The Office of Personnel Management’s own inspector general recently completed an audit of the agency’s security programs and practices and the findings were, at best, a mixed bag. Thorough and extensive, the resulting report could easily be applied to many agencies and is a piercing commentary on the state of cybersecurity in many federal agencies today.
Interestingly, the audit used the NIST Cybersecurity Framework to measure the overall maturity level of the OPM security program with five levels of maturity ranging from “Ad Hoc” to “Optimized.”
The OIG report rates OPM’s program overall level at 2 (“Defined”), although it gives the agency the high mark of 4 (“Managed and Measurable”) in its ability to respond to incidents. This comes as no surprise, given the high-profile breach of security clearance records in 2015 at OPM.
The resulting OIG report offers three key lessons for agencies seeking to avoid the issues facing OPM today:
1. Organize your assessment documents regularly.
The tone of the report suggests a tension between the agency’s security team and those performing the audit — an all-too-familiar situation seen today. In fact, the OIG notes that the agency has struggled with ongoing security control assessments for over a decade. Citing “audit fatigue,” the security team expresses that the audits are duplicative and strain already scarce resources. However, the OIG puts OPM’s disorganization at fault, mentioning a specific occasion where auditors spent 600 hours evaluating a package of documents, only to discover the documents were outdated and incorrect.
Whether an organization uses a simple folder or a high-end document management system, it is essential to implement and enforce a strict structure for organizing the voluminous documentation associated with assessment and authorization requirements. From time-stamping documents to making final copies read-only, agencies can save tremendous amounts of labor and time. But organizing documents is more than an administrative exercise. An accurate assessment of risk and planning for security program improvements rests squarely on the accuracy of documentation. If it isn’t clear which documents are correct, how can an agency know how to improve its security posture?
2. Resolve findings and enforce POA&Ms.
The OIG report takes OPM to task for its failure to remediate findings from past audits, specifically citing weaknesses in continuous monitoring, contingency planning and Plans of Action and Milestones (POA&Ms). It notes that OPM has only closed 34 percent of the FISMA findings in the past two years — which is expected to only increase as FISMA audits continue. Some findings and recommendations have even been unresolved for over a decade.
If POA&Ms are organized, it is much easier to stay ahead of audit findings and to resolve them before they become chronic issues. POA&Ms must have some “teeth” to be more than exercises in paperwork. Deadlines need to be taken seriously, and if a resource shortage is the cause of a continuous problem, agencies should document the reasons thoroughly to prepare for future audits. If findings are documented clearly, tension may also ease between security and audit teams — which can also lead to candid discussion and cooperation on how to improve an agency’s overall security status.
3. Don’t wait for a major breach to happen.
OPM’s experience shows that agencies must develop a robust response capability before they face a major breach.
As a result of the 2015 breach, OPM’s reputation suffered and the agency head was asked to leave. More importantly, millions of people — including myself — found that their security clearance information had been compromised.
Protection needs to be a reflexive action rather than a reaction. No agency is immune, but a robust and timely response capability could have mitigated the damage.
Will IT modernization help?
Unfortunately, many agencies see modernization as a complicated effort, rather than one that can resolve their security challenges. Support systems for new technology can be hard to find, and thus are more expensive. The transition period to a new system can also bring security issues itself, and there is always potential for new hardware and software to be vulnerable.
Modernization is more than installing new software or eliminating unused and redundant legacy systems. It is an ongoing effort. It requires continuous upgrades, constant systems improvements, ongoing staff training, and a commitment to security from the top. It’s essential for agencies to look at modernization as an opportunity to simplify and streamline systems, the types of efforts that can help them avoid the challenges facing OPM.