Oversight

OPM's IT authorization process a 'material weakness,' IG says

 

An IT security decision made around the time of the discovery of the devastating 2015 hack of Office of Personnel Management systems continues to have "a significant negative impact on the agency," according to a watchdog report.

In April 2015, OPM's CIO moved to halt all technology authorization activity while the agency worked on a plan to migrate its applications to a more modern environment – a project called the shell.

At the time, the IG warned of the "extreme risk associated with neglecting the IT security controls of its information systems."

Eventually, OPM pivoted away from the modernization plan originally cited as the justification for the authorization halt. However, the lapse in authorization activity continues to haunt the agency, according to the July 7 IG report.

OPM revived its IT authorization program in a 2016 "sprint" and made other process improvements, including incorporating the National Institute of Standards and Technology risk framework and updating the roles and responsibilities of the individuals involved.

While expired authorities to operate do not indicate a system is compromised or insecure, the IG report noted that keeping ATOs current is a good way to identify significant risks to be addressed.

In reply comments, OPM CIO Dave DeVries, a former deputy CIO at the Department of Defense who was brought in to lead the development of a new background check system at OPM, said the IG doesn't have all the facts.

"We have notified the OIG that we believe it is issuing the audit without the benefit of the full set of documentation available," DeVries said.

The IG report calls out the OPM local-area and wide-area networks for special attention. The LAN/WAN got a one-year provisional ATO in September 2016, but according to the IG report, the system security plan for that system is missing key information.

Specifically, it said the agency's LAN/WAN system security plan didn't include data about hardware, software, minor systems and some controls. It also said shortcomings in security control testing as part of the LAN/WAN authorization process "likely prevented" the testers from finding vulnerabilities. Additionally, the IG said security weaknesses found during the LAN/WAN authorization weren't tracked in a plan of action and milestones document produced by OPM.

DeVries noted in his comments that the evaluation of the security of the LAN/WAN system took place during modifications of the overall IT infrastructure. "This resulted in a complex, dynamic system that made it difficult for the independent assessor to evaluate the status of many of the security controls with a high degree of confidence," he said.

Despite these caveats, the OIG said it continues to believe that OPM's authorization process "represents a material weakness in the internal control structure of the agency's IT security program."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from Shutterstock.com

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Tue, Jul 11, 2017 Chuck Viator United States

Keep drinking from the same well the water is not going to change. Open doors and minds will find that there are a couple of diamonds in the cyber business that can drastically reduce the complexity of your cyber infrastructure, significantly improve your cyber posture and reduce the total cost of ownership. If you are interested in positive change it is available!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group