Despite a concerted effort, the Office of Personnel Management is still falling short of its promise to improve multiple aspects of its IT security.
Eighteen major systems at OPM lack a current information system security authorization, according to the agency’s inspector general’s annual report. Inspectors general are required under the Federal Information Security Modernization Act (FISMA) to review their department’s IT security on an annual basis.
“We acknowledge that OPM is once again taking system authorization seriously and is dedicating significant resources toward re-authorizing the systems that were neglected as a result of the 2015 moratorium,” Michael Esser, assistant inspector general for audits at OPM, said.
The authorization program has long been a weak area for OPM, even though it standardized the process with new policies and procedures in recent years.
In April 2015, the OPM chief information officer deferred all new authorization activity so the agency could extend previous authorizations for several OPM systems whose approvals had expired or were about to expire.
“The justification was that OPM was in the process of modernizing its IT infrastructure and that once this modernization was completed, all systems would have to receive new authorizations anyway,” the IG said. “We expressed serious concern with this approach and warned the agency of the extreme risk associated with neglecting the IT security controls of its information systems.”
Now, OPM is still feeling the effects of that approach. The agency started an “authorization sprint” to make all of its systems compliant with authorization standards. It issued 15 authorizations to operate during the “sprint” and has seven more in progress.
OPM said it expects all of its systems will have current authorizations by Dec. 31, 2016.
Esser recommended that the OPM director consider shutting down some systems that lack current authorizations and including a point on FISMA compliance in performance metrics for information system security officers (ISSOs).
Ultimately, OPM hopes it can implement a continuous monitoring program that would eventually replace the need to periodically re-authorize the agency’s security systems altogether.
The program has certainly progressed, Esser said, but it’s not yet at the point where it can effectively replace the OPM authorization program.
The IG said OPM’s continuous monitoring program reached the “defined” level, the second of five levels in total, this year. That’s a step above last year, when the program remained at the first “ad hoc” level.
“The development of these new policies and procedures is a step in the right direction toward a mature [information systems continuous monitoring] ISCM program,” Esser said. “However, OPM still has a significant amount of work to complete before it reaches the next level (level three, ‘consistently implemented’) of the ISCM maturity model.”
The inspector general’s tone in the report wasn’t entirely pessimistic. The OIG pointed to a few areas where it’s seen improvement and appeared optimistic that OPM could improve its IT governance structure.
The OIG re-issued OPM’s information security management structure as having a “significant deficiency.” The agency had previously closed this area as a deficiency.
“For a brief period of time, this governance structure was operating effectively,” the IG said. “However, there has been an extremely high employee turnover rate for the ISSO positions, and OPM has struggled to backfill these vacancies. There have been five different individuals in the role of the chief information officer in the past three years.”
OPM brought in several new leaders with long IT management experience to lead its work in this area. Lisa Schlosser, the federal deputy chief information officer, recently completed an 18-month detail to OPM as the acting CIO. She’s expected to retire from government at the end of the month.
The agency also has a new chief information officer. David DeVries joined OPM in August with 35 years of experience from the Pentagon.
Though OPM’s IT security management structure looks good on paper, most of it wasn’t implemented until later in the year, the IG said. Staffing shortages didn’t help either.
Specifically, the IG recommends that OPM hire more information system security officers, though it acknowledged that the agency has recently brought more talent on board. OPM hired eight ISSOs in fiscal 2016 to bring its overall total to 16. The Office of the Chief Information Officer will hire eight more, three of whom are in the middle of the onboarding process now, the agency said.
The inspector general sees promising signs in OPM’s IT security management structure, though the agency should properly clarify all team members’ roles and responsibilities, the report said.
Esser listed 25 specific recommendations, which cover OPM’s lack of risk management strategy, IT security training and authentication procedures, among others.
OPM put new controls in place in 2016 that prevent devices not issued by OPM from connecting to the network. But only two of OPM’s 46 major applications are compliant with Office of Management and Budget standards on personal identity verification (PIV), the IG said.