Information security still lagging at OPM, report finds

The agency has completed 11 of the 19 recommendations made in the wake of the 2015 data breach.

While the Office of Personnel Management’s information security practices have improved since the 2015 breach, OPM still has some work to do, a new Government Accountability Office report concludes.

The report, released Thursday, looks at OPM’s progress on the 19 recommendations the United States Computer Emergency Readiness Team (US-CERT) made after the breach that exposed the data of 22.1 million people.

All in all, GAO concludes, OPM has completed 11 recommendations while the eight others remain in need of attention.

“Since the 2015 data breaches, OPM has taken actions to prevent, mitigate, and respond to data breaches involving sensitive personal and background investigation information, but actions are not complete,” the report states. “Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be.”


The GAO makes five recommendations for how OPM should proceed, including the suggestion that “the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.”

OPM remains without a permanent director. President Donald Trump nominated George Nesterczuk to the role, but reports surfaced this week that Nesterczuk withdrew his nomination. Beth Cobert, the former acting director of OPM under President Obama, served for nearly two years without ever receiving Senate confirmation.

Separately, a recent audit by OPM’s inspector general found “significant problems” in the way the agency tests its information security.
