The Office of Personnel Management (OPM), victim of a massive data breach in July in which personal records of 21.5 million individuals were compromised, continues to struggle to meet security requirements, according to an audit by OPM's Office of Inspector General (OIG).
The audit found that the OPM has made some progress improving security practices. But it found the agency lacking in many areas.
The audit outlined several recommendations which the OPM should take to meet the security requirements mandated under the Federal Information Security Modernization Act (FISMA).
"In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals," the audit said. "For many years we have reported critical weaknesses in
OPM's ability to manage its information technology (IT) environment, and warned that the agency was at an increased risk of a data breach.
"In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture," the report continued. "Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements."
The OIG said the audit shows an "overall lack of compliance that seems to permeate the agency's IT security program."
The agency showed poor judgment by delaying a full security assessment while it migrates applications into a new technical infrastructure, the audit said. "Combined with the inadequacy and non-compliance of OPM's continuous monitoring program," the audit said, "we are very concerned that the agency's systems will not be protected against another attack."
Among the findings, OPM has up to 23 systems that have not been subject to a thorough security controls assessment. "Combined with the inadequacy and non-compliance of OPM's continuous monitoring program, we are very concerned that the agency's systems will not be protected against another attack," the OIG said.
OPM has also failed to accurately inventory its systems and network devices, "drastically" diminishing the effectiveness of its security controls. While OPM has implemented a large number of improved security monitoring tools, without a complete understanding of its network, it cannot adequately monitor its environment and therefore the usefulness of these tools is reduced, the audit said.
The audit found that OPM's system development life cycle policy is not enforced for all system development projects; it does not maintain a comprehensive inventory of servers, databases, and network devices; and it does not have a mature continuous monitoring program in which security controls for its systems are adequately tested in accordance with its own policy.
In addition, auditors were unable to independently confirm OPM has a mature vulnerability scanning program. Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11; many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy; and the agency has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.
The OIG made 26 recommendations. The auditors said OPM should develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network. The OPM's Office of the CIO (OCIO) should develop a plan and timeline to enforce the new Systems Development Lifecycle (SDLC) policy to all of OPM's system development projects. Additionally, the OCIO should implement a process to ensure routine vulnerability scanning is conducted on all network devices documented within the inventory.