The Office of Personnel Management (OPM) received a mostly positive Federal Information Security Modernization Act (FISMA) audit from its Office of the Inspector General (OIG) this year, but the agency still needs to fill some security gaps – such as improving its IT security training program.
FISMA requires Federal civilian agencies to comply with cybersecurity standards. In its audit of OPM’s FISMA compliance efforts throughout fiscal year (FY) 2024, the OIG measured OPM’s cybersecurity maturity level as “3 – Consistently Implemented.”
Despite the agency’s consistent compliance, the OIG said that OPM still has areas to improve. For example, the OIG said that OPM has an established configuration change control process, but it has not integrated its overall configuration management plan into its continuous monitoring and risk management programs.
“We recommend that OPM integrate its configuration management plan into the risk management and continuous monitoring programs, and utilize lessons learned to make improvements to the plan,” the OIG said.
This recommendation – which OPM concurred with – was rolled over from FY2023, as were two other recommendations. One of those is to develop a system of records notice (SORN) for all applicable systems.
However, OPM did not concur with the second recommendation, noting that while SORNs should be developed, it already has policies and procedures in place with SORN requirements.
The other recommendation the OIG rolled over from FY2023 is to develop and conduct an updated assessment of its workforce knowledge, skills, and abilities “to identify any skill gaps and specialized training needs.” OPM concurred with this recommendation.
The fourth and final recommendation the OIG made was a new one for FY2024. The OIG recommended that OPM “obtain feedback on its security awareness and training program and use the information to make improvements to the IT security training program.”
According to the OIG, OPM has not provided evidence for how it collects feedback on its security awareness and training information.
“Failure to obtain training feedback does not allow OPM to analyze participant satisfaction on the quality of the course in terms of how engaging it is, how much knowledge is retained, and how that retained knowledge has impacted the agency,” the audit says.
OPM concurred, saying that it has already procured updated training and assessment tools to help gather feedback from participants.
“In FY2025, OPM will use the tools to analyze participant satisfaction on the quality of the course,” the agency said. “We will gauge how engaging the course is, how much knowledge is retained, and how retained knowledge has impacted the agency.”
