Despite the public nature of Federal Information Security Management Act cybersecurity requirements, the Office of Personnel Management’s Office of the Chief Information Security Officer failed to supply adequate personnel and documentation for its most recent audit, according to an Office of Inspector General report.

“The annual FISMA reporting metrics are publicly available documents, and are made available to OPM and the OIG at the same time, and are generally covering the same topics every year,” the report said. “It would seem obvious that the OCIO should anticipate the required documentation and interview requests and stage the information in a readily accessible location. This audit is essentially an ‘open book test,’ but, inexplicably, OPM continues to struggle in providing timely documentation and appears to be generally unprepared to respond to routine audit requests.”

According to the report, the OCIO failed to invite proper experts to audit meetings and also failed to brief those who did attend on the topic of the meeting.

The report also criticized OPM for not implementing recommendations from previous audits, a problem that can only compound as time goes on.

“OPM is not making substantial progress in implementing our FISMA recommendations from prior audits,” the report said. “OPM has only closed 34 percent of the FISMA findings issued in the past two years, and we expect the number of new recommendations issued to significantly increase as the FISMA audits continue to evolve and look into new areas of the agency’s technical operations.”

According to the report, the agency cited audit fatigue as a major factor in its inability to complete its mission and said that the audits put a strain on already scarce resources.

“Although we agree that audits can be a strain on resources, we believe that the primary cause of OPM’s ‘audit fatigue’ is the OCIO staff’s inability to maintain complete, detailed, and organized documentation,” the report said. “OPM has not implemented several of the FISMA requirements related to contingency planning, and continues to struggle with maintaining its contingency plans as well as conducting contingency plan tests on a routine basis.”

The OIG recommended that OPM hire a sufficient number of security staff to support agency IT systems. However, the OPM OCIO said that a gap between agency resource priorities and cybersecurity priorities means that it isn’t able to retain or backfill necessary positions.

“OCIO’s resources have been impacted by budgetary uncertainties and the ensuing difficulties in planning and funding hiring actions in upcoming fiscal years,” the OPM OCIO said in the report. “OPM faces challenges in its ability to prioritize cybersecurity positions over other agency hiring decisions.”

However, the report found that current governance of that staff still hampers agency cybersecurity efforts.

“We believe that this centralized security governance structure can be effective. However, the CISO organization continues to struggle in implementing long-standing cybersecurity controls required by FISMA,” the report said. “We believe that OPM’s security governance structure continues to represent a significant deficiency in the agency’s internal controls. While resource limitations certainly impact the effectiveness of OPM’s cybersecurity program, the staff currently in place is not fulfilling its responsibilities that are outlined in OPM policies and required by FISMA.”

Among the biggest problem areas for the agency were information security continuous monitoring and information security governance practices.

“OPM has established many of the policies and procedures surrounding ISCM, but the organization has not completed the implementation and enforcement of the policies,” the report said. “OPM also continues to struggle with conducting a security controls assessment on all of its information systems. This has been an ongoing weakness at OPM for over a decade.”

In fact, the report found that many of OPM’s cybersecurity weaknesses stemmed from a failure to address recommendations from previous reviews.

Of the five maturity levels defined by the 2017 FISMA Reporting Metrics – ad hoc, defined, consistently implemented, managed and measurable, and optimized – the OIG gave OPM an overall ranking of Level 2, or defined, security.