Federal Manager's Daily Report

High turnover and resulting vacancies along with the need for training have aggravated IT security issues at OPM, according to an IG report.

A report on the agency’s compliance with the Federal Information Security Modernization Act repeated earlier criticisms of the agency’s security management structure, saying that “although OPM has developed a security management structure that we believe can be effective, there has been an extremely high turnover rate of critical positions.”

In addition to turnover among operational staff, five people have served as OPM chief information officer in the past three years. “The negative impact of these staffing issues is apparent in the results of our current FISMA audit work. There has been a significant regression in OPM’s compliance with FISMA requirements, as the agency failed to meet requirements that it had successfully met in prior years,” it said.

The report said OPM has made filling vacancies a priority, “but simply having the staff does not guarantee that the team can effectively manage information security and keep OPM compliant with FISMA requirements,” it said. For example, only 73 percent of employees with significant security responsibilities completed specialized IT security training in fiscal 2016.

The IG’s office has issued a string of reports raising red flags about OPM’s cybersecurity practices dating to before the agency was victimized by thefts of data from its personnel records and background investigations databases.