The Office of Personnel Management’s (OPM) data breaches of 2015 left 26.1 million US citizens with their personal identifying information (PII) compromised. In December 2015, OPM issued its last update on the breach. Since then, the IT side of the OPM house has been charged with tightening up infrastructure.
Last week, the “Audit of the US Office of Personnel Management’s Security Assessment and Authorization Methodology” was released publicly. The bottom line from the OPM IG: “We detected significant problems.”
What are the problems identified by the OPM IG?
- The LAN/WAN system security plan (SSP) was missing relevant data about hardware, software, minor systems, and inherited controls. Additionally, the LAN/WAN SSP also failed to appropriately address several relevant controls, labeled as “not applicable.”
- Deficiencies in the security control testing performed as part of the LAN/WAN Authorization process likely prevented the assessors from identifying security vulnerabilities that could have been detected with an appropriately thorough test.
- The security weaknesses detected during the LAN/WAN Authorization were not appropriately tracked in a Plan of Action and Milestones document.
OPM IG Recommendations
Complete the SSP
OPM IG recommended that the OPM IT folks complete the SSP and this time make sure it contains all the elements from the original OPM SSP and adheres to NIST guidance. Perhaps the most egregious gap was the lack of inventory documentation on hardware or software used within OPM. The report highlights, correctly, that without an inventory of what is attached to the network, those responsible for securing the systems will be hard pressed to design controls and protect the environment. Furthermore, the report notes that “an independent assessor cannot effectively evaluate the security posture of the system as a whole.” OPM promised an updated SSP.
Of the 334 LAN/WAN security controls that the OPM IG tested, 202 were “either not satisfied or only partially satisfied.” With the security controls in such a state, “the LAN/WAN security controls assessment likely did not identify vulnerabilities that could have been detected with a thorough test.” The OPM IG urged OPM to conduct a thorough security controls assessment after the SSP is in place. OPM noted that their system is dynamic, and that exclusion of portions of the network was not purposeful obfuscation.
Plan of Action
The absence of a comprehensive plan of action and milestones document leaves one guessing as to the current state of remediation to deficiencies found during testing and assessments. For those looking in from afar it may seem like a “duh” moment when we learn that there is no bingo-card checking off the identified weaknesses and remediation status. When challenged, OPM did provide a plan of action document, which contained 15 independent assessor findings. The OPM IG found that the plan of action was short 51 findings, as the assessor had found 66 findings.
OPM restructured its IT team following the 2015 breaches. They continue in their role within the security clearance process, and millions of US citizens have entrusted OPM with their most sensitive data (their SF-86, the results of background interviews on each cleared individual and the adjudication decision on the granting of security clearances authorizing access to US national security information).
OPM has an obligation to get it right, or the events of 2015 are destined to be replicated. The nation’s adversaries have not disappeared; they are enhancing and retooling their own capabilities, and millions of OPM files remain the mother lode of assessment information for the hostile foreign intelligence adversary.