862)),&E OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
AUDIT OF THE INFORMATION TECHNOLOGY
SECURITY CONTROLS OF THE
U.S. OFFICE OF PERSONNEL MANAGEMENT’S
USA STAFFING SYSTEM
Report Number 4A-HR-00-18-013
May 10, 2018
EXECUTIVE SUMMARY
Audit of the Information Technology Security Controls of the
U.S. Office of Personnel Management’s
USA Staffing System
Report No. 4A-HR-00-18-013 May 10, 2018
Why Did We Conduct the Audit? What Did We Find?
The USA Staffing System is one of the Our audit of the IT security controls of the USA Staffing System determined that:
U.S. Office of Personnel Management’s
(OPM) major information technology (IT) x The USA Staffing System Security Assessment and Authorization
systems. The Federal Information Security (Authorization) was updated in September 2017, and an Authorization to
Modernization Act (FISMA) requires that Operate was granted for up to three years.
the Office of the Inspector General (OIG)
perform an audit of IT security controls of x The security categorization of the USA Staffing System is consistent with
this system. Federal Information Processing Standards 199 and NIST Special Publication
(SP) 800-60, and we agree with the categorization of “moderate.”
What Did We Audit?
x OPM completed a Privacy Impact Assessment for the USA Staffing System.
The OIG completed a performance audit of
the USA Staffing System to ensure that the x The System Security Plan for the USA Staffing System follows the OCIO
system’s security controls meet the template, but the system inventory includes instances of unsupported
standards established by FISMA, the software.
National Institute of Standards and
Technology (NIST), the Federal x An independent assessor conducted security controls testing and assessed
Information System Controls Audit identified risks for the USA Staffing System.
Manual, and OPM’s Office of the Chief
Information Officer (OCIO). x The USA Staffing System has been subject to routine testing as part of
OPM’s continuous monitoring program.
x OPM developed and tested a contingency plan for the USA Staffing System
that is generally in compliance with NIST SP 800-34, Revision 1, and the
OCIO guidance.
x The USA Staffing System Plan of Action and Milestones documentation from
the most recent Authorization does not include all identified weaknesses.
x We evaluated a subset of the system controls outlined in NIST SP 800-53,
Revision 4. We determined most of the security controls tested appear to be
in compliance, however we did note two areas for improvement.
Michael R. Esser
Assistant Inspector General
for Audits
i
ABBREVIATIONS
Authorization Security Assessment and Authorization
FIPS Federal Information Processing Standards
FISMA Federal Information Security Modernization Act
HRS Human Resources Solutions
IT Information Technology
NIST National Institute of Standards and Technology
OCIO Office of the Chief Information Officer
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
POA&M Plan of Action and Milestones
SP Special Publication
ii
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY..........................................................................................i
ABBREVIATIONS ..................................................................................................... ii
I. BACKGROUND ..........................................................................................................1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5
A. Security Assessment and Authorization ..................................................................5
B. FIPS 199 Analysis ...................................................................................................5
C. Privacy Impact Assessment .....................................................................................6
D. System Security Plan ...............................................................................................6
E. Security Assessment Plan and Report .....................................................................8
F. Continuous Monitoring............................................................................................8
G. Contingency Planning and Contingency Plan Testing.............................................9
H. Plan of Action and Milestones Process....................................................................9
I. NIST 800-53 Evaluation ........................................................................................10
APPENDIX: OPM’s March 20, 2018, response to the draft audit report, issued
March 6, 2018.
REPORT FRAUD, WASTE, AND MISMANAGEMENT
I. BACKGROUND
On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347),
which includes Title III, the Federal Information Security Management Act. It requires (1)
annual agency program reviews, (2) annual Inspector General evaluations, (3) agency reporting
to the U.S. Office of Management and Budget (OMB) the results of Inspector General
evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the
material received from agencies. In 2014, Public Law 113-283, the Federal Information Security
Modernization Act (FISMA) was established and reaffirmed the objectives of the prior Act. This
was our first audit of the USA Staffing System.
