OPM is Still Falling Short in the IT Security Area

by | Jan 9, 2017

Last Updated May 8, 2024
IT security

securityPer the OPM Inspector General’s annual report, 18 major systems at OPM lack current information system security. The Federal Information Security Modernization Act (FISMA) requires IG’s to renew their department’s IT security on an annual basis.

“We acknowledge that OPM is once again taking system authorization seriously and is dedicating significant resources toward re-authorizing the systems that were neglected because of the 2015 moratorium”, Michael Esser, the assistant IG for audits at OPM said.

Historical Weaknesses and Recent Efforts

The authorization program has been a weak area for OPM for some time even though it standardized the process with new policies and procedures in recent years. In April 2015, OPM’s CIO deferred all new authorization activity so it could extend previous authorizations for several OPM systems that had expired or were expiring soon. The IG said that OPM was in the process of modernizing its IT infrastructure and once the modernizing was complete, all systems would have to receive new authorizations anyway. We expressed serious concern with this approach. Furthermore, they warned the agency of the extreme risk associated with neglecting the IT security controls of its information systems.

OPM has started an “authorization sprint” to make all its systems compliant with authorization standards. It has issued 15 authorizations to operate during the “sprint” and has seven more in progress. They expect all their systems to have current authorizations by December 31, 2016. Esser recommended the OPM director consider shutting down systems that lack current authorizations. This would include a point on FISMA compliance in performance metrics for Information System Security Officers (ISSO’s).

OPM wants to implement a continuous monitoring program that could replace the need to periodically re-authorize the agency’s security system. The IG said that this continuous monitoring program reached the ‘defined’ level, the second of 5 levels, this year. This is a step above last year when this remained at the first level, called “ad hoc”.

Ongoing Security Challenges and Recommendations

“The development of these new policies and procedures is a step in the right direction toward a mature [information systems continuous monitoring] ISCM program.” However, OPM has a significant amount of work to complete before it reaches the next level (level three, ‘consistently implemented’) of the ISCM maturity model.

The IG says in its’ report that there is a high turnover rate among the ISSO positions. In fact, five different individuals have held the role of the CIO in the past three years. They recommend OPM hire more ISSO’s, though it acknowledged the agency has recently brought more talent on board. In FY2016, OPM has hired eight ISSO’s and plan on hiring eight more.

Message us & find out if you qualify today!

  • This field is for validation purposes and should be left unchanged.

Recent Articles

Yes, You Can Work after Federal Disability Retirement

Have you looked at your Federal Disability Retirement annuity, a knot of uncertainty coiling in your stomach as you question - will it be enough? Have you ever wondered if you could keep working after being approved for Federal Disability Retirement? You can work...

The 4 Key Benefits of Federal Disability Retirement

Imagine a lifeline, a beacon of hope for your future when you're struggling with an injury or illness that’s impacting your federal job. That lifeline is Federal Disability Retirement. If you can't perform at least one of the essential functions of your role, you...

6 Key Reasons Why Your Disability Retirement Application Was Denied

Have you recently applied for Federal Disability Retirement, only to receive a denial? The Office of Personnel Management (OPM) is denying more initial applications than ever. However, it's important to understand that a denial does not mean the end of the road for...

Federal Employee Resources

Our ever growing library of federal employee resources give you the knowledge you need to make smart choices about your future.

FAQs

Frequently Asked Questions

Get the answers you need on-demand, from a team of federal employee benefits professionals.

View FAQ
Webinars

Federal Benefit Webinars

Twice per month we host webinars to help federal employees better understand their benefits and answer their questions LIVE.

See Webinar Schedule
Guides

Benefit Guides

From guides to detailed charts, these educational resources will help clarify confusing federal employee benefits topics.

See our resources