Auditors: Systems at ‘Greater Risk’ Till OPM Properly Implements All Security Requirements
Office of Personnel Management Chief Information Officer David DeVries says negative aspects of a Government Accountability Office report on steps OPM is taking to secure its IT paint an incomplete and not fully accurate picture of the agency’s cybersecurity posture.
The chief information officer at the U.S. Office of Personnel Management complains that congressional auditors fail to appreciate all of the steps his agency has taken to secure its IT system, which in 2015 fell victim to a massive security breach that exposed the personal information of more than 21.5 million individuals.
Although the Government Accountability Office gives high marks to the U.S. Office of Personnel Management for some steps it has taken to secure its IT systems, the auditing and investigative arm of Congress contends OPM fell short in several areas that put its IT assets at risk.
“Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be,” GAO Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in an audit report made public Thursday.
OPM Employs Defense-in-Depth Strategy
But OPM CIO David DeVries, in a written response to GAO, says the auditors paint an incomplete and not fully accurate picture of the agency’s cybersecurity posture. “GAO does not fully acknowledge OPM’s defense-in-depth strategy and compensation controls,” DeVries says. “OPM has applied a defense-in-depth strategy to efforts to enhance OPM’s cybersecurity posture, meaning there are many layers and aspects to OPM’s defensive strategy.”
One example of a shortfall GAO points out: after OPM identified its high-value assets, such as systems containing sensitive information that might be attractive to potential adversaries, it still failed to encrypt stored data on one selected system and transmitted data on another.
According to GAO, OPM’s procedures for overseeing the security of its contractor-operated systems failed to ensure that controls were comprehensively tested. “Although the agency has implemented elements of contractor oversight such as recording security assessment findings for contractor-operated systems in remediation plans, it did not ensure that system security assessments involved comprehensive testing,” Wilshusen and Barkakati write.