Only two of the Office of Personnel Management’s 46 major IT applications are fully compliant with federal requirements for employees to use two-factor authentication to access the systems, a new report from agency watchdogs says.
While OPM has made large strides in the past year to comply with the Federal Information Security Management Act’s call for two-factor authentication with personal identity verification credentials — namely to log on to its network — the agency’s inspector general found in its fiscal year 2016 FISMA report that the same access controls were not being enforced for individual systems.
“In early FY 2016, OPM implemented controls that prevent non-OPM issued devices from connecting to the network. These controls close a previous loophole that allowed users to gain access to the network without PIV authentication,” the report says.
Despite that progress, the IG said, OPM can’t be fully two-factor, PIV compliant until “all of its information systems (applications) can be accessed only via PIV authentication in lieu of a username and password.”
“Our audit work indicated that only 2 of OPM’s 46 major applications enforced PIV authentication,” the report says. “This is a critical control because without PIV authentication enforced at the application level, users of the network (either authorized or unauthorized) could still gain access to applications that they are not authorized to use, and public-facing systems are more vulnerable to remote attack.”
Also of note in the report, the IG states that the agency struggles to manage access to its network for contractors who have been terminated from a project.
“Our evaluation of OPM’s termination process indicates that the process appears to work as intended for removing terminated agency (non-contractor) employees in a timely manner,” the report says. “However, the process for terminating access for contractor employees leaving the agency is not centrally managed, and it is the responsibility of the various Contracting Officer Representatives to notify the OCIO that a contractor no longer requires access. Furthermore, OPM does not maintain a complete list of all the contractors that have access to OPM’s network, so there is no way for the OCIO to audit the termination process to ensure that contractor accounts are removed in a timely manner.”
Quoting the Federal Information System Controls Audit Manual, the IG says such employees or contractors who are no longer serving the agency but “continue to have access to critical or sensitive resources pose a major threat.”
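The control gap the IG describes is auditable only once an authoritative contractor list exists. The following is an added illustration, not OPM's or the IG's tooling, of what that audit looks like: every enabled network account is reconciled against a contractor roster (assumed to carry the responsible Contracting Officer Representative and a contract end date), accounts with no roster entry are flagged, and accounts still enabled past their end date are reported with how many days overdue they are. All names, dates and the five-day removal target are constructed sample values.

```python
"""Reconcile enabled network accounts against a contractor roster.

Added example with constructed data; the roster fields (COR, end date)
and the 5-day removal target are assumptions, not OPM policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RosterEntry:
    username: str
    contracting_officer_rep: str   # COR who must notify OCIO on termination
    end_date: Optional[date]       # None means the contractor is still active


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    disabled_on: Optional[date]    # when OCIO disabled the account, if ever


# Constructed sample data (hypothetical usernames and dates).
ROSTER = [
    RosterEntry("alice.c", "cor-1", None),
    RosterEntry("bob.c", "cor-1", date(2016, 3, 31)),
    RosterEntry("carol.c", "cor-2", date(2016, 6, 15)),
    RosterEntry("dan.c", "cor-2", date(2016, 7, 1)),
]
ACCOUNTS = [
    Account("alice.c", True, None),
    Account("bob.c", True, None),                   # contract ended, never disabled
    Account("carol.c", False, date(2016, 6, 17)),   # disabled 2 days after end
    Account("dan.c", False, date(2016, 8, 20)),     # disabled 50 days after end
    Account("eve.c", True, None),                   # no roster entry at all
]
AS_OF = date(2016, 9, 30)   # constructed audit date


def orphaned_accounts(accounts, roster) -> List[str]:
    """Enabled accounts with no roster entry: either the list is incomplete
    or nobody owns the account. Both are findings."""
    known = {r.username for r in roster}
    return sorted(a.username for a in accounts
                  if a.enabled and a.username not in known)


def overdue_accounts(accounts, roster, as_of: date,
                     grace_days: int = 5) -> Dict[str, int]:
    """Enabled accounts whose contract end date is more than grace_days
    in the past, mapped to the number of days since the end date."""
    by_name = {a.username: a for a in accounts}
    overdue = {}
    for r in roster:
        if r.end_date is None:
            continue
        acct = by_name.get(r.username)
        if acct is None or not acct.enabled:
            continue
        days = (as_of - r.end_date).days
        if days > grace_days:
            overdue[r.username] = days
    return overdue


def removal_lag_days(accounts, roster) -> Dict[str, int]:
    """For accounts that were disabled, days between contract end and
    disablement: the timeliness metric the IG says cannot be measured
    without a complete list."""
    by_name = {a.username: a for a in accounts}
    lags = {}
    for r in roster:
        acct = by_name.get(r.username)
        if r.end_date and acct and acct.disabled_on:
            lags[r.username] = (acct.disabled_on - r.end_date).days
    return lags


def audit(accounts, roster, as_of: date, sla_days: int = 5) -> dict:
    """Combine the three checks into one report."""
    lags = removal_lag_days(accounts, roster)
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "overdue": overdue_accounts(accounts, roster, as_of, sla_days),
        "late_removals": {u: d for u, d in lags.items() if d > sla_days},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(ACCOUNTS, ROSTER, AS_OF), indent=2))
```

Run against real data, the "orphaned" list is the direct measure of how incomplete the contractor list is, and "late_removals" gives the per-COR evidence needed to show whether the decentralised notification process actually works within the chosen target.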
Many reports point to contractor credentials as the source of an intrusion on OPM’s systems in 2014, ultimately leading to the theft of more than 20 million federal employees’ and background check applicants’ records. To gain access to OPM’s network, the hackers reportedly used a credential belonging to contractor KeyPoint Government Solutions, though it was not mismanaged but rather taken in a separate breach of the company months earlier.
OPM CIO Dave DeVries only partially concurred with the IG’s recommendation to create a master list and more effectively manage this access.
While OPM does have an access list for both employees and contractors, he said “management of the OPM contractor workforce is an agency-wide effort. OCIO will engage appropriate program offices to support the management of contractor personnel. OCIO will review and update its account management processes to ensure network accounts are secured after contractor termination actions are taken in a timely manner in accordance with OPM security policies.”
Elsewhere, the report points to concerns with OPM’s IT security management structure, as the IG has reported in years past. Though the agency has filled many key information security positions in the past year and centralized that responsibility under the CIO, staffing issues continue to plague its effectiveness.
“For a brief period of time, this governance structure was operating effectively,” the report says. “However, there has been an extremely high employee turnover rate for the ISSO positions, and OPM has struggled to backfill these vacancies. In addition, there have been five different individuals in the role of the Chief Information Officer in the past three years.”
However, in the past fiscal year, OPM hired eight “information system security officers,” a permanent CISO and DeVries — an experienced federal IT leader — as its permanent CIO.
Still, the report says, “simply having the staff on board does not guarantee that the team can effectively manage information security and keep OPM compliant with FISMA requirements.”