The Office of Personnel Management continues to struggle with cybersecurity more than two years after the agency first publicly acknowledged they were breached due to poor security practices, according to a newly released Office of the Inspector General report.
The report, which focuses on the state of systems during fiscal year 2017, concludes that while OPM has “made improvements in its Security Assessment and Authorization (Authorization) program,” inspectors were nonetheless able to find a “significant deficiency in OPM’s information security management structure.”
This translated to a poor overall cybersecurity score, as defined by the National Institute of Standards and Technology, of two out of five for OPM. The score from the OIG is supposed to define the “maturity” level of an organization in relation to the security of information systems.
This lackluster rating is due in large part to inaction by the agency regarding prior security recommendations referenced in other audits.
“OPM is not making substantial progress in implementing our FISMA recommendations from prior audits,” the report reads. “While resource limitations certainly impact the effectiveness of OPM’s cybersecurity program, the staff currently in place is not fulfilling its responsibilities that are outlined in OPM policies and required by FISMA.”
A piece of legislation known as the Federal Information Security Modernization Act, or FISMA, which was enacted into law during the Obama administration in 2014, requires inspector general offices to conduct annual information security assessments within multiple federal agencies.
The OIG-OPM report disclosed Monday is a result of FISMA being implemented.
Although OPM has reportedly made improvements in several recognized issue areas, including for example with the agencies’ increased ability to quickly remediate cyberattacks due to a more competent incident response process, it “continues to struggle” in other domains. The OIG took note — repeatedly — of what they precisely described as a longstanding lack of “contingency planning” and a failure to enforce continuous monitoring program policies.
OPM failed to test contingency plans that it had devised — like those used in emergency situations, data breaches and unpredictable system failures — across a number of different divisions; representing a continuation of past problems, the report identified.
According to the OIG, the lack of such testing could one day be catastrophic.
“OPM’s failure to test the contingency plans for almost 90 percent of its systems is a symptom of the significant deficiency in the agency’s information security governance structure,” according to the OIG. “Failure to appropriately manage information system contingency plans in a changing environment increases the risk that contingency plans will not meet OPM’s system recovery time and business objectives should disruptive events occur.”
Under the Trump administration, OPM saw an overall budget boost in fiscal year 2017 of approximately $18 million. A significant portion of this new funding was allocated to upgrading legacy IT systems, which are typically more difficult to update and therefore maintain secure.
Jeff Pon, the White House’s nominee for the OPM director post, has said he will prioritize the recruitment of cybersecurity professionals; calling it his “number one” priority during a recent confirmation hearing.