OPM Gets Poor Cyber Grade 18 Months After Breach

Witnesses including former OPM Director Katherine Archuleta and federal CIO Tony Scott sit before the Senate hearing on federal Cybersecurity and the OPM Data Breach.

Witnesses including former OPM Director Katherine Archuleta and federal CIO Tony Scott sit before the Senate hearing on federal Cybersecurity and the OPM Data Breach. Susan Walsh/AP

High staff turnover puts agency security at risk, according to the annual information security management audit.

The Office of Personnel Management, which suffered a devastating data breach last year, still suffers from extensive cyber weaknesses, including inadequate scanning for computer vulnerabilities and extremely high turnover among staffers responsible for information security, according to an audit released Friday.

A particular concern is the “extremely high employee turnover rate” of information system security officers tasked with guaranteeing the security of specific technology systems, according to the audit from OPM’s inspector general. The agency also had five different chief information officers during the past three years, the audit notes.

“We believe that OPM’s IT security management structure—as currently defined on paper—can be effective with some minor improvements,” the report states. “However, this structure was not operational for the majority of [fiscal year] 2016, and therefore we believe that this issue again rises to the level of a significant deficiency.”

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The turnover also contributed to a “significant regression” in OPM compliance with the Federal Information Security Management Act, auditors found. The audit is an annual FISMA requirement.

OPM agreed with the auditors’ staffing assessment and plans to staff back up to a full complement of 24 information system security officers shortly, according to the audit.

The 2015 OPM data breach compromised records of 21.5 million current and former federal employees and their families and instigated a full-scale review of government cybersecurity.

The breach also led to the Oct. 1 transfer of responsibility for securing OPM’s Federal Investigative Service, the agency that conducts most civilian background checks to the Defense Department. The new agency, which is housed inside OPM but secured by DOD, is called the National Background Investigation Bureau.

There were four investigative service technology systems that were past due for full security checkups known as “information system security assessment and authorizations” when the inspector general completed is audit. That was before the transfer to DOD. There were 18 total OPM systems without those authorizations, auditors said.

Auditors also dinged OPM for poorly defined IT management roles, inadequate inventory management and expired agreements for contractor operated IT systems.