OPM “has improved its security posture and is in the process of taking numerous actions” since disclosures in 2015 that two databases containing information on federal employees had been hacked, GAO has said.

Since the breaches of a personnel records database and another containing information on federal employees and others who had undergone background investigations, OPM has been working to put in place government-wide cybersecurity policies and recommendations from DHS’s US-CERT office, GAO said. These include restricting the number of users authorized to access such files, beefing up authentication requirements for users, and more tightly controlling the information available to even privileged users.

In addition, OPM established the semi-independent National Background Investigations Bureau which will use DoD cybersecurity resources to protect information related to those checks.

“However, by not validating remedial actions in a timely manner, the agency has limited assurance whether these actions effectively mitigated vulnerabilities that can expose systems to incidents,” a report said. It further said the steps taken so far were not consistently applied across all systems.