Watchdog: OPM is At Risk of Not Being Able to Restore IT Systems Post-Disaster 

Following the massive data breaches at the Office of Personnel Management in 2015 that are the subject of an ongoing lawsuit, the agency is “at risk” of not being able to restore its IT systems if there is another disaster, according to a watchdog report.

OPM’s cybersecurity “policies, procedures, and strategy are formalized and documented, but not consistently implemented,” according to an inspector general report released on Tuesday. OPM received the second-lowest level of security rating possible,  according to the reporting metrics under the 2002 Federal Information Security Management Act. Although the inspector general said the agency has much to improve on and listed recommendations, it noted that OPM made progress in 2019 since some of the recommendations were carried over from previous years.

The inspector general said the agency’s failure to fully implement its Information Security Continuous Monitoring program, which “involve[s] the ongoing assessment of control effectiveness in support of the agency’s efforts to manage information security vulnerabilities and threats,” is mainly due to staff shortages. As a result, only eight of the agency’s 47 systems had sufficient security control testing and monitoring in fiscal 2019.

Among the other findings:

•  The agency doesn’t keep a list of contractors who have access to OPM’s network, which “increases the risk of inappropriate access to critical or sensitive resources.” 

• The agency doesn’t require individuals assigned to “significant” security or privacy positions to receive role-based training.

• Six of the 47 authorizations on security assessments were signed by officials who don’t work for OPM anymore. This is “a fact that necessitates re-authorization by the new authorizing official,” according to the report 

• Only seven of OPM’s contingency plans for emergencies or disruptions were reviewed and updated in fiscal 2019, which “has been an ongoing weakness at OPM for over a decade.”

The inspector general made 47 recommendations to OPM, many of which were rolled over from years dating back to 2008. They included: routinely test for data breaches, assess employee skills gaps, hire more information security staff and improve security training. OPM concurred or partially concurred with most of the recommendations and explained the progress it has made or plans to take. 

In 2015, OPM disclosed a data breach that exposed personnel files of all current and former federal employees and another that released security clearance files for job applicants and their families. The breaches affected about 21.5 million individuals in total. In October, a federal appeals court denied the Trump administration's appeal to stop the lawsuit brought by current and former federal employees who sued the government over its inability to protect personal data that led to the breaches. The lawsuit can move forward since a judge ruled in June that the plaintiffs have standing.

The inspector general conducted this audit from April to September, based on the metrics from the National Institute of Standards and Technology's Cybersecurity Framework. The audit was required by the 2002 Federal Information Security Management Act.