The Defense Department will take over responsibility for storing sensitive information on millions of federal employees and others from the Office of Personnel Management and the government will create a new entity to oversee background investigations, Obama administration officials announced Friday.
Those changes and others are the result of an internal review of how the government conducts those investigations and how it stores and uses the information gathered following the disclosure last summer that OPM’s computer system had been breached in 2014.
A new entity to be called the National Background Investigations Bureau will take over responsibility for conducting background investigations government-wide. That includes some 600,000 investigations annually for new or renewed security clearances, plus other checks, such as on those seeking access to certain government facilities.
The new bureau, to be headed by a presidential appointee, will take over OPM’s Federal Investigative Services branch, while the Pentagon will take over the information technology aspects.
For federal employees and others who hold government-issued security clearances, changes will include a reinvestigation every five years regardless of the level of access, and continuous investigations to determine whether they continue to meet requirements for eligibility.
No time line has been set for the changes, which will be carried out in stages, but “certainly some of them will occur over 2016,” said Michael Daniel, Cybersecurity Coordinator of the National Security Council.
“These are some really key changes in our view,” he said in a conference call with reporters. “They represent real change from how we’ve been doing business currently.”
“We think it’s a signify enhancement of our ability to modernize IT effectiveness for cybersecurity in this area. This is a great opportunity to leverage modern cutting edge tools and systems at DoD to implement significant reforms to the background investigation process,” said Marcel Lettre, Defense Department Under Secretary for Intelligence.
The upcoming Obama administration budget proposal will include a request for $95 million for Defense for that purpose, according to the Office of Management and Budget.
OPM’s stewardship of the background investigations data came under heavy criticism from Congress following the theft —reportedly by China-based hackers — of information on some 21.5 million current and former federal employees, military personnel, contractor employees and others who underwent background checks since about 2000. For those who sought clearances in particular, those files contain highly personal information such as past legal or financial problems; for more than five million, fingerprints also were stolen.
OPM’s personnel files on some 4.2 million current and former federal employees were breached in a separate attack. The government is offering identity monitoring and protection services related to both incidents.
Reaction on Capitol Hill to the announcement was mixed. A leading critic of OPM’s performance before and after the breaches, House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz (R-Utah), said that “simply creating a new government entity doesn’t solve the problem.”
“The administration needs to undertake meaningful reforms to protect citizens’ most sensitive personal information,” Chaffetz said in a statement. “Protecting this information should be a core competency of OPM, the government’s human resources agency. Today’s announcement seems aimed only at solving a perception problem rather than tackling the reforms needed to fix a broken security clearance process.”
However, Rep. Adam Schiff (D-Calif.), the ranking Democrat on the House Intelligence Committee, welcomed the move, saying that “OPM was never designed, nor intended to be, an intelligence or national security agency. By entrusting the cybersecurity of this new bureau to the Pentagon, we will be better able to ensure that the personal information of those who work to secure all of us is protected.”
Administration officials said the Defense Department will build on efforts OPM has made to improve security of the data following breaches of systems that even OPM characterized as being out of date and incapable of providing the latest security protections.
OPM press secretary Samuel Schumach said that OPM has been working toward real-time monitoring of its IT systems, installing network access controls that prohibit unknown devices from logging onto the network, and enforcement of two-factor authentication for logging on, among other controls.
“Utilizing what DoD can provide — a large and trained cybersecurity workforce to protect against and respond to cyber intrusions, and a strong focus on national security — is the right step to take, and we are committed to a close partnership with DoD to make this happen,” he said in an e-mail.
Under the new arrangement, “What you’ll see is an approach that focuses on adaptability over time as different threats and challenges occur,” said U.S. Chief Information officer Tony Scott. “That’s built into the model and I think represents a very significant difference in the approach that we’re taking.”
Officials noted that some changes regarding background investigations already have been made following a separate review spurred by the Washington Navy Yard shootings in September 2013, including a 17 percent cut in the number of clearance holders. Also being developed is better information-sharing among state, local and federal law enforcement entities during background investigations, OMB said in a fact sheet.
Acting OPM Director Beth Cobert added that her agency also is continuing to work to reduce the current backlog of clearance investigations. OPM is in the process of hiring 400 additional investigators and expects to have them trained and in place by end of this year, she said.