The Office of Personnel Management's cybersecurity is still in bad shape, three years after it suffered a massive data breach that compromised sensitive records about more than 20 million Americans.
OPM has made some cybersecurity and management improvements, but “significant deficiencies” remain and the current information security staff is “not fulfilling its responsibilities,” the agency's inspector general said Monday.
OPM's overall cybersecurity maturity score is 2 out of a possible 5, according to the year-end report on the personnel office’s compliance with the Federal Information Security Management Act.
Level 2 is described as “defined.” That is one step above level 1, “ad hoc,” but below level 3, “consistently implemented,” level 4, “managed and measurable,” and level 5, “optimized.”
OPM has not fully implemented a system to continuously monitor its information security and has not successfully assessed the information security controls on all of its systems, the auditor said, adding that “this has been an ongoing weakness at OPM for over a decade.”
The office has improved its information security training but has not done a workforce assessment to determine how well that training is working, the auditor said.
The office has, however, made strides on its cyber incident response plans, the auditor said. OPM earned a level 3, “consistently implemented,” maturity score on that metric.
The OPM breach, which was disclosed in 2014, compromised security clearance information for about 21.5 million current and former federal employees and their families. The breach compromised fingerprint information for a smaller number of employees.
The Chinese government is widely believed to be responsible for the breach.
In the wake of the breach, former President Barack Obama ordered personnel information to be moved to a new organization, the National Background Investigation Bureau, which is inside OPM but secured by the Defense Department.