Despite progress, OPM information systems still at risk, audit says


The Office of Personnel Management (OPM) has improved its information security controls since a breach of its systems affected nearly 22 million Americans, but it needs to take further action to guard against cybersecurity threats, according to government auditors.

In a report released on Thursday, the Government Accountability Office (GAO) said that the OPM has worked to implement several information security recommendations but that, until all the measures are completed, “its systems are at greater risk than they need be.” 

The OPM revealed in 2015 that two breaches of its databases resulted in the exposure of sensitive information of 21.5 million people, most of them federal workers. The agency later blamed the breaches, which have been linked to Chinese hackers, on its legacy systems in testimony before Congress. The incident eventually led to the resignation of then-Director Katherine Archuleta. 

Legislation enacted in 2016 required the GAO to review information security at the OPM, including the actions the agency has taken since 2015 to guard its systems and respond to breaches. 

The OPM has implemented 11 recommendations made by the computer emergency readiness team at the Department of Homeland Security (DHS) in the wake of the breaches and worked toward implementing the remaining eight recommendations, though the agency has fallen short of four of them, according to the GAO.

It is unclear precisely what the recommendations involve — the report does not offer details on them due to their sensitive nature, though it notes that they “pertained to strengthening activities and controls related to passwords, access permissions, patches, audit and monitoring, among other things.”

An associated sensitive report on the matter has been issued to Congress. 

“OPM also made progress in implementing information security policies and practices associated with selected government-wide initiatives and requirements. However, it did not fully implement all of the requirements,” the GAO wrote in the public audit. 

“For example, OPM identified its high value assets, such as systems containing sensitive information that might be attractive to potential adversaries, but it did not encrypt stored data on one selected system and did not encrypt transmitted data on another,” the report says. “Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be.”