2 Years After Massive Breach, OPM Isn’t Sufficiently Vetting IT Systems

The personnel agency isn’t adequately testing the security of its local and wide area networks, an auditor found.

More than two years after suffering a massive data breach, the Office of Personnel Management still isn’t sufficiently vetting many of its information systems, an auditor found.

In some cases, OPM is past due to re-authorize IT systems, the inspector general’s audit said. In other cases, OPM did reauthorize those systems but did it in a haphazard and shoddy way during a 2016 “authorization sprint,” the IG said.

“The lack of a valid authorization does not necessarily mean that a system is insecure,” the auditors said. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities.”

The audit is dated June 20 but was publicly released July 7.

OPM became a symbol for the government’s cybersecurity vulnerability in 2015 when Chinese government-linked hackers compromised sensitive security clearance documents stored by the agency about more than 20 million current and former federal employees and their families.

That breach prompted a governmentwide “cyber sprint” to shore up vulnerable systems.

Among other vulnerabilities, the IG found OPM wasn’t sufficiently testing the security of its local area networks and wide area networks, known as LAN/WAN.

As a result, “there is a significant risk, if not likelihood, that the security controls testing performed as part of the LAN/WAN authorization process did not identify security vulnerabilities that could have been detected with an appropriately thorough test,” the IG said.

The security guidelines for those networks also don’t comply with guidance from the government’s cyber standards agency, the National Institute of Standards and Technology, the IG said.