce issues from a department-wide perspective. On September 9, 2002, Interior published its Strategic Human Capital Management Plan. In building the Strategic Human Capital Management Plan, the Interior leadership collaborated in setting a context and plan of action for management of the human resources of the department that highlights our focus on Indian Trust Management.
To assist trust managers in developing their workforce plans, the Department of the Interior University and the Office of Personnel Policy of the Interior staff jointly worked with a contractor to complete development of two workforce planning training courses. These courses serve both the needs of those responsible for creating and implementing trust-related workforce plans and the overall human resources community. The first is a one-day overview course for managers and supervisors, and the second is a more detailed, "how-to" three-day version that will guide practitioners (advisors to the managers) through the actual creation of workforce plans. Training for all Interior managers is being scheduled. Typically, the one-day overview sessions are followed by sessions tailored to practitioners. Appropriate trust management staffs are being trained or scheduled to attend training sessions throughout FY 2003.
Trust management reorganization efforts and the business process reengineering under the "As-Is" and "To-Be" approach affect the skills analysis, workforce analysis and planning decisions. As the business process reengineering progresses, new job requirements will be established that will require different training and skill levels.
The reorganization of BIA and OST has been approved by the appropriations committees in both houses of the Congress.
The reorganization aligns the trust responsibilities within BIA and OST to assure responsiveness to individual trust needs. A description of the new organization for both agencies is attached as Exhibit 2. This new organizational alignment will assist Interior in its review of the performance results of the staff that provide service to trust beneficiaries. BIA and OST will create trust positions as part of a restructuring of trust functions. New trust officer positions at the agency will, among other things, review and evaluate trust transactions, approve certain transactions and strengthen the system of accounts receivable. Interior plans to implement the new organization during calendar year 2003. Training and staffing for new trust positions are planned and are expected to be implemented through calendar year 2004.
Starting in January 2001, Upper Mohawk Inc. conducted staff training classes in basic trust concepts. That training is now a three-day training session entitled Trust Foundations: An Introduction to Trust Reform and Change. It is non-technical training that provides trust systems personnel at every level with an increased understanding of the Government's and Interior's fiduciary responsibilities with respect to the Indian trust assets held in trust for tribes and individuals.
More recently, a proposal has been developed with the Cannon Financial Institute. Cannon is a training organization used by many large trust companies and banks for specialized banking and trust training and to develop training curriculums for current managers involved with all trust activities. Earlier training was contracted through Cannon by OTFM to provide training of key staff as the transition was made from legacy systems to the new accounting system.
Starting on December 31, 2002, Interior requires an Individual Development Plan (IDP) for each employee with trust process responsibility.
Offices and bureaus will be reporting their compliance in early January, and this information will be provided to the Court in the next quarterly report. The IDP is a valuable performance enhancement tool for any federal employee that specifies future training for that employee. The IDP can be of great assistance to managers who are committed to heightened skill requirements of subordinates and to those employees who want to enhance skills and strengths and learn more about matters that are relevant to the performance of the agency. IDPs are updated periodically as the work changes, as the employee moves on to another position, and as the needs of the organization change. IDPs are being reviewed internally in each trust organization. In the OST, all of the existing IDPs are under review by a working group that is focused on global trust management training requirements.
(4) Steps Necessary to Reach Performance Targets
Workforce planning policies for the staffing of trust management positions have been in place since October 2001, and the first required annual workforce plans are scheduled to be completed by September 30, 2003. Workload analysis and workforce planning software options to allow for automation of the workforce planning process are currently being evaluated by Interior's personnel policy staff.
· By September 30, 2003, it is expected that all Interior agencies that provide management and accounting of trust funds will have workforce plans that are recognized in budget submissions, training schedules that improve the competencies of employees, and processes to ensure that adequate staffing is in place.
· Workforce planning during calendar year 2003 will assess current and future workload, identify workforce skill gaps, and identify the strategies for addressing needed or surplus skills.
