OPM's CIO criticized auditors for not looking at the whole of the agency's efforts to strengthen its cybersecurity posture.
OPM's CIO criticized auditors for not looking at the whole of the agency's efforts to strengthen its cybersecurity posture.

A Government Accountability Office (GAO) audit report that scolded the Office of Personnel Management (OPM) for falling short of meeting recommendations made after the agency experienced serious breaches in 2015 received pushback from OPM CIO David DeVries, who said the GAO auditors didn't take into the account the whole of his agency's efforts to strengthen its cybersecurity posture.

OPM did not consistently update completion dates for outstanding recommendations and did not validate corrective actions taken to ensure that the actions effectively addressed the recommendations,” said the report, which was penned by GAO Chief Technologist Nabajyoti Barkakati and Gregory Wilshusen, its information security issues director. "Until OPM completes implementation of government-wide requirements, its systems are at greater risk than they need be."

But DeVries fired back, writing that "GAO does not fully acknowledge OPM's defense-in-depth strategy and compensation controls” and noting that “OPM has applied a defense-in-depth strategy to efforts to enhance OPM's cybersecurity posture, meaning there are many layers and aspects to OPM's defensive strategy."

The audit report, however, was not wholly critical of OPM's efforts, acknowledging that the agency had “implemented or made progress towards implementing 19 recommendations made by the United States Computer Emergency Readiness Team (US-CERT) to bolster OPM's information security practices and controls.”