The security posture of the Office of Personnel Management has improved drastically, and by the end of the year the agency is on track to meet almost all of the recommendations the US Government Accountability Office (GAO) made over the past two years. Full compliance is expected by the end of 2019.
Between February 2015 and August 2017, GAO carried out multiple reviews of the security stance of the Office of Personnel Management (OPM), which resulted in four separate reports with recommendations for improvement.
It is worth reminding readers that OPM is an agency of the US federal government that handles personal data of the government's civilian workforce. In June 2015, the agency reported a data breach that was initially thought to affect 4 million federal employees. Details from the investigation later put the number of individuals affected by the hack at 21.5 million.
According to reports that have not been officially confirmed, the suspects are Chinese hackers. However, in 2017 the US arrested a Chinese national for distributing malware that was used to carry out the OPM hack.
Of the 80 recommendations it received, OPM implemented 51 in fiscal year 2018, failed to provide sufficient evidence for five, and left 24 open.
In its first report, released to the public in June 2016, GAO made four recommendations to OPM: enhance security plans, run a thorough evaluation of security controls, update action plans, and track specialized staff training.
In more specific terms, the agency had not protected some of its systems from unauthorized information exchange, had not enforced password policies for authenticated access or restricted access to the relevant individuals, had not turned on encryption for a database, and had not enabled sufficient logging to support monitoring and auditing of its systems.
"As of September 20, 2018, OPM had not provided sufficient evidence to demonstrate that it had implemented any of the 4 recommendations," reads the latest GAO report.
In a second report, GAO identified 62 security-related problems and made recommendations such as strengthening firewall controls, enforcing stronger password policies, restricting access to important systems, and logging activity.
OPM has now resolved 46 of these issues, a large share of them (21) by taking out of service one of the two high-impact systems GAO assessed.
This leaves 16 problems that still need to be fully addressed. They include administrator accounts shared by multiple individuals, passwords that are not encrypted at rest or in transit across the network, and network gear supporting a sensitive system that does not run the latest version of its operating system.
GAO's advice for improving OPM's security stance in its previous two reports reflects standard industry practices and recommendations.
These cover installing critical patches as soon as possible, periodically reviewing existing accounts to confirm they still need privileged access, and checking the controls on specific systems as part of the continuous monitoring plan.
None of these have been addressed by OPM. Moreover, according to GAO's latest evaluation, OPM still uses credentials that were valid during the breach reported in 2015.
Priority recommendations for the agency that manages government workers' data include training the personnel who use monitoring tools and shortening the validation of corrective actions.
Following the evaluation of its systems and the resulting suggestions for improving security, OPM did not agree with every item GAO proposed. One issue that will remain unresolved is installing a security tool on contractor workstations.
Other than this, the agency has made visible progress in adopting GAO's recommendations. Things moved faster in the last quarter of 2018, as shown in the graph below:
"Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended," reads the conclusion of the GAO report, adding that the agency's systems and information are at "increased risk of unauthorized access, use, disclosure, modification or disruption."
OPM says it will continue its efforts to improve the security of its systems by implementing five more GAO recommendations by the end of the year and adopting another 23 by the end of fiscal year 2019.