Part III – The Forthcoming OPM Breach IG Report

It is probably not shocking to hear that CIO Donna Seymour was slow-walking this investigation as it seems to be the preferred strategy during the Hussein Administration and this was duly noted in a memo by General Patrick McFarland also noting that there seemed to be an** “atmosphere of mistrust” **by giving him “false and misleading evidence” and ultimately resigned in February 2016. Subsequently, the IG Report was released later that same year in November. The key summary issues were:

• The significant deficiency related to information security governance has been dropped due to the reorganization of the Office of the Chief Information Officer (OCIO).
• OPM’s system **development life cycle policy is not enforced **for all system development projects.
• OPM **does not maintain a comprehensive inventory **of servers, databases, and network devices.
• Up to 23 major OPM information systems are operating without a valid Authorization. This represents a material weakness in the internal control structure of OPM’s IT security program.
• OPM does not have a mature continuous monitoring program. Also, security controls for all OPM systems are not adequately tested in accordance with OPM policy.
• The OCIO has implemented an agency-wide information system configuration management policy; however, configuration baselines have not been created for all operating platforms. Also, all operating platforms are not routinely scanned for compliance with configuration baselines.
• We are unable to independently attest that OPM has a mature vulnerability scanning program.
• Multi-factor authentication is not required to access OPM systems in accordance with OMB memorandum M-11-11 (only user name and password was required to logon system.

To put this into perspective, when one uses an ATM, they are using multi-factor by possessing a bank card, something they have, and a PIN, something they know.

• OPM has established an Enterprise Network Security Operations Center that is responsible for incident detection and response.
• OPM has not fully established a Risk Executive Function.
• Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy (such as preventing social engineering attacks).
• Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&M) and the majority of systems contain POA&Ms that are over 120 days overdue.
• OPM has not configured its virtual private network servers to automatically terminate remote sessions in accordance with agency policy.
• Not all OPM systems have reviewed their contingency plans or conducted contingency plan tests in FY 2015.
• Several information security agreements between OPM and contractor-operated information systems have expired (Service Level Agreements).

https://www.opm.gov/our-inspector-general/reports/2015/federal-information-security-modernization-act-audit-fy-2015-final-audit-report-4a-ci-00-15-011.pdf https://web.archive.org/web/20180726055245/https://www.opm.gov/our-inspector-general/reports/2015/federal-information-security-modernization-act-audit-fy-2015-final-audit-report-4a-ci-00-15-011.pdf

Unsurprisingly, it was the usual suspects that had the knee jerk reactions to quickly blame the Chinese as James Clapper said they were the leading suspect while NSA Director Admiral Mike Rogers was not on board with. Luckily for the American people (sarcasm here), Eric Holder and Loretta Lynch supposedly stepped up their game to commit more resources, while Texas Republican Will Hurd believed dishonesty was involved because no one was reprimanded, suspended or even fired over it.

“Hurd and other lawmakers accused President Barack Obama's so-called national security team including Valerie Jarrett and Susan Rice and other government officials of covering up information on the severity of the security breaches as well as failing to respond to years of warnings that the OPM which stores personnel files and security clearance background check reports on all federal workers were not properly secured.”

https://hurd.house.gov/media-center/in-the-news/obama-and-opm-blasted-hypocrites-over-cyber-security-breaches https://archive.li/dsXvR

Ironically, it is interesting that Hussein ordered the stand down orders when they initially suspected that the Russians were interfering with the presidential elections, but then again, they never thought she would lose, so they swept it under the rug. Well that was until Donald Trump rightfully won the election and suddenly the rug was pulled up to show the swept-up dirt. In fact, in 2015, Hussein stated, “much more aggressive” response to cyber attacks should take place.

https://www.dailydot.com/layer8/obama-opm-hack-cybersecurity-defenses/ https://web.archive.org/web/20180726083544/https://www.dailydot.com/layer8/obama-opm-hack-cybersecurity-defenses/

Next: Part IV - OPM Stolen Data Used… In Virginia!