3 Years After Data Breaches, OPM Still Has Security Deficiencies

View this article online at https://www.fedsmith.com/2018/11/14/3-years-data-breaches-opm-still-security-deficiencies/
By Ian Smith on November 14, 2018 in Agency News


A recent report from the Government Accountability Office found that the Office of Personnel Management still has not implemented a little over one third of recommended security improvements in the wake of the data breaches that impacted the agency over three years ago.

About the Data Breaches

In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a second breach had compromised the files related to background investigations for 21.5 million individuals, including applicants and the spouses and contacts listed on their forms. Because about 3.6 million people were affected by both incidents, OPM put the combined number of unique individuals affected at roughly 22.1 million. The compromised background-investigation data included fingerprints (about 5.6 million sets, by OPM's later estimate) along with the detailed personal information collected on security clearance forms.

There was significant fallout from the breaches, including the resignations of OPM’s director at the time, Katherine Archuleta, and of the agency’s chief information officer. The National Treasury Employees Union (NTEU) and the American Federation of Government Employees (AFGE) also both sued OPM over the data breaches, citing the agency’s failure to properly safeguard federal employees’ personal data.

OPM’s Progress on Security

In 2017, GAO reported on 19 security improvement recommendations that had been made to OPM after the breaches: the agency had fully implemented 11 of them and had taken some action on, but not yet completed, the remaining 8.

Earlier this year, OPM’s Office of the Inspector General said that the agency is continuing to make some of the same mistakes that left it vulnerable to the data breaches.

The IG said in that report:

On the surface, OPM is continuing to make the same mistakes that plagued its recent unsuccessful “Shell” initiative. Rather than developing a modernization strategy, evaluating alternatives, estimating the costs, and following established capital budgeting processes, OPM is doing it backwards.

OPM has still not clearly identified a comprehensive modernization strategy or established the required planning and budgeting mechanisms that would accompany such a project.

And where does OPM stand now? GAO said in its latest report:

OPM has made progress in implementing our recommendations for improving its security posture, but further actions are needed. As of September 20, 2018, the agency had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations.

The table below, taken from GAO’s report, shows where OPM stands on implementation of GAO’s various recommendations for improving IT security. (Report numbers ending in “SU” are restricted, sensitive-but-unclassified reports that GAO does not release publicly.)

OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018

                      Number of Recommendations
GAO Report Number     Closed – implemented   Open – insufficient evidence   Open – no evidence   Total
GAO-16-501            0                      1                              3                    4
GAO-16-687SU          46                     2                              14                   62
GAO-17-459SU          2                      1                              6                    9
GAO-17-614            3                      1                              1                    5
Total                 51                     5                              24                   80

Notwithstanding these deficiencies, OPM’s Office of the Chief Information Officer told GAO that the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018, and expects to implement 3 more by the end of fiscal year 2019.

A copy of the GAO report (“GAO Report on OPM’s IT Security Progress”) accompanied the original article.


© 2019 Ian Smith. All rights reserved. This article may not be reproduced without express written consent from Ian Smith.


About the Author

Ian Smith is one of the co-founders of FedSmith.com. He enjoys writing about current topics that affect the federal workforce.
