FEDERAL INFORMATION SECURITY MODERNIZATION ACT AUDIT FISCAL YEAR 2025

Date Issued

Monday, November 24, 2025

Submitting OIG

Office of Personnel Management OIG

Agencies Reviewed/Investigated

Office of Personnel Management

Report Number

2025-ISAG-008

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 8 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2	No	$0	$0
We recommend that OPM evaluate and adjust its cybersecurity risk management strategy based on its threat environment and organization-wide cyber and privacy risk assessment.
4	No	$0	$0
We recommend that OPM develop policies and procedures for developing and maintaining a data inventory.
7	No	$0	$0
We recommend that OPM ingest security logs from its FISMA systems and analyze events and anomalies.
12	No	$0	$0
We recommend that OPM configure the agency logs/logging tools to meet the EL1 (basic) logging requirements outlined in M-21-31.
10	No	$0	$0
We recommend that OPM document lessons learned to improve its ISCM policies and strategy.
9	No	$0	$0
We recommend that OPM document POA&Ms for all ISCM risks.
11	No	$0	$0
We recommend that OPM update its ISCM strategies to include policies and procedures to monitor its cloud service providers security posture.
13	No	$0	$0
We recommend that OPM test all ISCP's annually as required by OPM policy.