3 Years After Data Breaches, OPM Still Has Security Deficiencies

Over three years after the data breaches at OPM were reported, the agency still has not made a number of the recommended security improvements.

A recent report from the Government Accountability Office found that the Office of Personnel Management still has not implemented a little over one third of recommended security improvements in the wake of the data breaches that impacted the agency over three years ago.

About the Data Breaches

In June 2015, OPM reported that an intrusion into its systems had exposed the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a second intrusion had compromised the files related to background investigations for 21.5 million individuals. The compromised data included fingerprints as well as personal data drawn from the background investigation forms. Because about 3.6 million people were affected by both incidents, the combined total was roughly 22 million people, not the 25.7 million that the two figures sum to.

There was significant fallout from the breaches, including the resignations of OPM’s director at the time, Katherine Archuleta, and of the agency’s chief information officer. The National Treasury Employees Union (NTEU) and the American Federation of Government Employees (AFGE) both sued OPM over the data breaches, citing the agency’s failure to properly safeguard federal employees’ personal data.

OPM’s Progress on Security

In 2017, GAO reported that of 19 security improvement recommendations made to OPM in the wake of the breaches, the agency had completed action on 11 and had begun but not completed action on the remaining 8.

Earlier this year, OPM’s Office of the Inspector General said in a report that the agency is continuing to make some of the same mistakes that left it vulnerable to the data breaches.

The IG said in that report:

On the surface, OPM is continuing to make the same mistakes that plagued its recent unsuccessful “Shell” initiative. Rather than developing a modernization strategy, evaluating alternatives, estimating the costs, and following established capital budgeting processes, OPM is doing it backwards.

OPM has still not clearly identified a comprehensive modernization strategy or established the required planning and budgeting mechanisms that would accompany such a project.

And today? The GAO said in its latest report:

OPM has made progress in implementing our recommendations for improving its security posture, but further actions are needed. As of September 20, 2018, the agency had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations.

The table below, taken from GAO’s report, shows where OPM stands on implementation of GAO’s various recommendations for improving IT security. GAO counts a recommendation as closed only when the agency provides evidence that it has actually been implemented; the two “open” columns distinguish recommendations for which OPM supplied insufficient evidence from those for which it supplied none.

OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018 (number of recommendations)

GAO Report Number   Closed – implemented   Open – insufficient evidence   Open – no evidence   Total
GAO-16-501                 0                          1                          3               4
GAO-16-687SU              46                          2                         14              62
GAO-17-459SU               2                          1                          6               9
GAO-17-614                 3                          1                          1               5
Total                     51                          5                         24              80

Despite these deficiencies, OPM’s Office of the Chief Information Officer told GAO that the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018, and 3 more by the end of fiscal year 2019, leaving one open recommendation without a target date.

A copy of the GAO report is included below.

GAO Report on OPM’s IT Security Progress

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He has over 20 years of combined experience in media and government services, having worked at two government contracting firms and an online news and web development company prior to his current role at FedSmith.