The Office of Personnel Management has improved security practices in the wake of its 2015 data breaches, but further implementation is needed, according to a public version of a sensitive report released August 3 by the Government Accountability Office.
After the personal information for 4.2 million federal employees and the security clearance background information for 21.5 million individuals was compromised in 2015, OPM was given 19 recommendations from the United States Computer Emergency Readiness Team.
The report details the status of these recommendations. Of them, 11 were found to be completed, four needed further improvements, and the remaining four were in progress.
In particular, OPM procedures for contractor-operated systems did not detail and define proper measures that must be taken to ensure comprehensive security. Without defined guidance for information system security officers to conduct assessments, OPM will not have the assurance needed that controls on contractor-operated systems are implemented sufficiently to prevent, mitigate and respond to data breaches.
OPM will remain at a greater risk than needed if the government-wide implementation and requirements remain unfulfilled, according to the GAO report. To help OPM move forward, GAO concludes the report with five recommendations:
- Update the plans of action and milestones to reflect the expected completion dates;
- Improve the validation process associated with evidence for actions taken towards addressing the recommendations;
- Update the policy reflecting the Department of Homeland Security’s threat indicators and specific requirement on 24-hour scanning;
- Develop and implement role-based training for staff using Continuous Diagnostics and Mitigation tools; and
- Provide guidance on quality assurance processes including the evaluation of security control assessments.
Of these, OPM has completely agreed on four of the recommendations and partially agreed with the last. It is unclear what about the second recommendation — improving the validation processes — that OPM did not agree with, but they did state they will review management practices to support a timelier process and closure of plans of action and milestones.