The Government Accountability Office has evaluated the Office of Personnel Management’s efforts to implement the 19 recommendations that the U.S. Computer Emergency Readiness Team issued to strengthen OPM’s information security controls and practices after the 2015 data breaches, and found that OPM had completed actions on 11 of them.
GAO said in a report published Thursday that four of the remaining eight US-CERT recommendations require “further improvements,” and that OPM had not validated the corrective actions it took to confirm that those actions actually addressed the recommendations.
The report also found that OPM had begun implementing data security policies tied to governmentwide requirements, such as identifying information technology systems that hold sensitive data, but had not encrypted data at rest and in transit on some of its IT systems.
The congressional watchdog also made five recommendations to help OPM protect sensitive data from security vulnerabilities. These include updating its action plans to show expected completion dates for implementing the US-CERT recommendations.
According to the report, the acting OPM director should also establish role-based training requirements for personnel who use the agency’s continuous diagnostics and mitigation tools, and provide guidance on the quality assurance process used to validate corrective actions.
GAO further called on OPM to update its policies to specify how the 24-hour scanning requirement is implemented and how threat indicators received from the Department of Homeland Security are deployed.