The Government Accountability Office found that the Office of Personnel Management’s cybersecurity posture is still lacking after the major hack of the agency in 2015.
Since the data breach, OPM has taken steps to secure its most sensitive systems, but:
- OPM could institute further improvements.
- The agency did not consistently update completion dates for outstanding recommendations.
- OPM did not validate the corrective actions it took to confirm that they effectively addressed the recommendations.
OPM identified its high-value assets, but it didn’t encrypt stored data on one selected system and didn’t encrypt transmitted data on another system.
“Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be,” the GAO report said.
OPM didn’t comprehensively test its controls when overseeing the security of its contractor-operated systems. OPM records security assessment findings for contractor-operated systems in remediation plans, but the agency didn’t ensure that system security assessments involved comprehensive testing. OPM requires IT officers to conduct reviews of contractor-operated systems; however, OPM doesn’t have a policy on how the reviews should be conducted.
“Until such a procedure is clearly defined and documented, OPM will have less assurance that the security controls intended to protect OPM information maintained on contractor-operated systems are sufficiently implemented,” the GAO report said.
GAO recommended that OPM:
- Update its policy to reflect the deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirements.
- Develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.
- Provide detailed guidance on the quality assurance process that includes evaluating security control assessments.
- Update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.
- Improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.