Months into a government effort to better protect personal information it holds on tens of millions of Americans following two major hacks, auditors remain concerned that planning and funding shortcomings continue to leave the project at “high risk” of failure.
The inspector general of the Office of Personnel Management has said that he stands by that view, after considering OPM management’s responses to an earlier report criticizing the computer security upgrade intended to prevent a repeat of the kind of cyberthefts disclosed in the spring.
OPM had rejected several of the June audit’s recommendations, including one that it first go through a full planning process called a Major IT Business Case in government parlance, and downplayed the IG’s concerns about lack of competition for the contract for the first stages of the work. The personnel agency cited the need to act quickly to close the cyber barn doors after separate breaches of personnel and security clearance files.
The former involved records of some 4.2 million current and former federal employees, implicating personal identifying information, educational background, work histories and similar information. The second involved some 21.5 million persons who applied for security clearances, or had them renewed, since 2000 and in some cases before.
That hack included some 3.6 million current and former federal employees, virtually all of whom had been hit by the personnel files attack, plus contractor and military personnel, and family members mentioned in clearance application files. In addition to basic identifying information, highly personal information that applicants must disclose was stolen, including on personal financial and medical histories, foreign travel, and family information — and in some cases, also fingerprints and notes by background investigators.
Credit monitoring, identity theft restoration and similar services already have been offered to victims of the personnel files breach, while notices offering similar services for the clearance files breach are to go out in the upcoming weeks and continue for several months.
In his latest report, Inspector General Patrick E. McFarland responded in turn to OPM management’s replies to the original audit. The IG said that the time and effort needed to develop a full business case “proves the importance of this point. OPM did not take the time to complete the necessary planning, budgeting, and technical analysis before initiating this massive undertaking.”
It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”
“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.
OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”
It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.
Another point of contention is how OPM has characterized the contract for the project. “OPM’s original assertion that the sole-source contract was not intended to be used for the Migration and Clean-up phases of the Project is not correct,” the IG said. “In fact, the conflicting statements from OPM officials regarding this contract are extremely concerning, especially the comments that were made under oath before Congress by both former Director Archuleta and CIO [Donna] Seymour.”
The report, dated Sept. 3, was released Monday by both the IG’s office and the House Oversight and Government Reform Committee, one of several panels that have held contentious hearings with administration officials on the breaches and the response.
“OPM continues to ignore serious concerns about their IT infrastructure improvement plan from the Inspector General,” Rep. Jason Chaffetz (R-Utah), chairman of the oversight panel, said in a statement. “It’s unsettling that despite a data breach that put the sensitive, personal information of 21.5 million Americans at risk, OPM once again refuses to heed warnings from the IG.”
“Ignoring the IG’s warnings largely got them into this mess in the first place,” he said. “If OPM wants to regain the trust of Congress and the American people, they must make implementing the IG’s recommendations a top priority.”
Since the earlier report, the IG had separately complained that OPM’s Office of the Chief Information Officer had “hindered and interfered with” his office’s oversight of the project and had given the IG “incorrect and/or misleading information.”
In a Sept. 9 response to the latest audit, OPM said that it has improved communication with the IG and has updated its project documentation, which it will submit to the Office of Management and Budget as a formal business case plan. It also said that the original contract will involve only limited work on the data migration and cleanup phases and that for the bulk of the work, “OPM intends to meet its needs through other acquisition strategies or through existing OPM processes, as appropriate.”