Audit: OPM Struggles to Ensure IT Security

IG Identifies Office of Personnel Management Problems In Assessing Security

The U.S. Office of Personnel Management continues to struggle to ensure the security of its information systems two years after a massive breach that exposed the personal information of some 21.5 million individuals, including many with security clearances.

A June inspector general’s audit assessing how OPM approached the authorization of the security of its systems, made public this past week, identified significant problems in determining whether its systems meet security requirements.

Lacking a valid authorization does not mean the system is insecure, Michael Esser, OMP assistant inspector general for audits, writes in the audit report. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities,” Esser says. “OPM’s management of system authorizations represents a material weakness in the internal control structure of the agency’s IT security program.”

Main Audit Findings

According to the audit:

  • OPM’s local area network and wide area network systems security plan lacked relevant data about hardware, software, minor systems and inherited controls.
  • Deficiencies in the security control testing performed as part of the LAN/WAN authorization process likely prevented the assessors from identifying security vulnerabilities that could have been detected with an appropriately thorough test.
  • Security weaknesses detected during the LAN/WAN authorization were not appropriately tracked in a Plan of Action and Milestones document.
  • Critical elements were missing from many of the other authorization packages prepared during the latest assessment process.