· Once the workforce planning policies and procedures have been fully implemented, trust organizations will be taking the necessary staffing actions to comply with the 1994 Trust Reform Act. Obviously, however, ongoing staffing and training improvements are essential to continued progress on trust management.
· Current staffing plans are undergoing review and changes. These changes will be driven, in large part, by the results of the EDS "As-Is" and "To-Be" business process study and the completion of workforce plans.
Workforce planning efforts have identified trust management positions and employees. Their roles and responsibilities are being analyzed in order to better define and manage the skills and competencies needed to perform the work. The addition of trust officers and trust administrators to the staffing of OST, and new staffing in BIA, will begin in calendar year 2003. Staffing is expected to be completed in all agencies that have trust activity by the end of calendar year 2004. The staffing will begin in the agencies that have the greatest trust income and greatest number of account holders. When the appropriate level of staffing is in place, the manager can effectively focus on employee development and actively engage in managing skill replacement needs.
D. COMPUTER AND BUSINESS SYSTEMS ARCHITECTURE
(1) ENTERPRISE ARCHITECTURE
The 1994 Act does not establish a particular standard or guidance regarding computer and business systems architecture. However, Interior plans to prepare an enterprise architecture plan, which incorporates both computer and business systems architecture.
· Adopt a written policy to develop an Indian trust enterprise architecture.
· Adopt written procedures to develop an Indian trust enterprise architecture.
· Approve, publish and disseminate an Indian trust enterprise architecture plan.
The Indian trust enterprise architecture will incorporate a broader view of systems integration than that needed to render an accurate accounting of the IIM trust. Other systems (e.g., those designed to support a variety of administrative functions, asset management, ownership interests, etc.) will also be incorporated into the enterprise architecture plan.
(2) GUIDANCE REGARDING PERFORMANCE
When assessing performance regarding enterprise architecture, Interior plans to consider the relevant sections of the following:
· A Practical Guide To Federal Enterprise Architecture, Version 1.0, Chief Information Officer Council, February 2001. The guide documents federal government policies and procedures regarding the development of enterprise architecture plans. Enterprise architecture includes a baseline architecture, target architecture, and [transitional] sequencing. The "business systems architecture" and the "computer systems architecture" are embodied in the development of the "enterprise architecture".
Various Interior publications that also provide information on this subject are described below.
(3) STATUS OF PERFORMANCE
(i) PROGRESS TOWARDS AN INDIAN TRUST ENTERPRISE ARCHITECTURE
Interior formed a Trust Management Improvement Project Team in 1999 and tasked it with the responsibility of defining an architecture framework and developing the initial baseline business, data, application, technology, and security architecture documents. The Trust Management Improvement Project Team prepared, in FY 2001, a series of documents related to computer and business systems. These documents represent the initial product of efforts to develop an Indian Trust Enterprise Architecture.
Interior published the U.S. Department of the Interior Information Architecture - Conceptual Architecture Principles in January 2002.
This document establishes the basic principles to be used for Interior enterprise architecture development.
Interior published the U.S. Department of the Interior Enterprise Architecture - Technical Reference Model, Version 1.0, August 15, 2002. This document describes Interior's computer systems infrastructure and establishes basic IT-related procurement requirements.
Interior published the U.S. Department of the Interior, Interior Enterprise Architecture - Conceptual Migration and Implementation Plan, Version 1, December 2, 2002. This document represents the adoption of a broader enterprise architecture for Interior overall.
Because computer systems architecture guides computer system purchases, the capital planning process is closely tied to the decisions that must be made during the enterprise architecture process. Interior published the Department of the Interior Capital Planning and Investment Control Process guide in November 2002, which was developed in accordance with the requirements of OMB Circular A-11. The guide builds upon and complements the GAO Information Technology Investment Management (ITIM) framework that was developed to provide a common structure for discussing and assessing IT capital planning and investment control (CPIC) practices at Federal agencies.
