One third of recommendations made by GAO to OPM regarding PII, biometrics data security still not fixed
The federal Office of Personnel Management (OPM), which collects and maintains biometric and other Personally Identifiable Information (PII) on millions of past and present federal employees, including security clearance background information, has made progress in implementing Government Accountability Office (GAO) recommendations for improving OPM’s “security posture,” but further actions are still needed, GAO revealed in a recent briefing for the staff of the Senate and House Appropriations Subcommittees on Financial Services and General Government, based on a new audit report.
GAO stated that as of September 20, 2018, OPM had implemented 51 (about 64 percent) of its 80 recommendations, “but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations.”
GAO’s audits were in response to a June 2015 intrusion into OPM’s data systems in which personnel records of about 4.2 million current and former federal employees were compromised.
“Then, the next month, the agency reported that a separate, but related, incident had compromised files [also containing sensitive biometric PII] related to background investigations for an estimated 21.5 million individuals” seeking security clearances, data that hostile foreign intelligence services could readily exploit.
Indeed, Gene L. Dodaro, Comptroller General of the United States, recently told the House Committee on Oversight and Government Reform Subcommittee on Government Operations and Information Technology that this breach “compromised … the files related to background investigations for” these 21.5 million individuals, adding, “foreign nations — where adversaries may possess sophisticated levels of expertise and significant resources to pursue their objectives — pose increasing risks. Rapid developments in new technologies, such as artificial intelligence and the Internet of Things, makes the threat landscape even more complex and can also potentially introduce security, privacy, and safety issues that were previously unknown.”
From February 2015 through August 2017, GAO conducted multiple reviews of OPM’s information security, issuing four reports based on these reviews containing 80 recommendations “for improving the agency’s security posture.”
GAO was tasked by the Consolidated Appropriations Act of 2018 to brief the House and Senate Appropriations Committees on actions taken by OPM in response to GAO’s information security recommendations. GAO re-audited OPM from September 2018 through November 2018.
Regarding OPM’s implementation of GAO’s information security program and control recommendations as of September 20, 2018, for “systems agencies categorize as high impact” (systems where the loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, assets, or individuals), GAO stated that “OPM had not provided sufficient evidence to demonstrate that it had implemented [GAO’s] 4 recommendations. Three of the recommendations were related to enhancing security plans, performing comprehensive security control assessments, and updating remedial action plans for two selected high-impact systems. The fourth recommendation was to provide and track specialized training for all individuals, including contractors, who have significant security responsibilities.”
In a footnote, GAO stated, “Priority recommendations are those that GAO believes warrant priority attention from heads of departments and agencies. In a July 2016 letter to OPM’s Acting Director, the Comptroller General informed her of these three priority recommendations related to strengthening controls for high-impact systems. In June 2017, the Comptroller General sent a similar letter highlighting these three priority recommendations to another OPM Acting Director, as well as in another letter to the OPM Director in March 2018 because the agency had not implemented the recommendations.”
Of the 62 recommendations GAO made in another report, “OPM had implemented or addressed 46 recommendations, including those recommendations associated with strengthening firewall controls, enforcing password policies, restricting access to a key server, logging security-related activities, and updating the contingency plan for a high-impact system.”
However, GAO reported OPM “had not provided sufficient evidence that it had implemented the other 16 recommendations,” which “included avoiding the use of the same administrator accounts by multiple persons, implementing procedures governing the use of special privileges on a key computer, encrypting passwords while stored or in-transit across the network, and installing the latest versions of operating system software on network devices supporting a high-impact system.”
With regard to a third audit, GAO found that “OPM had implemented 2 of the 9 recommendations,” and while those two dealt with “protection of data by encrypting data for two selected systems we reviewed,” OPM “had not demonstrated that it had fully implemented 7 other recommendations, including recommendations to reset all passwords subsequent to the breach, install critical patches in a timely manner, periodically evaluate accounts to ensure privileged access is warranted, and assess controls on selected systems as defined in its continuous monitoring plan.”
Finally, while OPM implemented 3 of 5 recommendations GAO made in a fourth audit report by updating milestones for completing United States Computer Emergency Readiness Team recommendations and its policy for deploying threat indicators, and had improved its guidance for evaluating the quality of control assessments, OPM “had not demonstrated that it had implemented 2 recommendations that we had designated as priority recommendations to improve the timeliness of validating corrective actions and to develop and implement training requirements for staff using special tools.”
According to GAO, officials in OPM’s Office of the Chief Information Officer said OPM “plans to implement 25 of the remaining 29 open recommendations by the end of calendar year 2018,” and “expects to implement 3 additional recommendations by the end of Fiscal Year 2019.”
“However,” GAO noted, “the officials stated that the agency does not plan to implement the one remaining recommendation related to deploying a security tool on contractor workstations. The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided evidence to us of these controls. Expeditiously implementing all remaining open recommendations is essential to ensuring that appropriate controls are in place to protect the agency’s systems and information.”
GAO has issued dozens of audit reports to Congress and the relevant federal agencies, and has made nearly 2,500 recommendations to those agencies to improve their implementation of information security and access security controls. These recommendations identify actions agencies across the federal enterprise should take not only to protect their information databases and systems, but “to fully implement their information security programs and better protect the privacy of the PII contained in these systems,” which includes a wealth of personal biometric information.
GAO said in its latest government “High Risk” summary that “critical actions” are needed to address four major cybersecurity challenges, and that federal “agencies need to consistently implement policies and procedures for responding to breaches of PII” by improving federal efforts to protect privacy and sensitive data, appropriately limiting the collection and use of personal information, and ensuring that it is obtained with appropriate knowledge or consent.