Two years after the breaches that exposed the data of 22.1 million people, the Office of Personnel Management is still struggling to properly test its information security.
A new audit by the agency’s inspector general found “significant problems” in OPM’s security assessment and authorization methodology.
Specifically, the audit found weaknesses in the way OPM is testing the security of its local area networks and wide area networks, or LAN/WAN.
The issue stems from April 2015 when then-OPM CIO Donna Seymour decided to extend authorizations for systems that had expired and those that were set to expire through fiscal 2016. At the time Seymour argued this would streamline the authorization process after a big IT modernization project. The move effectively stopped authorization activity at the agency, the IG report states, and placed the agency at “extreme risk associated with neglecting the IT security controls of its information systems.”
Indeed, the IT modernization project was soon scrapped and this left systems included in the extension operating “in the same legacy environment without a valid Authorization.”
After this, in fiscal 2016, OPM started an “authorization sprint” designed to get all systems compliant with authorization guidelines. While this improved the security situation, the IG found, there remain possible vulnerabilities.
“We acknowledge that the lack of a valid Authorization does not necessarily mean that a system is insecure,” the report states. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities.”
While the audit concludes that OPM’s management of authorizations still constitutes a “material weakness” in the agency’s IT security, it ends on a hopeful note.
“It is our understanding that the agency acknowledges this weakness and has a plan in place to address it,” the report states. “We will continue to monitor this activity closely.”
OPM is also working to develop a “comprehensive security control continuous monitoring program that will eventually replace the need for periodic system Authorizations,” but first it must update its authorizations, the IG found.