IG: OPM falling short on FISMA requirements

More than a year after the massive data breach at the Office of Personnel Management was revealed to the public, the agency still has a litany of IT weaknesses and deficiencies, according to a new inspector general report.

The IG's Federal Information Security Modernization Act audit for fiscal 2016 begins with a list of 15 findings, most of which are critical of OPM policies and procedures.

According to the report, at the end of fiscal 2016, OPM still had 18 major systems without a valid security assessment and authorization, despite having conducted an "authorization sprint."

"This audit report also re-issues a significant deficiency related to OPM's information security management structure," the report states. "Although OPM has developed a security management structure that we believe can be effective, there has been an extremely high turnover rate of critical positions. The negative impact of these staffing issues is apparent in the results of our current FISMA audit work."

Furthermore, auditors, wrote, "there has been a significant regression in OPM's compliance with FISMA requirements, as the agency failed to meet requirements that it had successfully met in prior years."

Among the auditors' findings:

• OPM has not adequately defined the roles and responsibilities for all positions within its IT management structure.
• The system development life cycle policy is not enforced for all system development projects.
• OPM does not have configuration baselines for all operating platforms, which affects the agency's ability to effectively audit and monitor systems for compliance.
• Although OPM has made progress in its vulnerability management program, improvements are needed in the scanning and remediation processes.
• OPM has not fully established a risk executive function.
• Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.
• The majority of OPM systems have plans of action and milestones that are more than 120 days overdue.

The audit lists 26 recommendations, many of which were rolled over from previous audits. OPM concurred with most of them, including actions such as shutting down information systems that lack valid authorizations, hiring more information system security officers and implementing "a process to ensure that only supported software and operating platforms are used within the network environment."

As updated in 2014, FISMA authorizes the Department of Homeland Security to administer and implement information security policies for nonmilitary federal agencies. The legislation was originally enacted as part of the E-Government Act of 2002.

The OPM IG's report states that although the agency has made a significant effort to fill open information security management positions, "simply having the staff does not guarantee that the team can effectively manage information security and keep OPM compliant with FISMA requirements. We will continue to closely monitor activity in this area throughout FY 2017."