The computer upgrade that federal officials tout as having detected — although not prevented — a massive breach of information on federal employees is itself at high risk of failure, according to a new internal audit.
The independent inspector general’s office within the Office of Personnel Management is conducting a thorough review of the upgrade but issued a “flash audit alert” to top agency leaders “to bring to your immediate attention serious concerns we have” that require “immediate action.”
“There is a high risk that this project will fail to meet the objectives of providing a secure operating environment for OPM systems and applications,” the alert says.
OPM “has initiated this project without a complete understanding of the scope of OPM’ s existing technical infrastructure or the scale and costs of the effort required to migrate it to the new environment . . . In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure,” it says.
The alert is dated June 17, the same day that top OPM officials participated in a contentious House hearing about two separate breaches, one involving personnel records of current and former federal workers and one involving security clearance application files.
The breach of OPM’s security-clearance computer system happened a year ago, giving Chinese government intruders considerable time to explore the sensitive data and identify information that they wanted to steal, according to details disclosed last week.
The compromise of that system — which includes a wealth of personal, family and financial details on millions of current, former and prospective federal employees and contractors — was uncovered in early June and goes back about a year, government officials said.
The discovery that the security-clear system had been infiltrated came after the detection in April of the compromise of a separate OPM personnel database that contains the personal information, including Social Security numbers, of 4.1 million current former federal employees.
The release of the IG’s audit comes as Congress is set to hold three more hearings this week on the issue and amid growing calls for more disclosure and accountability from OPM.
At last week’s hearing, members of both parties criticized OPM for failing to respond to prior reports from the inspector general warning of vulnerabilities in its computer systems. Those warnings included recommendations, not carried out, that OPM consider shutting down certain systems that did not meet certain security standards.
In response to those criticism, OPM director Katherine Archuleta repeatedly pointed to an ongoing upgrade project that ultimately detected the breaches, although months after they happened.
According to the latest IG report, that upgrade was launched in response to the failed attempt to hack the security clearance files in March 2014, an attempt that was made public several months later. The successful breach of those files happened around that same time, while the breach of the personnel files happened in late 2014.
The upgrade project includes a full overhaul of the agency’s technical infrastructure and then migrating the entire infrastructure into a completely new environment.
“While we agree in principle that this is an ideal future goal for the agency’s IT environment, we have serious concerns regarding OPM’s management of this Project. The Project is already underway and the agency has committed substantial funding, but it has not yet addressed several critical project management requirements,” the alert says.
One such issue is the time required to move the data into the new system, which OPM estimates at 18 to 24 months. “We believe this is overly optimistic and that the agency is highly unlikely to meet this target,” the auditors said.
Also questionable is the ultimate cost and how it will be paid for: “When we asked about the funding for the Migration phase, we were told, in essence, that OPM would find the money somehow, and that program offices would be required to fund the migration of applications that they own from their existing budgets. However, program office budgets are intended to fund OPM’ s core operations, not subsidize a major IT infrastructure project. It is unlikely that OPM will be able to fund the substantial migration costs related to this Project without a significantly adverse impact on its mission, unless it seeks dedicated funding through Congressional appropriation,” the audit says.
In addition, OPM has not completed other standard best practice project management steps such as a study of the scope and timeline, a technology acquisition plan, a test plan, and full implementation plan, it says.
While it was understandable that OPM had to shortcut the initial steps of the project to get it underway, it says, “the other phases of the project are clearly going to require long-term effort, and, to be successful, will require the disciplined processes associated with proper system development project management.”
At a Senate subcommittee hearing Tuesday morning, Archuleta said, “I assure the inspector general and everyone here that all our decisions are being tracked, documented and justified.”
She said the administration has designated $67 million in 2014 and 2015 funds for the project and is requesting another $27 million for 2016. She added that a request for additional funding may be made soon.
OPM press secretary Sam Schumach said in a statement later Tuesday, “If the agency were to follow the OIG recommendation that OPM adhere to the regular timetable of submitting this project as part of the FY 2017 budget process, then it would be necessary for OPM to begin a process that could not be completed in time and that would only serve to stall the critical efforts already underway.”
Michael Esser, the agency’s assistant inspector general for audits, said at the hearing that the upgrade “definitely needs to be done. We fully support that project. In general, we definitely think that’s the right path to follow.”
However, his formal statement raised many of the issues contained in the audit, adding that the money set aside or requested so far would pay only for the work up to the migration of data—which “is likely to be, by far, the most expensive part of the project.”