The Office of Personnel Management’s inspector general has assessed OPM’s compliance with the Federal Information Security Modernization Act and found that more than 18 of its information technology systems are operating without a valid authorization to operate.
OPM IG said in a Nov. 9 report that it performed the audit at the agency’s Washington headquarters from April 2016 to September 2016.
The IG said OPM’s continuous monitoring and security incident programs have achieved Level 2 in the Council of the Inspectors General on Integrity and Efficiency maturity model and that the agency has made changes to its vulnerability management initiative and created an inventory of network devices, servers and databases.
The report also cited a “high turnover rate of critical positions” within OPM’s data security management structure and that the agency has failed to establish a risk executive function.
OPM also did not test contingency plans for most of its IT systems in fiscal year 2016, and it has not enforced multi-factor authentication for access to its systems as required by a memorandum issued by the Office of Management and Budget.
Other security issues found in the audit include OPM’s failure to apply the agency’s system development lifecycle policy to all development programs; a lack of configuration baselines for all operating platforms; a lack of security training among personnel; expired data security agreements between contractor-operated information systems and OPM; and overdue plan of action and milestones items for a majority of OPM systems.