Information Security: OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain Open

Highlights

What GAO Found

The Office of Personnel Management (OPM) has made progress in implementing GAO's recommendations, but further efforts remain. As of September 20, 2018, OPM had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations, as shown in table 1.

Table 1: OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018

GAO Report Number	Number of Recommendations
	Closed- implemented	Open- insufficient evidence	Open- no evidence	Total
GAO-16-501	0	1	3	4
GAO-16-687SU	46	2	14	62
GAO-17-459SU	2	1	6	9
GAO-17-614	3	1	1	5
Total	51	5	24	80

Source: GAO analysis of OPM evidence. I GAO-19-143R

Notes:

Closed-implemented: GAO validated that OPM implemented the recommendation.

Open-insufficient evidence: GAO determined that evidence provided by OPM was insufficient to demonstrate that the agency had implemented the recommendation.

Open-no evidence: OPM did not provide GAO with any evidence that the agency had implemented the recommendation.

According to officials in OPM's Office of the Chief Information Officer, the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018. The agency expects to implement 3 additional recommendations by the end of fiscal year 2019. OPM has created remedial action plans for each of the 28 open recommendations that it plans to implement.

However, OPM does not intend to implement the one remaining recommendation related to deploying a security tool on contractor workstations. The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided GAO with evidence of these controls. Expeditiously implementing all open recommendations is essential to ensuring appropriate controls are in place to protect the agency’s systems and information.

Why GAO Did This Study

The Office of Personnel Management (OPM) collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the data files related to background investigations for 21.5 million individuals.

From February 2015 through August 2017, GAO conducted multiple reviews of OPM's information security and issued four reports based on these reviews. The reports contained 80 recommendations for improving the agency's security posture.

The Explanatory Statement that accompanies the Consolidated Appropriations Act, 2018, included a provision for GAO to brief the House and Senate Appropriations Committees on actions taken by OPM in response to GAO's information security recommendations. GAO's objective for this report was to determine the extent to which OPM has implemented the recommendations to improve the agency's information security.

Recommendations

GAO is not making any new recommendations with this product.

Full Report

Full Report (37 pages)

Accessible PDF (35 pages)

GAO Contacts

Gregory C. Wilshusen

Director

wilshuseng@gao.gov

(202) 512-4800

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Information Security

Background investigationsComputer emergency responseInformation securityPersonnel managementPersonnel recordsSecurity clearancesDesktop computersAudit objectivesContingency plansFinancial services