
Thursday, January 21, 2016

IG Slams OPM for Continued IT Security Weaknesses



In the wake of a massive data breach, OPM is finally beginning to improve its IT security posture but continues to fail to meet FISMA requirements, the OPM inspector general has said.

It said it has additional concerns with the manner in which the agency is attempting to quickly fix longstanding problems that have been mounting for decades.

OPM is migrating all its systems into a new technical infrastructure, the "Shell," but is not prepared to address many of the very difficult challenges this entails, according to the IG.

In its fiscal 2015 FISMA audit of the agency, the IG noted an overall lack of compliance that seems to permeate the agency's IT security program.

As an example, it highlighted OPM's extremely poor decision to put system security assessments and authorizations on hold until applications are migrated into the Shell, one that makes it likely that the IT security controls of OPM's systems will remain neglected during the time it takes to move the systems to the new environment, something that could take years.

The IG said it remains concerned that agency systems will not be protected against another attack.

It credited OPM with having reorganized the Office of the CIO and for establishing an enterprise network security operations center responsible for incident detection and response.

However, it cited a long list of shortcomings, including:

- OPM's system development life cycle policy is not enforced for all system development projects;
- OPM does not maintain a comprehensive inventory of servers, databases, and network devices;
- Up to 23 major OPM information systems are operating without a valid Authorization;
- OPM does not have a mature continuous monitoring program;
- Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11;
- Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy; and
- OPM has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.

Source: http://www.fedweek.com/uncategorized/ig-slams-opm-for-continued-it-security-weaknesses/