(ii) Key Steps To Develop An Indian Trust Enterprise Architecture
Obtain Executive Buy-in and Support
The Associate Deputy Secretary has coordinated efforts throughout Interior to ensure that Bureau level and Department level executive buy-in and support is in place.
Other key personnel that are engaged in the enterprise architecture include the Acting Special Trustee for American Indians, the Director of the Office of Indian Trust Transition, the acting Assistant Secretary-Indian Affairs, the acting Deputy Commissioner for BIA, the Indian Affairs chief information officer, the Interior chief information officer (CIO), the Interior trust architect, the Interior information systems security officer and the Interior trust information technology security officer.
Establish Management Structure and Control
Interior has implemented weekly conference calls between the Associate Deputy Secretary, the Interior CIO, and all of the Bureau CIOs. This is a tactical solution to address the most immediate operational issues. Interior also established the multi-bureau trust architecture working group. Through the Interior sponsored trust architecture working group, Interior has drafted a trust governance policy and a trust enterprise architecture development and systems integration management policy. These two policies identify the roles and responsibilities for the key trust system owners, business owners, and executive management.
Define an Architecture Process and Approach
Some of the analysis involved in establishing an enterprise architecture plan is similar to the basic planning approach ("As-Is" / "To-Be") described elsewhere in Interior's plan.
The elements of the enterprise architecture involve the following components:
· Strategic Planning
· Policies
· Capital Planning and Investment Control
· Governance
· Program Management
· Configuration Management
· Enterprise Architecture
· "As-Is" Business Architecture
· "As-Is" Data Architecture
· "As-Is" Application Architecture
· "As-Is" Technical Architecture
· "As-Is" Security Architecture
· "To-Be" Business Architecture
· "To-Be" Data Architecture
· "To-Be" Application Architecture
· "To-Be" Technical Architecture
· "To-Be" Security Architecture
· Information Resource Catalog (IRC)
· Transition Plan
In accordance with OMB Circulars A-130 and A-11 and the Clinger-Cohen Act, all major systems need to be identified and evaluated regularly for their costs and benefits in achieving their intended business mission support. BIA has established a Portfolio Management Capital Assets (PMCA) project to assist BIA with analysis, requirements, and execution for the prioritization of IT assets. The PMCA project will enable project managers to evaluate, rank, and select high priority projects.
Develop a Baseline Enterprise Architecture
In FY2002, Interior contracted EDS to conduct a detailed trust "As-Is" business process model. The draft results of the EDS "As-Is" analysis are described, in detail, in other parts of this document. Progress on this facet of the enterprise architecture is already being reported to the court. See Eleventh Report.
Develop a Target Enterprise Architecture
The recommendations of the EDS "As-Is" business process model and business owner expert knowledge will drive the "To-Be" trust enterprise architecture. Currently, Interior is considering the development of a data warehouse that integrates trust data from the current source systems.
This data warehouse may provide a common index across the trust records and will provide easier consolidated individual Indian account reporting. A key activity has been to develop a core set of common critical data elements.
Develop a Sequencing Plan
The details of the "To-Be" business processes have not been fully developed at this time. Once the "To-Be" process is completed, Interior will need to plan process changes carefully. To ensure changes are made in a logical order, Interior intends to prepare a sequencing plan.
(4) STEPS NECESSARY TO REACH PERFORMANCE TARGETS
Interior has prepared a project plan to complete the steps necessary to develop and adopt an enterprise architecture for Indian trust systems using the previously discussed architectural documents. As described above, some of the steps required to produce an enterprise architecture plan have already been taken. The key steps that remain include:
· Establish an enterprise architecture executive steering committee
· Appoint a chief architect
· Establish an enterprise architecture management office
· Develop an enterprise architecture program management plan
· Define the intended use of the "To-Be" architecture
· Build the baseline "As-Is" architecture
· Build the target "To-Be" architecture
· Develop the transition/sequencing plan
· Approve, publish and disseminate the enterprise architecture plan
The completion of the enterprise architecture depends upon the completion of the "As-Is"/"To-Be" business systems analysis and will be developed subsequent to the development of the business model.
