Information Security: OPM Has Improved Controls, but Further Efforts Are Needed
Highlights
What GAO Found
Since the 2015 data breaches, the Office of Personnel Management (OPM) has taken actions to prevent, mitigate, and respond to data breaches involving sensitive personal and background investigation information, but actions are not complete. OPM implemented or made progress towards implementing 19 recommendations made by the United States Computer Emergency Readiness Team (US-CERT) to bolster OPM's information security practices and controls in the wake of the 2015 breaches. GAO determined that the agency completed actions for 11 of the recommendations and took actions for the remaining 8, with actions for 4 of these 8 requiring further improvement (see table). In addition, OPM did not consistently update completion dates for outstanding recommendations and did not validate corrective actions taken to ensure that the actions effectively addressed the recommendations.
Table 1: GAO Assessment of the Status of Recommendations to the Office of Personnel Management (OPM) by the U.S. Computer Emergency Readiness Team
| Status | Number of recommendations |
|---|---|
| Completed actions | 11 |
| Further improvements needed for actions OPM considered complete | 4 |
| In progress | 4 |
Source: GAO evaluation of OPM data. | GAO-17-614
OPM also made progress in implementing information security policies and practices associated with selected government-wide initiatives and requirements. However, it did not fully implement all of the requirements. For example, OPM identified its high value assets, such as systems containing sensitive information that might be attractive to potential adversaries, but it did not encrypt stored data on one selected system and did not encrypt transmitted data on another. Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be.
OPM's procedures for overseeing the security of its contractor-operated systems did not ensure that controls were comprehensively tested. Although the agency has implemented elements of contractor oversight such as recording security assessment findings for contractor-operated systems in remediation plans, it did not ensure that system security assessments involved comprehensive testing. The agency requires information system security officers to conduct quality assurance reviews that include reviewing security assessments of contractor-operated systems; however, its policy did not include detailed guidance on how the reviews are to be conducted. Until such a procedure is clearly defined and documented, OPM will have less assurance that the security controls intended to protect OPM information maintained on contractor-operated systems are sufficiently implemented.
Why GAO Did This Study
OPM collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In 2015, OPM reported significant breaches of personal information that affected 21.5 million individuals.
The Senate report accompanying the Financial Services and General Government Appropriations Act, 2016 included a provision for GAO to review information security at OPM. GAO evaluated OPM's (1) actions since the 2015 reported data breaches to prevent, mitigate, and respond to data breaches involving sensitive personnel records and information; (2) information security policies and practices for implementing selected government-wide initiatives and requirements; and (3) procedures for overseeing the security of OPM information maintained by contractors providing IT services. To do so, GAO examined policies, plans, and procedures and other documents; tested controls for selected systems; and interviewed officials. This is a public version of a sensitive report being issued concurrently. GAO omitted certain specific examples due to the sensitive nature of the information.
Recommendations
GAO is making five recommendations to improve OPM's security. OPM concurred with four of these and partially concurred with the one on validating its corrective actions. GAO continues to believe that implementation of this recommendation is warranted. In GAO's limited distribution report, GAO made nine additional recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Personnel Management | To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update the plans of action and milestones to reflect expected completion dates for implementing the recommendations made by US-CERT. | OPM concurred with the recommendation. In fiscal year 2018 we verified that the updated document now reflects expected completion dates for implementing the recommendations made by US-CERT. This action increases assurance that vulnerabilities that can expose the agency's systems to cybersecurity incidents are mitigated. |
| Office of Personnel Management | Priority Rec. To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should improve the timeliness of validating evidence associated with actions taken to address the US-CERT recommendations. | OPM partially concurred with the recommendation. In fiscal year 2023, we verified that OPM improved the timeliness of validating evidence associated with actions taken to address US-CERT recommendations. |
| Office of Personnel Management | To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should update policy to reflect deployment of Department of Homeland Security threat indicators and the specific 24-hour scanning requirement. | OPM concurred with the recommendation. In fiscal year 2018 we verified that OPM has updated its policy to reflect deployment of DHS threat indicators and the specific 24-hour scanning requirement. This action increases assurance that the agency's controls are being communicated to those responsible for their performance and are capable of being monitored and evaluated. |
| Office of Personnel Management | Priority Rec. To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools. | OPM concurred with the recommendation. In fiscal year 2022 we verified that OPM developed and implemented role-based training requirements for staff using Continuous Diagnostics and Mitigation tools. |
| Office of Personnel Management | To further improve security over personnel and other sensitive information at the agency, the Acting Director of OPM should provide detailed guidance on the quality assurance process that includes evaluating security control assessments. | OPM concurred with the recommendation. In fiscal years 2017 and 2018 OPM, in response to our recommendation, provided guidance on its quality assurance process. The agency issued a security handbook that lists a policy, strategy, and guides for evaluating security control assessments. In addition, OPM provided staff with training on evaluating assessment results. |