The USA Staffing System is a web-based application used by human resources personnel to
create and manage position vacancy announcements, application assessments and job
questionnaires. Job applicants use the system to apply for open jobs, and hiring managers use it
to select their candidates. The USA Staffing System is in the process of being upgraded, and
there are currently two active versions, legacy and upgrade. Both versions are included in the
scope of this audit.
The U.S. Office of Personnel Management (OPM)’s Office of the Chief Information Officer
(OCIO) and OPM’s Human Resources Solutions (HRS), share responsibility for implementing
and managing the information technology (IT) security controls of the USA Staffing System.
We discussed the results of our audit with the OCIO and HRS representatives at an exit
conference.
1 Report No. 4A-HR-00-18-013
II. OBJECTIVES, SCOPE, AND METHODOLOGY
OBJECTIVES
Our objective was to perform an audit of the security controls for the USA Staffing System to
ensure that OCIO and HRS officials have implemented IT security policies and procedures in
accordance with standards established by FISMA, the National Institute of Standards and
Technology (NIST), the Federal Information System Controls Audit Manual, and OPM’s OCIO.
We accomplished our audit objective by reviewing the degree to which a variety of security
program elements were implemented for the USA Staffing System, including:
x Security Assessment and Authorization (Authorization);
x Federal Information Processing Standards (FIPS) 199 Analysis;
x Privacy Impact Assessment;
x System Security Plan;
x Security Assessment Plan and Report;
x Continuous Monitoring;
x Contingency Planning and Contingency Plan Testing;
x Plan of Action and Milestones Process (POA&M); and
x NIST Special Publication (SP) 800-53, Revision 4, Security Controls.
SCOPE AND METHODOLOGY
We conducted this performance audit in accordance with the Generally Accepted Government
Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the
audit included an evaluation of related policies and procedures, compliance tests, and other
auditing procedures that we considered necessary. The audit covered security controls and
2 Report No. 4A-HR-00-18-013
FISMA compliance efforts of OPM officials responsible for the USA Staffing System, including
the evaluation of IT security controls in place as of January 2018.
We considered the USA Staffing System internal control structure in planning our audit
procedures. These procedures were mainly substantive in nature, although we did gain an
understanding of management procedures and controls to the extent necessary to achieve our
audit objectives.
To accomplish our objective, we interviewed representatives of OPM’s OCIO and HRS with
security responsibilities for the USA Staffing System, reviewed documentation and system
screenshots, viewed demonstrations of system capabilities, and conducted tests directly on the
system. We also reviewed relevant OPM IT policies and procedures, Federal laws, OMB
policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to
determine the extent to which established controls and procedures are functioning as required.
Details of the security controls protecting the confidentiality, integrity, and availability of the
USA Staffing System are located in the “Audit Findings and Recommendations” section of this
report. Since our audit would not necessarily disclose all significant matters in the internal
control structure, we do not express an opinion on the USA Staffing System internal controls
taken as a whole. The criteria used in conducting this audit include:
x OPM Information Security and Privacy Policy Handbook;
x OMB Circular A-130, Appendix I, Responsibilities for Protecting and Managing Federal
Information Resources;
x E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security
Management Act of 2002;
x P.L. 113-283, Federal Information Security Modernization Act of 2014;
x The Federal Information System Controls Audit Manual;
x NIST SP 800-12, Revision 1, An Introduction to Information Security;
x NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information
Systems;
x NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments;
3 Report No. 4A-HR-00-18-013
x NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems;
x NIST SP 800-37, Revision 1, Guide for Applying Management Framework to Federal
Information Systems;
x NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations;
x NIST SP 800-60, Revision 1, Guide for Mapping Types of Information and Information
Systems to Security Categories;
x NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and
Capabilities;
x FIPS Publication 199, Standards for Security Categorization of Federal Information and
Information Systems; and
x Other criteria as appropriate.
