In June 2015, the Office of Personnel Management (OPM) reported that an intrusion into its systems had affected the personnel records of about 4.2 million current and former federal employees. Then, in July 2015, the agency reported that a separate but related incident had compromised its systems and the data files related to background investigations for 21.5 million individuals.
From February 2015 through August 2017, the Government Accountability Office (GAO) conducted multiple reviews of OPM’s information security and issued four reports based on these reviews. The reports contained 80 recommendations for improving the agency’s security posture.
The Explanatory Statement that accompanies the Consolidated Appropriations Act, 2018, included a provision for GAO to brief the House and Senate Appropriations Committees on actions taken by OPM in response to GAO’s information security recommendations. GAO’s objective was to determine the extent to which OPM has implemented the recommendations to improve the agency’s information security.
In a report issued November 13, GAO finds that OPM has made progress in implementing GAO’s recommendations, but further efforts remain. As of September 20, 2018, OPM had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations.
According to officials in OPM’s Office of the Chief Information Officer, the agency plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018. Three of the recommendations that would remain open at OPM relate to enhancing security plans, performing comprehensive security control assessments, and updating remedial action plans for two selected high-impact systems. The fourth recommendation was to provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.
The agency expects to implement three additional recommendations by the end of fiscal year 2019. However, OPM does not intend to implement the recommendation related to deploying a security tool on contractor workstations. The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided GAO with evidence of these controls.