WASHINGTON (Sputnik) – The US Office of Personnel Management (OPM) had a history of security requirement failures before a data breach compromised millions of US federal workers’ personal data, Assistant Inspector General for Audits Michael Esser said in US congressional testimony on Tuesday.
“Many security controls went unimplemented and/or remained untested, and OPM routinely failed a variety of FISMA [Federal Information Security Management Act] metrics year after year,” Esser said in a statement to the US House Committee on Oversight and Government Reform.
The inspector general added that a decentralized governance structure led to “material weakness” in security at OPM.
Esser said that an audit of OPM revealed the agency did not have a centralized inventory of its servers and databases within its networks.
In 2014, he said, 21 of OPM’s information systems were due for a security assessment and authorization procedure, but the procedure had not been completed and the systems proceeded to operate “without a valid authorization.”
Esser said the failure “represents a systemic issue of inadequate planning by OPM program offices to assess and authorize the information systems.”
According to media reports, US investigators believe Chinese hackers were responsible for the security breach. China has denied the allegations.
The administration of US President Barack Obama has so far avoided blaming China for the attack.
OPM serves as the US government’s human resources department. Among its responsibilities are managing US federal pension benefits and conducting background investigations for security clearances.