Audit: OPM Struggles to Ensure IT Security
IG Identifies Office of Personnel Management Problems In Assessing Security
The U.S. Office of Personnel Management continues to struggle to ensure the security of its information systems two years after a massive breach that exposed the personal information of some 21.5 million individuals, including many with security clearances.
A June inspector general's audit assessing how OPM approached the authorization of the security of its systems, made public this past week, identified significant problems in determining whether its systems meet security requirements.
Lacking a valid authorization does not mean a system is insecure, Michael Esser, OPM assistant inspector general for audits, writes in the audit report. "However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities," Esser says. "OPM's management of system authorizations represents a material weakness in the internal control structure of the agency's IT security program."
Main Audit Findings
According to the audit:
- OPM's local area network and wide area network systems security plan lacked relevant data about hardware, software, minor systems and inherited controls.
- Deficiencies in the security control testing performed as part of the LAN/WAN authorization process likely prevented the assessors from identifying security vulnerabilities that could have been detected with an appropriately thorough test.
- Security weaknesses detected during the LAN/WAN authorization were not appropriately tracked in a Plan of Action and Milestones document.
- Critical elements were missing from many of the other authorization packages prepared during the latest assessment process.
David DeVries, OPM's CIO, acknowledges the difficulties the agency faces in authorizing the security of its IT systems. "OPM has already initiated a secondary assessment of the infrastructure to evaluate the security controls that were not fully satisfied from the initial assessment," DeVries responded in a memorandum sent to the IG.
OPM had been operating since fiscal year 2014 without valid security authorization for its systems. The following year, OPM temporarily halted authorization activity, further weakening its security posture, the IG says. To address these deficiencies, OPM last year initiated a so-called authorization sprint to get the agency's systems compliant.
An information system authorization is a comprehensive assessment that evaluates whether security controls are meeting requirements. The purpose of this assessment is to document the system's controls, risks and remediation plans. If the security risk associated with the system is deemed to be acceptable, then the system is formally authorized to operate in the agency's production IT environment.
In 2015, then-OPM CIO Donna Seymour halted the authorization process, justifying the move by pointing out that the agency was migrating its IT infrastructure to two new data centers and modernizing its applications. Once that initiative was completed, she pointed out, all systems would have to receive new authorizations anyway. But within a year, OPM scrapped the original modernization initiative.
"Although the moratorium on authorizations has since been lifted, the effects of the April 2015 memorandum continue to have a significant negative impact on the agency," Esser says. "As a result, many of the systems included in the memorandum operated in the same legacy environment without a valid authorization."
According to the audit, OPM is working to implement a comprehensive security control continuous monitoring program that would eventually replace the need for periodic system authorizations as required by the Federal Information Security Modernization Act.
The IG says OPM's continuous monitoring program is rapidly improving but has yet to reach the point of maturity where it can effectively replace the authorization program, a point OPM accepts. OPM acknowledges that a current and comprehensive authorization for each system is a prerequisite for a continuous monitoring program because it would furnish a baseline of the security controls that need to be continuously monitored.
Though not mentioned in the audit, the 2015 breach - believed to have originated in China - highlighted the vulnerabilities in OPM's systems.