Beth Cobert, who has been serving as OPM's chief performance officer, will take the director's job on an interim basis while administration searches for a permanent replacement.
Inspector general pushes for better security practices
In the meantime, the inspector general continues to press for OPM to take steps to address lax security practices that he says left the agency vulnerable to the massive breaches that exposed millions of names, addresses, Social Security numbers and other personal information.
Esser describes an inconsistent governance framework for information security, which he sees as the inevitable byproduct of a decentralized organizational structure. The agency has been making some strides on that front, but much work remains, he says.
"It is vital to have a centralized governance structure," Esser says. "OPM has made improvements in this area, but it's still working to recover from years of decentralization."
Additionally, he takes aim at the assessment and authorization mechanisms in place to ensure the security of the applications in use within the agency. In a 2014 audit, Esser's team discovered that 11 of 47 major OPM systems were operating without a valid authorization, as set forth by OMB standards.
Esser also says that OPM needs to improve its technical security controls in areas like authentication and configuration management.
OPM, which oversees sensitive data including files relating to security clearances for federal workers, today finds itself the focal point of the debate over information security within the government, but insiders note that the problems are hardly confined to a single agency.
Gregory Wilshusen is the director of Information Security Issues at the U.S. Government Accountability Office. At the House hearing, he was asked how he would grade the federal cybersecurity apparatus, generally. After only the slightest hesitation, Wilshusen responded, "D."
"In many respects there are improvements within federal information security and some initiatives, but it's getting to the effective implementation of those security controls and some of the initiatives over time consistently that's been proved challenging," he says.
Following the revelations of the OPM data breach, the White House announced what it called a "cybersecurity sprint," a 30-day blitz across the federal government to address some of the most critical vulnerabilities. Then, last week, the administration issued a fact sheet touting the successes of that program and others focused on cybersecurity.
Wilshusen credits the administration for taking steps to improve security and to call attention to the threats, though he takes issue with the terminology of the latest effort, calling for a more fundamental shift that would embed security considerations within the daily operations of the departments and agencies.
"The need for assessing and monitoring the effectiveness of security controls needs to be done on a continuous-monitoring basis because threats change every day," Wilshusen says. "It's not a sprint -- it's a marathon."
Sign up for CIO Asia eNewsletters.