The Washington PostDemocracy Dies in Darkness

OPM officials hindering scrutiny of hacked computer systems, watchdog says

(Andrew Harrer/Bloomberg)

The Office of Personnel Management’s inspector general has accused the agency’s information technology office of trying to thwart scrutiny of how well OPM protected the security clearance and federal employee personnel files that were hacked and how well it responded to those breaches.

Inspector general Patrick E. McFarland said that OPM’s Office of the Chief Information Officer, or OCIO, has “hindered and interfered with” his office’s oversight and “has created an environment of mistrust by providing my office with incorrect and/or misleading information.”

In a memo to acting OPM director Beth Cobert, McFarland said that while his independent office traditionally has had a positive relationship with the OCIO, recent events make him “question whether the OCIO is acting in good faith.”

In particular, the memo said that the IG delayed a planned audit of a contractor when officials pointed out that another audit recently had been done, even though they knew by then that the contractor already had been breached — a breach that has been described as providing the key to unlocking the OPM personnel files. The CIO’s office also “failed to timely notify” the IG of the hack of the personnel records, which “impeded our ability to coordinate with other law enforcement organizations and conduct audit oversight activity,” it said.

Management also tried to keep IG investigators out of meetings with the FBI and others on the security-clearance files breach, and did not fully inform the IG of a major IT project for nearly a year after planning and implementation began, it said.

While some of those events happened many months ago, McFarland also pointed to what he called “inaccurate or misleading” information originating with the chief information office that OPM officials provided in recent testimony before Congress.

“I am sharing this with you not to accuse any OPM employees of intentional misconduct, but rather to clear the air and rebuild a productive relationship between the OIG and the OCIO,” McFarland wrote to Cobert on July 22; he forwarded it to the House Oversight and Government Reform Committee on Monday.

However, the memo has spurred the head of that committee, Rep. Jason Chaffetz (R-Utah), to renew his call  for the administration to remove Chief Information Officer Donna Seymour. That committee held several contentious hearings on the data breaches at which some members said they wanted Seymour and then-OPM director Katherine Archuleta, who hired her, to resign or be fired. Later, 17 committee members wrote to the White House requesting that both be fired.

Archuleta resigned under pressure after she and other officials disclosed the wide scope of the breach of security clearance files. That breach involves highly personal information on more than 21 million federal employees, military personnel and contractor employees who applied for a clearance or had one renewed since 2000 and in some cases before. The personnel files breach involves some 4.2 million current and former federal workers and includes personal identifying information.

In a letter sent Thursday to Cobert, who took over as acting director after Archuleta resigned, Chaffetz said that “it has been two weeks since the IG informed you of these serious transgressions and Ms. Seymour is still in a position of trust at the agency. Ms. Seymour has already failed the American people with her inability to secure OPM’s networks, and to learn that her office may be actively interfering with the work of the Inspector General only adds insult to injury.”

While the memo, released by both McFarland and Chaffetz, said that Archuleta and Seymour provided inaccurate or misleading information to Congress, details were redacted from the memo as it was made public.

In a response letter to McFarland, Cobert wrote that she and the agency’s leadership are committed to a productive relationship with the IG. She acknowledged his “frustration about what you perceive to be ineffective communication between your office and the OCIO” and suggested meetings monthly or more often between the IG and OCIO offices in addition to those already occurring, among other steps.

However, substantial portions of her letter, released by the OPM, also were redacted. The portions made public did not address McFarland’s specific complaints in detail beyond a promise to provide the IG with updated information on the IT upgrade.

OPM spokesman Sam Schumach said in a statement that “since Ms. Seymour’s arrival at OPM in late 2013, OPM has undertaken an aggressive effort to upgrade the agency’s cybersecurity posture, adding numerous tools and capabilities to its various legacy networks.  These efforts were critical in helping OPM to identify the recent cybersecurity incidents,” the statement said, citing her 37 years of federal service and recognition awards.

The IG’s office earlier clashed with Archuleta and Seymour by issuing, on the day of one of the hearings, a memo stating that the IT upgrade that those officials credited with detecting the breach was itself at high risk of failure and cost overruns.

The IG’s office had pointed out weaknesses in OPM’s cybersecurity over a number of years, including recommendations that it shut down several of the systems that ended up being hacked. OPM officials didn’t follow those recommendations, stating since then that the issues were not serious enough to warrant shutting down so many systems so vital to the government’s personnel operations.

U.S. Chief Information Officer Tony Scott “stands by his comments” at a June Senate hearing, an Office of Management and Budget official said. At that hearing, Scott expressed confidence in both Seymour and Archuleta, who at the time was still in office. Scott said that the OPM’s responses to the breaches “serve as a template and a model for work that other agencies need to do as well” on cyber security.

At that same hearing, McFarland was asked whether he had confidence that the OPM management team was capable of fixing the agency’s cyber security problems and responded, “based on what we’ve found, no.”