Bad news for the Office of Personnel Management (OPM) continued this week after a “flash audit” revealed “serious concerns” about agency plans for a major IT systems overhaul. According to the inspector general in charge of assessing the OPM, a proposed $91 million IT retooling has not followed management guidelines, and the agency granted a no-bid contract to one vendor.
“We have serious concerns regarding OPM’s management of this project,” said Inspector General Patrick McFarland in the audit, which was circulated in Congress and obtained by the Associated Press. “The project is already underway, and the agency has committed substantial funding, but it has not yet addressed several critical project-management requirements.”
On Tuesday, OPM Chief Information Officer Donna Seymour testified that the agency is currently implementing a new IT architecture designed to help better protect sensitive information but that it will take time to implement entirely.
But McFarland, who said he backs an IT overhaul, said there is “a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications.”
OPM Director Katherine Archuleta said earlier this week that much of the OPM’s infrastructure is run on legacy systems but that new technology introduced during her tenure helped with the discovery of the breach in the first place.
McFarland pointed out those legacy systems as well, adding that they “will need to be completely renovated to be compatible with OPM’s proposed new IT architecture.” And the cost of such a migration could go well beyond the proposed $91 million. The OPM has estimated implementation of the new architecture could take 18 to 24 months to complete, but McFarland was less optimistic about such a forecast. He said, for example, a much smaller data migration cost $30 million and took two years to finish.
“The other phases of the project are clearly going to require long-term effort,” McFarland noted, “and, to be successful, will require the disciplined processes associated with proper system development project management.”
The Washington Post reports that, according to anonymous federal officials, Chinese hackers had access to U.S. security clearance data—controlled by OPM—for a year. Former NSA General Counsel Stewart Baker said, “The longer you have to exfiltrate data, the more you can take … If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”
It’s estimated the background check database was infiltrated in June or July of 2014.
Baker added, “This is some of the most sensitive non-classified information I could imagine the Chinese getting access to.”
According to OPM testimony during Tuesday’s House Oversight and Government Reform Committee hearings, the agency has not yet determined how many individuals were affected in the security clearance breach.
However, the number may well be much larger than the 4.2 million records affected in the personnel database and could affect non-government workers, such as contractors hired by the government. According to a Federal Times report, a subcontractor to a large systems integrator supporting a Department of Homeland Security (DHS) contract recently received notification of the background check breach from the agency.
“This is a letter I expect to get from Target or Home Depot,” the anonymous source said. “You understand when you go to a commercial entity it might happen, because well, they’re not DHS.”
The OPM hacks are also becoming politicized, especially as the presidential campaigns heat up. Declared presidential candidate Sen. Marco Rubio (R-FL) has called on the White House to “immediately” release all of the information on the OPM breaches. “All details that can be shared with the public, and especially those affected, should be released immediately to halt the slow trickle of bad news that keeps coming from this attack.”
President Barack Obama said earlier this week that he supports the OPM’s Archuleta, whom he appointed in 2013.