Dive Brief:
- Following the June and July 2015 data breach, the Office of Personnel Management (OPM) has completed 11 of the 19 security requests made by the U.S. Government Accountability Office (GAO), according to a GAO report. There are four tasks that need further improvement and four that are still in development.
- Following the breach that compromised the information of 21.5 million people, GAO reviewed the plan of action OPM must take to mitigate present and future security risks. Part of the GAO's task was assessing the actions taken by the OPM following the breach and then reviewing the policies already in place for cybersecurity. The GAO also requested that OPM inspect its strategy for monitoring contract IT employees.
- The report from the GAO is a slow but steady progression in cybersecurity accountability efforts. The review process has included examination of the OPM’s plans of action, data and even review of personnel.
Dive Insight:
Last year it was reported that the U.S. government ranks behind the private sector in cybersecurity. As the report included government at all levels, it is noted that such a large data source is hard to maintain securely.
OPM serves as the nation's human resources department for government officials. Because the agency houses personal data as well as data stored for security clearances, the 2015 breach was not taken lightly.
As of May, OPM completed 11 of the 19 security changes set by the GAO and United States Computer Emergency Readiness Team (US-CERT). Specifics of the completed, incomplete and in-progress tasks are not available due to the data sensitivity.
Outside of the US-CERT recommendations, the Obama administration implemented a National Background Investigations Bureau (NBIB), relieving OPM from the responsibility of background checking federal employees. As the NBIB is headed by the Department of Defense, last year OPM named its new CIO, David De Vries, from the Pentagon.
Two years following the breach, OPM acknowledged its role and has taken the steps necessary to prevent breaches of that severity. Changes in cybersecurity take time as they are diverse in nature. For OPM, those changes have included evaluating the number of privileged users, requiring multilayered authentication processes, encrypting data for certain networks, launching malware/threat-detector technologies, and even examining the implementation of security regulations made by contractors.
The review by the GAO is an opportunity for any company in the public or private sector to examine its security. Any changes in existing structures need to be followed with proper training to ensure true effectiveness.