OPM's IT authorization process a 'material weakness,' IG says

A 2015 decision to pause tech authorizations is putting the Office of Personal Management at risk, according to a new inspector general report.

 

An IT security decision made around the time of the discovery of the devastating 2015 hack of Office of Personnel Management systems continues to have "a significant negative impact on the agency," according to a watchdog report.

In April 2015, OPM's CIO moved to halt all technology authorization activity while the agency worked on a plan to migrate its applications to a more modern environment – a project called the shell.

At the time, the IG warned of the "extreme risk associated with neglecting the IT security controls of its information systems."

Eventually, OPM pivoted away from the modernization plan originally cited as the justification for the authorization halt. However, the lapse in authorization activity continues to haunt the agency, according to the July 7 IG report.

OPM revived its IT authorization program in a 2016 "sprint" and made other process improvements, including incorporating the National Institute of Standards and Technology risk framework and updating the roles and responsibilities of the individuals involved.

While expired authorities to operate do not indicate a system is compromised or insecure, the IG report noted that keeping ATOs current is a good way to identify significant risks to be addressed.

In reply comments, OPM CIO Dave DeVries, a former deputy CIO at the Department of Defense who was brought in to lead the development of a new background check system at OPM, said the IG doesn't have all the facts.

"We have notified the OIG that we believe it is issuing the audit without the benefit of the full set of documentation available," DeVries said.

The IG report calls out the OPM local-area and wide-area networks for special attention. The LAN/WAN got a one-year provisional ATO in September 2016, but according to the IG report, the system security plan for that system is missing key information.

Specifically, it said the agency's LAN/WAN system security plan didn't include data about hardware, software, minor systems and some controls. It also said shortcomings in security control testing as part of the LAN/WAN authorization process "likely prevented" the testers from finding vulnerabilities. Additionally, the IG said security weaknesses found during the LAN/WAN authorization weren't tracked in a plan of action and milestones document produced by OPM.

DeVries noted in his comments that the evaluation of the security of the LAN/WAN system took place during modifications of the overall IT infrastructure. "This resulted in a complex, dynamic system that made it difficult for the independent assessor to evaluate the status of many of the security controls with a high degree of confidence," he said.

Despite these caveats, the OIG said it continues to believe that OPM's authorization process "represents a material weakness in the internal control structure of the agency's IT security program."