OPM Improves Cybersecurity After Mega Breach But Challenges Remain
The U.S. Office of Personnel Management (OPM) has made strides in increasing its cybersecurity, but more work remains to be done almost five years after the agency suffered one of the largest government data breaches in history.
OPM’s Office of the Inspector General (OIG) publicly released three reports this week on how the agency is handling the cybersecurity and data protection of its systems.
In a final audit report on OPM’s implementation of the Federal Information Security Modernization Act (FISMA), the inspector general said OPM “does not have sufficient processes in place to manage contractors in its environment,” that there are “resource constraints within OPM’s Office of Privacy and Information Management that limit its effectiveness,” that it still needs to “identify gaps in its IT security training program,” that it continues to “struggle with conducting a security controls assessment on all of its information systems,” and that “contingency plan testing has been an ongoing weakness at OPM for over a decade.”
The audit made more than 40 cybersecurity recommendations for the agency, some of which repeated recommendations from earlier audit reports. OPM closed eight of the recommendations from the 2018 report, a 15 percent closure rate.
“While we do not agree with all of the recommendations made in this report, we appreciate OIG’s focus on continued progress toward a fully matured cybersecurity program as set forth by the FISMA maturity model and underlying metrics,” wrote Clare A. Martorana, chief information officer at OPM, in response to the OIG’s audit.
In a second report on OPM’s information technology controls for its consolidated business information system, the OIG recommended that the agency conduct role-based security training for personnel who use the system, that the system application meet federal requirements for multifactor authentication using federally issued personal identity verification (PIV) credentials, and that OPM ensure system administrators receive incident response training, among other recommendations.
“We determined most of the security controls tested appear to be in compliance; however, we did note several areas for improvement,” the report found.
And in the final report made public this week, the OIG highlighted that OPM does not have software that can conduct vulnerability scans of its mainframes.
“Failure to scan the mainframe can leave the system vulnerable to security breaches,” the OIG found. “We recommend that OPM conduct an analysis to determine the viability of acquiring a vulnerability scanning tool for the mainframe.”
OPM agreed with this recommendation and said it is conducting market research to procure a vulnerability scanning tool—if it has the resources to do so—in fiscal year 2020.
OPM has been under pressure for the past five years to overhaul and drastically improve its cybersecurity and monitoring capabilities after hackers breached it, compromising data on 4.2 million current and former U.S. government employees. The hackers also stole background investigations records of current, former, and prospective employees and contractors—compromising data on 21.5 million individuals.
This theft of data had a major impact on the individuals affected due to the unique nature of the data that was stolen, explained Michael Adams, a global director for information security with a Swiss-based company and former U.S. special operations command sergeant major.
“What does this mean for someone like me, who has had a security clearance for over three decades?” Adams wrote for Lawfare. “Given that the data set stolen from the OPM go back to 1985, the information known to the attacker potentially includes all data collected during my initial clearance process and every comprehensive mandatory update, including all of the data from multiple polygraph examinations.”
Rebuilding trust in OPM’s ability to keep data secure has been a key element to its work, explained Charles Phalen, the director of the National Background Investigations Bureau (NBIB), in an interview with Security Management in 2017. The NBIB was created after the OPM breach to improve how the U.S. federal government conducts and delivers background investigations.
“The breach issue was about trust, and trust in ourselves and in the American public as to whether we can protect this stuff—both now and in the future,” Phalen said.