Despite some improvement, the Office of Personnel Management continues to lag in cybersecurity, according to the most recent info security audit from the agency’s internal watchdog. Failure to move on key vulnerabilities leaves OPM potentially open to another devastating attack, according to the fiscal 2015 audit from OPM’s Office of the Inspector General.
Despite an increased focus on IT security at OPM after a breach exposed the personal information of over 20 million current, former and prospective federal employees, the agency “continues to struggle to meet many…requirements” under the Federal Information Security Modernization Act, the report stated.
One key weakness: CIO Donna Seymour in April issued an extension on OPM system authorizations that had expired. A continued moratorium on authorizations “will result in the IT security controls of OPM’s systems being neglected,” the report said. “Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”
As many as 23 major OPM IT systems are operating without a valid authorization, according to the OIG. The agency agreed with the OIG’s recommendation that all active OPM systems have a valid authorization, but the OIG does not appear convinced of OPM’s intent to follow through on it.
“The [Office of the CIO] could not have made a ‘risk-based’ decision to extend the authorizations of these systems because it has not done any assessment to determine what risks actually exist within these systems,” the report said.
On the positive side of the ledger, on Sept. 30 of this year OPM closed one recommendation by expanding its network monitoring program to include the Continuous Diagnostics and Mitigation Program offered by the Department of Homeland Security.
On Nov. 6, OPM’s tech team expanded its data collection to record “more meaningful data” on network events, while reducing the proportion of extraneous information, closing an OIG recommendation from 2014.
Changes made to information security governance this fall at OPM satisfied a long-standing weakness cited by OIG. At OIG’s urging, the agency implemented “a centralized information security governance structure where all information security practitioners, including designated security officers, report to the [chief information security officer].”
Still, key weaknesses remain, according to the report. OPM does not have a thorough inventory of its servers, databases, and network devices, which “drastically diminishes” the effectiveness of the agency’s security tools, the report stated. In an age of telework, the OIG also found that OPM has not configured its virtual private network servers to automatically log out of remote sessions.
An ambitious project to revamp OPM’s IT infrastructure by migrating applications to a new “Shell” environment has impacted OPM’s FISMA reporting metrics. The audit compared OPM’s inventory of major IT systems with an inventory done in preparation for the Shell migration.
“There are significant discrepancies between the two lists, and our primary concern is that there are still unidentified systems residing on OPM’s network, and that existing applications are not appropriately classified as major or minor,” the report said. OPM has estimated that the first two phases of the Shell project will cost $93 million, and the agency has struggled to come up with the money for the project.
In comments on a draft of the OIG report, the CIO office said it was “proud” to report that it had closed 77 percent of recommendations made by OIG FISMA audits from fiscal years 2007 to 2014. The OIG was less impressed with that number.
“The vast majority of those recommendations were closed many years ago, and are no longer relevant to the current cybersecurity threats that the agency faces,” the OIG report stated. “A more relevant statistic is that OPM has closed only 43 percent” of recommendations in fiscal 2013 and 2014 FISMA audits, it added.