OPM has complied with only about two-thirds of the recommendations in a series of GAO reports that followed the disclosure that personal information on some 21.5 million federal employees, retirees and other persons had been stolen from OPM databases, GAO has said.
Of the 80 recommendations in those reports, 61 have been carried out and OPM says that almost all of the rest are to be finished during the present fiscal year, but “until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption,” GAO said.
The latest report came in response to a requirement that GAO assess the response to the mid-2015 disclosure of breaches of OPM’s personnel records database and of a separate database on people on whom background checks had been conducted. The latter included highly personal medical, financial and other information along with the same type of identifying personal information held in the former.
OPM, however, does not plan to carry out a recommendation to deploy a security tool for contractor workstations; the breach began with the attackers gaining access through a contractor employee’s laptop. OPM “asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided evidence to us of these controls,” GAO said.
Meanwhile, a federal appeals court recently heard a challenge to the dismissal by a lower court of a federal employee union-sponsored suit against OPM related to the breaches. Even if successful, that appeal would result only in an order for the lower court to hear the case, which seeks to force OPM to take certain data security steps and to provide lifetime free credit monitoring and identity theft protection services to affected persons. Under current law, such services are required through 2026; a new contract is due to be issued by the end of this year.