The government’s employment website USAJobs.gov has passed its first independent cybersecurity test since the Office of Personnel Management transferred the system to an internal data center, OPM’s inspector general’s office said in a report released Friday.
“Overall, USAJOBS was found to be in good security standing and does not appear to pose any significant risk to OPM or its constituents,” the IG’s office wrote.
OPM assumed control of the federal jobs portal from Monster Government Solutions in October 2011, after two security breaches in 17 months compromised job-seeker information housed in the system.
The IG’s office, working with FishNet Security, Inc., found no issues that pose an immediate threat to the new website or user information in its database. But auditors did take issue with the portal’s supporting infrastructure.
“The testers discovered that the domain hosting USAJOBS is shared with other services and applications hosted by OPM’s Macon data center,” the report said. “USAJOBS is widely considered the flagship information system at OPM. Any application with the size, visibility and public importance of USAJOBS should be operating in a dedicated, multi-tiered environment, thereby creating a defense-in- depth strategy for protecting the confidentiality, integrity, and availability of system resources and data.”
In addition, investigators uncovered three high-severity vulnerabilities, which risk probable damage to the systems data and resources.
“Of these three high-severity vulnerabilities, two dealt with the problem of improper input validation; one instance on the main USAJOBS website and one on the iOS mobile application,” auditors wrote. “The other high-severity vulnerability related to parameter-based redirection that could lead a user to a malicious website.
But the system weaknesses may no longer be issues, the report said, because the OPM chief information officer’s staff has “already remediated many of the specific audit recommendations that were outlined in the draft report, including all three related to high-severity vulnerabilities.
The report does not provide specifics about the recommendations, because of their sensitive nature.
This story is part of Federal News Radio’s daily Cybersecurity Update. For more cybersecurity news, click here.