It seems that the Office of Personnel Management’s relationship with its inspector general has gone from a difference of opinion to a heated schism on the subject of IT security.
In the fiscal 2018 audit of OPM’s compliance with Federal Information Security Modernization Act (FISMA) requirements dated Oct. 30, IG officials described the agency’s response to their findings as “unusually adversarial,” saying that agency personnel questioned both the auditors’ authority to make recommendations and the validity of the methods they used to conduct the study.
The pugilistic tenor of the two organizations comes as the annual audit has again questioned the overall quality of OPM’s security controls.
Since the agency’s massive 2015 breach — which exposed the information of more than 22 million people and kick-started the federal government’s recent wave of IT modernization and cyber-hygiene — FISMA audits have become an exercise in bedevilment for OPM officials, with the IG routinely panning the agency’s progress in improving its cybersecurity posture.
Though the IG noted that OPM has made great strides since its 2015 breach in improving perimeter security, it found that only six of the agency’s 54 major systems require two-factor authentication, and monitoring and testing security controls continue to be a struggle.
According to auditors, the cause of OPM’s cybersecurity woes rests in the lack of resources agency officials provide the CIO to manage IT operations, combined with a decentralized oversight of IT security professionals and a lack of information system security officers.
“While part of the problem is one of resources, effective management of a skilled team of security experts is also needed,” the IG report said. “The result of this is an inadequate security assessment and authorization program, incomplete testing of system security controls and contingency plans, and lack of corrective action for identified weaknesses.”
But OPM officials weren’t having it. In an Oct. 1 response to the report, then-OPM Director Jeff Pon said the IG’s findings were “unsubstantiated or reflect a subjective opinion.”
“In some instances, the OIG’s comments intrude on the broad discretion afforded to the agency by FISMA to make its own choices regarding appropriate safeguards that are administratively and technologically feasible,” Pon said. “The report reflects OIG’s decision to downgrade OPM’s security governance structure to a material weakness is largely based on OIG’s opinions on OPM staffing decisions.”
The former director went on to say that the report ignores strides made by the agency, including expanding control testing, improving risk assessments and better defining system boundaries. Pon would later abruptly resign without explanation on Oct. 5 and be replaced by Office of Management and Budget Deputy Director for Management Margaret Weichert.
IG officials disputed Pon’s assessment of their role, saying that it runs counter to the spirit of the Inspector General Act of 1978.
“Our findings and conclusions are not ‘unsubstantiated,’ but are supported by relevant and sufficient evidence gathered during the audit,” the report said. “In addition, to the extent that the results of our audit are ‘subjective,’ they are based on our professional judgment, competence, and experience.”
The audit also dinged the OPM Office of the CIO for its approach to addressing open IG recommendations, alleging the office “does not regularly follow OPM’s established processes for managing the resolution” of those recommendations.
The report offered 52 recommendations on how to address FISMA deficiencies, most of which were rolled over from previous audits. OPM officials did not concur with many of those recommendations.
OPM is currently in the midst of a massive transformation that proposes to shift its Human Resources Solutions operations to the General Services Administration and other HR policy functions into the Executive Office of the President.