OPM Contends 'Audit Fatigue' Hampers InfoSec Compliance

IG Identifies Significant Deficiencies in Agency's IT Management Structure

The head of the U.S. Office of Personnel Management cites "audit fatigue" as a factor explaining why the federal agency that experienced a massive data breach in 2015 continues to come up short in securing its information systems.

OPM Acting Director Kathleen McGettigan, in response to the OPM inspector general's annual audit required under the Federal Information Security Modernization Act, points out that the OPM's IG is one of several entities that audit OPM IT.

"Each time an engagement commences, OCIO (Office of the Chief Information Officer) is obligated to expend time and resources locating responsive documents, responding to questions and, ultimately, replying to these multiple, sometimes overlapping duplicative audits," McGettigan says. "We appreciate and understand the importance of these audits, but believe OCIO would benefit from an effort to achieve a more tailored, streamlined and coordinated approach from its various auditors."

OPM has long struggled with securing critical IT, as exemplified by the 2015 breach - believed to have originated in China - in which personal information of some 21.5 million people, many with security clearances, was exposed (see OPM's 2nd Breach: 21.5 Million Victims). The IG, in its latest audit reports published earlier this week, documents that OPM continues to struggle with IT security.

Limited Resources

In the audit that covers fiscal 2017, which ended on Sept. 30, the IG notes that OPM made improvements in its security assessment and authorization program. But the IG identifies significant deficiencies in OPM's IT management structure. "While resource limitations certainly impact the effectiveness of OPM's cybersecurity program, the staff currently in place is not fulfilling its responsibilities that are outlined in OPM policies and required by FISMA," Assistant Inspector General for Audits Michael Esser writes in the FISMA assessment.

Esser's comments were in response to McGettigan's contention that OPM's CIO office has limited resources to implement previous IG recommendations to comply fully with FISMA requirements. "OCIO's resources have been impacted by budgetary uncertainties and the ensuing difficulties in planning hiring actions that can be sustained in the upcoming fiscal year," McGettigan says.

Among the continuing security challenges OPM faces, according to the audit, is information security continuous monitoring. OPM has not completed the implementation and enforcement of continuous monitoring policies. "OPM also continues to struggle with conducting a security controls assessment on all of its information systems," Esser says. "This has been an ongoing weakness at OPM for over a decade."

The IG says OPM also struggles with maintaining its contingency plans as well as conducting routine contingency plan tests.

Still, the IG says, OPM has made significant strides in incident response, implementing all of the FISMA metrics at the level of "consistently implemented" or higher.

Lack of Maturity

Overall, the audit reveals, OPM IT security isn't as mature as it should be. FISMA, the law that governs federal government IT security, uses metrics derived from the cybersecurity framework developed by the National Institute of Standards and Technology (see NIST Tailors Framework for Federal Agencies). The framework defines five maturity levels, from 1 to 5; OPM's maturity was graded at level 2, the second lowest. The framework describes level 2 as policies, procedures and strategy being formalized and documented but not consistently implemented.

The IG made 40 recommendations on how OPM can improve its IT security posture. On nearly all of them, OPM either entirely or partially agreed with the recommendations.

But OPM did not concur on one recommendation, first made in 2014, that system owners be the ones who authorize access rights and privileges. OPM says it will take the IG's suggestion under advisement but first wants to consult with the agency's subject matter experts to determine whether the recommendation is necessary and appropriate. "It appears that the agency has not yet determined whether it agrees with the recommendation," Esser says. "We will provide additional feedback once OPM solidifies its position."


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
