The Office of Personnel Management (OPM) made progress during Fiscal Year 2019 on cybersecurity issues, and closed eight prior recommendations from its Office of Inspector General (OIG) during the year, according to the OIG’s 2019 Federal Information Security Modernization Act (FISMA) audit.
The FISMA audit focused on OPM’s performance in eight domains from the five cybersecurity framework function areas: Identify, Protect, Detect, Respond, and Recover. The OIG made recommendations for each of the eight domain areas.
Under the Risk Management domain, OIG said OPM has successfully identified an enterprise-wide risk management strategy, and is working to implement an inventory management process for its system interconnections, hardware assets, and software.
On Configuration Management, OIG found that OPM has worked to develop baseline configurations and approve standard configuration settings for its information systems, and that this work is ongoing. OPM has also established a routine audit process.
For Identity, Credential, and Access Management (ICAM), OIG stated that OPM is still developing its ICAM strategy and does not yet have a sufficient process in place to manage contractors.
Under Data Protection and Privacy, OPM still has resource constraints within its Office of Privacy and Information Management that limit effectiveness, but has implemented some data protection and privacy-related controls.
OPM has also implemented an IT security training strategy program to bolster its Security Training domain, but still has workforce gaps to identify.
Information Security Continuous Monitoring (ISCM) is an area where OPM needs to improve, as it still struggles to conduct security controls assessments on all of its information systems, the OIG said. While it has established many ISCM policies and procedures, OPM has not completed the implementation or enforcement of them.
In Incident Response, OIG found that OPM had successfully implemented all FISMA metrics at the “consistently implemented” or higher level.
Lastly, under Contingency Planning, OIG found that OPM “has not implemented several of the FISMA requirements related to contingency planning,” and said this domain has been a “weakness at OPM for over a decade.”
OPM has agreed fully or partially with many of the recommendations in the report, including those rolled over from prior years.
“This year, OPM concurs with 38 of the OIG’s 47 recommendations and respectfully non-concurs or partially concurs with the remaining nine recommendations,” OPM CIO Clare Martorana wrote in response. “OPM and OIG will continue to work together toward mutual understanding of the use of the evolving FISMA maturity model and its underlying metrics that were first introduced in FY 2017.”