C. ELECTRONIC RECORDS SECURITY
(1) PERFORMANCE TARGETS
The 1994 Act does not establish a particular standard for electronic records security. The leading document setting forth performance criteria on IT security is OMB Circular A-130.
Interior intends to obtain certification and accreditation, pursuant to OMB Circular A-130, Appendix III, for each IT system containing IIM trust information necessary to perform an accurate accounting of all IIM trust funds held in trust by the United States.
(2) GUIDANCE REGARDING PERFORMANCE
When assessing performance regarding electronic records security, Interior plans to consider the relevant sections of the following:
· 375 DM 19, Information Technology Security Program, 04-15-02. Departmental Manual (DM) 375, Chapter 19 implements the Federal IT security requirements contained in the Computer Security Act of 1987 and OMB Circular A-130, Appendix III, within Interior. The chapter establishes policies, assigns organizational and management roles and responsibilities, and establishes minimum requirements for the development, implementation, maintenance, and oversight of an IT security program for protecting Interior information and IT systems that store, process, or transmit unclassified information.
· 441 DM 01, Personnel Security and Suitability Requirements, 10-03-00. DM 441 establishes policies, regulations, and procedural guidelines governing an individual's suitability for Federal employment and national security interests. Each bureau or office head is responsible for implementing the security and suitability program.
· 444 DM 01, Physical Protection and Building Security, 07-07-99. DM 444 establishes policies for the Interior physical security program designed to safeguard Interior personnel and facilities, to include buildings, grounds, and property. Each bureau or office head is responsible for ensuring that bureau-specific physical security review and compliance programs and policies are developed and implemented.
In addition to these portions of the Departmental Manual, Interior also plans to review other publications in addressing electronic records security issues.
The primary documents are cited in the text below.
(3) STATUS OF PERFORMANCE
(i) ACHIEVING OMB CIRCULAR A-130, APPENDIX III CERTIFICATION
Interior has established a goal for compliance with OMB Circular A-130, Appendix III, for systems housing individual Indian trust data (IITD), by December 31, 2005. That target date reflects various influences associated with the length of time anticipated to delineate clearly the organizational structure to be served, the time needed to review the "As-Is" analysis being conducted by EDS, the reengineered "To-Be" process, the deliberations of the IT technical teams, the observations made in the National Institute of Standards and Technology (NIST) Computer Security Expert Assist Team (CSEAT) report, funding commitments and expectations, and the short-term priority to improve the security of Interior's systems.
· For electronic records stored in IT systems, Interior has adopted the NIST 800-37 Certification and Accreditation process, as outlined in the new NIST Special Publication 800-37, Federal Guidelines for the Security Certification and Accreditation of Information Technology Systems. This process establishes the recommended requirements to bring a system on-line, such as a computer systems security plan, security specifications and test results, a contingency plan, and other pertinent documents (e.g., risk analyses, audits, information resources management reviews).
In FY 2002, BIA developed system interface diagrams that illustrate the flow of data processing from one trust system to another. These system interface diagrams are required in order to certify and accredit systems in accordance with the NIST 800-37 Certification and Accreditation standards.
Multi-disciplinary teams, involving Interior employees along with technical contractors, have been evaluating the requirements of OMB Circular A-130, Appendix III, and the status of Interior's trust or IIM systems. The teams are developing a list of tasks that will require completion prior to system accreditation.
Interior's IT security goal is to protect and secure the confidentiality, integrity, and accessibility of trust data internally and externally. To ensure that proper access to data, integrity of data, and confidentiality of data is maintained electronically, Interior has begun the implementation of the OMB Circular A-130, Appendix III process to achieve compliance. Projects include the following:
· BIA plans to provide information assurance and security awareness training to BIA trust system planners, developers, users, and administrators. Within the security architecture, the transitional goal is to secure the network perimeter, harden the security of the equipment and software, secure user accounts, and track and report incidents. Indian Affairs is in the process of conducting risk and vulnerability assessments using NIST 800-26 and 800-37 criteria.
