Oversight

OPM's IT authorization process a 'material weakness,' IG says

 

An IT security decision made around the time of the discovery of the devastating 2015 hack of Office of Personnel Management systems continues to have "a significant negative impact on the agency," according to a watchdog report.

In April 2015, OPM's CIO moved to halt all technology authorization activity while the agency worked on a plan to migrate its applications to a more modern environment – a project called the shell.

At the time, the IG warned of the "extreme risk associated with neglecting the IT security controls of its information systems."

Eventually, OPM pivoted away from the modernization plan originally cited as the justification for the authorization halt. However, the lapse in authorization activity continues to haunt the agency, according to the July 7 IG report.

OPM revived its IT authorization program in a 2016 "sprint" and made other process improvements, including incorporating the National Institute of Standards and Technology risk framework and updating the roles and responsibilities of the individuals involved.

While expired authorities to operate do not indicate a system is compromised or insecure, the IG report noted that keeping ATOs current is a good way to identify significant risks to be addressed.

In reply comments, OPM CIO Dave DeVries, a former deputy CIO at the Department of Defense who was brought in to lead the development of a new background check system at OPM, said the IG doesn't have all the facts.

"We have notified the OIG that we believe it is issuing the audit without the benefit of the full set of documentation available," DeVries said.

The IG report calls out the OPM local-area and wide-area networks for special attention. The LAN/WAN got a one-year provisional ATO in September 2016, but according to the IG report, the system security plan for that system is missing key information.

Specifically, it said the agency's LAN/WAN system security plan didn't include data about hardware, software, minor systems and some controls. It also said shortcomings in security control testing as part of the LAN/WAN authorization process "likely prevented" the testers from finding vulnerabilities. Additionally, the IG said security weaknesses found during the LAN/WAN authorization weren't tracked in a plan of action and milestones document produced by OPM.

DeVries noted in his comments that the evaluation of the security of the LAN/WAN system took place during modifications of the overall IT infrastructure. "This resulted in a complex, dynamic system that made it difficult for the independent assessor to evaluate the status of many of the security controls with a high degree of confidence," he said.

Despite these caveats, the OIG said it continues to believe that OPM's authorization process "represents a material weakness in the internal control structure of the agency's IT security program."

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


The Fed 100

Read the profiles of all this year's winners.

Featured

Reader comments

Tue, Jul 11, 2017 Chuck Viator United States

Keep drinking from the same well the water is not going to change. Open doors and minds will find that there are a couple of diamonds in the cyber business that can drastically reduce the complexity of your cyber infrastructure, significantly improve your cyber posture and reduce the total cost of ownership. If you are interested in positive change it is available!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group