Information Security:

OPM Has Improved Controls, but Further Efforts Are Needed

GAO-17-614: Published: Aug 3, 2017. Publicly Released: Aug 3, 2017.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Since the 2015 data breaches, the Office of Personnel Management (OPM) has taken actions to prevent, mitigate, and respond to data breaches involving sensitive personal and background investigation information, but actions are not complete. OPM implemented or made progress towards implementing 19 recommendations made by the United States Computer Emergency Readiness Team (US-CERT) to bolster OPM's information security practices and controls in the wake of the 2015 breaches. GAO determined that the agency completed actions for 11 of the recommendations and took actions for the remaining 8, with actions for 4 of these 8 requiring further improvement (see table). In addition, OPM did not consistently update completion dates for outstanding recommendations and did not validate corrective actions taken to ensure that the actions effectively addressed the recommendations.

Table 1: GAO Assessment of the Status of Recommendations to the Office of Personnel Management (OPM) by the U.S. Computer Emergency Readiness Team

Status                                                             Number of recommendations
Completed actions                                                  11
Further improvements needed for actions OPM considered complete    4
In progress                                                        4

Source: GAO evaluation of OPM data. | GAO-17-614

OPM also made progress in implementing information security policies and practices associated with selected government-wide initiatives and requirements. However, it did not fully implement all of the requirements. For example, OPM identified its high value assets, such as systems containing sensitive information that might be attractive to potential adversaries, but it did not encrypt stored data on one selected system and did not encrypt transmitted data on another. Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be.

OPM's procedures for overseeing the security of its contractor-operated systems did not ensure that controls were comprehensively tested. Although the agency has implemented elements of contractor oversight such as recording security assessment findings for contractor-operated systems in remediation plans, it did not ensure that system security assessments involved comprehensive testing. The agency requires information system security officers to conduct quality assurance reviews that include reviewing security assessments of contractor-operated systems; however, its policy did not include detailed guidance on how the reviews are to be conducted. Until such a procedure is clearly defined and documented, OPM will have less assurance that the security controls intended to protect OPM information maintained on contractor-operated systems are sufficiently implemented.

Why GAO Did This Study

OPM collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In 2015, OPM reported significant breaches of personal information that affected 21.5 million individuals.

The Senate report accompanying the Financial Services and General Government Appropriations Act, 2016 included a provision for GAO to review information security at OPM. GAO evaluated OPM's (1) actions since the 2015 reported data breaches to prevent, mitigate, and respond to data breaches involving sensitive personnel records and information; (2) information security policies and practices for implementing selected government-wide initiatives and requirements; and (3) procedures for overseeing the security of OPM information maintained by contractors providing IT services. To do so, GAO examined policies, plans, and procedures and other documents; tested controls for selected systems; and interviewed officials. This is a public version of a sensitive report being issued concurrently. GAO omitted certain specific examples due to the sensitive nature of the information.

What GAO Recommends

GAO is making five recommendations to improve OPM's security. OPM concurred with four of these and partially concurred with the one on validating its corrective actions. GAO continues to believe that implementation of this recommendation is warranted. In GAO's limited distribution report, GAO made nine additional recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: OPM concurred with the recommendation. In fiscal year 2018 we verified that the updated document now reflects expected completion dates for implementing the recommendations made by US-CERT. This action increases assurance that vulnerabilities that can expose the agency's systems to cybersecurity incidents are mitigated.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT.

    Agency Affected: Office of Personnel Management

  2. Status: Open

    Priority recommendation

    Comments: OPM partially concurred with the recommendation. The agency asserts it is working on making improvements to its automated system to further support its remedial action management processes, including timely closure. OPM has established metrics for timeliness, and expects to create a baseline for measuring performance before the end of fiscal year 2018. As of August 2018, OPM had not yet provided evidence that it has implemented the recommendation.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations.

    Agency Affected: Office of Personnel Management

  3. Status: Closed - Implemented

    Comments: OPM concurred with the recommendation. In fiscal year 2018 we verified that OPM has updated its policy to reflect deployment of DHS threat indicators and the specific 24-hour scanning requirement. This action increases assurance that the agency's controls are being communicated to those responsible for their performance and are capable of being monitored and evaluated.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement.

    Agency Affected: Office of Personnel Management

  4. Status: Open

    Priority recommendation

    Comments: OPM concurred with the recommendation. The agency plans to implement role-based training for staff who use Continuous Diagnostics and Mitigation tools, with an expected completion date before the end of fiscal year 2018. As of August 2018, OPM had not yet provided evidence that it has implemented the recommendation.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools.

    Agency Affected: Office of Personnel Management

  5. Status: Closed - Implemented

    Comments: OPM concurred with the recommendation. In fiscal years 2017 and 2018 OPM, in response to our recommendation, provided guidance on its quality assurance process. The agency issued a security handbook that lists a policy, strategy, and guides for evaluating security control assessments. In addition, OPM provided staff with training on evaluating assessment results.

    Recommendation: To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments.

    Agency Affected: Office of Personnel Management
