The recent intrusions into U.S. Office of Personnel Management (OPM) systems that house personnel and background investigation data for Federal employees and other individuals have raised questions about the security of OPM data and the integrity of its information technology (IT) assets.
Although OPM has been on a steady path to modernize its IT systems and enhance cybersecurity, recently discovered incidents have underscored the fact that there is clearly more that can and must be done.
Government and non-government entities are under constant attack by evolving, advanced, and persistent threats and criminal actors. These adversaries are sophisticated, well-funded, and focused. For that reason, efforts to combat them and improve Federal IT and data security must be constantly improving as well.
OPM’s report provides a summary of the actions OPM has taken, those that are currently underway, and those that are planned for the future in order to meet this challenge.
Many of these actions are based on recommendations that have been provided by independent experts such as the agency’s Inspector General (IG), the Government Accountability Office (GAO), and other Federal partners. In the coming weeks and months, the agency will continue to consult with Congress, the IG, independent experts inside and outside of government, and others to identify further actions to strengthen cybersecurity and protect its critical IT systems.
One of the principal elements of the plan was information security — to ensure the agency protects the identity and privacy of citizens and employees by implementing and actively monitoring standard security controls in IT systems that effectively protect the large volume of sensitive personal data collected and stored by OPM IT systems.
Under Director Archuleta’s leadership, OPM has made good on that commitment by taking 23 concrete steps to improve information security:
1. Implemented two-factor Strong Authentication for all privileged users, and increased the percentage of unprivileged users with two-factor Strong Authentication. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems. OPM has been a leader for the Federal government in this area.
2. Restricted remote access for network administrators and restricted network administration functions that can be performed remotely.
3. Reviewed all connections to ensure that only legitimate business connections have access to the Internet.
4. Deployed new hardware and software tools, including 14 essential tools to secure the network. OPM continues to deploy additional security tools to improve its cybersecurity posture, including tools that mask and redact data.
5. Deployed anti-malware software across the environment to protect against and prevent the deployment or execution of cybercrime tools that could compromise the agency’s networks.
6. Upgraded Security Assessment and Authorization for multiple systems.
7. Established a 24/7 Security Operations Center, staffed by certified professionals, to monitor the network for security alerts.
8. Implemented continuous monitoring to enhance the ability to identify and respond, in real time or near real time, to cyber threats.
9. Installed more firewalls that allow the agency to filter network traffic.
10. Centralized security management and accountability into the Office of the CIO and staffed it with security professionals who are fully trained and dedicated to information security on a full-time basis.
11. Conducted a comprehensive review of IT security clauses in contracts to ensure that the appropriate oversight and protocols are in place.
12. Developed a Risk Executive Function to ensure risk mitigation at the organizational, business process, and information system levels, including development of a Risk Executive Charter and Risk Registry Template.
13. Mandated cybersecurity awareness training for the entire workforce.
Leveraging Outside Expertise
14. Collaborated with agency partners such as the Office of Management and Budget (OMB) and the National Institute of Standards and Technology to share, learn and standardize best practices, and to ensure information security policies are rigorous and cost-effective based on a risk assessment methodology that considers both current and potential threats.
15. Worked with the intelligence community and other stakeholders to identify high value cyber targets within the OPM network where bulk PII data are present, and mitigate the vulnerabilities of those targets to the extent practicable.
16. Worked with law enforcement and other agencies to shore up existing security protocols, enhance the security of its systems and detect and thwart evolving and persistent threats.
17. Bringing in management and technology expertise by adding experts from around the Government to help manage its incident response, provide advice on further actions, and ensure that Congress and the public are kept fully up-to-date on ongoing efforts.
18. Helping other agencies hire IT leaders to ensure they can acquire the personnel needed to combat evolving cyber threats. This includes leveraging tools and flexibilities such as direct hiring, excepted service hiring flexibilities and critical pay authority to bring IT and cyber experts from the private sector into the Federal government quickly and efficiently.
19. Invested in network remediation and stabilization to modernize OPM’s IT footprint. From Fiscal Year 2014 to 2015, OPM nearly tripled its investment in the IT modernization effort, from $31 million to $87 million. The President’s 2016 Budget calls for an additional $21 million to further this effort. These funds would pay for maintenance of a sustained security operations center (SOC) to provide critical oversight of OPM’s security posture and real-time 24/7 monitoring of network servers to detect and respond to malicious activity. Further, this funding includes support for stronger firewalls and storage devices for capturing security log information used for analysis in incident response.
20. Standardized operating systems. In alignment with an IG recommendation, OPM will continue standardizing operating systems and applications throughout the OPM environment, with the ultimate goal of implementing configuration baselines for all operating platforms in use by OPM. Once these baselines are in place, OPM will conduct routine compliance scans against them to identify any security vulnerabilities that may exist.
21. Strengthened oversight of contractors. In alignment with recommendations made by the GAO, OPM is in the process of developing, documenting, and implementing enhanced oversight procedures for ensuring that a system test is fully executed for each contractor-operated system. These procedures will expand the policy for oversight of contractor systems currently in OPM’s IT Security and Privacy Handbook.
22. Tightened policies and practices for privileged users. Consistent with guidance from OMB, OPM is reviewing the number of privileged users, and taking steps to minimize their numbers, limit functions that they can perform, limit the duration of time they can be logged in, limit the functions that can be performed remotely, and log all privileged user activity. This review – to be conducted by the CIO and the new cybersecurity advisor – will be completed and will provide recommendations to the Director by July 15.
23. Improved Portfolio Management by hiring a dedicated Level 3 IT portfolio manager, as recommended by the IG, in December 2014 to lead its IT transformation efforts and ensure that security and performance requirements are addressed across the enterprise.
Source: “Actions to Strengthen Cybersecurity and Protect Critical IT Systems.” Read the full report at: https://www.opm.gov/news/latest-news/announcements/cybersecurity-report/
IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide you through the recovery process.
Visit the Federal Trade Commission website: http://ftc.gov/idtheft for ID theft prevention tips and free resources.