The Office of Personnel Management faces a tight deadline to set up a new health insurance marketplace for Postal Service employees and retirees to enroll in new plans, starting next year.
Now OPM is addressing watchdog concerns about whether the IT infrastructure supporting this new USPS marketplace is following federal cybersecurity requirements.
OPM’s Office of Inspector General, in a flash audit released Friday, raised concerns about the cybersecurity steps OPM took before launching the IT systems that will run the Postal Service Health Benefits (PSHB) Program.
OPM is creating the Postal Service Health Benefits (PSHB) Program as a separate entity from the Federal Employee Health Benefits (FEHB) program, as required under the Postal Service Reform Act signed into law last year.
The IG report focuses on the steps OPM took to launch Carrier Connect, a system OPM is using to communicate and share data with health care providers.
According to the report, OPM officials acknowledged the agency started the assessment and authorization process too late in the security development lifecycle — in the summer of 2023 — and knew they would have to launch Carrier Connect under a provisional authority to operate (ATO).
“IT security was not integrated at the beginning and as a result, many of the required elements of an authorization to operate (ATO) package were not completed before the system was authorized to operate and placed into production,” the IG report states.
OPM’s IG office said it met with OPM management and IT officials in late September.
“As a result of OPM’s flawed security assessment and authorization process, it is possible that unknown security vulnerabilities in the Carrier Connect system have increased the risk of a significant security incident,” OPM OIG wrote.
The IG report also warned that OPM launching Carrier Connect under a provisional ATO created the “potential for greater risk that attackers could establish a foothold in OPM’s IT environment and compromise enterprise-wide security.”
OPM OIG said it issued the alert to make sure OPM addresses the audit findings “in a timely manner,” and that OPM completes critical security documentation before it launches other IT elements of the Postal Service Health Benefits Program.
Federal News Network has reached out to OPM and USPS for comment.
Officials within OPM’s Office of the Chief Information Officer (OCIO) said the IG office’s focus on the provisional ATO was more of a “nomenclature issue” than a cause for concern. They told the IG’s office that this was not an “interim” ATO, and that OCIO had measures in place to ensure the outstanding security steps were completed.
“We were also told that since the initial version of Carrier Connect is considered a minimally viable product and there is no personally identifiable information in the system, it was viewed to be lower risk,” the OPM OIG report states.
OCIO officials also told auditors that functional testing of the system’s security provided better insights than “point-in-time” cybersecurity compliance documents.
OPM said it conducted a penetration test of Carrier Connect to better understand the system’s vulnerabilities, and that the agency’s IT security team “routinely leverages all available security tools to continuously monitor all systems.”
OPM’s Chief Information Officer Guy Cavallo, according to the report, told the IG’s office that in the past, there were several OPM systems operating without a proper ATO, “that he views the issue very seriously, and that his team is working hard to ensure that all systems have a proper ATO.”
Cavallo also told the IG’s office, according to the report, that OPM will assign more staff and start its security assessments much earlier in the security development lifecycle for the Postal Service Health Benefits System (PSHBS), the online portal that postal employees and retirees will use to enroll in health care plans.
“Carrier Connect is an important system that serves as a key part of program planning, but PSHBS will be the actual centralized enrollment portal that will directly affect the success of the entire project. It is critical that established SDLC principles are strictly enforced,” the report states.
The IG’s report said OPM has made “great strides in recent years in improving its overall IT security program,” as documented by recent Federal Information Security Modernization Act (FISMA) audits.
“The agency has improved technical security controls and is focusing on its zero-trust networking strategy. However, functional and technical security controls, such as those relied upon by the OCIO in this case, complement rather than replace proper IT security planning and documentation,” the report states.
OPM is developing the Postal Service Health Benefits (PSHB) program as a separate program within the Federal Employee Health Benefits (FEHB) framework, with coverage starting in January 2025.
The Postal Service Health Benefits program will provide health insurance plans to eligible USPS employees, annuitants and their eligible family members. But the legislation specifies requirements for postal-only health plans that don’t apply to plans offered under FEHB.
The first Open Season for the PSHB Program will begin on November 11, 2024, and run through December 9, 2024. The first contract year will begin on January 1, 2025.
The upcoming change has the support of postal unions, federal employee associations and health care providers in the federal marketplace — but has gotten pushback from postal workers and retirees who say they have more questions than answers about enrolling in a new plan under PSHB.
Several postal retirees wrote to OPM earlier this year, complaining that they cannot stay “grandfathered” into their current FEHB plans and must enroll in a new plan during the 2024 Open Season.