OPM OIG Audit Finds Significant Problems Remain
From the Executive Summary of FY 2015 FISMA Results:
- The significant deficiency related to information security governance has been dropped due to the reorganization of the Office of the Chief Information Officer (OCIO).
- OPM’s system development life cycle policy is not enforced for all system development projects.
- OPM does not maintain a comprehensive inventory of servers, databases, and network devices.
- Up to 23 major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM’s IT security program.
- OPM does not have a mature continuous monitoring program. Also, security controls for all OPM systems are not adequately tested in accordance with OPM policy.
- The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.
- We are unable to independently attest that OPM has a mature vulnerability scanning program.
- Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.
- OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.
- OPM has not fully established a Risk Executive Function.
- Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.
- Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&M) and the majority of systems contain POA&Ms that are over 120 days overdue.
- OPM has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.
- Not all OPM systems have reviewed their contingency plans or conducted contingency plan tests in FY 2015.
- Several information security agreements between OPM and contractor-operated information systems have expired.
Federal Information Security Modernization Act Audit FY 2015
Report Number 4A-CI-00-15-011
November 10, 2015