IG: OPM falling short on FISMA requirements

More than a year after the massive data breach at the Office of Personnel Management was revealed to the public, the agency still has a litany of IT weaknesses and deficiencies, according to a new inspector general report.

The IG's Federal Information Security Modernization Act audit for fiscal 2016 begins with a list of 15 findings, most of which are critical of OPM policies and procedures.

According to the report, at the end of fiscal 2016, OPM still had 18 major systems without a valid security assessment and authorization, despite having conducted an "authorization sprint."

"This audit report also re-issues a significant deficiency related to OPM's information security management structure," the report states. "Although OPM has developed a security management structure that we believe can be effective, there has been an extremely high turnover rate of critical positions. The negative impact of these staffing issues is apparent in the results of our current FISMA audit work."

Furthermore, auditors wrote, "there has been a significant regression in OPM's compliance with FISMA requirements, as the agency failed to meet requirements that it had successfully met in prior years."

Among the auditors' findings:

  • OPM has not adequately defined the roles and responsibilities for all positions within its IT management structure.
  • The system development life cycle policy is not enforced for all system development projects.
  • OPM does not have configuration baselines for all operating platforms, which affects the agency's ability to effectively audit and monitor systems for compliance.
  • Although OPM has made progress in its vulnerability management program, improvements are needed in the scanning and remediation processes.
  • OPM has not fully established a risk executive function.
  • Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.
  • The majority of OPM systems have plans of action and milestones that are more than 120 days overdue.

The audit lists 26 recommendations, many of which were rolled over from previous audits. OPM concurred with most of them, including actions such as shutting down information systems that lack valid authorizations, hiring more information system security officers and implementing "a process to ensure that only supported software and operating platforms are used within the network environment."

As updated in 2014, FISMA authorizes the Department of Homeland Security to administer and implement information security policies for nonmilitary federal agencies. The legislation was originally enacted as part of the E-Government Act of 2002.

The OPM IG's report states that although the agency has made a significant effort to fill open information security management positions, "simply having the staff does not guarantee that the team can effectively manage information security and keep OPM compliant with FISMA requirements. We will continue to closely monitor activity in this area throughout FY 2017."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.