Friday, December 18, 2015

OPM Apocalypse II

 I have been reading the OPM Inspector General FISMA Report from November 2015, only one month ago.  It almost seems like something written for the TV series The Twilight Zone, where reality never seemed to be quite what you expected or could imagine from past experience.  OPM is a disaster waiting to happen - again - and nobody in the Federal government seems able to stop it or even slow down the train that led to the compromise of 24 million security clearance records.

OPM still has the same kinds of problems that allowed the Chinese to steal those records, but puts on a face that says they have corrected most of the things that allowed that to be done.  So, do we believe what OPM's leadership says, or what the IG says?  Had we listened to the IG in 2012, 2013, or 2014 there is some chance that the theft of data might not have occurred.  Can we do this again and still feel good about it?  Obviously, OPM thinks it can.

There are some glaring deficiencies in OPM that make it a constant target, but ignoring them will not make them go away:

1.  The IG says that 23 systems continue to operate without Authorization.  What that really means is that OPM leadership does not want to take the risk of putting their name on anything that might come back to bite them.  It reminds me of the IRS, when the CIO was briefed on the vulnerabilities of electronic filing - before it started - and he dropped the report on his desk and said, "I've heard of that.  Give that to [one of his assistants] to read."  The systems continue to operate without approval.

2.  Remedial action is not being carried out where deficiencies have been noted.  This is a trick many agencies use.  They don't record the actions required to fix a problem so they can't be cited for not doing those things.

3.  The systems still aren't being properly monitored for intrusions:

  OPM does not have a mature continuous monitoring program, nor has it established a baseline that is needed to assess one.

 The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.

 We are unable to independently attest that OPM has a mature vulnerability scanning program.

I kind of wonder about this since the OPM IG has access to most of the people in the organization, and we have to wonder why they can't find out if such a program exists...

 Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11.

 OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.

 OPM has not fully established a Risk Executive Function.

These are basic things that do not require a PhD to implement, nor a lot of time, yet from one year to the next OPM has the same identified set of problems.  The only difference is they have had an identified hack since then.  Any normal person would think that would cause an effort to try to correct some of the more egregious ones, like not having 2-factor authentication or not doing security scanning.  Perhaps the next thing that should be done is get the damned security records out of the hands of OPM and put them back in DoD where they came from.
