The Office of Personnel Management (OPM), which suffered cyber intrusions discovered in 2015 that compromised personnel records and files on background investigations of more than 25 million people, has implemented most of the Government Accountability Office’s 80 recommendations to strengthen its security posture but more than a third remain open, the auditing agency says in a new report.
As of Sept. 20, 51 of the recommendations, about 64 percent, had been implemented, GAO says in the report that was issued on Tuesday. Of the 29 open recommendations, OPM officials told GAO that it planned to implement 25 of them before the end of 2018 and three more in fiscal year 2019.
“However, the officials stated that the agency does not plan to implement the one remaining recommendation related to deploying a security tool on contractor workstations,” GAO says. “The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided evidence to us of these controls.”
GAO also says that OPM hasn’t done comprehensive security control assessments and isn’t tracking specialized training for its personnel that have “significant security responsibilities.”
OPM in June and July 2015 reported on two cyber breaches, leading the administration of then President Obama to declare a 30-day “cyber sprint” requiring all federal agencies to review their cyber security needs and to develop plans to mitigate vulnerabilities.
GAO’s recommendations come from four reports the agency issued between February 2015 and August 2017 on OPM’s information security.
Chinese hackers are suspected to be behind the OPM breaches.