In conducting the audit, we relied to varying degrees on computer-generated data. Due to time
constraints, we did not verify the reliability of the data generated by the various information
systems involved. However, nothing came to our attention during our audit testing utilizing the
computer-generated data to cause us to doubt its reliability. We believe that the data was
sufficient to achieve the audit objectives. Except as noted above, we conducted the audit in
accordance with the Generally Accepted Government Auditing Standards issued by the
Comptroller General of the United States.
The OPM Office of the Inspector General (OIG), as established by the Inspector General Act of
1978, as amended, performed the audit. The OIG conducted the audit from November 2017
through January 2018 at OPM’s Washington, D.C. office.
COMPLIANCE WITH LAWS AND REGULATIONS
In conducting the audit, we performed tests to determine whether OPM’s management of the
USA Staffing System is consistent with applicable standards. While generally compliant, with
respect to the items tested, OPM was not in complete compliance with all standards, as described
in section III of this report.
4 Report No. 4A-HR-00-18-013
III. AUDIT FINDINGS AND RECOMMENDATIONS
A. SECURITY ASSESSMENT AND AUTHORIZATION
A Security Assessment and Authorization (Authorization) includes 1) a The USA Staffing
comprehensive assessment that attests that a system’s security controls System has a
are meeting the security requirements of that system and 2) an official current and valid
management decision to authorize operation of an information system Authorization.
and accept its known risks. OMB’s Circular A-130, Appendix I,
mandates that all Federal information systems have a valid Authorization. Although OMB
previously required periodic Authorizations every three years, Federal agencies now have the
option of continuously monitoring their systems to fulfill the Authorization requirement.
However, OPM does not yet have a mature program in place to continuously monitor system
security controls, therefore a current Authorization is required for every OPM system.
In September 2017 OPM granted an Authorization to Operate that includes both the legacy and
upgraded versions of the system. This Authorization to Operate is valid for up to three years and
includes the requirement that the system owner monitor and remediate identified weaknesses on
an ongoing basis.
Nothing came to our attention to indicate that the USA Staffing System Authorization to Operate
was inadequate.
B. FIPS 199 ANALYSIS
The E-Government Act of 2002 requires Federal agencies to categorize all Federal information
and information systems. FIPS 199 provides guidance on how to assign appropriate
categorization levels for information security according to a range of risk levels.
NIST SP 800-60 Volume I, Guide for Mapping Types of Information and Information Systems
to Security Categories, provides an overview of the security objectives and impact levels
identified in FIPS Publication 199.
The USA Staffing System security categorization documentation analyzes information processed
by the system and its corresponding potential impacts on confidentiality, integrity, and
availability. The USA Staffing System is assessed as having a “moderate” impact level for each
area, resulting in an overall categorization of “moderate.”
5 Report No. 4A-HR-00-18-013
Nothing came to our attention to indicate that the USA Staffing System security categorization
was inadequate.
C. PRIVACY IMPACT ASSESSMENT
The E-Government Act of 2002 requires agencies to perform a Privacy Threshold Analysis of
Federal information systems to determine if a Privacy Impact Assessment is required for that
system. A Privacy Threshold Analysis was performed on the USA Staffing System in July 2017,
and it was determined that a Privacy Impact Assessment was required for this system.
OMB Memorandum M-03-22 outlines the necessary components of a Privacy Impact
Assessment. The purpose of the assessment is to evaluate and document any personally
identifiable information maintained by an information system. The Privacy Impact Assessment
was complete and was formally approved and signed by the Chief Privacy Officer in July 2017.
We did not detect any issues with the Privacy Impact Assessment performed for the USA
Staffing System.
D. SYSTEM SECURITY PLAN
Federal agencies must implement, for each information system, the security controls outlined in
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal
Information Systems, requires that these controls be documented in a System Security Plan for
each system, and provides guidance for doing so.
The USA Staffing System’s System Security Plan was developed using the OCIO’s System
Security Plan template that utilizes NIST SP 800-18, Revision 1, as guidance. The template
requires that the System Security Plan contain the following elements:
x System Name and Identifier; x General Description/Purpose;
x System Owner; x System Categorization;
x Other Designated Contacts; x Authorizing Official;
x System Operational Status; x Assignment of Security Responsibility;
6 Report No. 4A-HR-00-18-013
x Information System Type; x Completion and Approval Dates;
x System Environment; x Minimum Security Controls;
x Laws, Regulations, and Policies Affecting x System Interconnection/Information
the System; Sharing; and
x Security Control Selection.
