The Office of Personnel Management has yet again received less than favorable marks on its annual cybersecurity audit in the wake of massive breaches at the agency fewer than three years ago.
OPM’s inspector general released its Federal Information Security Management Act (FISMA) compliance report for fiscal 2017 on Monday, concluding that while OPM has “made improvements” in its Security Assessment and Authorization program, there is still a “significant deficiency in OPM’s information security management structure.”
This latest report comes on the heels of another from the IG this summer that found “significant problems” in OPM’s security assessment and authorization methodology, the same program the IG now says has improved. OPM was the victim of a series of breaches revealed in 2015 that compromised the information of more than 20 million Americans.
In total, OPM received a score of 2 from the IG out of a possible 5 for its cybersecurity maturity level. On the five-level maturity model used in the annual IG FISMA metrics, level 2 (“Defined”) means policies and procedures exist but are not consistently implemented; a program is not rated effective until it reaches level 4 (“Managed and Measurable”).
“OPM is not making substantial progress in implementing our FISMA recommendations from prior audits,” the IG said. “While resource limitations certainly impact the effectiveness of OPM’s cybersecurity program, the staff currently in place is not fulfilling its responsibilities that are outlined in OPM policies and required by FISMA.”
The IG found glaring deficiencies in OPM’s information security continuous monitoring in particular, saying that although the agency had established policies and procedures, “the organization has not completed the implementation and enforcement of the policies.”
“OPM also continues to struggle with conducting a security controls assessment on all of its information systems,” the report states. “This has been an ongoing weakness at OPM for over a decade.”
With the impact of the 2015 breaches still lingering for the agency, the IG came down on OPM hard, and at times the audit’s language was unusually blunt.
“The annual FISMA reporting metrics are publicly available documents, and are made available to OPM and the OIG at the same time, and are generally covering the same topics every year,” the IG writes. “It would seem obvious that the OCIO should anticipate the required documentation and interview requests and stage the information in a readily accessible location. This audit is essentially an ‘open book test,’ but, inexplicably, OPM continues to struggle in providing timely documentation and appears to be generally unprepared to respond to routine audit requests.”
The IG also made a point of noting that although OPM, like many agencies, may lack the full resources it needs for an optimal cybersecurity program, resources are not the problem in this case. “The staff currently in place is not fulfilling its responsibilities outlined in OPM policy and required by FISMA. We continue to find issues with the quality of the work that is completed, and routinely detect instances where work was completed that did not adhere to OPM policy.”
Since the breaches, cybersecurity has become a top-level issue at OPM. As she left government earlier this year, former Director Beth Cobert touted the progress the agency made under her tenure on things like two-factor authentication on every network, encryption of data and piloting many of the Department of Homeland Security’s continuous monitoring tools. And Jeff Pon, President Donald Trump’s nominee to head OPM, vowed recently that if confirmed to the position, he would make the agency’s cybersecurity one of his top priorities.