A recent report from the Government Accountability Office found that the Office of Personnel Management still has not implemented a little over one third of the recommended security improvements in the wake of the data breaches that hit the agency over three years ago.
About the Data Breaches
In June 2015, OPM reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a second breach had compromised its systems and the files related to background investigations for 21.5 million individuals. The compromised data included fingerprints as well as personal data of over 25 million current and former federal employees.
There was significant fallout from the breaches, including the resignations of OPM’s director at the time, Katherine Archuleta, as well as the agency’s chief information officer. NTEU and AFGE also both sued OPM over the data breaches, citing failures on the agency’s part to properly safeguard federal employees’ personal data.
OPM’s Progress on Security
In 2017, GAO reported that there were 19 security improvement recommendations made, and OPM had completed actions for 11 of the recommendations and taken actions for the remaining 8.
Earlier this year, an OPM Inspector General report said that the agency is continuing to make some of the same mistakes that left it vulnerable to the data breaches.
The IG said in that report:
On the surface, OPM is continuing to make the same mistakes that plagued its recent unsuccessful “Shell” initiative. Rather than developing a modernization strategy, evaluating alternatives, estimating the costs, and following established capital budgeting processes, OPM is doing it backwards.
OPM has still not clearly identified a comprehensive modernization strategy or established the required planning and budgeting mechanisms that would accompany such a project.
And today? The GAO said in its latest report:
OPM has made progress in implementing our recommendations for improving its security posture, but further actions are needed. As of September 20, 2018, the agency had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations.
The table below from GAO’s report shows where OPM stands on implementation of GAO’s various recommendations for improving IT security.
OPM’s Implementation of GAO’s Information Security Program and Control Recommendations, as of September 20, 2018
Number of Recommendations

| GAO Report Number | Closed – implemented | Open – insufficient evidence | Open – no evidence | Total |
|---|---|---|---|---|
Despite some of these deficiencies, OPM’s Office of the Chief Information Officer told GAO that the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018. OPM also expects to implement 3 additional recommendations by the end of fiscal year 2019.
A copy of the GAO report is included below.