Answer:

OPM was saddled with outdated technology and weak management. A fiscal year 2014 DHS Federal Information Security Management Act (FISMA) audit of the Office of the Inspector General found serious flaws in OPM’s network and the way it was managed. OPM did not maintain an inventory of systems and baseline configurations, with 11 servers operating without valid authorization. The auditors could not independently verify OPM’s monthly automated vulnerability scanning program for all servers. There was no senior information security specialist or chief information security officer (CISO) responsible for network security. OPM lacked an effective multi-factor authentication strategy and had poor management of user rights, inadequate monitoring of multiple systems, many unpatched computers, and a decentralized and ineffective cyber security function. OPM had the vulnerabilities, no security-oriented leadership, and a skillful and motivated adversary.