Over two years after the Office of Personnel Management (OPM) suffered a massive data beach compromising the data of over 20 million current and former federal employees and their families, there are still notable deficiencies in the way the agency handles its information systems, according to a recent audit.
Though there have been improvements to OPM’s IT security programs, the report notes there were”significant problems with the authorization packages prepared during the sprint” conducted in 2016 to bring the agency’s IT systems up-to-date and that “there is still significant effort needed to stabilize the authorization program.”
OPM does not fully comply with the cyber-security protocol issued by the National Institute of Standards and Technology, which all federal agencies will be required to adhere to.
“Of primary concern is the fact that the assessors performing the sprint activity did not have access to enough accurate and complete information to make valid risk-based decisions about the
systems’ security posture,” said the report.
OPM isn’t sufficiently testing the security of its local area networks and wide area networks, known as LAN/WAN, according to the Inspector General’s report. “There is a significant risk, if not likelihood, that the security controls testing performed as part of the LAN/WAN authorization process did not identify security vulnerabilities that could have been detected with an appropriately thorough test,” said the report.
“The lack of a valid authorization does not necessarily mean that a system is insecure,” according to the audit. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities.”
The audit, dated June 20, was made publicly available on July 7.