We reviewed the current USA Staffing System’s System Security Plan, signed in August 2017,
and determined that it does include the necessary information, approvals, and supporting
documentation. We did identify one issue with the USA Staffing System’s System Security
Plan.
1) Unsupported Software Platform
The system’s software inventory includes an operating platform that is no longer supported
by the vendor. Unsupported software does not receive updates and security patches.
OMB Circular A-130 requires that “Agencies shall: … Prohibit the
The system
use of unsupported information systems and system components, and
inventory includes
ensure that systems and components that cannot be appropriately
software that is no
protected or secured are given a high priority for upgrade or
longer supported
replacement;” and details that this “Includes hardware, software, or
by the vendor.
firmware components no longer supported by developers, vendors,
or manufacturers through the availability of software patches,
firmware updates, replacement parts, and maintenance contracts.”
Failure to remove unsupported software increases the risk that system weaknesses could be
exploited.
Recommendation 1
We recommend that OPM upgrade the unsupported operating platform hosting the USA
Staffing System.
7 Report No. 4A-HR-00-18-013
OPM Response:
“We concur. The software in question is currently in use by the
Legacy version of [the USA Staffing System]. The Legacy servers are scheduled for a
phased decommission starting but we have started upgrades where possible
while not impacting mission critical functions. The outdated
software does not impact [the USA Staffing System’s] Upgrade version.”
OIG Comment:
As part of the audit resolution process, we recommend that the OCIO provide OPM’s
Internal Oversight and Compliance office with evidence that this recommendation has been
implemented. This statement applies to all subsequent recommendations in this audit report
that HRS agrees to implement.
E. SECURITY ASSESSMENT PLAN AND REPORT
The USA Staffing System’s Security Assessment Plan and Security Assessment Report were
completed by OPM in August and September of 2017, respectively, as a part of the system’s
Authorization process. We reviewed the relevant documents to verify that a risk assessment was
conducted in accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk
Assessments. We also verified that appropriate management, operational, and technical controls
were tested for a system with a “moderate” security categorization.
Nothing came to our attention to indicate that the USA Staffing System’s Security Assessment
Plan and Report were inadequate.
F. CONTINUOUS MONITORING
OPM requires that the IT security controls of each application be The USA Staffing
assessed on a continuous basis. OPM’s OCIO has developed an System security
Information Security Continuous Monitoring Plan that includes a controls were subject
template outlining the security controls that must be tested for all to routine testing as a
information systems. All system owners are required to tailor the part of continuous
Information Security Continuous Monitoring Plan template to each monitoring.
individual system’s specific security control needs and then test the
system’s security controls on an ongoing basis. The test results must be provided to the OCIO
on a routine basis for centralized tracking.
8 Report No. 4A-HR-00-18-013
We did not detect any issues with the USA Staffing System continuous monitoring submissions
thus far in fiscal year 2018.
G. CONTINGENCY PLANNING AND CONTINGENCY PLAN TESTING
NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems,
states that effective contingency planning, execution, and testing are essential to mitigate the risk
of system and service unavailability. OPM’s security policies require all major applications to
have viable and logical disaster recovery and contingency plans, and that these plans be annually
reviewed, tested, and updated.
1) Contingency Plan
The USA Staffing System contingency plan documents the functions, operations, and
resources necessary to restore and resume the USA Staffing System when unexpected events
or disasters occur. The contingency plan follows the format suggested by NIST SP 800-34,
Revision 1, and OPM’s template for contingency plans.
We did not detect any issues with the USA Staffing System contingency plan.
2) Contingency Plan Testing
Contingency plan testing is a critical element of a viable disaster recovery capability. OPM
requires that contingency plans for all systems be tested annually to evaluate the plan’s
effectiveness and the organization’s readiness to execute the plan. NIST SP 800-34,
Revision 1, provides guidance for testing contingency plans and documenting the results.
