OPM Cybersecurity Audit Shows Sustained Weaknesses

The news in June 2015 that the Office of Personnel Management (OPM) had suffered a massive data breach raised awareness across the country of the increasing implications of cybersecurity vulnerabilities and unleashed a flurry of cybersecurity improvement efforts at OPM and across federal agencies. Despite these efforts, OPM still experiences broad and significant weaknesses in their cyber-posture that continue to place the agency at risk.

According to a recent fiscal year (FY) 2016 audit from OPM’s inspector general’s office (OIG) the agency’s continued cybersecurity weaknesses range from lax policy and governance to high personnel turnover. Some of the most impactful findings include the following:

• System Security Authorizations – The OIG found a material weakness related to OPM’s Security Assessment and Authorization program, despite an “Authorization Sprint” during FY 2016.  At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization in place and the documentation from the 12-15 systems addressed in the Authorization Sprint was provided so late in the audit that the OIG did not have sufficient time to evaluate the results. OPM says they plan to have Authorizations in place for all systems by the end of calendar 2016.
• Security Management Structure – OPM’s security management structure was not effective throughout FY 2016 due to an extremely high turnover rate of critical positions. In audits from FY 2009 through FY 2013 the OIG recommended OPM recruit a staff of Information System Security Officers (ISSO) that report to the OCIO. In FY 2015 OPM successfully filled the vacant ISSO positions, but in FY 2016 there was an extremely high employee turnover rate for ISSOs and OPM struggled to backfill the vacancies. Compounding the issue is that OPM has had five different CIOs in the past three years. The impact is a significant regression in OPM’s FISMA compliance and failures to meet requirements that it had successfully met in prior years. The agency hired 8 additional ISSOs in FY 2016 – filling 16 of 24 available slots – and hired a permanent CIO, but it will take time to fully fill and ramp the other positions.
• Security Roles and Responsibilities – OPM had not adequately defined the roles and responsibilities for all positions within its IT security management structure. One impact is that that there has been widespread confusion regarding whether certain responsibilities belong to the ISSO or an IT Project Manager (ITPM) position that complements each ISSO and typically has more operational responsibility (vs. security.) This resulted in confusion over who was to receive vulnerability scan results and remediate the weaknesses. OPM is working on updated roles and responsibilities and other IT security policies and procedures to address the issues.
• Systems Development Lifecycle Methodology – The OIG attributes OPM’s history of troubled system development and modernization projects to the lack of centralized oversight of systems development. Although a system development life cycle (SDLC) policy update was published at the end of FY 2013 the OIG found that it is not enforced for all system development projects, but for only those deemed as major investment projects. The policy is not currently applied to Development, Modernization and Enhancement (DM&E) projects. OPM says they are collaborating with an 18F team to update the SDLC into a Digital Transformation SDLC during FY 2017 to incorporate agile development processes.
• Contractor-Operated Systems – The OPM system inventory indicates that 16 of the agency’s 46 major applications are operated by a contractor and interfaces between agency-operated and contractor-operated systems are documented through Interconnection Security Agreements (ISA). The OIG found that the ISAs for 64 of 82 interconnections had expired, raising the potential for increased risk of security failures that compromise the connected systems and related data. OPM says they plan to issue an updated policy on system interconnection requirements in the first quarter FY 2017.

While OPM concurred with the various recommendations made by the OIG and reported already taking steps in early FY 2017 to address several of the concerns raised in the audit it will take several months or even years to fully address all of the issues. The lost ground in several areas due to high turnover of their security staff indicates the impact of leadership and a skilled workforce has on an agency’s cybersecurity. It also underscores the vulnerability to such turnover agencies face if they do not have well-established and effective cybersecurity governance and operational policy in place to sustain it through the transitions.