Years after breach, OPM still shows infosec weakness

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen. 

The Office of Personnel Management needs to do more to secure its systems, despite its extensive efforts in the wake of the 2015 hack that affected some 21.5 million people. That's the message of a new Government Accountability Office report that pointed to hurdles still facing the agency.

After the 2015 hack, the U.S. Computer Emergency Readiness Team made 19 recommendations on strengthening security related to passwords, permissions, encryption and patches.

Since then, GAO reported, OPM has successfully implemented 11 of the recommendations, but failed to update its plan of action and milestones required by the Office of Management and Budget, making it difficult for cybersecurity efforts at OPM to begin to establish accountability. 

The report also criticized the lag time before OPM began to address the recommendations. "OPM has limited assurance that the actions taken have effectively mitigated vulnerabilities that can expose its systems to cybersecurity incidents," the report stated.

The report indicated that OPM made progress implementing information security policies and practices associated with selected governmentwide initiatives and requirements. However, GAO noted that many tasks were not finalized, nor did OPM "fully implement all of the requirements."

One example was a failure to encrypt data stored on one system, and another was failure to encrypt data in transit on a different system.

In reply his comments, OPM CIO Dave DeVries pushed back on some of this criticism, saying that GAO "does not fully acknowledge OPM's 'defense in depth' strategy and compensating controls.

Earlier in July, an IG report took OPM to task, critiquing its IT authorization process, warning of a "material weakness."

The news comes as the Trump administration faces the prospect of naming a permanent director for the personnel agency. Nominee George Nesterczuk, withdrew his nomination on July 31, without having received a confirmation hearing.

About the Author

Ben Berliner is an editorial fellow at FCW. He is a 2017 graduate of Kenyon College, and has interned at the Center for Responsive Politics and at Sunlight Foundation.

He can be contacted at bberliner@fcw.com.

Click here for previous articles by Berliner.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.