Audit: OPM Struggles to Ensure IT Security

IG Identifies Office of Personnel Management Problems In Assessing Security
OPM CIO David DeVries acknowledges the problems the agency faces in authorizing the security of its systems.

The U.S. Office of Personnel Management continues to struggle to ensure the security of its information systems two years after a massive breach that exposed the personal information of some 21.5 million individuals, including many with security clearances.

A June inspector general's audit assessing how OPM approached the authorization of the security of its systems, made public this past week, identified significant problems in determining whether its systems meet security requirements.

Lacking a valid authorization does not mean the system is insecure, Michael Esser, OPM assistant inspector general for audits, writes in the audit report. "However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities," Esser says. "OPM's management of system authorizations represents a material weakness in the internal control structure of the agency's IT security program."

Main Audit Findings

According to the audit:

  • OPM's local area network and wide area network systems security plan lacked relevant data about hardware, software, minor systems and inherited controls.
  • Deficiencies in the security control testing performed as part of the LAN/WAN authorization process likely prevented the assessors from identifying security vulnerabilities that could have been detected with an appropriately thorough test.
  • Security weaknesses detected during the LAN/WAN authorization were not appropriately tracked in a Plan of Action and Milestones document.
  • Critical elements were missing from many of the other authorization packages prepared during the latest assessment process.

Reevaluation Underway

David DeVries, OPM's CIO, acknowledges the struggles the agency faces in authorizing the security of its IT. "OPM has already initiated a secondary assessment of the infrastructure to evaluate the security controls that were not fully satisfied from the initial assessment," DeVries responded in a memorandum sent to the IG.

OPM had been operating since fiscal year 2014 without valid security authorization for its systems. The following year, OPM temporarily halted authorization activity, further weakening its security posture, the IG says. To address these deficiencies, OPM last year initiated a so-called authorization sprint to get the agency's systems compliant.

An information system authorization is a comprehensive assessment that evaluates whether security controls are meeting requirements. The purpose of this assessment is to document the system's controls, risks and remediation plans. If the security risk associated with the system is deemed to be acceptable, then the system is formally authorized to operate in the agency's production IT environment.

Authorization Moratorium

In 2015, then-OPM CIO Donna Seymour halted the authorization process, justifying the move by pointing out that the agency was migrating its IT infrastructure to two new data centers and modernizing its applications. Once that initiative was completed, she pointed out, all systems would have to receive new authorizations anyway. But within a year, OPM scrapped the original modernization initiative.

"Although the moratorium on authorizations has since been lifted, the effects of the April 2015 memorandum continue to have a significant negative impact on the agency," Esser says. "As a result, many of the systems included in the memorandum operated in the same legacy environment without a valid authorization."

According to the audit, OPM is working to implement a comprehensive security control continuous monitoring program that would eventually replace the need for periodic system authorizations as required by the Federal Information and Security Modernization Act.

Awaiting Maturity

The IG says OPM's continuous monitoring program is rapidly improving but has yet to reach the point of maturity where it can effectively replace the authorization program, a point OPM accepts. OPM acknowledges that a current and comprehensive authorization for each system is a prerequisite for a continuous monitoring program because it would furnish a baseline of the security controls that need to be continuously monitored.

Though not mentioned in the audit, the 2015 breach - believed to have originated in China - highlighted the vulnerabilities in OPM's systems.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
