Audit: OPM IT systems not ‘protected against another attack’
The Office of Personnel Management still struggles to meet many federal cybersecurity requirements, though it has made a concerted effort to improve its information security in the wake of a major data breach discovered earlier this year, according to the agency’s inspector general.
Information security has been a longstanding issue at OPM, the IG detailed in its final Federal Information Security Management Act audit report for fiscal year 2015: 21 of the 27 recommendations in this latest report are at least a year old. And while OPM has improved its information security management structure in the past fiscal year, according to this audit, “there has been a regression in OPM’s management of its system Authorization program,” an issue highlighted in the prior year’s audit.
In April, Chief Information Officer Donna Seymour issued an extension on systems with expired authorizations and those set to expire through fiscal year 2016, until the agency migrates applications into an entirely new and modernized IT environment it’s calling the “Shell.” But by then “the agency will have up to 23 systems that have not been subject to a thorough security controls assessment,” the report says, and the IG believes it will “result in the IT security controls of OPM’s systems being neglected.”
Adding to the security weaknesses, the report found OPM’s continuous monitoring methodology to be at a basic, or “ad hoc,” level. That, combined with the numerous unauthorized systems, makes the IG “very concerned that the agency’s systems will not be protected against another attack.”
OPM Office of the CIO personnel told the IG the continuous monitoring policies and procedures “are currently being restructured to better suit the current OPM environment,” the report states. That effort is currently in the drafting stage.
The agency’s “inability to accurately inventory its systems and network devices drastically diminishes the effectiveness of its security controls,” the report also states.
The IG noted, however, that OPM has been very cooperative recently and has worked to address the IG’s past recommendations.
“We acknowledge that OPM has recently placed additional focus on addressing OIG audit recommendations, and has sought our input in implementing controls to protect its technical environment,” it said. “Significant work remains for the agency to secure its IT systems, and we are hopeful that this trend continues through the next fiscal year.”
Seymour concurred with nearly all of the IG’s 26 total recommendations in the report, only partially concurring on a few.
“We welcome a collaborative dialogue to help ensure we fully understand the OIG’s recommendations as we plan our remediation efforts so that our actions and the closure of the recommendations thoroughly address the underlying issues,” she wrote in a letter responding to the IG’s draft recommendations. “I look forward to continued discussions during our monthly reviews to help ensure we remain aligned.”
An OPM spokesman told FedScoop in an emailed statement: “OPM has been working tirelessly in addressing OIG recommendations. In fact, we have remediated nearly 80% of all OIG recommendations dating back to FISMA 2007 — a substantial increase over last year. As always, we welcome the assistance of our Inspector General in finding more ways to improve, and we are eager to continue our work on these remediations to further enhance our IT and cyber security program.”