Skip to page navigation
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Skip to main content

Goal 6: Enhance Cybersecurity

Protect citizen data and build trust with a comprehensive security strategy


IT security is critical to OPM. Every OPM executive, manager, and employee plays a critical role in helping the agency protect the sensitive data of federal applicants, employees, and retirees. As such, every OPM stakeholder must understand their risk management responsibilities and act accordingly. Ultimately, OPM must be viewed as—and serve as—a trusted entity for that data.

Define OPM’s overall IT security strategy and budget based on current cybersecurity tools and best practices

All organizations that leverage IT face a tension: how much does one take away from investments that serve its mission to invest in IT security? Given the sensitivity of the data and its operations, OPM has developed a sound, funded security strategy. As examples, OPM is updating commercial software and hardware releases, meeting requirements of the recently issued Executive Order (EO) on cybersecurity, and deploying secure configurations for applications and data migrating to the cloud.

Initiatives for this strategic objective include:

  • Achieve and self-fund IT security strategy objectives for the life of this Strategic Plan
  • Implement all elements of Executive Order 14028 Improving the Nation’s Cybersecurity
  • Develop and implement a security architecture leveraging cloud-based solutions
  • Coordinate with Facilities, Security, and Emergency Management (FSEM) regarding appropriate responses to disaster scenarios
  • Implement a risk quantification program
  • Streamline Authorization to Operate (ATOs) and move to a continual systems security authentication process

Increase cyber visibility and protection of key systems

Not all data and systems are the same when it comes to IT security. OPM will continue addressing cyber vulnerabilities for its systems and related data. This has the highest near-term priority of all strategic objectives within this strategic goal.

Initiatives include:

  • Continue enhancing enterprise logging and monitoring capabilities with OPM key systems
  • Continuously enhance enterprise vulnerability and baseline configuration scanning capabilities with OPM key systems
  • Continuously improve logging, log retention, and log management capabilities to enhance visibility and incident response actions
  • Execute action plans to address gaps in cyber supportability for OPM key systems

Achieve cyber modernization to counter everchanging and increasingthreats to OPM’s mission

IT security vulnerabilities are constantly changing, and solutions to address vulnerabilities are continually evolving. OPM leverages current, proven technologies and continually modernizes its cybersecurity architecture. This includes adopting a Zero Trust architecture and solution over the next couple of years, and implementing a robust Identity, Credential, and Access Management (ICAM) solution. Additionally, OPM is deploying cybersecurity capabilities to address all systems and data in the cloud and conducting rigorous application testing for all software developed for OPM.

Initiatives include:

  • Continue complying with OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles by the end of FY 2024, and implement an OPM-wide Zero Trust program
  • Establish an enterprise-wide ICAM program
  • Continue improving the authentication capabilities and experience for all OPM customers
  • Use the Security Orchestration, Automation, and Response(SOAR) platform to automate and improve existing processes
  • Implement a rigorous application security testing program
  • Implement cloud native cybersecurity AI and ML tools

Train OPM staff in cybersecurity role and responsibilities

A critical facet of OPM’s IT security strategy is the role of OPM’s stakeholders. OPM OCIO will define all stakeholder roles and develop cybersecurity training specific to each role. As stakeholders receive training, OPM OCIO will solicit feedback to make such training more valuable and compelling.

Initiatives include:

  • Continue defining and reevaluating security responsibilities for all OPM stakeholders
  • Continue requiring that OPM staff complete basic cybersecurity training to learn about cybersecurity roles
  • Improve quality in advanced cybersecurity training, and provide OPM staff with appropriate advanced cybersecurity training
  • Establish continuous improvement objectives for OPM staff in security awareness and compliance

Increase the perception of OPM as a trusted entity in the protection of customer and stakeholder data, and mission-critical processing

Through yearly improvements to OPM’s FISMA score, cybersecurity cross-agency priority goals, delivering on commitments to implement a Zero Trust solution, and meeting DHS Binding Operational Directives and Emergency Directives, OPM will become a trusted entity in the protection of its customer data and mission-critical processing.

Initiatives include:

  • Continue improving OPM’s communications around the agency’s IT security posture
  • Continue improving OPM’s system owner visibility into the system’s security posture
Control Panel