OPM CIO Fires Back at GAO Over Cybersecurity Audit
Auditors: Systems at 'Greater Risk' Till OPM Properly Implements All Security Requirements
The chief information officer at the U.S. Office of Personnel Management complains that congressional auditors fail to appreciate all of the steps his agency has taken to secure its IT system, which in 2015 fell victim to a massive security breach that exposed the personal information of more than 21.5 million individuals.
Although the Government Accountability Office gives high marks to the U.S. Office of Personnel Management for some steps it has taken to secure its IT systems, the auditing and investigative arm of Congress contends OPM fell short in several areas that put its IT assets at risk.
"Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be," GAO Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in an audit report made public Thursday.
OPM Employs Defense-in-Depth Strategy
But OPM CIO David DeVries, in a written response to GAO, says the auditors paint an incomplete and not fully accurate picture of the agency's cybersecurity posture. "GAO does not fully acknowledge OPM's defense-in-depth strategy and compensation controls," DeVries says. "OPM has applied a defense-in-depth strategy to efforts to enhance OPM's cybersecurity posture, meaning there are many layers and aspects to OPM's defensive strategy."
One example of a shortfall GAO points out: OPM's failure to encrypt stored data on one selected system, and transmitted data on another, even after it had identified high-value assets, such as systems containing sensitive information that might be attractive to potential adversaries.
According to GAO, OPM's procedures for overseeing the security of its contractor-operated systems failed to ensure that controls were comprehensively tested. "Although the agency has implemented elements of contractor oversight such as recording security assessment findings for contractor-operated systems in remediation plans, it did not ensure that system security assessments involved comprehensive testing," Wilshusen and Barkakati write.
Guidance Seen Lacking on Conducting Reviews
GAO says OPM requires information system security officers to conduct quality assurance reviews that include reviewing security assessments of contractor-operated systems; however, its policy did not include detailed guidance on how those reviews are to be conducted.
"Until such a procedure is clearly defined and documented, OPM will have less assurance that the security controls intended to protect OPM information maintained on contractor-operated systems are sufficiently implemented," the audit says.
DeVries, in defending OPM's cybersecurity efforts, says the agency has added cybersecurity tools and security updates, expanded staff and agency-wide training, hired critical personnel and collaborated with interagency partners to enhance its cybersecurity posture. "OPM recognizes that cybersecurity is not just about technology, but is also about people," DeVries says.
OPM Mostly Concurs with Recommendations
Still, OPM concurred with four of the five recommendations GAO proposed to strengthen IT security at the agency. The fifth recommendation calls for improvements in the timeliness of validating evidence associated with steps taken to address GAO recommendations regarding plans of action and milestones. "OPM will review its management practices to support more timely close of POA&Ms," DeVries says.
The GAO audit comes less than a month after the OPM inspector general issued a report that identified significant problems the agency faces in determining whether its IT systems meet security requirements (see Audit: OPM Struggles to Ensure IT Security).