Information Security: OPM Has Implemented Many of GAO's 80 Recommendations, but Over One-Third Remain Open
Highlights
What GAO Found
The Office of Personnel Management (OPM) has made progress in implementing GAO's recommendations, but further efforts remain. As of September 20, 2018, OPM had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations, as shown in table 1.
Table 1: OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018
| GAO Report Number | Recommendations: Closed-implemented | Recommendations: Open-insufficient evidence | Recommendations: Open-no evidence | Recommendations: Total |
|---|---|---|---|---|
| GAO-16-501 | 0 | 1 | 3 | 4 |
| GAO-16-687SU | 46 | 2 | 14 | 62 |
| GAO-17-459SU | 2 | 1 | 6 | 9 |
| GAO-17-614 | 3 | 1 | 1 | 5 |
| Total | 51 | 5 | 24 | 80 |
According to officials in OPM's Office of the Chief Information Officer, the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018. The agency expects to implement 3 additional recommendations by the end of fiscal year 2019. OPM has created remedial action plans for each of the 28 open recommendations that it plans to implement.
However, OPM does not intend to implement the one remaining recommendation related to deploying a security tool on contractor workstations. The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided GAO with evidence of these controls. Expeditiously implementing all open recommendations is essential to ensuring appropriate controls are in place to protect the agency’s systems and information.
Why GAO Did This Study
The Office of Personnel Management (OPM) collects and maintains personal data on millions of individuals, including data related to security clearance investigations. In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the data files related to background investigations for 21.5 million individuals.
From February 2015 through August 2017, GAO conducted multiple reviews of OPM's information security and issued four reports based on these reviews. The reports contained 80 recommendations for improving the agency's security posture.
The Explanatory Statement that accompanies the Consolidated Appropriations Act, 2018, included a provision for GAO to brief the House and Senate Appropriations Committees on actions taken by OPM in response to GAO's information security recommendations. GAO's objective for this report was to determine the extent to which OPM has implemented the recommendations to improve the agency's information security.
Recommendations
GAO is not making any new recommendations with this product.