OPM Has Yet to Implement Many GAO Information Security Recommendations

OPM Office of Personnel Management

In a report released today, the Government Accountability Office (GAO) said the Office of Personnel Management (OPM) has yet to implement a full one-third of GAO’s information security recommendations issued to OPM in recent years.

From Feb. 2015 through Aug. 2017, GAO issued four reports regarding OPM’s information security practices which included 80 recommendations to improve the agency’s security posture. In order to comply with an Explanatory Statement that is part of 2018 Consolidated Appropriations Act, GAO has to brief the House and Senate Appropriations Subcommittees on Financial Services and General Government on how OPM responded to GAO’s information security recommendations.  With that requirement in mind, GAO began auditing OPM responses in September of this year.

“OPM has made progress in implementing our recommendations for improving its security posture, but further actions are needed,” Gregory C. Wilshusen, director of Information Security Issues at GAO, wrote in a letter to the chairs and ranking members of the Senate and House Appropriations Subcommittees on Financial Services, Sens. James Lankford, R-Texas, and Chris Coons, D-Conn., and Reps. Tom Graves, R-Ga., and Mike Quigley, D-Ill.

“As of September 20, 2018, the agency had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations,” Wilshusen told the lawmakers.

GAO broke down by report which recommendations have not been implemented:

  • GAO-16-501–OPM has not implemented any of the report’s four recommendations, which include suggestions to enhance security plans, perform comprehensive security control assessments, update remedial action plans for two selected high-impact systems, and provide and track specialized training for all individuals, including contractors, who have significant security responsibilities. GAO noted that it designated the first three recommendations as “priority recommendations.”
  • GAO-16-687SU–For this report, OPM has implemented the majority of GAO’s recommendations–46 out of 62. The unimplemented recommendations include “avoiding the use of the same administrator accounts by multiple persons, implementing procedures governing the use of special privileges on a key computer, encrypting passwords while stored or in-transit across the network, and installing the latest versions of operating system software on network devices supporting a high impact system.”
  • GAO-17-459SU–OPM still has seven out of nine recommendations left to implement for the third report. In the report, GAO recommended that OPM reset all passwords following OPM’s 2015 data breach, “install critical patches in a timely manner, periodically evaluate accounts to ensure privileged access is warranted, and assess controls on selected systems as defined in its continuous monitoring plan.”
  • GAO-17-614–In the last report audited, OPM had implemented three out of five recommendations. Remaining on OPM’s to-do list are recommendations to “improve the timeliness of validating corrective actions and to develop and implement training requirements for staff using special tools.” Both recommendations were termed “priority recommendations” by GAO.

In his letter to the legislators, Wilshusen said that officials inside OPM’s Office of the Chief Information Officer said the agency plans to implement 25 of the remaining 29 recommendations by the end of 2018 and will implement another three recommendations by the end of FY 2019. However, the agency does not plan to implement the GAO’s recommendation regarding deploying a security tool on contractor workstations.

“The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided evidence to us of these controls,” Wilshusen wrote. “Expeditiously implementing all remaining open recommendations is essential to ensuring that appropriate controls are in place to protect the agency’s systems and information,” he said.

Recent