· Interior plans to enhance security management through the development of security plans, procedures and policies, risk assessments, a continuity of operations plan and user account security. Funding has been obtained for the top priority trust systems. BIA awarded a contract to Senet, Inc. to provide security analysis, security planning, and security operations support.
4. THE IT SECURITY AUDIT FINDINGS DATABASE
Interior established a database to track IT security audit findings and actions taken that originated from the Special Master's Report (November 1, 2001), which documented lapses in Interior IT, as well as other IT audit findings.
BIA assigned a project manager for the audit findings and recommendations database project. The following tasks have been initiated and/or completed:
· Reviewed and categorized the audit findings database using NIST Principles and Practices for Securing IT Systems as guidance;
· Entered additional findings from the SRA Risk Assessment Report and the NIST CSEAT Report;
· Developed a menu-driven interface for audit record additions, extractions, sorting, reporting and administratively controlled editing of audit findings;
· Developed a work plan to close findings grouped into NIST SP 800-14 categories.
(i) Secure E-Mail and Web Proxy Services
· BIA plans to provide content filtering and access control to permit authorized communication and prohibit unauthorized communication to and from trust personnel and systems. BIA developed a technical requirements document outlining the HTTP, HTTPS, SMTP, FTP, and Lotus Notes security requirements for reconnecting to the Internet.
· BIA also conducted a gap analysis, selected a network security configuration and successfully installed and tested a prototype. The network security configuration meets BIA's specifications, which are designed to provide sufficient security from potential external intrusions (hacking) and internal leakage of data. This solution is proposed to be the first phase of the BIA's conversion onto a secure communications network.
· Secure e-mail and web proxies, along with system hardening, will provide sufficient security for establishing the reconnection of BIA trust users to the Internet. Efforts will continue beyond this first phase to harden other systems within the BIA trust environment and to establish the necessary operation management security practices to sustain long term security.
(ii) Secured Network Communication
· BIA plans to use a secured communications network to replace BIANet between the central office, the regional offices, and the agencies. BIA plans to connect the agencies to the tribes, at some point in the future, when proper security measures have been agreed upon. BIA plans to install secure e-mail and web proxies at the central office first, followed by installation at the six hubs and then installation at the regional offices and agencies. The network will have around-the-clock monitoring and incident response in a secured environment connecting back to BIA, where system performance and monitoring will be added.
· System boundary definitions, which define the connection points, data flows and trusted relationships between systems, are being evaluated. These should also identify potential hacker penetration paths so they can be addressed.
(iii) Vulnerability Assessment and Mitigation
· Vulnerability assessment and mitigation will incrementally address hardening requirements in the BIA central office, regions, and agencies. This will be accomplished through site visits by contractors who will assess each site's OMB Circular A-130 compliance and create a work plan to correct any material deficiencies that are found. System hardening efforts will focus on network hardening, desktop hardening, physical security, personnel security, and systems documentation. Interior has undertaken measures to harden the Central Office-East (Reston, VA), is completing the Central Office-West (Albuquerque, NM), and is starting the next priority hub site. BIA has implemented the NIST 800-26 evaluations for OMB Circular A-130 compliance at these sites and is developing work-off plans to address the vulnerabilities discovered in the above review.
(iv) Computer Systems Inventory Management
· To improve IT security effectively, the BIA needs to know what IT assets it has, where the IT assets are, who owns the IT assets, who uses the IT assets, how the IT assets are configured, and when the IT assets were last modified. To answer these questions, BIA has successfully installed network automated discovery tools and is in the process of completing the implementation of the desktop automated discovery, problem resolution management, and remote control tools. This will enable BIA to validate the Security Technical Implementation Guide hardening and Windows 2000 upgrade requirements.
(5) STEPS NECESSARY TO REACH PERFORMANCE TARGETS
Obtain certification and accreditation, pursuant to OMB Circular A-130, Appendix III, for each IT system containing IIM trust information necessary to perform an accurate accounting