Despite making some security improvements, the Office of Personnel Management is still struggling to comply with recommendations that the Inspector General's office has made repeatedly – making it vulnerable to another breach.

The fiscal 2015 audit from the OPM's Office of the Inspector General — published just months after the OPM admitted a network hack exposed the personal information of 21.5 million former, current and prospective U.S. employees — stated the agency is vulnerable to another cyberattack, as it continues to struggle to meet many requirements under the Federal Information Security Modernization Act.

“We continue to believe that (the) OPM's management of system authorizations represents a material weakness in the internal control structure of the agency's IT security program,” Michael R. Esser, assistant inspector general for audits, said in the report.

The moratorium on system authorizations has left the IT security controls of the OPM's systems neglected, he added.

“Combined with the inadequacy and non-compliance of OPM's continuous monitoring program, we are very concerned that the agency's systems will not be protected against another attack,” Esser said.

While the massive OPM hack may have been impossible to prevent, auditors had previously identified weaknesses in the OPM's IT management system, the report said.

“Our recommendations appeared to garner little attention, as the same findings were repeated year after year,” it said.

Additionally, the report strongly suggested the OPM's inability to accurately inventory its systems and network devices severely limits the efficacy of its security controls.

“(The) OPM has implemented a large number of improved security monitoring tools, but without a complete understanding of its network, it cannot adequately monitor its environment and therefore the usefulness of these tools is reduced,” the report stated.
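The inventory gap the OIG describes is measurable. As an added illustration (not code or data from the OPM report), the script below reconciles a CMDB-style inventory against hosts actually seen on the network and against the endpoints that report to a monitoring agent, so the output is the set of hosts the "improved security monitoring tools" cannot see. The inventory, the DHCP/ARP-style observation lines and the agent check-ins are constructed sample data, and the line format is an assumption.

```python
"""Reconcile an authoritative asset inventory against hosts observed on the
network, and report what the monitoring tools cannot see.

Added example, not from the OPM report: the inventory, the observation lines
and the agent check-ins below are constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed authoritative inventory (what the CMDB claims exists): ip -> name.
INVENTORY = {
    "10.0.1.10": "web01",
    "10.0.1.11": "web02",
    "10.0.2.20": "db01",
    "10.0.3.5": "sw-core-1",
}

# Constructed DHCP/ARP-style observations, assumed format:
# "<timestamp> <ip> <mac> <name-or-dash>"
OBSERVED_LINES = """\
2015-11-02T08:01:12 10.0.1.10 00:11:22:33:44:01 web01
2015-11-02T08:01:15 10.0.1.11 00:11:22:33:44:02 web02
2015-11-02T08:02:40 10.0.1.99 00:11:22:33:44:99 -
2015-11-02T08:03:02 10.0.4.7 00:11:22:33:44:07 printer-lobby
2015-11-02T08:05:00 10.0.3.5 00:11:22:33:44:05 sw-core-1
"""

# Constructed endpoint-agent check-ins: only these IPs report to the SIEM.
AGENT_CHECKINS = {"10.0.1.10", "10.0.1.11"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<mac>\S+)\s+(?P<name>\S+)$")


@dataclass
class Reconciliation:
    unknown: set = field(default_factory=set)      # observed, not in inventory
    stale: set = field(default_factory=set)        # in inventory, never observed
    unmonitored: set = field(default_factory=set)  # observed, no agent check-in
    coverage: float = 0.0                          # share of observed hosts with an agent


def parse_observed(text):
    """Return the set of valid IPs seen in the observation lines."""
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than guess
        try:
            seen.add(str(ipaddress.ip_address(m.group("ip"))))
        except ValueError:
            continue  # not an IP address
    return seen


def reconcile(inventory, observed_text, agent_checkins):
    """Compare inventory, observed hosts and agent coverage."""
    observed = parse_observed(observed_text)
    known = set(inventory)
    agents = set(agent_checkins)
    r = Reconciliation()
    r.unknown = observed - known
    r.stale = known - observed
    r.unmonitored = observed - agents
    r.coverage = len(observed & agents) / len(observed) if observed else 0.0
    return r


if __name__ == "__main__":
    result = reconcile(INVENTORY, OBSERVED_LINES, AGENT_CHECKINS)
    print("unknown hosts (not in inventory):", sorted(result.unknown))
    print("stale inventory entries:", sorted(result.stale))
    print("observed but unmonitored:", sorted(result.unmonitored))
    print(f"agent coverage of observed hosts: {result.coverage:.0%}")
```

Every host in `unknown` is one a monitoring tool has no owner, baseline or agent for; every host in `stale` is a place where the inventory overstates what is protected. A network device such as the switch above will never run an endpoint agent, so in practice the coverage check is run per device class with the right telemetry source (agent check-ins for servers, syslog or SNMP for network gear).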

Information security governance changes made this fall by the OPM addressed a long-standing weakness cited by the OIG. At the OIG's advice, the OPM implemented a centralized information security governance structure in which all information security practitioners, including designated security officers, report to the chief information security officer.

Nevertheless, key weaknesses remain, according to the report. For example, the OPM does not have a thorough inventory of its servers, databases and network devices, which drastically diminishes the effectiveness of its security tools, the report stated. The OIG also found the OPM has not configured its virtual private network servers to terminate remote sessions automatically.
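Whether a VPN concentrator actually enforces an automatic logout can be verified from its own session log rather than from its configuration. The following is an added example, not the OPM's VPN configuration or any evidence from the audit: it reads constructed session events in an assumed "<timestamp> <user> <event>" format and flags sessions that stayed up longer than an assumed 15-minute idle limit, which is what a server without an idle timeout would show.

```python
"""Check a VPN session log for idle sessions that an idle timeout should have
terminated but did not.

Added example, not the OPM's configuration or audit evidence: the log format,
the 15-minute idle limit and the log lines below are constructed assumptions."""
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed policy value

# Constructed log, assumed format "<ISO timestamp> <user> <event>" where
# event is CONNECT, ACTIVITY (any traffic) or DISCONNECT. Deliberately not
# in time order, as merged logs from several appliances often are not.
VPN_LOG = """\
2015-11-02T09:00:00 alice CONNECT
2015-11-02T09:05:00 alice ACTIVITY
2015-11-02T09:40:00 alice ACTIVITY
2015-11-02T09:45:00 alice DISCONNECT
2015-11-02T09:10:00 bob CONNECT
2015-11-02T09:12:00 bob ACTIVITY
2015-11-02T09:20:00 bob DISCONNECT
2015-11-02T10:00:00 carol CONNECT
2015-11-02T10:01:00 carol ACTIVITY
2015-11-02T10:30:00 carol DISCONNECT
"""


def parse(text):
    """Return (timestamp, user, event) tuples sorted by time; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, ev = parts
        try:
            events.append((datetime.fromisoformat(ts), user, ev))
        except ValueError:
            continue  # unparseable timestamp
    events.sort(key=lambda e: e[0])
    return events


def idle_violations(text, idle_limit=IDLE_LIMIT):
    """Map user -> [(event, idle_seconds)] for every event that arrived more
    than idle_limit after the session's previous event.

    An ACTIVITY finding means the session survived an idle period longer than
    the limit; a DISCONNECT finding means the session ended later than an
    enforced idle timeout would have ended it. Either shows the timeout is
    not being applied."""
    last_seen = {}
    findings = {}
    for ts, user, ev in parse(text):
        if ev == "CONNECT":
            last_seen[user] = ts
            continue
        if user not in last_seen:
            continue  # activity with no session start in this window; ignore
        gap = ts - last_seen[user]
        if gap > idle_limit:
            findings.setdefault(user, []).append((ev, int(gap.total_seconds())))
        if ev == "DISCONNECT":
            del last_seen[user]
        else:
            last_seen[user] = ts
    return findings


if __name__ == "__main__":
    for user, hits in idle_violations(VPN_LOG).items():
        for ev, secs in hits:
            print(f"{user}: {ev} after {secs // 60} min idle (limit {IDLE_LIMIT})")
```

Run against a day of real session logs, an empty result is the evidence an auditor wants; any finding points at a server, VPN group or user class where the idle timeout is unset or overridden.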

The report also revealed only 65% of employees with “significant security responsibilities” had completed special IT training during the 2015 fiscal year.

“The OPM has been neglecting security best practices for a long time and has not spent enough of its resources, long term, on solving this,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based cybersecurity company KnowBe4, stated. “It is no surprise they are having trouble catching up. Cybersecurity needs to be a much higher priority, especially now.”

“The government needs to change the speed of IT security project execution,” Ondrej Krehel, founder/CEO of the New York City-based cybersecurity intelligence firm LIFARS, said. “In the past, any government project generally took longer to implement with many corrective actions.”

Krehel also pointed out hackers work with high velocity and speed, and that cybersecurity remediations must run at a similar tempo and with similar precision.

“This is not the current state of actions at many government institutions, which is a combination of a lack of talent as well as a project management skill set in cybersecurity,” he said. “Cybersecurity is not a cookie cutter solution. Tailoring the proper solution takes multiple steps and proper design is needed.”


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.