Skip to main content

Information Security: OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain Open

GAO-19-143R Published: Nov 13, 2018. Publicly Released: Nov 13, 2018.
Jump To:
Skip to Highlights


What GAO Found

The Office of Personnel Management (OPM) has made progress in implementing GAO's recommendations, but further efforts remain. As of September 20, 2018, OPM had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations, as shown in table 1.

Table 1: OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018 

GAO Report Number   Number of Recommendations




insufficient evidence


no evidence

GAO-16-501                  0  1 3 4
GAO-16-687SU 46 2 14 62
GAO-17-459SU 2 1 6 9
GAO-17-614 3 1 1 5
Total 51 5 24 80
Source: GAO analysis of OPM evidence.  I   GAO-19-143R
Closed-implemented: GAO validated that OPM implemented the recommendation.
Open-insufficient evidence: GAO determined that evidence provided by OPM was insufficient to demonstrate that the agency had implemented the recommendation.
Open-no evidence: OPM did not provide GAO with any evidence that the agency had implemented the recommendation.

According to officials in OPM's Office of the Chief Information Officer, the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018. The agency expects to implement 3 additional recommendations by the end of fiscal year 2019. OPM has created remedial action plans for each of the 28 open recommendations that it plans to implement. 

However, OPM does not intend to implement the one remaining recommendation related to deploying a security tool on contractor workstations. The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided GAO with evidence of these controls. Expeditiously implementing all open recommendations is essential to ensuring appropriate controls are in place to protect the agency’s systems and information.

Why GAO Did This Study

The Office of Personnel Management (OPM) collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the data files related to background investigations for 21.5 million individuals.

From February 2015 through August 2017, GAO conducted multiple reviews of OPM's information security and issued four reports based on these reviews. The reports contained 80 recommendations for improving the agency's security posture.

The Explanatory Statement that accompanies the Consolidated Appropriations Act, 2018, included a provision for GAO to brief the House and Senate Appropriations Committees on actions taken by OPM in response to GAO's information security recommendations. GAO's objective for this report was to determine the extent to which OPM has implemented the recommendations to improve the agency's information security.


GAO is not making any new recommendations with this product.

Full Report

GAO Contacts

Office of Public Affairs


Background investigationsComputer emergency responseInformation securityPersonnel managementPersonnel recordsSecurity clearancesDesktop computersAudit objectivesContingency plansFinancial services