The Office of Personnel Management is objecting to a report from federal auditors that its cybersecurity practices are lacking, and says the auditors withheld critical information from the agency.
The report, issued on Tuesday by the nonpartisan Government Accountability Office, found the agency’s systems lacked appropriate access control. OPM responded in a statement later in the day, saying the GAO had withheld information about its assessment of OPM’s “boundary protection” and “authorization” vulnerabilities.
“While OPM and GAO are in agreement on most of their recommendations, we continue to disagree with GAO’s security control assessments recommendation,” agency spokesman Samuel Schumach said in a statement. He added that GAO had either failed to conduct or refused to provide OPM with analysis detailing the alleged weaknesses.
The vulnerabilities in question refer to the agency’s ability to fend off intrusions from outside attackers, as well as authorization restrictions in place to prevent insiders from inflicting serious damage. Schumach said the audit failed to account for improvements the agency had made since October of last year, including a cybersecurity monitoring system and its employees’ use of multifactor authentication.
“Over the past year, OPM has taken significant steps to enhance its cybersecurity posture, protect individuals who had their data stolen in the incidents last summer, and reestablish confidence in its ability to deliver on OPM’s core missions,” Schumach said.
The agency has been working to improve its cybersecurity posture following last year’s discovery that it had been breached by hackers linked to China. The hack resulted in the theft of information on more than 22 million people in the agency’s system, and the resignation of both its director and chief information officer.
The GAO report found that state-backed hackers were the most common source of attacks on government systems, and that malicious emails were the most common method of breaking in. Those findings were consistent with the OPM hack, which is thought to have originated in malicious email initially delivered to a contractor.
In addition to OPM, the GAO also audited the Nuclear Regulatory Commission, the Department of Veterans Affairs, and NASA. Those agencies said they had no comment beyond their concurring responses included in the GAO report.