OPM’s talent acquisition system needs better processes for managing agencies’ data
A GAO report found that OPM’s USA Staffing program lacked procedures for managing the interagency agreement data used when agencies utilized its talent acquisition system.
The Office of Personnel Management lacks clear procedures for managing the data of federal agencies paying to use one of its talent acquisition systems, and the system may contain some cybersecurity risk, the Government Accountability Office has found.
In a report published Tuesday, the GAO examined OPM’s USA Staffing system, which 140 federal agencies used in fiscal 2022 to help manage their talent acquisition, assessment and evaluation processes.
The watchdog found that OPM’s management data from the interagency agreements were often not consistently updated, with no documented roles and responsibilities assigned to oversee the updates.
When an agency uses the USA Staffing system for its talent acquisition services, it, or its cabinet-level department, enters into an interagency agreement (IAA) with OPM and pays for the services through intragovernmental revolving funds. OPM collected more than $50 million in payment for reimbursable services in fiscal 2022 and managed 27 IAAs.
Among the IAA figures maintained by OPM are signed USA Staffing IAA documents (such as orders for USA Staffing licenses), OPM’s manual records on USA Staffing transactions, and accounting records stored in the agency’s core financial management system, Delphi.
However, GAO found that OPM had not designated who is responsible for updating its manual records. And while agency officials said that IAA orders should be entered into its core financial management system within 30 days of being signed, nine of 50 IAA orders examined, worth $6 million, were entered beyond the 30-day limit.
OPM officials also had not established a formal process for identifying inconsistencies in the IAA records, instead adopting an ad hoc approach to comparing manual records with those in the Delphi system.
The watchdog also pointed to potential cybersecurity risk posed by OPM not identifying and monitoring expired interconnection agreements with seven agencies.
The agreements, GAO said, “allow organizations to consider the risks when their systems exchange information with other systems that may have different security and privacy requirements,” but the report found that OPM had expired agreements with three Defense Department components, alongside the departments of Health and Human Services, Homeland Security, Justice and Veterans Affairs, with some dating back nearly five years.
“Because these seven agreements had expired, the connections were not authorized and lacked oversight. As a result, OPM was not aware of the relevant security issues related to other agencies’ systems that would form a basis for interconnection agreements,” the report said, noting that OPM information security and program management officials did not consider them significant risks.
OPM security control assessors also did not identify the expired agreements when assessing the agency’s information system controls in 2020 and 2022. Once notified by GAO, OPM did take steps to mitigate any potential threats from the expired agreements.
GAO offered three recommendations to OPM around the management of IAA data, alongside another two recommendations to the National Park Service and the IRS around the solicitation of feedback from human capital professionals using agency training resources offered for USA Staffing functionalities.
The agencies agreed with the recommendations.