“In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals. For many years we have reported critical weaknesses in OPM’s ability to manage its information technology (IT) environment, and warned that the agency was as an increased risk of a data breach. In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements. During this audit we did close a long-standing recommendation related to OPM’s information security management structure – [Report Number 4A-CI-00-15-011, November 10, 2015] However, this audit also determined that there has been a regression in OPM’s management of its system Authorization program, which we classified as a material weakness in the FY 2014 FISMA audit report. In April 2015, the Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had alrea dy expired, and for those scheduled to expire through September 2016. Should this moratorium on Authorizations continue, the agency will have up to 23 systems that have not been subject to a thorough security controls assessment. We continue to believe that OPM’s management of system Authorizations represents a material weakness in the internal control structure of the agency’s IT security program. The moratorium on Authorizations will result in the IT security controls of OPM’s systems being neglected. Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”