An Inspector General audit of computer systems at the Office of Personnel Management was recently released. Two years after millions of personnel records were stolen from the agency, the IG found little progress in securing data. A Fox News story on November 18 characterized the situation as “actually regressing in its efforts to provide adequate defenses against further cyber-intrusions.”

In June, we covered the “computer chaos” all across the Federal government, with out-of-date systems and no plans to modernize. The 2016 IG audit of OPM, conducted in compliance with the Federal Information Security Modernization Act (FISMA), found 18 separate systems lacking a security authorization. In addition, the audit found that the agency was unable to retain skilled employees in critical positions.

Fox notes one large retention issue for OPM: five Chief Information Officers in three years. This is suggestive of a serious internal push-back on computer systems modernization and security within the agency. The loss of CIOs indicates the inability of OPM management to implement existing laws, regulations and requirements on the topic. The result: “There has been a significant regression in OPM’s compliance with FISMA requirements, as the agency failed to meet requirements that it had successfully met in prior years.”

Out of Compliance and Unable to Meet Deadlines

The Inspector General audit criticizes the lack of agency-wide IT infrastructure development oversight as well as an investment policy that includes all purchases, not just major ones. It notes that the responsibilities and duties of various members of IT teams have not been defined. Despite an “Authorization Sprint” in 2016, 18 systems remain out of compliance with agency and government-wide requirements. Worth noting is that five of these are in the office of the Chief Information Officer itself.

Where progress is underway, it is slow. The audit notes that “Many information system owners are not meeting the self-imposed deadlines for remediating the security weaknesses listed on the Plan of Action and Milestones.” Forty-three of 46 major information systems have at least one item that is 120 days or longer past due. Here again, the largest number of such items is in the office of the CIO.

OPM has an inventory of software and hardware, new for 2016. However, the inventory does not map each piece of software to the hardware it resides on. In addition, while OPM has begun using standard security configuration checklists, the IG found that implementation of configuration standards was inconsistent across multiple operating systems. Adding to the difficulty is the existence of “severely out-of-date and unsupported software and operating platforms.”

Contractors operate a large number of OPM systems. OPM has an effective method of removing its own personnel as authorized users when they terminate employment. The IG found that the agency lacks a centralized process for doing the same for contract employees. Indeed, OPM does not maintain a list of all contractors with access to OPM networks.

The audit contains many additional findings and recommendations, many of them repeated from prior years. OPM concurs with most recommendations, in whole or in part. However, it concurred with previous audits as well. A large question mark continues to hang over the Office of Personnel Management’s ability and willingness to achieve improved cybersecurity.

Charles Simmins brings thirty years of accounting and management experience to his coverage of the news. An upstate New Yorker, he is a freelance journalist, former volunteer firefighter and EMT, and is owned by a wife and four cats.