IG Report: OPM Still Struggles with IT Security

Mark Van Scyoc/Shutterstock.com

The IG report identified persistent security weaknesses.

The Office of Personnel Management is still struggling to address IT recommendations repeatedly made by the inspector general's office, a new report says. 

The IG is required under the Federal Information Security Management Act to review agencies' security programs and practices. This year's review, published just months after OPM admitted that a network hack had exposed the personal information of 22 million people, warned that failure to address its recommendations could make the agency vulnerable to another attack. 

The report's findings included that OPM's procedure for notifying outside groups (including the IG) when incidents occur took too long, and that only 65 percent of employees with "significant security responsibilities" had completed a special IT training during the 2015 fiscal year. 

While the OPM hack "may have been impossible to prevent," auditors have previously identified weaknesses in OPM's IT management, the report said. "Our recommendations appeared to garner little attention, as the same findings were repeated year after year."

The IG also warned against an OPM policy that extends blanket authorizations to IT systems whose authorizations are currently out of date. If the policy continues, OPM could have up to 23 systems improperly assessed, the report said. 

"Combined with the inadequacy and  noncompliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack," the report concluded. 

In a response to the report, OPM Chief Information Officer Donna Seymour wrote that her office had closed 77 percent of the OIG's recommendations between fiscal 2007 and 2014. 

Here are some other findings from the report:

  • Though 17 of 46 major applications were operated by contractors, OPM wasn't maintaining a record outlining each Interconnection Security Agreement.
  • FISMA requires remote access sessions to lock users out after 30 minutes of inactivity, but OPM has not yet met this requirement. It's scheduled for completion in May 2016.
  • The Office of the CIO created a group of IT security professionals in the 2011 fiscal year to serve in a risk management role, but the group still doesn't have a charter and "does not have clearly defined responsibility and authority."
  • OPM still hasn't met the Office of Management and Budget requirements for requiring PIV cards to unlock OPM-issued devices. Though about 97 percent of OPM laptops did require PIV authentication, users didn't need two-factor authentication to log their personal devices onto the network. "Therefore, very few, if any, OPM users were technically required to log onto the network with two-factor PIV authentication," the report said.
  • OPM's Information Systems Continuous Monitoring program is still operating in an "ad-hoc" capacity. OPM plans to install the Department of Homeland Security's Continuous Diagnostic and Mitigation program, but not until the middle of the 2016 fiscal year.

(Image via /Shutterstock.com