OPM's IT authorization process a 'material weakness,' IG says

 

An IT security decision made around the time of the discovery of the devastating 2015 hack of Office of Personnel Management systems continues to have "a significant negative impact on the agency," according to a watchdog report.

In April 2015, OPM's CIO moved to halt all technology authorization activity while the agency worked on a plan to migrate its applications to a more modern environment – a project called the shell.

At the time, the IG warned of the "extreme risk associated with neglecting the IT security controls of its information systems."

Eventually, OPM pivoted away from the modernization plan originally cited as the justification for the authorization halt. However, the lapse in authorization activity continues to haunt the agency, according to the July 7 IG report.

OPM revived its IT authorization program in a 2016 "sprint" and made other process improvements, including incorporating the National Institute of Standards and Technology risk framework and updating the roles and responsibilities of the individuals involved.

While expired authorities to operate (ATOs) do not indicate a system is compromised or insecure, the IG report noted that keeping ATOs current is a good way to identify significant risks to be addressed.

In reply comments, OPM CIO Dave DeVries, a former deputy CIO at the Department of Defense who was brought in to lead the development of a new background check system at OPM, said the IG doesn't have all the facts.

"We have notified the OIG that we believe it is issuing the audit without the benefit of the full set of documentation available," DeVries said.

The IG report calls out the OPM local-area and wide-area networks for special attention. The LAN/WAN got a one-year provisional ATO in September 2016, but according to the IG report, the system security plan for that system is missing key information.

Specifically, it said the agency's LAN/WAN system security plan didn't include data about hardware, software, minor systems and some controls. It also said shortcomings in security control testing as part of the LAN/WAN authorization process "likely prevented" the testers from finding vulnerabilities. Additionally, the IG said security weaknesses found during the LAN/WAN authorization weren't tracked in a plan of action and milestones document produced by OPM.

DeVries noted in his comments that the evaluation of the security of the LAN/WAN system took place during modifications of the overall IT infrastructure. "This resulted in a complex, dynamic system that made it difficult for the independent assessor to evaluate the status of many of the security controls with a high degree of confidence," he said.

Despite these caveats, the OIG said it continues to believe that OPM's authorization process "represents a material weakness in the internal control structure of the agency's IT security program."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.

