OPM implemented only 64% of 2015 incident suggestions

Dec 10, 2018 18:36 GMT

The U.S. Office of Personnel Management failed to implement about a third of the 80 information security recommendations made by the Government Accountability Office (GAO) following a data breach announced during 2015.

According to the report sent to the U.S. Congress by GAO, "In summary, OPM has made progress in implementing our recommendations for improving its security posture, but further actions are needed."

OPM reported in June 2015 that its computing systems had been accessed by an unauthorized third party, which led to the exposure of the personal information of approximately 4.2 million impacted federal employees.

Subsequently, in July 2015, OPM added to its initial statement, announcing a second security breach that affected documents and data related to background investigations of roughly 21.5 million individuals the office processed.

After an investigation, conducted between February 2015 and August 2017, of the measures OPM put in place to protect the security of the information stored on its systems, GAO issued four different reports with a list of 80 recommendations designed to allow the agency to boost its security.

OPM plans to implement 25 of the 29 remaining recommendations by the end of 2018

However, as stated in the report sent to Congress in 2018, "As of September 20, 2018, the agency had implemented 51 (about 64 percent) of the 80 recommendations, but had not provided any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations, as shown in table 1."

GAO recommendations statistics

Despite not having implemented about a third of all security improvements suggested by GAO, officials from OPM’s Office of the Chief Information Officer stated that the agency had drawn up plans to enact 25 of the 29 remaining recommendations by the end of 2018.

As detailed in the same OPM statement, the agency plans to implement three other suggestions by the end of 2019, and it has also devised "remedial action plans" for the rest of the 28 security improvements it still has to put into effect.

Despite all the good intentions the OPM has shown in its statements, GAO concluded that the agency failed to provide "any evidence, or provided insufficient evidence, to demonstrate implementation of the remaining recommendations."
