Information Security:

OPM Has Improved Controls, but Further Efforts Are Needed

GAO-17-614: Published: Aug 3, 2017. Publicly Released: Aug 3, 2017.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Since the 2015 data breaches, the Office of Personnel Management (OPM) has taken actions to prevent, mitigate, and respond to data breaches involving sensitive personal and background investigation information, but actions are not complete. OPM implemented or made progress towards implementing 19 recommendations made by the United States Computer Emergency Readiness Team (US-CERT) to bolster OPM's information security practices and controls in the wake of the 2015 breaches. GAO determined that the agency completed actions for 11 of the recommendations and took actions for the remaining 8, with actions for 4 of these 8 requiring further improvement (see table). In addition, OPM did not consistently update completion dates for outstanding recommendations and did not validate corrective actions taken to ensure that the actions effectively addressed the recommendations.

Table 1: GAO Assessment of the Status of Recommendations to the Office of Personnel Management (OPM) by the U.S. Computer Emergency Readiness Team

Status                                                            Number of recommendations
Completed actions                                                 11
Further improvements needed for actions OPM considered complete   4
In progress                                                       4

Source: GAO evaluation of OPM data. | GAO-17-614

OPM also made progress in implementing information security policies and practices associated with selected government-wide initiatives and requirements. However, it did not fully implement all of the requirements. For example, OPM identified its high value assets, such as systems containing sensitive information that might be attractive to potential adversaries, but it did not encrypt stored data on one selected system and did not encrypt transmitted data on another. Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be.

OPM's procedures for overseeing the security of its contractor-operated systems did not ensure that controls were comprehensively tested. Although the agency has implemented elements of contractor oversight such as recording security assessment findings for contractor-operated systems in remediation plans, it did not ensure that system security assessments involved comprehensive testing. The agency requires information system security officers to conduct quality assurance reviews that include reviewing security assessments of contractor-operated systems; however, its policy did not include detailed guidance on how the reviews are to be conducted. Until such a procedure is clearly defined and documented, OPM will have less assurance that the security controls intended to protect OPM information maintained on contractor-operated systems are sufficiently implemented.

Why GAO Did This Study

OPM collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In 2015, OPM reported significant breaches of personal information that affected 21.5 million individuals.

The Senate report accompanying the Financial Services and General Government Appropriations Act, 2016 included a provision for GAO to review information security at OPM. GAO evaluated OPM's (1) actions since the 2015 reported data breaches to prevent, mitigate, and respond to data breaches involving sensitive personnel records and information; (2) information security policies and practices for implementing selected government-wide initiatives and requirements; and (3) procedures for overseeing the security of OPM information maintained by contractors providing IT services. To do so, GAO examined policies, plans, and procedures and other documents; tested controls for selected systems; and interviewed officials. This is a public version of a sensitive report being issued concurrently. GAO omitted certain specific examples due to the sensitive nature of the information.

What GAO Recommends

GAO is making five recommendations to improve OPM's security. OPM concurred with four of these and partially concurred with the one on validating its corrective actions. GAO continues to believe that implementation of this recommendation is warranted. In GAO's limited distribution report, GAO made nine additional recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: OPM concurred with the recommendation. The agency plans to update the plans of action and milestones with the current status, including expected completion dates.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency Affected: Office of Personnel Management

  2. Status: Open

    Comments: OPM partially concurred with the recommendation. The agency is working on making improvements to its automated system to further support its remedial action management processes, including timely closure.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency Affected: Office of Personnel Management

  3. Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of updating security policies.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency Affected: Office of Personnel Management

  4. Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of defining role-based training requirements for its continuous monitoring program.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency Affected: Office of Personnel Management

  5. Status: Open

    Comments: OPM concurred with the recommendation. The agency is in the process of developing additional standards for evaluating security controls testing and asserts it will use these standards for evaluating security control assessments.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency Affected: Office of Personnel Management
