Per the OPM Inspector General’s annual report, 18 major systems at OPM lack a current information system security authorization. The Federal Information Security Modernization Act (FISMA) requires IGs to review their department’s IT security on an annual basis.
“We acknowledge that OPM is once again taking system authorization seriously and is dedicating significant resources toward re-authorizing the systems that were neglected because of the 2015 moratorium,” Michael Esser, the assistant IG for audits at OPM, said.
The authorization program has been a weak area for OPM for some time, even though the agency standardized the process with new policies and procedures in recent years. In April 2015, OPM’s CIO deferred all new authorization activity so it could extend previous authorizations for several OPM systems that had expired or were expiring soon. The IG noted that OPM was in the process of modernizing its IT infrastructure and that, once the modernization was complete, all systems would have to receive new authorizations anyway. The IG said it had expressed serious concern with this approach and had warned the agency of the extreme risk associated with neglecting the IT security controls of its information systems.
OPM has started an “authorization sprint” to make all its systems compliant with authorization standards. It has issued 15 authorizations to operate during the “sprint” and has seven more in progress. OPM expects all its systems to have current authorizations by December 31, 2016. Esser recommended that the OPM director consider shutting down systems that lack current authorizations, and that FISMA compliance be included in the performance metrics for Information System Security Officers (ISSOs).
OPM wants to implement a continuous monitoring program that could replace the need to periodically re-authorize the agency’s systems. The IG said that this continuous monitoring program reached the “defined” level, the second of five levels, this year. This is a step above last year, when it remained at the first level, called “ad hoc”.
“The development of these new policies and procedures is a step in the right direction toward a mature [information systems continuous monitoring] ISCM program.” However, OPM has a significant amount of work to complete before it reaches the next level (level three, “consistently implemented”) of the ISCM maturity model.
The IG says in its report that there is a high turnover rate among the ISSO positions. In fact, five different individuals have held the role of CIO in the past three years. The IG recommends that OPM hire more ISSOs, though it acknowledged the agency has recently brought more talent on board. In FY2016, OPM has hired eight ISSOs and plans to hire eight more.