OPM still plagued by cyber weaknesses, IG finds

Shutterstock image: protected hardware. 

Nearly two-and-a-half years since OPM suffered a data breach that exposed the records of over 20 million federal employees and contractors, the agency still has a long way to go when it comes to managing security and meeting key requirements, according to an inspector general report.

The overall cybersecurity posture at OPM has improved, according to the annual FISMA report, but the information security teams continue to struggle with training, hiring and management structure. And despite pockets of improvements, OPM continues to add to its pile unfulfilled recommendations.

The report also fired back at complaints from agency personnel that the intense oversight are creating "audit fatigue" among agency staff, making it difficult to enact improvements.

"Although we agree that audits can be a strain on resources, we believe that the primary cause of OPM’s 'audit fatigue' is the OCIO staff's inability to maintain complete, detailed, and organized documentation," the report states.

The report notes that IG staff "wasted over 600 hours auditing useless and irrelevant information," because of OPM staff's inability to supply needed documentation upon request.

"This audit is essentially an 'open book test,' but, inexplicably, OPM continues to struggle in providing timely documentation and appears to be generally unprepared to respond to routine audit requests," the report states.

Last year's audit dinged OPM for missing requirements it had fulfilled in prior years. This year’s audit hit OPM over its failure to implement contingency planning, risk management and configuration management requirements.

The report includes 39 recommendations, most of which OPM concurred with. According to agency replies, some of the key recommendations will be knocked out via the Continuous Diagnostics and Mitigation program, created to help agencies strengthen their networks and systems. OPM will use CDM to implement recommendations related to endpoint management, software inventory and to analyze OPM’s identity, credential and access management strategy.

About the Author

Ben Berliner is an editorial fellow at FCW. He is a 2017 graduate of Kenyon College, and has interned at the Center for Responsive Politics and at Sunlight Foundation.

He can be contacted at

Click here for previous articles by Berliner.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.