IG details OPM contractor's security flaws

A government audit of the contractor at the center of the Office of Personnel Management breach has found serious flaws in the company's IT security regime at the time of the hack.

The contractor, KeyPoint Government Solutions, lacked a formal incident response procedure and the security controls necessary to prevent unauthorized devices from connecting to the network, according to OPM's inspector general.

The audit was conducted from April to June 2015, the month that OPM publicly revealed it had been the victim of a massive hack, and it includes information that was current as of July 2015. The audit's findings were published last week.

At the time of the audit, KeyPoint did not have a standard for configuring its firewalls and had not implemented an outbound web proxy, according to the IG. The contractor also lacked a process for regularly auditing configuration settings on its workstations, servers and databases. The absence of a configuration audit program "increases the risk that insecurely configured servers exist undetected, creating a potential gateway for malicious virus and hacking activity," the audit states.

Investigators said they found several other shortcomings in KeyPoint's IT security at the time of the audit: There was no formal process for auditing physical access privileges, nor were there formal procedures for reviewing system logs.

OPM's CIO office generally concurred with the IG's recommendations while saying KeyPoint had rectified or addressed many of the flaws in its security controls. For example, the firm updated its incident response plan and installed a web proxy that can limit outbound traffic, according to the CIO's office.

A KeyPoint spokesperson could not be reached for comment. According to reply comments in the report, the company has implemented many of the 15 recommendations or is in the process of doing so.

KeyPoint was in the crosshairs as lawmakers sought answers in the hours of hearings held after the OPM hack became public. During a June 24, 2015, hearing, KeyPoint CEO Eric Hess confirmed that the OPM system credentials of a KeyPoint employee had provided hackers with the keys to OPM's networks, but more details have been slow to emerge.

KeyPoint itself was hacked in 2014, but OPM retained the contractor's background check services.

U.S. officials say they have learned their lesson about secure identity management from the breach of OPM via KeyPoint. In awarding a $133 million contract to Identity Theft Guard Solutions in September 2015, an interagency group helped draw up tighter security requirements for the data the contractor will hold.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
