GAO Plans OPM, FedRAMP Audits in 2017

A top question for government cyber auditors next year will be whether the Office of Personnel Management has shored up the information security weaknesses that led to a massive breach of personnel information in 2015.

A report examining OPM’s efforts to mitigate, detect and combat cyber intrusions is likely to come out in April, Gregory Wilshusen, director of information security issues at the Government Accountability Office, told an advisory board last week.

The OPM review is part of a tally of ongoing and planned GAO cyber audits Wilshusen provided to members of the National Institute of Standards and Technology’s Information Security and Privacy Oversight Board.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The White House ordered a “cyber sprint” to shore up government technology in the wake of the China-linked OPM breach, which compromised sensitive records of 21.5 million current and former federal employees. The White House transferred responsibility for securing government background investigations to the Defense Department following the wake of the breach.

GAO also plans to audit controls on personal information held by the Centers for Disease Control and Prevention and the National Institutes of Health in coming months, Wilshusen said. That audit will be similar to a September audit that found numerous control weaknesses at the Food and Drug Administration that put public health data at risk, he said.

The office is also planning an audit of the Federal Risk and Authorization Management Program, which vets private companies’ ability to sell cloud computing services to the government, Wilshusen said. That audit will focus both on the 24 major federal agencies’ ability to securely use cloud services and on the experience of companies going through the vetting process, he said.