The Office of Personnel Management’s (OPM’s) cybersecurity fell under scrutiny in two audits by the agency’s inspector general, with both identifying issues in OPM’s controls and security practices.
The two reports – OPM’s annual Federal Information Security Modernization Act (FISMA) audit and an audit of OPM’s security controls – were both released on October 30 by OPM’s Office of the Inspector General (OIG). The FISMA audit gave OPM’s cybersecurity maturity an overall score of Level 2, while the audit of OPM’s controls found deficiencies on 29 of the 56 controls inspected.
The FISMA audit identified strengths in security training and incident response, both rated at Level 4, but rated risk management and data protection and privacy at Level 1, noting the need for improvement in those areas. With agencies expected to reach Level 4 in their FISMA cybersecurity maturity assessments, OPM’s Level 2 score drew many recommendations for improvement.
“While generally compliant, with respect to the items tested, OPM’s OCIO and other program offices were not in complete compliance with all standards,” the report states.
The report makes 45 recommendations for OPM’s CIO office, with 44 rolled over from previous years. OPM concurred with 35 recommendations, partially concurred with three, and did not concur with seven.
For the audit of OPM’s security controls and its Common Security Control Collection (CSCC), the OIG found several weaknesses around documentation of roles, inconsistencies in reporting and tracking remediation, and a lack of communication with system owners. The lack of documented roles also hindered OIG’s ability to make recommendations for remediating the 29 deficient controls identified.
“The roles and responsibilities for ensuring the CSCC controls are properly implemented have not been documented. Therefore, we will not make a recommendation on each of the deficient controls as they are symptomatic of the larger underlining issue, the lack of CSCC governance documentation,” the report stated.
With deficiency-specific recommendations excluded, the report made four recommendations to OPM CIO Clare Martorana, calling on the agency to assign clear responsibilities for the CSCC, to notify authorizing officials when controls are not fully implemented, and to continue conducting independent assessments. OPM pushed back somewhat, disagreeing with the recommendation around roles and responsibilities and noting that additional guidance outside the report’s scope already includes this information.