OPM OIG Audit Finds Significant Problems Remain

Posted on by Dissent

From the Executive Summary of FY 2015 FISMA Results:

  •   The significant deficiency related to information security governance has been dropped due to the reorganization of the Office of the Chief Information Officer (OCIO).
  •   OPM’s system development life cycle policy is not enforced for all system development projects.
  •   OPM does not maintain a comprehensive inventory of servers, databases, and network devices.
  •   Up to 23 major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM’s IT security program.
  •   OPM does not have a mature continuous monitoring program. Also, security controls for all OPM systems are not adequately tested in accordance with OPM policy.
  •   The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.
  •   We are unable to independently attest that OPM has a mature vulnerability scanning program.
  •   Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.
  •   OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.
  •   OPM has not fully established a Risk Executive Function.
  •   Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.
  •   Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&M) and the majority of systems contain POA&Ms that are over 120 days overdue.
  •   OPM has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.
  •   Not all OPM systems have reviewed their contingency plans or conducted contingency plan tests in FY 2015.
  •   Several information security agreements between OPM and contractor-operated information systems have expired.

SOURCE:

Federal Information Security Modernization Act Audit FY 2015
Report Number 4A-CI-00-15-011
November 10, 2015

Category: Commentaries and AnalysesGovernment SectorOf NoteU.S.