The most recent contingency plan test for the USA Staffing System was conducted in April
2017. The functional test was considered successful although the recovery took slightly
longer than anticipated.
Nothing came to our attention to indicate that the USA Staffing System contingency plan
testing process was inadequate.
H. PLAN OF ACTION AND MILESTONES
A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring
the progress of corrective efforts for known IT security weaknesses. OPM has implemented an
9 Report No. 4A-HR-00-18-013
agency-wide POA&M process to help track known IT security weaknesses associated with the
agency’s information systems.
1) POA&M Review Three POA&Ms
were not included
The Security Assessment Report, completed as part of the USA in the most recent
Staffing System Authorization, identified 17 control weaknesses, and Authorization.
these were consolidated into 6 POA&M items that were
appropriately included in the Authorization package. However, 3 additional POA&M items
existed for the USA Staffing System prior to its most recent Authorization, and these 3 items
were not included in the Authorization package for consideration.
OPM’s policy states that “For systems going through a reauthorization, the POA&M also
includes all other open and draft weaknesses that are on the existing POA&M as well.”
Failure to properly include all POA&Ms in the Authorization package results in the
authorizing official granting an Authorization to Operate without having access to all
relevant risk information about the system.
Recommendation 2
We recommend that OPM update the USA Staffing System Authorization package to include
the missing POA&Ms and re-issue the Authorization to Operate.
OPM Response:
“We concur. The three existing POA&Ms, from prior to the FY2017 Authorization &
Assessment, will be added to the [USA Staffing System] FY17 Authorization package and
resubmitted to the [USA Staffing System] Authorizing Official for review and appropriate
action.”
I. NIST SP 800-53 EVALUATION
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations, provides guidance for implementing a variety of security controls for information
systems supporting the Federal government. As part of this audit, we evaluated whether a subset
of these controls had been implemented for the USA Staffing System. We tested approximately
40 controls as outlined in NIST SP 800-53, Revision 4, including one or more controls from each
of the following control families:
10 Report No. 4A-HR-00-18-013
x Access Control; x Audit and Accountability;
x Configuration Management; x Contingency Planning;
x Identity and Authentication; x Planning;
x Risk Assessment; x Security Assessment and Authorization;
x System and Communications Protection; and x System and Information Integrity.
These controls were evaluated by interviewing individuals with system security responsibilities,
reviewing documentation and system screenshots, viewing demonstrations of system
capabilities, and conducting tests directly on the system.
We determined that the tested security controls appear to be in compliance with NIST SP 800-
53, Revision 4, requirements, with the exceptions detailed below. Configuration
deviations for the
1) Control CM-6 – Configuration Settings USA Staffing
System have not
The USA Staffing System security documentation states that the been documented
approved server configuration settings for the system follow the and approved.
Defense Information Systems Agency’s Security Technical
Implementation Guide. Configuration settings are the system options that are adjusted to
enforce or enhance protection of system components and data. We conducted configuration
compliance scans on the servers supporting the USA Staffing System to verify that the
established settings had been properly applied. However, our scans found over 200
configuration settings that were not in compliance with the Defense Information Systems
Agency’s Security Technical Implementation Guide. These deviations have not been
documented and approved.
NIST SP 800-53, Revision 4, states that “Configuration settings are the set of parameters that
can be changed in hardware, software, or firmware components of the information system
that affect the security posture and/or functionality of the system. Information technology
products for which security-related configuration settings can be defined include, for
example, mainframe computers, servers ... .” NIST requires that configuration settings be
established and documented and any deviations be documented and approved.
11 Report No. 4A-HR-00-18-013
Failure to apply established configuration settings increases the risk that hackers could
exploit system weaknesses.
Recommendation 3
We recommend that OPM apply the approved security configuration settings for the USA
Staffing System.
OPM Response:
“We concur. All impacted and servers along with [the USA Staffing
System] Legacy servers are scheduled for a phased decommission starting
. The remaining [USA Staffing System] Upgrade servers are
scheduled for replacement with [Defense Information Systems Agency’s Security
Technical Implementation Guide] hardened . A phased rollout of
servers is scheduled to start in .”
