The Office of the Inspector General at the Office of Personnel Management audited the agency’s security programs and practices under the Federal Information Security Modernization Act (FISMA) and found a significant deficiency in OPM’s security management structure.
The IG found material weaknesses in OPM’s Authorization program, and problems in OPM’s security management structure that had been resolved in recent years have recurred. The problems stem from a high turnover rate among information technology employees at OPM and a struggle to fill recurring vacancies; five individuals have held the role of chief information officer at OPM in the past three years. Because of this, the agency failed to meet FISMA requirements it had been able to meet in previous years.
The IG recommended that OPM continue implementing its planned information security management structure and more clearly define the roles of its IT professionals. IT employees at OPM aren’t sure whether they are responsible for tracking security threats or for responding to them.
OPM is working to deploy a system for continuously monitoring the effectiveness of its security controls. The IG found that the system is on track, but not yet ready to operate on its own without additional checks to ensure the security tools are functioning properly. The IG also recommended that OPM develop an agencywide risk management strategy.
The IG found that many of OPM’s system managers aren’t meeting self-imposed deadlines to mitigate security weaknesses within their systems. Out of OPM’s 46 major information systems, 43 have items that are more than 120 days overdue.
While OPM’s vulnerability scanning program has improved enough to provide confidence that it scans all systems within the environment every two weeks, the IG found that parts of OPM’s internal network were not being reached by the scans, and that in most cases a thorough analysis of the scan results wasn’t performed.