2) Control SI-2 – Flaw Remediation
We also conducted credentialed vulnerability scans on the servers
Several of the USA
supporting the USA Staffing System looking for security
Staffing System
weaknesses. The results of our scans indicate several servers
servers were missing
were missing critical patches that had been released more than 30
patches more than 30
days before the scans took place. The specific vulnerabilities
days old.
found by the scans were provided to OPM personnel, but will not
be detailed in this report.
NIST SP 800-53, Revision 4, requires that, “The organization: ... Identifies, reports, and
corrects information systems flaws ... [and] Installs security-relevant software and firmware
updates ... .”
Failure to remediate vulnerabilities increases the risk that hackers could exploit system
weaknesses.
Recommendation 4
We recommend that OPM apply system patches in a timely manner and in accordance with
policy.
12 Report No. 4A-HR-00-18-013
OPM Response:
“We concur. We have mitigated 75% of the server scan related and web-based findings
identified within the OIG Audit Inquiry 01. The remaining 25% of identified findings will
be addressed in conjunction with the phased Legacy server and web-based interface
decommissioning starting , the phased rollout of servers
scheduled to start in , and the Upgrade software release scheduled for
.”
13 Report No. 4A-HR-00-18-013
APPENDIX
March 20, 2018
MEMORANDUM FOR:
Chief, Information Systems Audit Group
Office of the Inspector General
FROM: ROBERT M. LEAHY
Deputy Chief Information Officer
DIANNA SAXMAN
Deputy Associate Director, Federal Staffing Center
Human Resources Solutions
SUBJECT: Audit of the Information Technology Security Controls of
the U.S. Office of Personnel Management’s USA Staffing
System
Report No. 4A-MO-00-18-013
Thank you for providing OPM the opportunity to respond to the Office of the Inspector General
(OIG) draft report, Audit of the Information Technology Security Controls of the U.S. Office of
Personnel Management’s USA Staffing System, 4A-MO-00-18-013.
Responses to your recommendations including planned corrective actions, as appropriate, are
provided below.
Recommendation 1: We recommend that OPM upgrade the unsupported operating
system hosting the USAS.
Management Response: We concur. The software in question is
currently in use by the Legacy version of USAS. The Legacy servers are scheduled for a phased
decommission starting but we have started upgrades where possible while not
impacting mission critical functions. The outdated software does not
impact USAS’s Upgrade version.
Recommendation 2: We recommend that OPM update the USAS Authorization package to
include the missing POA&Ms and re-issue the ATO.
Report No. 4A-HR-00-18-013
Management Response: We concur. The three existing POA&Ms, from prior to the FY2017
Authorization & Assessment, will be added to the USAS FY17 Authorization package and
resubmitted to the USAS Authorizing Official for review and appropriate action.
Recommendation 3: We recommend that OPM apply the approved security
configuration settings for the USAS.
Management Response: We concur. All impacted and servers along
with USAS Legacy servers are scheduled for a phased decommission starting
. The remaining USAS Upgrade servers are scheduled for
replacement with DISA STIG hardened servers. A phased rollout of
servers is scheduled to start in .
Recommendation 4: We recommend that OPM apply system patches in a timely manner and in
accordance with policy.
Management Response: We concur. We have mitigated 75% of the server scan related and
web-based findings identified within the OIG Audit Inquiry 01. The remaining 25% of
identified findings will be addressed in conjunction with the phased Legacy server and web-
based interface decommissioning starting , the phased rollout of
servers scheduled to start in , and the Upgrade software release scheduled for
.
I appreciate the opportunity to respond to this draft report. If you have any questions regarding
our response, please contact , , and @opm.gov.
Report No. 4A-HR-00-18-013
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations to
us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's USA Staffing System
Published by the Office of Personnel Management, Office of Inspector General on 2018-05-10.
Below is a raw (and likely hideous) rendition of the original report. (PDF)